7.2
CVE-2024-10260 - Tripetto <= 8.0.11 - Unauthenticated Stored Cross-Site Scripting via Form File Upload
The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that…
6.1
CVE-2024-9356 - Yotpo: Product & Photo Reviews for WooCommerce <= 1.7.9 - Reflected Cross-Site Scripting
The Yotpo: Product & Photo Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'yotpo_user_email' and 'yotpo_user_name' parameters in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it p…
4.3
CVE-2024-10582 - Music Player for Elementor – Audio Player & Podcast Player <= 2.4.1 - Missing Authorization to Auth…
The Music Player for Elementor – Audio Player & Podcast Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_mpfe_template() function in all versions up to, and including, 2.4.1. This makes it possible for authenticated attac…
6.4
CVE-2024-10113 - WP AdCenter – Ad Manager & Adsense Ads <= 2.5.7 - Authenticated (Contributor+) Stored Cross-Site Sc…
The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpadcenter_ad shortcode in all versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it pos…
6.1
CVE-2024-39610 -
Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is using the product.
5.3
CVE-2024-42499 -
Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an attacker may be able to know whether a file exists at a specific path, and/or obtain some part of the file contents under specif…
6.1
CVE-2024-9609 - LearnPress Export Import – WordPress extension for LearnPress <= 4.0.4 - Reflected Cross-Site Scrip…
The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'learnpress_import_form_server' parameter in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping. This makes…
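The Yotpo, WP AdCenter and LearnPress Export Import entries above all reduce to the same defect: a value the attacker controls (a shortcode attribute saved by a Contributor, or a request parameter echoed straight back) reaches HTML without context-appropriate escaping. The following is an added example, not code from any of those plugins; the shortcode name, parameter name and function names are hypothetical, and it shows the unescaped pattern beside the hardened form using WordPress's own escaping helpers.

```php
<?php
// Added example (hypothetical shortcode and parameter names; not the code of
// any plugin listed on this page).

// VULNERABLE: shortcode attributes are emitted as-is. A Contributor can save
// [example_player title="..."] with a payload in the attribute; it is stored
// with the post and runs in the browser of every viewer, including admins.
function example_player_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'example_player' );
    return '<div class="player" style="color:' . $atts['color'] . '">'
         . $atts['title'] . '</div>';
}

// VULNERABLE (reflected): the URL parameter goes straight back into an
// attribute value, so a crafted link executes script in the victim's session.
function example_import_form_vulnerable() {
    $server = isset( $_GET['import_server'] ) ? $_GET['import_server'] : '';
    echo '<input type="text" name="import_server" value="' . $server . '">';
}

// HARDENED: sanitize on input, then escape for the exact output context.
function example_player_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'example_player' );

    // A CSS value needs an allow-list, not just escaping: only accept a
    // 6-digit hex colour, otherwise drop the style attribute entirely.
    $style = '';
    if ( preg_match( '/^#[0-9a-fA-F]{6}$/', $atts['color'] ) ) {
        $style = ' style="color:' . esc_attr( $atts['color'] ) . '"';
    }

    // esc_html() for text nodes; esc_attr() for anything inside an attribute.
    return '<div class="player"' . $style . '>' . esc_html( $atts['title'] ) . '</div>';
}

function example_import_form_fixed() {
    $server = '';
    if ( isset( $_GET['import_server'] ) ) {
        // wp_unslash() undoes WordPress's magic-quoting; sanitize_text_field()
        // strips tags and control characters before the value is stored or used.
        $server = sanitize_text_field( wp_unslash( $_GET['import_server'] ) );
    }
    echo '<input type="text" name="import_server" value="' . esc_attr( $server ) . '">';
}

add_shortcode( 'example_player', 'example_player_shortcode_fixed' );
```

Escaping is chosen per output context: `esc_attr()` inside a quoted attribute, `esc_html()` in a text node, `esc_url()` in an `href`, and an allow-list (as above for the colour) where no escaping function fits, such as a value interpolated into CSS. Input sanitization alone (`sanitize_text_field()`) is not a substitute for output escaping; the advisories cite both as missing.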
4.3
CVE-2024-10897 - Tutor LMS Elementor Addons <= 2.1.5 - Missing Authorization to Authenticated (Subscriber+) Limited …
The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_etlms_dependency_plugin() function in all versions up to, and including, 2.1.5. This makes it possible for authenticated attackers, with Subscriber-…
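Both this entry and the Music Player for Elementor entry above are missing-capability-check bugs: a privileged action is wired to a hook (typically `wp_ajax_*`, which `admin-ajax.php` exposes to every logged-in role, Subscriber included) and the handler never asks `current_user_can()`. The following is an added example, not code from either plugin; the action name, helper name and dependency slug are hypothetical. It shows a dependency installer without any authorization check beside the hardened form, which adds a nonce, a capability check and an allow-list of what may be installed.

```php
<?php
// Added example (hypothetical action, function and slug names; not the code
// of Tutor LMS Elementor Addons or Music Player for Elementor).

// Installs a plugin from the WordPress.org repository by slug, using the core
// upgrader API. Shared by both handlers below.
function example_install_plugin_by_slug( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}

// VULNERABLE: any authenticated user can POST to
// admin-ajax.php?action=example_install_dependency and install an arbitrary
// plugin. There is no nonce, no capability check, and the slug is caller-chosen.
function example_install_dependency_vulnerable() {
    $slug = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    $result = example_install_plugin_by_slug( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success();
}

// HARDENED: CSRF nonce, the capability WordPress itself requires for this
// action, and an allow-list so the caller cannot choose what gets installed.
function example_install_dependency_fixed() {
    check_ajax_referer( 'example_install_dependency', 'nonce' ); // dies with 403 on failure

    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'elementor' ); // hypothetical: the one dependency this feature needs
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'unknown dependency', 400 );
    }

    $result = example_install_plugin_by_slug( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_example_install_dependency', 'example_install_dependency_fixed' );
```

The capability should match the one core demands for the equivalent action (`install_plugins` here, `manage_options` for settings, `edit_posts` for content), and the check belongs inside the handler rather than in the page that renders the button, since `admin-ajax.php` and REST routes can be called directly without ever loading that page.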
9.8
CVE-2024-10924 - Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it poss…
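The advisory's phrase "improper user check error handling" names a pattern worth seeing in code: a helper that returns a `WP_Error` on failure, and a caller that treats any return value as a valid user. Because a `WP_Error` object is truthy in PHP, a plain `if ( $user )` test does not catch it. The following is an added illustration of that pattern and its fix, not the plugin's own code; the route, function and user-meta names are hypothetical, and the example does not claim to reproduce the plugin's actual logic.

```php
<?php
// Added example (hypothetical route, function and meta key names; not the
// code of Really Simple Security).

// Verifies a per-login nonce for the second factor and returns the WP_User on
// success, or a WP_Error on any failure.
function example_check_login_and_get_user( $user_id, $login_nonce ) {
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user' );
    }
    $expected = get_user_meta( $user_id, 'example_2fa_login_nonce', true );
    if ( ! is_string( $login_nonce ) || '' === $expected || ! hash_equals( $expected, $login_nonce ) ) {
        return new WP_Error( 'invalid_nonce', 'Invalid login nonce' );
    }
    return $user;
}

// VULNERABLE: the return value is never checked with is_wp_error(). A WP_Error
// is truthy, so the login branch runs even when the nonce check failed, and the
// identity used for the cookie is the attacker-supplied user_id.
function example_rest_2fa_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $user    = example_check_login_and_get_user( $user_id, $request->get_param( 'login_nonce' ) );
    if ( $user ) {
        wp_set_auth_cookie( $user_id, true );
        return rest_ensure_response( array( 'logged_in' => true ) );
    }
    return new WP_Error( 'auth_failed', 'Authentication failed', array( 'status' => 401 ) );
}

// HARDENED: treat WP_Error (or anything that is not a WP_User) as failure, and
// take the identity from the object the check returned, never from the request.
function example_rest_2fa_fixed( WP_REST_Request $request ) {
    $user = example_check_login_and_get_user(
        (int) $request->get_param( 'user_id' ),
        $request->get_param( 'login_nonce' )
    );
    if ( is_wp_error( $user ) || ! $user instanceof WP_User ) {
        return new WP_Error( 'auth_failed', 'Authentication failed', array( 'status' => 401 ) );
    }
    delete_user_meta( $user->ID, 'example_2fa_login_nonce' ); // single use
    wp_set_auth_cookie( $user->ID, true );
    return rest_ensure_response( array( 'logged_in' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/2fa/finish', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_2fa_fixed',
        // Reachable before authentication by design; the nonce check inside the
        // callback is the gate, which is exactly why its result must be honoured.
        'permission_callback' => '__return_true',
    ) );
} );
```

When reviewing code like this, grep for every caller of a function that can return `WP_Error` and confirm each one tests `is_wp_error()` before using the result; in a pre-authentication REST route with `permission_callback => '__return_true'`, the helper's result is the only thing standing between an anonymous request and `wp_set_auth_cookie()`.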
9.8
CVE-2024-11120 - GeoVision EOL devices - OS Command Injection
Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related…