• New Page 1

    RSSFacebookInstagramTwitterYouTubeYouTubeYouTubeYouTubeYouTubeYouTubeYouTube  

    AGÊNCIA JF | Social - Repositório

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024)

por | |

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with >=1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024, researchers can earn up to $31,200, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 184 vulnerabilities disclosed in 162 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 71 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 18,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • Wechat Social login <= 1.3.0 – Authentication Bypass
  • Wechat Social login <= 1.3.0 – Unauthenticated Arbitrary File Upload
  • Echo RSS Feed Post Generator <= 5.4.6 – Unauthenticated Privilege Escalation
  • WordPress & WooCommerce Affiliate Program <= 8.4.1 – Authentication Bypass to Account Takeover and Privilege Escalation
  • WAF-RULE-748 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-749 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-750 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-752 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 144
Unpatched 40

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 2
Medium Severity 136
High Severity 23
Critical Severity 23

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 95
Missing Authorization 25
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 15
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 14
Cross-Site Request Forgery (CSRF) 7
Exposure of Sensitive Information to an Unauthorized Actor 6
Authorization Bypass Through User-Controlled Key 4
Deserialization of Untrusted Data 4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 4
Unrestricted Upload of File with Dangerous Type 3
Authentication Bypass Using an Alternate Path or Channel 2
Improper Control of Generation of Code (‘Code Injection’) 2
Exposure of Sensitive Information Through Metadata 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 1
Unverified Password Change 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities

Francesco Carlucci

19

vgo0

12

tahu.datar

11

João Pedro Soares de Alcântara

10

wesley (wcraft)

8

Le Ngoc Anh

5

SOPROBRO

5

Krzysztof Zając

5

Lucio Sá

5

Peter Thaleikis

5

stealthcopter

5

Trương Hữu Phúc (truonghuuphuc)

5

Abdi Pranata

4

Robert DeVore

4

zer0gh0st

3

Webbernaut

3

Hakiduck

3

Bonds

3

TANG Cheuk Hei (siunam)

3

Joshua Chan

3

Jorge Diaz (ddiax)

3

Dmitrii Ignatyev

3

Khalid Yusuf

2

Ankit Patel

2

Michelle Porter

2

Dimas Maulana

2

Mika

2

jsjp

2

Rafie Muhammad

2

Karl Emil Nikka

2

Certus Cybersecurity

2

Sharanabasappa

2

hunter85

2

Islam Rafei (Zika)

1

Jonas Benjamin Friedli

1

Muhammad Adel (ItsFadinG)

1

Rein Daelman (trein)

1

Joel Indra

1

Ivan Kuzymchak

1

mohamed hamadou (ZoeniX)

1

akas wisnu aji

1

Manab Jyoti Dowarah

1

Jorgson

1

Tonn

1

Lesor101

1

Leo

1

Guru Raghav Saravanan (SGR)

1

Majed Refaea

1

GoatSniff

1

Rasoul Jahanshahi

1

ardias

1

Jonas Höbenreich

1

Dmitry Derr

1

Thies Lukas

1

Phill Sav (Savphill)

1

theviper17y

1

emad

1

Brian Sans-Souci (liardom)

1

ghsinfosec

1

h0j3n

1

István Márton

1

cuokon

1

Amandeep Singh Banga

1

Michael

1

shaman0x01

1

Geo Void

1

Nguyễn Trung Kiên

1

Foxyyy

1

LVT-tholv2k

1

rezaduty

1

bugcraftx

1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
012 Ps Multi Languages 012-ps-multi-languages
ABC APP CREATOR abcapp-creator
Absolute Reviews absolute-reviews
Accordion accordions
Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads quick-adsense-reloaded
Advanced File Manager file-manager-advanced
AnWP Football Leagues football-leagues-by-anwppro
Appointment & Event Booking Calendar Plugin – Webba Booking webba-booking-lite
ARI Fancy Lightbox – Popup for WordPress ari-fancy-lightbox
BA Book Everything ba-book-everything
Beam me up Scotty – Back to Top Button beam-me-up-scotty
Beaver Builder – WordPress Page Builder beaver-builder-lite-version
Bold Page Builder bold-page-builder
Bulk NoIndex & NoFollow Toolkit bulk-noindex-nofollow-toolkit-by-mad-fish
Category Dropdown by GCS Design wp-category-dropdown
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More charitable
Charity Addon for Elementor charity-addon-for-elementor
Chartify – WordPress Chart Plugin chart-builder
Checkout Mestres do WP for WooCommerce checkout-mestres-wp
Cities Shipping Zones for WooCommerce cities-shipping-zones-for-woocommerce
Classic Editor and Classic Widgets classic-editor-and-classic-widgets
ClickSold IDX clicksold-wordpress-plugin
Common Tools for Site common-tools-for-site
Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App peepso-core
Confetti Fall Animation confetti-fall-animation
Contact Form 7 Campaign Monitor Extension contact-form-7-campaign-monitor-extension
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder bit-form
Contact Form to Any API contact-form-to-any-api
Crowdsignal Dashboard – Polls, Surveys & more polldaddy
CSS JS Files css-js-files
CubeWP Forms – All-in-One Form Builder cubewp-forms
Daily Prayer Time daily-prayer-time-for-mosques
Directory Listings WordPress plugin – uListing ulisting
Download Manager download-manager
Download Monitor download-monitor
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy easy-digital-downloads
Easy Mega Menu Plugin for WordPress – ThemeHunk themehunk-megamenu-plus
Easy PayPal Events easy-paypal-events-tickets
Elementor Addons by Livemesh addons-for-elementor
ElementsKit Elementor addons elementskit-lite
ElementsReady Addons for Elementor element-ready-lite
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce email-subscribers
EU/UK VAT Manager for WooCommerce eu-vat-for-woocommerce
Event Manager, Events Calendar, Tickets, Registrations – Eventin wp-event-solution
Fluent Support – Helpdesk & Customer Support Ticket System fluent-support
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder form-maker
Garden Gnome Package garden-gnome-package
GEO my WP geo-my-wp
GF Custom Style gf-custom-style
GiveWP – Donation Plugin and Fundraising Platform give
Graphicsly – The ultimate graphics plugin for WordPress website builder ( Gutenberg, Elementor, Beaver Builder, WPBakery ) graphicsly
GTM Server Side gtm-server-side
Gum Elementor Addon gum-elementor-addon
GutenGeek Free Gutenberg Blocks for WordPress gtg-advanced-blocks
Happy Addons for Elementor happy-elementor-addons
HT Mega – Absolute Addons For Elementor ht-mega-for-elementor
HUSKY – Products Filter Professional for WooCommerce woocommerce-products-filter
IdeaPush ideapush
Instant Chat Floating Button for WordPress Websites instant-chat-wp
JoomSport – for Sports: Team & League, Football, Hockey & more joomsport-sports-league-results-management
Joy Of Text Lite – SMS messaging for WordPress. joy-of-text
Jupiter X Core jupiterx-core
king_IE king-ie
Kodex Posts likes kodex-posts-likes
Koko Analytics koko-analytics
LatePoint Plugin latepoint
LiteSpeed Cache litespeed-cache
Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider WordPress Plugin logo-slider-wp
Loops & Logic tangible-loops-and-logic
Mail logging – WP Mail Catcher wp-mail-catcher
Mapplic Lite mapplic-lite
MAS Static Content mas-static-content
Material Design Icons material-design-icons
MDTF – Meta Data and Taxonomies Filter wp-meta-data-filter-and-taxonomy-filter
Medical Addon for Elementor medical-addon-for-elementor
Mega Elements – Addons for Elementor mega-elements-addons-for-elementor
Meta Slider and Carousel with Lightbox meta-slider-and-carousel-with-lightbox
MH Board mh-board
Move Addons for Elementor move-addons
Multi Step for Contact Form 7 cf7-multi-step
Multiple Page Generator Plugin – MPG multiple-pages-generator-by-porthas
Multipurpose Ticket Booking Manager (Bus/Train/Ferry/Boat/Shuttle) | WpTicketly bus-booking-manager
myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification mycred
Newsletters newsletters-lite
NiceJob nicejob
Ninja Forms – The Contact Form Builder That Grows With You ninja-forms
OneElements – Best Elementor Addons oneelements-ultimate-addons-for-elementor
OSM – OpenStreetMap osm
Photo Gallery by 10Web – Mobile-Friendly Image Gallery photo-gallery
Pixel Cat – Conversion Pixel Manager facebook-conversion-pixel
Podiant podiant
Polls CP cp-polls
Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin mailoptin
Post Grid and Gutenberg Blocks post-grid
Premium Addons for Elementor premium-addons-for-elementor
Premium Packages – Sell Digital Products Securely wpdm-premium-packages
Primary Addon for Elementor primary-addon-for-elementor
Prisna GWT – Google Website Translator google-website-translator
Product Enquiry for WooCommerce, WooCommerce product catalog enquiry-quotation-for-woocommerce
ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities
PWA for WP & AMP pwa-for-wp
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress radio-player
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit wp-marketing-automations
REST API TO MiniProgram rest-api-to-miniprogram
Restaurant & Cafe Addon for Elementor restaurant-cafe-addon-for-elementor
Review & testimonial widgets trustmary
Revolut Gateway for WooCommerce revolut-gateway-for-woocommerce
Salon Booking System salon-booking-system
Secure Copy Content Protection and Content Locking secure-copy-content-protection
Seriously Simple Stats seriously-simple-stats
Share This Image share-this-image
ShiftController Employee Shift Scheduling shiftcontroller
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) woolentor-addons
Sight – Professional Image Gallery and Portfolio sight
Simple Calendar – Google Calendar Plugin google-calendar-events
Simple LDAP Login simple-ldap-login
Simple Popup Plugin simple-popup-plugin
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs) sky-elementor-addons
Special Text Boxes wp-special-textboxes
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table. wpgsi
Starter Templates — Elementor, WordPress & Beaver Builder Templates astra-sites
Store Hours for WooCommerce order-hours-scheduler-for-woocommerce
Sunshine Photo Cart: Free Client Photo Galleries for Photographers sunshine-photo-cart
Super Testimonials sola-testimonials
Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud! templately
Terms descriptions terms-descriptions
Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam bck-tu-dong-xac-nhan-thanh-toan-chuyen-khoan-ngan-hang
The Events Calendar the-events-calendar
Themedy Toolbox themedy-toolbox
Themesflat Addons For Elementor themesflat-addons-for-elementor
Themify – WooCommerce Product Filter themify-wc-product-filter
Truepush – Most Affordable Web Push Notifications truepush-free-web-push-notifications
Uncanny Groups for LearnDash uncanny-learndash-groups
Use Any Font | Custom Font Uploader use-any-font
UsersControl – Users Profile, Free or Paid Subscriptions, User Access Restriction & Members Directory users-control
Vmax Project Manager vmax-project-manager
VR Calendar vr-calendar-sync
W3 Total Cache w3-total-cache
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible wc-frontend-manager
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode coming-soon
Wheel of Life: Coaching and Assessment Tool for Life Coach wheel-of-life
WooEvents – Calendar and Event Booking woo-events
WordPress Simple HTML Sitemap wp-simple-html-sitemap
WordPress Visitors nm-visitors
WP Abstracts wp-abstracts-manuscripts-manager
WP Datepicker wp-datepicker
WP Easy Gallery – WordPress Gallery Plugin wp-easy-gallery
WP Free SSL – Free SSL Certificate for WordPress and force HTTPS wp-free-ssl
WP GPX Maps wp-gpx-maps
WP MultiTasking – WP Utilities wp-multitasking
WP Newsletter Subscription wp-newsletter-subscription
WP Ticket Ultra Help Desk & Support Plugin wp-ticket-ultra
WP Timeline – Vertical and Horizontal timeline plugin wp-timelines
WP Travel – Ultimate Travel Booking System, Tour Management Engine wp-travel
WP-DownloadManager wp-downloadmanager
WP-WebAuthn wp-webauthn
WPExperts Square For GiveWP wpexperts-square-for-give
WPSPX wpspx
WPZOOM Shortcodes wpzoom-shortcodes
WS Form LITE – Drag & Drop Contact Form Builder for WordPress ws-form
XT Ajax Add To Cart for WooCommerce xt-woo-ajax-add-to-cart
Zoho Flow for WordPress zoho-flow

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Catch Base catch-base
Viala viala

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

GiveWP – Donation Plugin and Fundraising Platform <= 3.16.1 – Unauthenticated PHP Object Injection

10.0

CVSS Rating
Critical (10.0)
CVE-ID
CVE-2024-8353
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
GiveWP – Donation Plugin and Fundraising Platform
Researcher

cuokon

More Details >

Daily Prayer Time <= 2024.08.26 – Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)
CVE-ID
CVE-2024-8621
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Daily Prayer Time
Researcher

Krzysztof Zając

More Details >

MDTF – Meta Data and Taxonomies Filter <= 1.3.3.3 – Authenticated (Contributor+) SQL Injection

9.9

CVSS Rating
Critical (9.9)
CVE-ID
CVE-2024-8624
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
MDTF – Meta Data and Taxonomies Filter
Researcher

Krzysztof Zając

More Details >

WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 – Authenticated (Subscriber+) SQL Injection

9.9

CVSS Rating
Critical (9.9)
CVE-ID
CVE-2024-8436
Patch Status
Unpatched
Published
Sep 23, 2024

Affected Software
WP Easy Gallery – WordPress Gallery Plugin
Researcher

Lucio Sá

More Details >

ABCApp Creator <= 1.1.2 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44023
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
ABC APP CREATOR
Researcher

tahu.datar

More Details >

Contact Form 7 Campaign Monitor Extension <= 0.4.67 – Missing Authorization to Unauthenticated Arbitrary File Deletion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44019
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Contact Form 7 Campaign Monitor Extension
Researcher

Abdi Pranata

More Details >

Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress <= 1.8.1.14 – Insecure Direct Object Reference to Account Takeover and Privilege Escalation

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-8791
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More
Researcher

wesley (wcraft)

More Details >

Instant Chat Floating Button for WordPress Websites <= 1.0.5 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44018
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Instant Chat Floating Button for WordPress Websites
Researcher

tahu.datar

More Details >

LatePoint <= 5.0.12 – Authentication Bypass

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-8943
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
LatePoint Plugin
Researcher

István Márton

More Details >

MH Board <= 1.3.2.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44017
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
MH Board
Researcher

tahu.datar

More Details >

Podiant <= 1.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44016
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Podiant
Researcher

tahu.datar

More Details >

REST API TO MiniProgram <= 4.7.1 – Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-8485
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
REST API TO MiniProgram
Researcher

wesley (wcraft)

More Details >

The Events Calendar <= 6.6.4 – Unauthenticated SQL Injection

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-8275
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
The Events Calendar
Researcher

Foxyyy

More Details >

Users Control <= 1.0.16 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44015
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
UsersControl – Users Profile, Free or Paid Subscriptions, User Access Restriction & Members Directory
Researcher

tahu.datar

More Details >

Vmax Project Manager <= 1.0 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44014
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Vmax Project Manager
Researcher

tahu.datar

More Details >

VR Calendar <= 2.4.4 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44013
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
VR Calendar
Researcher

tahu.datar

More Details >

WP Newsletter Subscription <= 1.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44012
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
WP Newsletter Subscription
Researcher

tahu.datar

More Details >

WP Ticket Ultra Help Desk & Support Plugin <= 1.0.5 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44011
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
WP Ticket Ultra Help Desk & Support Plugin
Researcher

tahu.datar

More Details >

WP Timeline – Vertical and Horizontal timeline plugin <= 3.6.7 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-47323
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
WP Timeline – Vertical and Horizontal timeline plugin
Researcher

Bonds

More Details >

WPSPX <= 1.0.2 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-44034
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
WPSPX
Researcher

tahu.datar

More Details >

Prisna GWT – Google Website Translator <= 1.4.11 – Authenticated (Admin+) PHP Object Injection

9.1

CVSS Rating
Critical (9.1)
CVE-ID
CVE-2024-8514
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Prisna GWT – Google Website Translator
Researcher

Lesor101

More Details >

WooEvents <= 4.1.2 – Unauthenticated Arbitrary File Overwrite

9.1

CVSS Rating
Critical (9.1)
CVE-ID
CVE-2024-8671
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
WooEvents – Calendar and Event Booking
Researcher

Tonn

More Details >

WordPress Simple HTML Sitemap <= 3.1 – Authenticated (Admin+) SQL Injection

9.1

CVSS Rating
Critical (9.1)
CVE-ID
CVE-2024-7385
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
WordPress Simple HTML Sitemap
Researcher

Nguyễn Trung Kiên

More Details >

BA Book Everything <= 1.6.20 – Cross-Site Request Forgery to Email Address Update/Account Takeover

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-8795
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
BA Book Everything
Researcher

wesley (wcraft)

More Details >

Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.8 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-7149
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Event Manager, Events Calendar, Tickets, Registrations – Eventin
Researcher

stealthcopter

More Details >

Product Enquiry for WooCommerce <= 2.2.33.33 – Authenticated (Author+) PHP Object Injection in enquiry_detail.php

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-8922
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Product Enquiry for WooCommerce, WooCommerce product catalog
Researcher

Francesco Carlucci

More Details >

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.12 – Insecure Direct Object Reference to Account Takeover/Privilege Escalation

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-8290
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible
Researcher

wesley (wcraft)

More Details >

WP Timeline – Vertical and Horizontal timeline plugin <= 3.6.7 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2024-47324
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
WP Timeline – Vertical and Horizontal timeline plugin
Researcher

Bonds

More Details >

Jupiter X Core <= 4.7.5 – Limited Unauthenticated Authentication Bypass to Account Takeover

8.1

CVSS Rating
High (8.1)
CVE-ID
CVE-2024-7781
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Jupiter X Core
Researcher

Geo Void

More Details >

Advanced File Manager <= 5.2.8 – Authenticated (Subscriber+) Arbitrary File Upload

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2024-8126
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Advanced File Manager
Researcher

TANG Cheuk Hei (siunam)

More Details >

Multi Step for Contact Form <= 2.7.7 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2024-47331
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Multi Step for Contact Form 7
Researcher

Hakiduck

More Details >

REST API TO MiniProgram <= 4.7.1 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2024-8484
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
REST API TO MiniProgram
Researcher

wesley (wcraft)

More Details >

MDTF – Meta Data and Taxonomies Filter <= 1.3.3.3 – Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)
CVE-ID
CVE-2024-8623
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
MDTF – Meta Data and Taxonomies Filter
Researcher

Krzysztof Zając

More Details >

Special Text Boxes <= 6.2.4 – Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)
CVE-ID
CVE-2024-8481
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Special Text Boxes
Researcher

Francesco Carlucci

More Details >

Advanced File Manager <= 5.2.8 – Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-8704
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Advanced File Manager
Researcher

TANG Cheuk Hei (siunam)

More Details >

Bit Form – Contact Form Plugin <= 2.13.10 – Authenticated (Administrator+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-47319
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Researcher

Certus Cybersecurity

More Details >

Bit Form – Contact Form Plugin <= 2.13.10 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-47301
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Researcher

Manab Jyoti Dowarah

More Details >

Checkout Mestres WP <= 8.6 – Authenticated (Admin+) Local File Inclusion

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-44030
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Checkout Mestres do WP for WooCommerce
Researcher

tahu.datar

More Details >

Cities Shipping Zones for WooCommerce <= 1.2.7 – Authenticated (Shop Manager+) Local File Inclusion

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-47309
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Cities Shipping Zones for WooCommerce
Researcher

h0j3n

More Details >

Contact Form to Any API <= 1.2.4 – Unauthenticated Stored Cross-Site Scripting via Contact Form

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-7617
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Contact Form to Any API
Researcher

Jorgson

More Details >

CubeWP Forms – All-in-One Form Builder <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-47300
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
CubeWP Forms – All-in-One Form Builder
Researcher

hunter85

More Details >

Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 3.3.3 – Authenticated (Admin+) PHAR Deserialization

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2022-2439
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy
Researcher

Rasoul Jahanshahi

More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 3.16.1 – Authenticated (GiveWP Manager+) SQL Injection via order Parameter

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-9130
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
GiveWP – Donation Plugin and Fundraising Platform
Researcher

Leo

More Details >

Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam <= 2.0.1 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-8914
Patch Status
Unpatched
Published
Sep 23, 2024

Affected Software
Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam
Researcher

Francesco Carlucci

More Details >

Uncanny Groups for LearnDash <= 6.1.0.1 – Authenticated (Group Leader+) Privilege Escalation

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-8349
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Uncanny Groups for LearnDash
Researcher

Karl Emil Nikka

More Details >

WordPress Visitors <= 1.0 – Unauthenticated Stored Cross-Site Scripting via HTTP Header

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2022-4541
Patch Status
Unpatched
Published
Sep 25, 2024

Affected Software
WordPress Visitors
Researcher

rezaduty

More Details >

Advanced File Manager <= 5.2.8 – Authenticated (Subscriber+) Limited File Upload

6.8

CVSS Rating
Medium (6.8)
CVE-ID
CVE-2024-8725
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Advanced File Manager
Researcher

TANG Cheuk Hei (siunam)

More Details >

Classic Editor and Classic Widgets <= 1.4.1 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-47312
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Classic Editor and Classic Widgets
Researcher

Hakiduck

More Details >

Fluent Support <= 1.8.0 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-47304
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Fluent Support – Helpdesk & Customer Support Ticket System
Researcher

Khalid Yusuf

More Details >

Multiple Page Generator Plugin – MPG <= 3.4.7 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-47325
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Multiple Page Generator Plugin – MPG
Researcher

LVT-tholv2k

More Details >

012 PS Multi Languages <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8723
Patch Status
Unpatched
Published
Sep 25, 2024

Affected Software
012 Ps Multi Languages
Researcher

mohamed hamadou (ZoeniX)

More Details >

Absolute Reviews <= 1.1.3 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Criteria Name

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8965
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Absolute Reviews
Researcher

Muhammad Adel (ItsFadinG)

More Details >

Accordion <= 2.2.99 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47342
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Accordion
Researcher

Robert DeVore

More Details >

AnWP Football Leagues <= 0.16.7 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8917
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
AnWP Football Leagues
Researcher

Francesco Carlucci

More Details >

ARI Fancy Lightbox <= 1.3.17 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47310
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
ARI Fancy Lightbox – Popup for WordPress
Researcher

Robert DeVore

More Details >

Beaver Builder – WordPress Page Builder <= 2.8.3.6 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Button Group Module

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9049
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Beaver Builder – WordPress Page Builder
Researcher

zer0gh0st

More Details >

Bold Page Builder <= 5.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47298
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Bold Page Builder
Researcher

stealthcopter

More Details >

Catch Base <= 3.4.6 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47313
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Catch Base
Researcher

Michael

More Details >

Charity Addon for Elementor <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-44026
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Charity Addon for Elementor
Researcher

João Pedro Soares de Alcântara

More Details >

Common Tools for Site <= 1.0.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9115
Patch Status
Unpatched
Published
Sep 25, 2024

Affected Software
Common Tools for Site
Researcher

Francesco Carlucci

More Details >

Confetti Fall Animation <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via confetti-fall-animation Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8919
Patch Status
Unpatched
Published
Sep 23, 2024

Affected Software
Confetti Fall Animation
Researcher

Peter Thaleikis

More Details >

Elementor Addons by Livemesh <= 8.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via piechart_settings Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8858
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Elementor Addons by Livemesh
Researcher

stealthcopter

More Details >

ElementsKit Elementor addons <= 3.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Video Widget

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8546
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
ElementsKit Elementor addons
Researcher

zer0gh0st

More Details >

ElementsReady Addons for Elementor <= 6.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47329
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
ElementsReady Addons for Elementor
Researcher

João Pedro Soares de Alcântara

More Details >

Garden Gnome Package <= 2.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8657
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Garden Gnome Package
Researcher

Rein Daelman (trein)

More Details >

GF Custom Style <= 2.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9173
Patch Status
Unpatched
Published
Sep 25, 2024

Affected Software
GF Custom Style
Researcher

Francesco Carlucci

More Details >

Graphicsly – The ultimate graphics plugin for WordPress website builder ( Gutenberg, Elementor, Beaver Builder, WPBakery ) <= 1.0.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9069
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Graphicsly – The ultimate graphics plugin for WordPress website builder ( Gutenberg, Elementor, Beaver Builder, WPBakery )
Researcher

Francesco Carlucci

More Details >

Gum Elementor Addon <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-44027
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Gum Elementor Addon
Researcher

João Pedro Soares de Alcântara

More Details >

Gum Elementor Addon <= 1.3.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-44035
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Gum Elementor Addon
Researcher

ghsinfosec

More Details >

GutenGeek Free Gutenberg Blocks for WordPress <= 1.1.3 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9073
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
GutenGeek Free Gutenberg Blocks for WordPress
Researcher

Francesco Carlucci

More Details >

king_IE <= 1.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9125
Patch Status
Unpatched
Published
Sep 25, 2024

Affected Software
king_IE
Researcher

Francesco Carlucci

More Details >

Logo Slider <= 4.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-5429
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider WordPress Plugin
Researcher

Dmitrii Ignatyev

More Details >

Mapplic Lite <= 1.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9117
Patch Status
Unpatched
Published
Sep 25, 2024

Affected Software
Mapplic Lite
Researcher

Francesco Carlucci

More Details >

Material Design Icons <= 0.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via mdi-icon Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9024
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Material Design Icons
Researcher

Brian Sans-Souci (liardom)

More Details >

Medical Addon for Elementor <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-44024
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Medical Addon for Elementor
Researcher

João Pedro Soares de Alcântara

More Details >

Mega Elements <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47343
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Mega Elements – Addons for Elementor
Researcher

João Pedro Soares de Alcântara

More Details >

Meta slider and carousel with lightbox <= 2.0.1 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47307
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Meta Slider and Carousel with Lightbox
Researcher

Robert DeVore

More Details >

Move Addons for Elementor <= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47396
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Move Addons for Elementor
Researcher

GoatSniff

More Details >

NiceJob <= 3.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-44025
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
NiceJob
Researcher

stealthcopter

More Details >

OneElements – Best Elementor Addons <= 1.3.7 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9068
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
OneElements – Best Elementor Addons
Researcher

Francesco Carlucci

More Details >

OSM <= 6.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8991
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
OSM – OpenStreetMap
Researcher

Peter Thaleikis

More Details >

Post Grid and Gutenberg Blocks <= 2.2.89 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47340
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Post Grid and Gutenberg Blocks
Researcher

João Pedro Soares de Alcântara

More Details >

Premium Addons for Elementor <= 4.10.52 – Authenticated (Contributor+) Stored Cross-Site Scripting via Media Grid Widget

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8681
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Premium Addons for Elementor
Researcher

zer0gh0st

More Details >

Primary Addon for Elementor <= 1.5.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-44033
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Primary Addon for Elementor
Researcher

João Pedro Soares de Alcântara

More Details >

ProfileGrid – User Profiles, Groups and Communities <= 5.9.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8861
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher

Francesco Carlucci

More Details >

Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress <= 2.0.78 – Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8267
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress
Researcher

Francesco Carlucci

More Details >

Restaurant & Cafe Addon for Elementor <= 1.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-44032
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Restaurant & Cafe Addon for Elementor
Researcher

João Pedro Soares de Alcântara

More Details >

Review & testimonial widgets <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-44022
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Review & testimonial widgets
Researcher

theviper17y

More Details >

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) <= 2.9.7 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8668
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)
Researcher

Webbernaut

More Details >

Simple Popup Plugin <= 4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8547
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Simple Popup Plugin
Researcher

Krzysztof Zając

More Details >

Sky Addons for Elementor <= 2.5.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47332
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs)
Researcher

João Pedro Soares de Alcântara

More Details >

Starter Templates <= 4.4.0 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-47345
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Starter Templates — Elementor, WordPress & Beaver Builder Templates
Researcher

wesley (wcraft)

More Details >

Super Testimonials <= 3.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9127
Patch Status
Unpatched
Published
Sep 25, 2024

Affected Software
Super Testimonials
Researcher

Francesco Carlucci

More Details >

Themedy Toolbox <= 1.0.15 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9177
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Themedy Toolbox
Researcher

Francesco Carlucci

More Details >

Themesflat Addons For Elementor <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8515
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Themesflat Addons For Elementor
Researcher

Webbernaut

More Details >

WP Category Dropdown <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-8103
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Category Dropdown by GCS Design
Researcher

Francesco Carlucci

More Details >

WP GPX Maps <= 1.7.08 – Authenticated (Contributor+) Stored Cross-Site Scripting via sgpx Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9028
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
WP GPX Maps
Researcher

Peter Thaleikis

More Details >

WP-WebAuthn <= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via wwa_login_form Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9023
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
WP-WebAuthn
Researcher

Peter Thaleikis

More Details >

WPZOOM Shortcodes <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via box Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-9027
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
WPZOOM Shortcodes
Researcher

Peter Thaleikis

More Details >

Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table. <= 3.8.0 – Missing Authorization to Authenticated (Subscriber+) Settings Update

6.3

CVSS Rating
Medium (6.3)
CVE-ID
CVE-2024-6590
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
Researcher

Lucio Sá

More Details >

Beam me up Scotty – Back to Top Button <= 1.0.21 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8741
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Beam me up Scotty – Back to Top Button
Researcher

vgo0

More Details >

Bulk NoIndex & NoFollow Toolkit <= 2.15 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8803
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Bulk NoIndex & NoFollow Toolkit
Researcher

vgo0

More Details >

Chartify <= 2.7.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47347
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Chartify – WordPress Chart Plugin
Researcher

Le Ngoc Anh

More Details >

CP Polls <= 1.0.74 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47297
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Polls CP
Researcher

ardias

More Details >

EU/UK VAT Manager for WooCommerce <= 2.12.12 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8788
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
EU/UK VAT Manager for WooCommerce
Researcher

vgo0

More Details >

GEO my WordPress <= 4.5.0.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47327
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
GEO my WP
Researcher

Le Ngoc Anh

More Details >

GTM Server Side <= 2.1.19 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8712
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
GTM Server Side
Researcher

vgo0

More Details >

Kodex Posts likes <= 2.5.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8713
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Kodex Posts likes
Researcher

vgo0

More Details >

Koko Analytics <= 1.3.12 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8662
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Koko Analytics
Researcher

vgo0

More Details >

Loops & Logic <= 4.1.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47333
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Loops & Logic
Researcher

Dimas Maulana

More Details >

Newsletters <= 4.9.9.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47346
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Newsletters
Researcher

Le Ngoc Anh

More Details >

NiceJob <= 3.6.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-44028
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
NiceJob
Researcher

SOPROBRO

More Details >

Pixel Cat – Conversion Pixel Manager <= 3.0.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8544
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Pixel Cat – Conversion Pixel Manager
Researcher

vgo0

More Details >

Secure Copy Content Protection and Content Locking <= 4.2.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47306
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Secure Copy Content Protection and Content Locking
Researcher

Hakiduck

More Details >

Seriously Simple Stats <= 1.6.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8738
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Seriously Simple Stats
Researcher

vgo0

More Details >

Share This Image <= 2.01 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47326
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Share This Image
Researcher

Dimas Maulana

More Details >

Simple Calendar – Google Calendar Plugin <= 3.4.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8549
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Simple Calendar – Google Calendar Plugin
Researcher

vgo0

More Details >

Simple LDAP Login <= 1.6.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8715
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Simple LDAP Login
Researcher

vgo0

More Details >

Store Hours for WooCommerce <= 4.3.20 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8872
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Store Hours for WooCommerce
Researcher

vgo0

More Details >

Viala <= 1.3.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-44029
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Viala
Researcher

akas wisnu aji

More Details >

WP Mail Catcher <= 2.1.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47339
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Mail logging – WP Mail Catcher
Researcher

Le Ngoc Anh

More Details >

WP Timeline – Vertical and Horizontal timeline plugin <= 3.6.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47322
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
WP Timeline – Vertical and Horizontal timeline plugin
Researcher

Bonds

More Details >

WP-DownloadManager <= 1.68.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47341
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
WP-DownloadManager
Researcher

Le Ngoc Anh

More Details >

WS Form LITE <= 1.9.238 – Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-47320
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Researcher

Phill Sav (Savphill)

More Details >

XT Ajax Add To Cart for WooCommerce <= 1.1.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8716
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
XT Ajax Add To Cart for WooCommerce
Researcher

vgo0

More Details >

Form Maker <= 1.15.27 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-8633
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Researcher

Joel Indra

More Details >

litespeed cache <= 6.4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-9169
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
LiteSpeed Cache
Researcher

Islam Rafei (Zika)

More Details >

Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin <= 1.2.70.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-8628
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin
Researcher

Francesco Carlucci

More Details >

BA Book Everything <= 1.6.20 – Unauthenticated Arbitrary User Password Reset

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-8794
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
BA Book Everything
Researcher

wesley (wcraft)

More Details >

Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.6.0 – Unauthenticated Full Path Disclosure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7426
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App
Researcher

stealthcopter

More Details >

EU/UK VAT Manager for WooCommerce <= 2.12.12 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-9189
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
EU/UK VAT Manager for WooCommerce
Researcher

Francesco Carlucci

More Details >

Fluent Support <= 1.8.0 – Insufficient Authorization on Email Verification

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-47302
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Fluent Support – Helpdesk & Customer Support Ticket System
Researcher

Khalid Yusuf

More Details >

HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.1 – Insecure Direct Object Reference to Unsubscribe

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-7491
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
HUSKY – Products Filter Professional for WooCommerce
Researcher

shaman0x01

More Details >

myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification <= 2.7.3 – Missing Authorization to Unauthenticated Database Upgrade

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-8658
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification
Researcher

Mika

More Details >

Revolut Gateway for WooCommerce <= 4.17.3 – Missing Authorization to Unauthenticated Order Status Update

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-8678
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Revolut Gateway for WooCommerce
Researchers

Jonas Höbenreich
Dmitry Derr
Thies Lukas

More Details >

Sight – Professional Image Gallery and Portfolio <= 1.1.2 – Missing Authorization to Sensitive Information Exposure in handler_post_title

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-9025
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Sight – Professional Image Gallery and Portfolio
Researcher

Francesco Carlucci

More Details >

Sunshine Photo Cart <= 3.2.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-44038
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Researcher

Majed Refaea

More Details >

Templately <= 3.1.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-47308
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!
Researcher

Joshua Chan

More Details >

Truepush <= 1.0.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-44021
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Truepush – Most Affordable Web Push Notifications
Researcher

Abdi Pranata

More Details >

uListing <= 2.1.5 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-47344
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
Directory Listings WordPress plugin – uListing
Researcher

Joshua Chan

More Details >

Wheel of Life <= 1.1.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-47311
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Wheel of Life: Coaching and Assessment Tool for Life Coach
Researcher

hunter85

More Details >

Automation By Autonami <= 3.1.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-47328
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit
Researcher

SOPROBRO

More Details >

Bit Form – Contact Form Plugin <= 2.13.11 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-47335
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Researcher

Certus Cybersecurity

More Details >

CSS JS Files <= 1.5.0 – Authenticated (Admin+) Arbitrary File Read

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-9146
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
CSS JS Files
Researcher

jsjp

More Details >

WPExperts Square For GiveWP <= 1.3 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-47338
Patch Status
Unpatched
Published
Sep 26, 2024

Affected Software
WPExperts Square For GiveWP
Researcher

Jorge Diaz (ddiax)

More Details >

Zoho Flow for WordPress <= 2.8.0 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-47334
Patch Status
Patched
Published
Sep 26, 2024

Affected Software
Zoho Flow for WordPress
Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Ninja Forms Contact Form <= 3.8.15 – Reflected Self-Based Cross-Site Scripting via Referer

4.7

CVSS Rating
Medium (4.7)
CVE-ID
CVE-2024-3866
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Ninja Forms – The Contact Form Builder That Grows With You
Researcher

wesley (wcraft)

More Details >

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd <= 6.17.4 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-47299
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Researcher

João Pedro Soares de Alcântara

More Details >

Download Manager <= 3.2.98 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-8284
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Download Manager
Researcher

Dmitrii Ignatyev

More Details >

IdeaPush <= 8.66 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44041
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
IdeaPush
Researcher

SOPROBRO

More Details >

Kodex Posts likes <= 2.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44036
Patch Status
Unpatched
Published
Sep 23, 2024

Affected Software
Kodex Posts likes
Researcher

SOPROBRO

More Details >

Multipurpose Ticket Booking Manager <= 4.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44037
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Multipurpose Ticket Booking Manager (Bus/Train/Ferry/Boat/Shuttle) | WpTicketly
Researcher

Jorge Diaz (ddiax)

More Details >

Photo Gallery by 10Web <= 1.8.27 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44043
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Researchers

Robert DeVore
Dmitrii Ignatyev

More Details >

ShiftController Employee Shift Scheduling <= 4.9.64 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44040
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
ShiftController Employee Shift Scheduling
Researcher

SOPROBRO

More Details >

Terms descriptions <= 3.4.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-47336
Patch Status
Unpatched
Published
Sep 26, 2024

Affected Software
Terms descriptions
Researcher

Jorge Diaz (ddiax)

More Details >

Themify – WooCommerce Product Filter <= 1.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44046
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Themify – WooCommerce Product Filter
Researcher

bugcraftx

More Details >

WordPress Clicksold IDX Plugin <= 1.90 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-7769
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
ClickSold IDX
Researcher

Amandeep Singh Banga

More Details >

WP Abstracts <= 2.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44045
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
WP Abstracts
Researcher

jsjp

More Details >

WP Datepicker <= 2.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44042
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
WP Datepicker
Researcher

Mika

More Details >

WP MultiTasking – WP Utilities <= 0.1.17 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-8189
Patch Status
Patched
Published
Sep 27, 2024

Affected Software
WP MultiTasking – WP Utilities
Researcher

Michelle Porter

More Details >

WP Travel <= 9.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-44039
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
WP Travel – Ultimate Travel Booking System, Tour Management Engine
Researcher

Sharanabasappa

More Details >

Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads <= 2.0.84 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-47317
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads
Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Appointment & Event Booking Calendar Plugin – Webba Booking <= 5.0.48 – Missing Authorization to Authenticated (Subscriber+) CSS Settings Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8432
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Appointment & Event Booking Calendar Plugin – Webba Booking
Researcher

Lucio Sá

More Details >

Crowdsignal Dashboard – Polls, Surveys & more <= 3.1.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-43338
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
Crowdsignal Dashboard – Polls, Surveys & more
Researcher

Rafie Muhammad

More Details >

Download Monitor <= 5.0.9 – Missing Authorization to Authenticated (Subscriber+) Shop Enable

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8552
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Download Monitor
Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.0.9 – Missing Authorization to Authenticated (Subscriber+) Settings Updates

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8434
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Easy Mega Menu Plugin for WordPress – ThemeHunk
Researcher

Lucio Sá

More Details >

Easy PayPal Events <= 1.2.1 – Cross-Site Request Forgery to Arbitrary Post Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8476
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Easy PayPal Events
Researcher

Krzysztof Zając

More Details >

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8771
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
Researcher

Michelle Porter

More Details >

GiveWP <= 3.15.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-47315
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
GiveWP – Donation Plugin and Fundraising Platform
Researcher

Joshua Chan

More Details >

Happy Addons for Elementor <= 3.12.2 – Authenticated (Contributor+) Sensitive Information Exposure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8801
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
Happy Addons for Elementor
Researcher

Ankit Patel

More Details >

HT Mega – Absolute Addons For Elementor <= 2.6.5 – Authenticated (Contributor+) Sensitive Information Exposure via template_id

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8910
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
HT Mega – Absolute Addons For Elementor
Researcher

Ankit Patel

More Details >

JoomSport <= 5.6.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-44031
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
JoomSport – for Sports: Team & League, Football, Hockey & more
Researcher

Abdi Pranata

More Details >

Joy Of Text Lite <= 2.3.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-47337
Patch Status
Unpatched
Published
Sep 26, 2024

Affected Software
Joy Of Text Lite – SMS messaging for WordPress.
Researcher

Guru Raghav Saravanan (SGR)

More Details >

MAS Static Content <= 1.0.8 – Authenticated (Contributor+) Private Static Content Page Disclosure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8483
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
MAS Static Content
Researcher

emad

More Details >

Premium Packages – Sell Digital Products Securely <= 5.9.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-7386
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Premium Packages – Sell Digital Products Securely
Researcher

Jonas Benjamin Friedli

More Details >

PWA for WP & AMP <= 1.7.72 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-47318
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
PWA for WP & AMP
Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Salon booking system <= 10.9 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-47316
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Salon Booking System
Researcher

Sharanabasappa

More Details >

Sunshine Photo Cart <= 3.2.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-47314
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Themesflat Addons For Elementor <= 2.2.1 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8516
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Themesflat Addons For Elementor
Researcher

Webbernaut

More Details >

Use Any Font <= 6.3.08 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-47305
Patch Status
Patched
Published
Sep 25, 2024

Affected Software
Use Any Font | Custom Font Uploader
Researcher

Rafie Muhammad

More Details >

WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 – Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8437
Patch Status
Unpatched
Published
Sep 23, 2024

Affected Software
WP Easy Gallery – WordPress Gallery Plugin
Researcher

Lucio Sá

More Details >

WP Free SSL – Free SSL Certificate for WordPress and force HTTPS <= 1.2.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-44020
Patch Status
Unpatched
Published
Sep 24, 2024

Affected Software
WP Free SSL – Free SSL Certificate for WordPress and force HTTPS
Researcher

Abdi Pranata

More Details >

W3 Total Cache <= 2.7.5 – Sensitive Credentials Stored in Plaintext

3.7

CVSS Rating
Low (3.7)
CVE-ID
CVE-2023-5359
Patch Status
Patched
Published
Sep 23, 2024

Affected Software
W3 Total Cache
Researcher

Ivan Kuzymchak

More Details >

Uncanny Groups for LearnDash <= 6.1.0.1 – Missing Authorization to Authenticated (Group Leader+) User Group Add

2.7

CVSS Rating
Low (2.7)
CVE-ID
CVE-2024-8350
Patch Status
Patched
Published
Sep 24, 2024

Affected Software
Uncanny Groups for LearnDash
Researcher

Karl Emil Nikka

More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) appeared first on Wordfence.

Adicionar aos favoritos o Link permanente.