4.3
CVE-2024-7380 - Geo Controller <= 8.7.3 - Missing Authorization to Authenticated (Subscriber+) Menu Creation/Deleti…
The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.7.3. This makes it possible for authenticated attackers, with S…
4.4
CVE-2022-3556 - Cab fare calculator <= 1.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting
The Cab fare calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vehicle title setting in versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileg…
4.3
CVE-2024-7605 - HelloAsso <= 1.1.10 - Missing Authorization to Authenticated (Contributor+) Limited Options Update
The HelloAsso plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ha_ajax' function in all versions up to, and including, 1.1.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to update plug…
6.3
CVE-2024-5957 -
This vulnerability allows unauthenticated remote attackers to bypass authentication and gain APIs access of the Manager.
6.5
CVE-2024-5956 -
This vulnerability allows unauthenticated remote attackers to bypass authentication and gain partial data access to the vulnerable Trellix IPS Manager with garbage data in response mostly
6.4
CVE-2024-6894 - RD Station <= 5.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The RD Station plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping of post metaboxes added by the plugin. This makes it possible for authenticated attackers, with Contributor-level a…
6.4
CVE-2024-6929 - Dynamic Featured Image <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via dfiF…
The Dynamic Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘dfiFeatured’ parameter in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-l…
6.5
CVE-2024-6332 - Booking for Appointments and Events Calendar – Amelia Premium <= 7.7 and Lite <= 1.2.4 - Missing Au…
The Booking for Appointments and Events Calendar – Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.4. This makes it poss…
6.6
CVE-2024-6840 - Automation-controller: gain access to the k8s api server via job execution with container group
An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account.
5.5
CVE-2024-45107 - ZDI-CAN-24186: Adobe Acrobat Reader DC Doc Object Use-After-Free Information Disclosure Vulnerabili…
Acrobat Reader versions 20.005.30636, 24.002.20964, 24.001.30123, 24.002.20991 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue r…