6.4
CVE-2024-4448 - Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= …
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Dual Color Header', 'Event Calendar', & 'Advanced Data Table' widgets in all versions up to, and including, 5.9.19 …
8.8
CVE-2024-4129 - Authentication bypass in Snow License Manager
Improper Authentication vulnerability in Snow Software AB Snow License Manager on Windows allows a networked attacker to perform an Authentication Bypass if Active Directory Authentication is enabled. This issue affects Snow License Manager: from 9.33.2 through 9.34.0.
8.8
CVE-2024-3828 - Spectra Pro <= 1.1.5 - Authenticated (Author+) Privilege Escalation
The Spectra Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.5. This is due to the plugin allowing lower-privileged users to create registration forms and set the default role to administrator. This makes it possible for authenticated attackers…
6.4
CVE-2024-4481 - Gutenberg Blocks with AI by Kadence WP <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site S…
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This make…
4.7
CVE-2024-3941 - reCAPTCHA Jetpack <= 0.2.2 - Stored XSS via CSRF
The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack.
8.8
CVE-2024-3940 - reCAPTCHA Jetpack <= 0.2.2 - Settings Update via CSRF
The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
5.9
CVE-2024-2749 - VikBooking < 1.6.8 - Broken Access Control
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly restrict access to its settings, permitting any users that can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting (categories…
8.1
CVE-2024-2441 - VikBooking < 1.6.8 - Insecure Direct Object References
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 allows direct access to menus, allowing an authenticated user with subscriber privileges or above, to bypass authorization and access settings of the VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's they sh…
5.3
CVE-2024-4280 - White Label CMS <= 2.7.3 - Missing Authorization to Plugin Settings Reset
The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings.
5.3
CVE-2024-4699 - D-Link DAR-8000-10 importhtml.php deserialization
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DAR-8000-10 up to 20230922. This issue affects some unknown processing of the file /importhtml.php. The manipulation of the argument sql leads to deserialization. The attack may be initiated …