4.3
CVE-2024-6872 - Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-…
The Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-Click Import for Elementor & Gutenberg Blocks! – TemplateSpare plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'templatespare_activ…
4.3
CVE-2024-6709 - Sync Post With Other Site <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Post Creati…
The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access a…
6.4
CVE-2024-7356 - Zephyr Project Manager <= 3.3.100 - Authenticated (Subscriber+) Stored Cross-Site Scripting via fil…
The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-lev…
9.8
CVE-2024-7257 - YayExtra – WooCommerce Extra Product Options <= 1.3.7 - Unauthenticated Arbitrary File Upload via h…
The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary …
7.5
CVE-2024-7031 - File Manager Pro – Filester <= 1.8.2 - Authenticated Plugin Settings Update
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role tha…
7.2
CVE-2024-7291 - JetFormBuilder <= 3.3.4.1 - Authenticated (Administrator+) Privilege Escalation
The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as su…
7.5
CVE-2024-6477 - UsersWP < 1.2.12 - Users Information Disclosure
The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive information such as IP, username, and email address.
5.9
CVE-2024-6390 - Quiz and Survey Master (QSM) < 9.1.0 - Contributor+ Stored XSS
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.0 does not properly sanitise and escape some of its Quiz settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.
5.3
CVE-2024-42349 - FOG has a Log Information Disclosure
FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.4 and earlier can leak authorized and rejected logins via logs stored directly on the root of the web server. FOG Server creates 2 logs on the root of the web server (fog_login_accepted.log and fog_login_failed.…
9.3
CVE-2024-42348 - FOG leaks sensitive information (AD domain, username and password)
FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.2 can leak AD username and password when registering a computer. This vulnerability is fixed in 1.5.10.41.3 and 1.6.0-beta.1395.