9.9
CVE-2024-8614 - WP JobSearch <= 2.6.7 - Authenticated (Subscriber+) Arbitrary File Upload
The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and including, 2.6.7. This makes it possible for authenticated attackers, with subscriber-level access and …
6.9
CVE-2024-52043 - User enumeration in HubHub
Generation of Error Message Containing Sensitive Information in HumHub GmbH & Co. KG - HumHub on Linux allows: Excavation (user enumeration). This issue affects all released HumHub versions: through 1.16.2.
5.3
CVE-2024-6626 - EleForms – All In One Form Integration including DB for Elementor <= 2.9.9.9 - Missing Authorization
The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several functions in all versions up to, and including, 2.9.9.9. This makes it possible for unauthenticated attackers to view …
8.1
CVE-2024-9946 - Social Share, Social Login and Social Comments Plugin – Super Socializer <= 7.13.68 - Authenticatio…
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.13.68. This is due to insufficient verification on the user being returned by the social login token. This makes it possib…
4.3
CVE-2024-10543 - Tumult Hype Animations <= 1.9.14 - Missing Authorization
The Tumult Hype Animations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hypeanimations_getcontent function in all versions up to, and including, 1.9.14. This makes it possible for authenticated attackers, with Subscriber-level access and…
8.1
CVE-2024-10020 - Heateor Social Login WordPress <= 1.1.35 - Authentication Bypass via Disqus OAuth provider
The Heateor Social Login WordPress plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.1.35. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in …
5.3
CVE-2024-10535 - Video Gallery for WooCommerce <= 1.31 - Missing Authorization to Unauthenticated Limited File Delet…
The Video Gallery for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the remove_unused_thumbnails() function in all versions up to, and including, 1.31. This makes it possible for unauthenticated attackers to delete thumbnail…
9.9
CVE-2024-9307 - mFolio Lite <= 1.2.1 - Missing Authorization to Authenticated (Author+) File Upload via EXE and SVG…
The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenev…
6.3
CVE-2024-9902 - Ansible-core: ansible-core user may read/write unauthorized content
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unpr…
6.1
CVE-2024-9934 - Wp-ImageZoom <= 1.1.0 - Reflected XSS
The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.