5.4
CVE-2024-10482 - Media Library Tools < 1.5.0 - Author+ Stored XSS via SVG
The Media File Rename, Find Unused File, Add Alt text, Caption, Desc For Image SEO WordPress plugin before 1.5.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
8.5
CVE-2024-7517 - Privileged escalation via crafted use of portcfg command
A command injection vulnerability in Brocade Fabric OS before 9.2.0c, and 9.2.1 through 9.2.1a on IP extension platforms could allow a local authenticated attacker to perform a privileged escalation via crafted use of the portcfg command. This specific exploitation is only possible on IP Extension…
5.9
CVE-2024-10403 - SFTP/FTP password could be captured in plain text in Supportsave generated from SANnav
Brocade Fabric OS versions before 8.2.3e2, versions 9.0.0 through 9.2.0c, and 9.2.1 through 9.2.1a can capture the SFTP/FTP server password used for a firmware download operation initiated by SANnav or through WebEM in a weblinker core dump that is later captured via supportsave.
4.3
CVE-2024-10671 - Button Block – Get fully customizable & multi-functional buttons <= 1.1.4 - Authenticated (Contribu…
The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.4 via the [btn_block] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authe…
4.3
CVE-2024-11334 - My Contador lesr <= 2.0 - Missing Authorization to Unauthenticated User Registration CSV Export
The My Contador lesr plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportar_registros() function in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to export user data.
7.2
CVE-2024-10788 - Activity Log – Monitor & Record User Changes <= 2.11.1 - Unauthenticated Stored Cross-Site Scriptin…
The Activity Log – Monitor & Record User Changes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event parameters in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t…
4.3
CVE-2024-10782 - Theme Builder For Elementor <= 1.2.2 - Authenticated (Contributor+) Post Disclosure
The Theme Builder For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Con…
6.4
CVE-2024-11438 - StreamWeasels Online Status Bar <= 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
The StreamWeasels Online Status Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sw-status-bar' shortcode in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible…
4.3
CVE-2024-10528 - Ultimate Member <= 2.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Prof…
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all v…
6.1
CVE-2024-9371 - Branda – White Label & Branding, Custom Login Page Customizer <= 3.4.19 - Reflected Cross-Site Scri…
The Branda – White Label & Branding, Custom Login Page Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.19. This makes it possible for unauthenticated …