5.8
CVE-2024-6591 - Ultimate WordPress Auction Plugin <= 4.2.7 - Missing Authorization to Unauthenticated Email Creation
The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all versions up to, and including, 4.2.7. This makes it possibl…
5.3
CVE-2024-6548 - Add Admin JavaScript <= 2.0 - Unauthenticated Full Path Disclosure
The Add Admin JavaScript plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path …
8.8
CVE-2024-6152 - Flipbox Builder <= 1.5 - Authenticated (Contributor+) PHP Object Injection
The Flipbox Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5 via deserialization of untrusted input in the flipbox_builder_Flipbox_ShortCode function. This makes it possible for authenticated attackers, with Contributor-level access and ab…
5.3
CVE-2024-1798 - Tutor LMS – Migration Tool <= 2.2.0 - Missing Authorization in tutor_lp_export_xml
The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including priva…
4.3
CVE-2024-1804 - Tutor LMS – Migration Tool <= 2.2.0 - Missing Authorization in tutor_import_from_xml
The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level acces…
5.4
CVE-2024-4410 - IgnitionDeck Crowdfunding Platform <= 1.9.8 - Missing Authorization
The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for au…
5.3
CVE-2024-6547 - Add Admin CSS <= 2.0.1 - Unauthenticated Full Path Disclosure
The Add Admin CSS plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of t…
6.3
CVE-2024-42029 -
xdg-desktop-portal-hyprland (aka an XDG Desktop Portal backend for Hyprland) before 1.3.3 allows OS command execution, e.g., because single quotes are not used when sending a list of app IDs and titles via the environment.
7.4
CVE-2024-41815 - Starship vulnerable to shell injection via undocumented, unpredictable shell expansion in custom co…
Starship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easy to accidentally cause shell injection when using custom commands with starship in bash. This issue only affects users with cust…
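Both the xdg-desktop-portal-hyprland entry (app IDs and window titles sent to a shell without single quotes) and the Starship entry (shell expansion of custom-command strings) describe the same bug class: an attacker-influenced string is spliced into a command line that a shell then parses. The following is an added example written for this page, not code from either project. It re-creates the pattern in Python with a constructed window title, shows that hand-wrapping the value in single quotes does not stop a quote inside the value from ending the literal, and contrasts two fixes: quoting with shlex.quote, and bypassing the shell entirely by passing an argv list. The command (printf) and the title are illustrative assumptions.

```python
"""Added example: shell injection via unquoted interpolation, and two fixes.

Not code from xdg-desktop-portal-hyprland or Starship; a minimal re-creation
of the bug class their advisories describe.
"""
import shlex
import subprocess

# Constructed sample: a window title the attacker controls (for example the
# <title> of a web page the user has open). The embedded single quote closes
# the quoting a naive caller wrapped around the value.
MALICIOUS_TITLE = "Report'; echo INJECTED; echo '"


def build_unquoted(title: str) -> str:
    # Vulnerable: the caller assumes wrapping in single quotes is enough.
    # A ' inside title ends the literal; everything after it is shell syntax.
    return "printf '%s\\n' '" + title + "'"


def build_quoted(title: str) -> str:
    # Fix 1: shlex.quote() emits a literal that is always exactly one shell
    # word, whatever characters (quotes, $, ;, backticks, newlines) it holds.
    return "printf '%s\\n' " + shlex.quote(title)


def run_shell(cmd: str) -> str:
    # Hand the string to a POSIX shell, as both affected projects effectively did.
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=False)
    return proc.stdout


def run_argv(title: str) -> str:
    # Fix 2 (preferred): no shell at all. The title is a single argv element
    # and is never parsed for metacharacters.
    proc = subprocess.run(["printf", "%s\\n", title], capture_output=True, text=True, check=False)
    return proc.stdout


def injected(title: str) -> bool:
    """True if the vulnerable construction executed attacker-supplied commands."""
    return "INJECTED" in run_shell(build_unquoted(title))


def quoted_is_safe(title: str) -> bool:
    """True if the shlex.quote() construction printed the title verbatim and nothing else."""
    return run_shell(build_quoted(title)) == title + "\n"


def argv_is_safe(title: str) -> bool:
    """True if the no-shell construction printed the title verbatim and nothing else."""
    return run_argv(title) == title + "\n"


if __name__ == "__main__":
    print("unquoted injected:", injected(MALICIOUS_TITLE))        # True
    print("shlex.quote safe:", quoted_is_safe(MALICIOUS_TITLE))    # True
    print("argv safe:", argv_is_safe(MALICIOUS_TITLE))             # True
```

The argv form is the robust fix because it removes the shell from the path altogether; shlex.quote is the fallback when a shell string is unavoidable (for example a user-configurable command template), and it must be applied to every interpolated value, not just the ones that look dangerous. The Starship entry is a reminder that even documented quoting rules can differ between shells, which is another reason to prefer argv.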
9.8
CVE-2024-41120 - streamlit-geospatial blind SSRF in pages/9_π²_Vector_Data_Visualization.py
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 63 of `pages/9_π²_Vector_Data_Visualization.py` takes user input, which is later passed to the `gpd.read_file` method. `gpd.read_file` m…