4.3
CVE-2024-10050 - Elementor Header & Footer Builder <= 1.6.43 - Authenticated (Contributor+) Information Disclosure v…
The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 1.6.43 via the hfe_template shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to view the contents of Draft,…
7.5
CVE-2024-6049 - Unauthenticated Path Traversal
The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is on…
6.3
CVE-2024-9943 - MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Cross-Site Requ…
The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.4. This is due to missing or incorrect nonce validation on several functions in api/class-mvx-rest-controller.php. …
4.3
CVE-2024-8667 - HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.10.0 - Missin…
The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized post publication due to a missing capability check on the activateCampaign() function in all versions up to, and including, 2.10.0. This makes it possible for auth…
4.3
CVE-2024-9531 - MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Missing Authori…
The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible …
6.1
CVE-2024-9864 - EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 - Unauthenticated Stored Cross…
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket names in all versions up to, and including, 4.0.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…
6.1
CVE-2024-9865 - EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 - Unauthenticated Stored Cross…
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ep_booking_attendee_fields' fields in all versions up to, and including, 4.0.4.7 due to insufficient input sanitization and output escaping. This makes it possible for u…
6.1
CVE-2024-9374 - Terms descriptions <= 3.4.6 - Reflected Cross-Site Scripting
The Terms descriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pa…
9.8
CVE-2024-48514 -
php-heic-to-jpg <= 1.0.5 is vulnerable to code injection (fixed in 1.0.6). An attacker who can upload HEIC images is able to execute code on the remote server via the file name. As a result, confidentiality, integrity and availability (CIA) are no longer guaranteed. This affects php-heic-to-jpg 1.0.5 and below.
9.3
CVE-2024-48548 -
The APK file in Cloud Smart Lock v2.0.1 leaks a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request that uses the app to bind to unknown devices by finding a valid serial number via a brute-force attack.