8.8
CVE-2024-3242 - Brizy – Page Builder <= 2.4.44 - Authenticated (Contributor+) Arbitrary File Upload
The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the validateImageContent function called via storeImages in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contribut…
6.4
CVE-2024-5554 - Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arr…
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘onclick_event’ parameter in all versions up to, and including, 5.6.11 due to insufficient input sanitization and out…
7.5
CVE-2024-40764 -
Heap-based buffer overflow vulnerability in the SonicOS IPSec VPN allows an unauthenticated remote attacker to cause Denial of Service (DoS).
7.1
CVE-2024-29014 -
Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to execute arbitrary code when processing an EPC Client update.
9.8
CVE-2024-6164 - Filter & Grids < 2.8.33 - Unauthenticated LFI
The Filter & Grids WordPress plugin before 2.8.33 is vulnerable to Local File Inclusion via the post_layout parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
5.4
CVE-2023-6708 - SVG Support <= 2.5.7 - Authenticated (Author+) Cross-Site Scripting via SVG
The SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG upload feature in all versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping, even when the 'Sanitize SVG while uploading' feature is enabled. This makes it possibl…
4.3
CVE-2024-6599 - Meks Video Importer <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) API Keys Modif…
The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajax_save_settings function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and abo…
5.5
CVE-2024-6705 - RegLevel <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
The RegLevel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and abov…
6.4
CVE-2024-5964 - Zenon Lite <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode
The Zenon Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with …
8.8
CVE-2024-5726 - Timeline Event History <= 3.1 - Authenticated (Contributor+) PHP Object Injection
The Timeline Event History plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1 via deserialization of untrusted input 'timelines-data' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a…