6.4
CVE-2024-9117 - Mapplic Lite <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The Mapplic Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to in…
6.4
CVE-2024-9173 - GF Custom Style <= 2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The GF Custom Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to…
6.4
CVE-2024-9127 - Super Testimonials <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via alignmen…
The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the “alignment” parameter in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level a…
6.4
CVE-2024-9125 - king_IE <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The king_IE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject …
4.3
CVE-2024-47337 - WordPress Joy Of Text Lite plugin <= 2.3.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in Phillip Dane Joy Of Text Lite joy-of-text. This issue affects Joy Of Text Lite: from n/a through <= 2.3.1.
5.3
CVE-2024-47044 -
Multiple Home GateWay/Hikari Denwa routers provided by NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION are vulnerable to insufficient access restrictions for Device Setting pages. If this vulnerability is exploited, an attacker who identified WAN-side IPv6 address may access the product's Device Se…
5.3
CVE-2024-9025 - Sight – Professional Image Gallery and Portfolio <= 1.1.2 - Missing Authorization to Sensitive Info…
The Sight – Professional Image Gallery and Portfolio plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handler_post_title' function in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to expose p…
6.1
CVE-2024-8872 - Store Hours for WooCommerce <= 4.3.20 - Reflected Cross-Site Scripting
The Store Hours for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3.20. This makes it possible for unauthenticated attackers to inject arbitrary web scr…
3.1
CVE-2024-47003 - DoS via non-string message using permalink embed
Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.
5.4
CVE-2024-42406 - Unauthorized access on archived channels
Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as w…