9.8
CVE-2021-4449 - ZoomSounds <= 5.96 - Unauthenticated Arbitrary File Upload
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may ma…
6.6
CVE-2021-4451 - NinjaFirewall <= 4.3.3 - Authenticated PHAR Deserialization
The NinjaFirewall plugin for WordPress is vulnerable to Authenticated PHAR Deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to perform phar deserialization on the server. This deserialization can allow other plugin or theme exploits if vulnerable softwar…
5.4
CVE-2023-7287 - Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'pt_cancel_subscripti…
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized subscription cancellation due to a missing capability check on the pt_cancel_subscription function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscr…
9.8
CVE-2021-4443 - WordPress Mega Menu <= 2.0.6 - Arbitrary File Creation
The WordPress Mega Menu plugin for WordPress is vulnerable to Arbitrary File Creation in versions up to, and including, 2.0.6 via the compiler_save AJAX action. This makes it possible for unauthenticated attackers to create arbitrary PHP files that can be used to execute malicious code.
7.4
CVE-2024-8918 - File Manager Pro <= 8.3.9 - Unauthenticated Limited JavaScript File Upload
The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, to…
6.1
CVE-2024-9937 - Woo Manage Fraud Orders <= 2.6.1 - Reflected Cross-Site Scripting
The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary …
5.4
CVE-2024-9888 - ElementInvader Addons for Elementor <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scrip…
The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget redirect URL in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes …
5.4
CVE-2024-9873 - Community by PeepSo <= 6.4.6.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
The Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in posts, comments, and profiles when Markdown support is enabled in all versions up to, and including, 6.4.6.1 due to i…
9.8
CVE-2024-10018 -
Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component.
9.8
CVE-2024-9105 - UltimateAI <= 2.8.3 - Authentication Bypass
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimate_ai_register_or_login_with_google' function. This makes it possible for unauthenticated attackers t…