Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)


🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024:

  • All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
  • Top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions
  • Pending report limits are increased for all
  • It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 223 vulnerabilities disclosed in 207 WordPress Plugins and 4 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 52 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Enterprises, hosting providers, and individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to pull a complete dump of our database of over 19,000 vulnerabilities, then use the webhook integration to stay on top of new vulnerabilities as they are added, as well as any updates to existing records, in real time, all for free.
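One practical use of a database dump is to diff it against the plugin inventory of the sites you run. The script below is an added example, not Wordfence code: it assumes a constructed feed layout (slug, affected-version constraint, patched flag) built from four entries in this week's report, and a constructed inventory of installed plugins; the real API export and your own inventory source (for instance the output of `wp plugin list --format=json`) will each need a small loader. The point it makes is the version-boundary semantics, "<=" versus "<", which is the difference between a site on Cooked Pro 1.8.0 being clean and one on GiveWP 3.16.3 being exposed, and that an unpatched entry has no version to update to, so the only mitigation is to deactivate or remove the plugin.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample feed built from entries in this week's report. The
# record layout (slug / affected / patched / ...) is an assumption for this
# example, NOT the Wordfence Intelligence API schema; adapt a loader to
# whatever shape your real export has.
SAMPLE_FEED: List[dict] = [
    {"slug": "giveaway-boost", "affected": "<= 2.1.4",
     "title": "Giveaway Boost <= 2.1.4 - Unauthenticated PHP Object Injection",
     "cve": "CVE-2024-49332", "cvss": 9.8, "patched": False},
    {"slug": "cooked-pro", "affected": "< 1.8.0",
     "title": "Cooked Pro < 1.8.0 - Unauthenticated Arbitrary File Upload",
     "cve": "CVE-2024-49291", "cvss": 9.8, "patched": True},
    {"slug": "give", "affected": "<= 3.16.3",
     "title": "GiveWP <= 3.16.3 - Unauthenticated PHP Object Injection to RCE",
     "cve": "CVE-2024-9634", "cvss": 9.8, "patched": True},
    {"slug": "time-clock", "affected": "<= 1.2.2",
     "title": "Time Clock <= 1.2.2 - Unauthenticated (Limited) RCE",
     "cve": "CVE-2024-9593", "cvss": 8.3, "patched": True},
]

# Only the two operators this report uses are supported.
_CONSTRAINT = re.compile(r"^\s*(<=|<)\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.16.3' / '1.8' / '2.1.4-beta' into a comparable tuple of ints.

    Trailing zeros are dropped so that 1.8 and 1.8.0 compare equal. A
    pre-release suffix is ignored, which treats 2.1.4-beta as 2.1.4; for
    vulnerability matching that errs on the side of flagging it.
    """
    core = re.split(r"[^0-9.]", text.strip().lstrip("vV"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, constraint: str) -> bool:
    """True if the installed version falls inside the affected range."""
    m = _CONSTRAINT.match(constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    inst = parse_version(installed)
    return inst <= bound if op == "<=" else inst < bound


def scan(installed: Dict[str, str], feed: List[dict]) -> List[dict]:
    """One finding per (installed plugin, feed entry) match, highest CVSS first."""
    findings = []
    for entry in feed:
        version = installed.get(entry["slug"])
        if version is not None and is_affected(version, entry["affected"]):
            findings.append({**entry, "installed": version})
    return sorted(findings, key=lambda f: -f["cvss"])


def triage(findings: List[dict]) -> Dict[str, List[str]]:
    """Split findings by remediation: a patched entry can be fixed by updating;
    an unpatched one has no safe version to move to, so the plugin has to be
    deactivated or removed until the vendor ships a fix."""
    plan: Dict[str, List[str]] = {"update": [], "remove_or_deactivate": []}
    for f in findings:
        plan["update" if f["patched"] else "remove_or_deactivate"].append(f["slug"])
    return plan


if __name__ == "__main__":
    # Constructed site inventory: slug -> installed version.
    site = {"cooked-pro": "1.8.0", "give": "3.16.3",
            "giveaway-boost": "2.1.4", "elementor": "3.25.0"}
    for f in scan(site, SAMPLE_FEED):
        print(f"{f['cve']} {f['cvss']} {f['slug']}=={f['installed']}  {f['title']}")
    print(triage(scan(site, SAMPLE_FEED)))
```

Run against the sample inventory it reports GiveWP (patched, so update) and Giveaway Boost (unpatched, so remove), and correctly leaves Cooked Pro 1.8.0 alone because that constraint is strict.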

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-756 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 97
Unpatched 126

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 152
High Severity 39
Critical Severity 32

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 100
Cross-Site Request Forgery (CSRF) 32
Unrestricted Upload of File with Dangerous Type 17
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 15
Missing Authorization 12
Deserialization of Untrusted Data 10
Exposure of Sensitive Information to an Unauthorized Actor 7
Improper Control of Generation of Code (‘Code Injection’) 5
Authentication Bypass Using an Alternate Path or Channel 4
Authorization Bypass Through User-Controlled Key 4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 4
Incorrect Privilege Assignment 4
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 3
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) 1
Improper Check or Handling of Exceptional Conditions 1
Improper Privilege Management 1
Reliance on Cookies without Validation and Integrity Checking in a Security Decision 1
Server-Side Request Forgery (SSRF) 1
Weak Password Recovery Mechanism for Forgotten Password 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
João Pedro Soares de Alcântara 24
stealthcopter 22
SOPROBRO 18
Francesco Carlucci 16
vgo0 13
István Márton 12
LVT-tholv2k 8
Khalid Yusuf 6
theviper17y 6
Mika 6
Peter Thaleikis 6
Trương Hữu Phúc (truonghuuphuc) 5
Robert DeVore 4
TANG Cheuk Hei (siunam) 4
wesley (wcraft) 4
Colin Xu 4
Rafie Muhammad 4
Le Ngoc Anh 4
Joshua Chan 4
akas wisnu aji 3
RE-ALTER 3
Gab 3
Muhammad Daffa 3
Marek Mikita 2
Jeewan Kumar Bhatta 2
Bilal Chawich (Duke) 2
Vijaysimha Reddy (vijaysimha) 2
ghsinfosec 2
Phill Sav (Savphill) 2
Nishiv 2
Hakiduck 2
Ala Arfaoui 1
Sharanabasappa 1
shaman0x01 1
C_T_R_L 1
Bikram Kharal 1
Noah Stead (TurtleBurg) 1
Nguyễn Trung Kiên 1
Tieu Pham Trong Nhan 1
Ananda Dhakal 1
Muhammad Adel (ItsFadinG) 1
Ankit Patel 1
Dimas Maulana 1
kayge 1
Duc Luong Tran 1
drop 1
Michael 1
lefab 1
Bob Matyas 1
UKO 1
Abdi Pranata 1
Max Boll (_b0lli) 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
AADMY – Add Auto Date Month Year Into Posts auto-date-year-month
AB Categories Search Widget ab-categories-search-widget
Accordion Slider accordion-slider
Ad Inserter – Ad Manager & AdSense Ads ad-inserter
Add Categories Post Footer add-categories-post-footer
Add Widget After Content add-widget-after-content
Adding drop down roles in registration user-drop-down-roles-in-registration
ADIF Log Search Widget adif-log-search-widget
Admin Management Xtended admin-management-xtended
Advanced Advertising System advanced-advertising-system
Advanced Category and Custom Taxonomy Image advanced-category-and-custom-taxonomy-image
Advanced Custom Fields advanced-custom-fields
Advanced Custom Fields Pro advanced-custom-fields-pro
Affiliator affiliator-lite
Ahime Image Printer ahime-image-printer
Ahmeti Wp Timeline ahmeti-wp-timeline
Ajax Custom CSS/JS ajax-awesome-css
Ajax Rating with Custom Login ajax-rating-with-custom-login
ajax-extend ajax-extend
Akismet htaccess writer akismet-htaccess-writer
Analyse Uploads analyse-uploads
Animator – Scroll Triggered Animations scroll-triggered-animations
Apa Banner Slider apa-banner-slider
APA Register Newsletter Form apa-register-newsletter-form
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin simply-schedule-appointments
AppPresser – Mobile App Framework apppresser
Arconix Shortcodes arconix-shortcodes
Arkhe Blocks arkhe-blocks
Author Discussion author-discussion
Awesome Contact Form7 for Elementor awesome-contact-form7-for-elementor
Azz Anonim Posting azz-anonim-posting
Back Link Tracker back-link-tracker
Better Author Bio better-author-bio
Booking.com Banner Creator bookingcom-banner-creator
Branding branding
BuddyPress Better Registration better-bp-registration
Bulk images optimizer: Resize, optimize, convert to webp, rename … bulk-image-resizer
bVerse Convert bverse-convert
Calculated Fields Form calculated-fields-form
CJ Change Howdy cj-change-howdy
Click to Chat – WP Support All-in-One Floating Widget support-chat
Clio Grow Form clio-grow-form
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors publishpress-authors
Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App peepso-core
Community Lite Video Chat avchat-3
Contact Form by Supsystic contact-form-by-supsystic
Contact Forms, Live Support, CRM, Video Messages live-support-tickets
Cooked Pro cooked-pro
Cookie Scanner – automated cookie list cookie-scanner
Country Flags for Elementor country-flags-for-elementor
Crazy Call To Action Box crazy-call-to-action-box
cSlider cslider
CSV Product Import Export for WooCommerce csv-wc-product-import-export
CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x woo-multi-currency
Custom Add to Cart Button Label and Link woo-custom-cart-button
Customer Email Verification for WooCommerce emails-verification-for-woocommerce
Da Reactions da-reactions
Debrandify · Remove or Replace WordPress Branding debrandify
Digital Lottery digital-lottery
Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons woo-discount-rules
DPD Baltic Shipping woo-shipping-dpd-baltic
Duplicate Title Validate duplicate-title-validate
Dynamic Elementor Addons dynamic-elementor-addons
Easy Addons for Elementor easy-addons-for-elementor
Easy Menu Manager | WPZest easy-menu-manager-wpzest
Edit WooCommerce Templates woo-edit-templates
Edwiser Bridge – WordPress Moodle LMS Integration edwiser-bridge
El mejor Cluster mejorcluster
Elemenda elemenda
ElementInvader Addons for Elementor elementinvader-addons-for-elementor
Elementor Website Builder – More than Just a Page Builder elementor
ElementsReady Addons for Elementor element-ready-lite
Email Template Customizer for WooCommerce email-template-customizer-for-woo
Encyclopedia / Glossary / Wiki encyclopedia-lexicon-glossary-wiki-dictionary
Endless Posts Navigation endless-posts-navigation
EventON Pro eventon
Events Addon for Elementor events-addon-for-elementor
Exclusive Addons for Elementor exclusive-addons-for-elementor
Feed Comments Number feed-comments-number
FERMA.ru.net ferma-ru-net-checkout
File Manager Pro wp-file-manager-pro
Flat UI Button flat-ui-button
Flexmls® IDX Plugin flexmls-idx
Fonto – Custom Web Fonts Manager fonto
Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator
FREE DOWNLOAD MANAGER free-download-manager
Free Stock Photos Foter free-stock-photos-foter
G Meta Keywords g-meta-keywords
Gantry 4 Framework gantry
GERRYWORKS Post by Mail gerryworks-post-by-mail
GetResponse Forms by Optin Cat getresponse
Giveaway Boost giveaway-boost
GiveWP – Donation Plugin and Fundraising Platform give
Google Map Locations google-map-locations
GoogleDrive folder list googledrive-folder-list
Htaccess File Editor – Easily Edit, Backup, Restore .htaccess file htaccess-file-editor
Hyperlink Group Block hyperlink-group-block
IdeaPush ideapush
Infinite-Scroll infinite-scroll
Jetpack – WP Security, Backup, Speed, & Growth jetpack
JiangQie Free Mini Program jiangqie-free-mini-program
Job Board Manager for WordPress jemployee
Kama SpamBlock kama-spamblock
Leyka leyka
Lightbox slider – Responsive Lightbox Gallery simple-lightbox-gallery
Limb Gallery | Create Beautiful Image & Video Galleries limb-gallery
Linked Variation for WooCommerce linked-variation-for-woocommerce
Locatoraid Store Locator locatoraid
Maan Addons For Elementor maan-elementor-addons
MAS Companies For WP Job Manager mas-wp-job-manager-company
MAS Elementor mas-addons-for-elementor
Mighty Builder – Drag & Drop WordPress Page Builder mighty-builder
Miniorange OTP Verification with Firebase miniorange-firebase-sms-otp-verification
Mitm Bug Tracker mitm-bug-tracker
Most And Least Read Posts Widget most-and-least-read-posts-widget
Multiline files upload for contact form 7 multiline-files-for-contact-form-7
My Favorites my-favorites
My Reading Library my-reading-library
MyTweetLinks mytweetlinks
Nextend Social Login Pro nextend-social-login-pro
Nice Backgrounds nicebackgrounds
Omnipress omnipress
Parallax Image parallax-image
Parcel Pro woo-parcel-pro
PeproDev Ultimate Invoice pepro-ultimate-invoice
Photo Gallery Builder photo-gallery-builder
Photo Gallery Slideshow & Masonry Tiled Gallery wp-responsive-photo-gallery
photokit photokit
Pinpoint Booking System – #1 WordPress Booking Plugin booking-system
Plexx Elementor Extension plexx-elementor-extension
Plugin Name: Sovratec Case Management sovratec-case-management
Point Maker point-maker
Post From Frontend post-from-frontend
Primary Addon for Elementor primary-addon-for-elementor
Product Customizer Light product-customizer-light
Product Website Showcase product-websites-showcase
ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities
Property Lot Management System plms
Rate Own Post rate-own-post
Recently – Viewed, Most Viewed and Sold Products for WooCommerce recently-viewed-most-viewed-and-sold-products-for-woocommerce
ReDi Restaurant Reservation redi-restaurant-reservation
Responsive Lightbox & Gallery responsive-lightbox
Responsive Pricing Table Builder – wpPricing Builder wppricing-builder-lite-responsive-pricing-table-builder
Royal Elementor Addons and Templates royal-elementor-addons
RS-Members rs-members
RSS Feed Widget rss-feed-widget
SafetyForms – Create forms with Real-time Email Validation safetymails-forms
Secure Custom Fields advanced-custom-fields
SendGrid for WordPress wp-sendgrid-mailer
SendPulse Free Web Push sendpulse-web-push
SEO Manager seo-manager
SermonAudio Widgets sermonaudio-widgets
Shipyaari Shipping Management shipyaari-shipping-managment
Simple Code Insert Shortcode simple-code-insert-shortcode
Simple Custom Post Order simple-custom-post-order
Simple Testimonials Showcase simple-testimonials-showcase
Simple User Registration wp-registration
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) sina-extension-for-elementor
SiteBuilder Dynamic Components sitebuilder-dynamic-components
SlimStat Analytics wp-slimstat
Smart Blocks smart-blocks
Smart Online Order for Clover clover-online-orders
Social Auto Poster social-auto-poster
Social Link Groups social-link-groups
Social Share With Floating Bar social-share-with-floating-bar
StreamWeasels Twitch Integration streamweasels-twitch-integration
Suki Sites Import suki-sites-import
Surfer – WordPress Plugin surferseo
SW Contact Form sw-contact-form
Table of Contents Plus table-of-contents-plus
TAKETIN To WP Membership taketin-to-wp-membership
The Ultimate WordPress Toolkit – WP Extended wpextended
Themesflat Addons For Elementor themesflat-addons-for-elementor
Time Clock Pro time-clock-pro
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin time-clock
Tito tito
Ultimate AI Ultimate_AI
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) ultraaddons-elementor-lite
Unlimited Addon For Elementor unlimited-addon-for-elementor
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor
VKontakte Wall Post vkontakte-wall-post
VOD Infomaniak vod-infomaniak
Woo Manage Fraud Orders woo-manage-fraud-orders
WooCommerce woocommerce
Woostagram Connect woostagram-connect
WordPress Image SEO wp-image-seo
WordPress Portfolio Builder – Portfolio Gallery uber-grid
WordPress Social Share Buttons share-button
WordPress Video wordpress-video
WP 2FA with Telegram two-factor-login-telegram
WP Content Copy Protection & No Right Click wp-content-copy-protector
WP Dropbox Dropins wp-dropbox-dropins
WP Easy Post Types easy-post-types
WP Education – Education WordPress Plugin for Elementor wp-education
WP Photo Album Plus wp-photo-album-plus
WP Popup Builder – Popup Forms and Marketing Lead Generation wp-popup-builder
WP REST API FNS Plugin rest-api-fns
WP SendFox wp-sendfox
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin timetics
WP ULike – All-in-One Engagement Toolkit wp-ulike
WP VR – 360 Panorama and Virtual Tour Builder For WordPress wpvr
WP-Spreadplugin wp-spreadplugin
WPIDE – File Manager & Code Editor wpide
Wsify widget wsify-widget
Zita Elementor Site Library zita-site-library
Zoho CRM Lead Magnet zoho-crm-forms
افزونه پیامک ووکامرس Persian WooCommerce SMS persian-woocommerce-sms

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Digitally digitally
Disconnected disconnected
my flatonica my-flatonica
my wooden under construction my-wooden-under-construction

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Adding drop down roles in registration <= 1.1 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49217
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Adding drop down roles in registration
Researcher: João Pedro Soares de Alcântara

Advanced Advertising System <= 1.3.1 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49624
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: Advanced Advertising System
Researcher: Mika

Affiliator <= 2.1.3 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49326
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: Affiliator
Researcher: João Pedro Soares de Alcântara

Ahime Image Printer <= 1.0.0 – Unauthenticated Arbitrary File Download
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49245
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Ahime Image Printer
Researcher: stealthcopter

ajax-extend <= 1.0 – Unauthenticated Remote Code Execution
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49254
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: ajax-extend
Researcher: stealthcopter

Analyse Uploads <= 0.5 – Unauthenticated Arbitrary File Deletion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49253
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Analyse Uploads
Researcher: stealthcopter

Azz Anonim Posting <= 0.9 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49257
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Azz Anonim Posting
Researcher: stealthcopter

BuddyPress Better Registration <= 1.6 – Authentication Bypass to Administrator
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49247
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: BuddyPress Better Registration
Researcher: stealthcopter

Cooked Pro < 1.8.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49291
Patch Status: Patched
Published: Oct 15, 2024
Affected Software: Cooked Pro
Researcher: RE-ALTER

Digital Lottery <= 3.0.5 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49242
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Digital Lottery
Researcher: stealthcopter

Feed Comments Number <= 0.2.1 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49216
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Feed Comments Number
Researcher: stealthcopter

Giveaway Boost <= 2.1.4 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49332
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: Giveaway Boost
Researcher: Mika

GiveWP – Donation Plugin and Fundraising Platform <= 3.16.3 – Unauthenticated PHP Object Injection to Remote Code Execution
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9634
Patch Status: Patched
Published: Oct 15, 2024
Affected Software: GiveWP – Donation Plugin and Fundraising Platform
Researcher: lefab

JiangQie Free Mini Program <= 2.5.2 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49314
Patch Status: Unpatched
Published: Oct 15, 2024
Affected Software: JiangQie Free Mini Program
Researcher: stealthcopter

Job Board Manager for WordPress <= 1.0 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49322
Patch Status: Unpatched
Published: Oct 15, 2024
Affected Software: Job Board Manager for WordPress
Researcher: João Pedro Soares de Alcântara

Miniorange OTP Verification with Firebase <= 3.6.0 – Privilege Escalation via Registration due to Administrator Default User Role Value
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9863
Patch Status: Patched
Published: Oct 16, 2024
Affected Software: Miniorange OTP Verification with Firebase
Researcher: István Márton

Miniorange OTP Verification with Firebase <= 3.6.0 – Unauthenticated Arbitrary User Password Change
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9862
Patch Status: Patched
Published: Oct 16, 2024
Affected Software: Miniorange OTP Verification with Firebase
Researcher: István Márton

My Reading Library <= 1.0 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49318
Patch Status: Unpatched
Published: Oct 15, 2024
Affected Software: My Reading Library
Researcher: LVT-tholv2k

Nextend Social Login Pro <= 3.1.14 – Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9893
Patch Status: Patched
Published: Oct 15, 2024
Affected Software: Nextend Social Login Pro
Researcher: wesley (wcraft)

photokit <= 1.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49610
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: photokit
Researcher: stealthcopter

Product Website Showcase <= 1.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49611
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: Product Website Showcase
Researcher: stealthcopter

Recently <= 1.1 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49218
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Recently – Viewed, Most Viewed and Sold Products for WooCommerce
Researcher: LVT-tholv2k

Shipyaari Shipping Management <= 1.2 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49626
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: Shipyaari Shipping Management
Researcher: Mika

Simple User Registration <= 5.5 – Missing Authorization
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49604
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: Simple User Registration
Researcher: stealthcopter

SiteBuilder Dynamic Components <= 1.0 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49625
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: SiteBuilder Dynamic Components
Researcher: Mika

Sovratec Case Management <= 1.0.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49324
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: Plugin Name: Sovratec Case Management
Researcher: stealthcopter

UltimateAI <= 2.8.3 – Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9105
Patch Status: Unpatched
Published: Oct 15, 2024
Affected Software: Ultimate AI
Researcher: István Márton

Woostagram Connect <= 1.0.2 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49327
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: Woostagram Connect
Researcher: João Pedro Soares de Alcântara

WP Dropbox Dropins <= 1.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49607
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: WP Dropbox Dropins
Researcher: stealthcopter

WP REST API FNS <= 1.0.0 – Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49328
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: WP REST API FNS Plugin
Researcher: stealthcopter

WP REST API FNS <= 1.0.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49329
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: WP REST API FNS Plugin
Researcher: stealthcopter

WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 – Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9263
Patch Status: Patched
Published: Oct 16, 2024
Affected Software: WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin
Researcher: wesley (wcraft)

Apa Banner Slider <= 1.0.0 – Cross-Site Request Forgery to SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49622
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: Apa Banner Slider
Researcher: João Pedro Soares de Alcântara

APA Register Newsletter Form <= 1.0.0 – Cross-Site Request Forgery to SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49621
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: APA Register Newsletter Form
Researcher: João Pedro Soares de Alcântara

Back Link Tracker <= 1.0.0 – Cross-Site Request Forgery to SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49617
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: Back Link Tracker
Researcher: João Pedro Soares de Alcântara

Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 – Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-9215
Patch Status: Patched
Published: Oct 16, 2024
Affected Software: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Researcher: wesley (wcraft)

Duplicate Title Validate <= 1.0 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49623
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: Duplicate Title Validate
Researcher: Unknown

Dynamic Elementor Addons <= 1.0.0 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49243
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Dynamic Elementor Addons
Researcher: João Pedro Soares de Alcântara

FERMA.ru.net <= 1.3.3 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49620
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: FERMA.ru.net
Researcher: LVT-tholv2k

File Manager Pro <= 8.3.9 – Cross-Site Request Forgery to Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-8507
Patch Status: Patched
Published: Oct 15, 2024
Affected Software: File Manager Pro
Researcher: TANG Cheuk Hei (siunam)

Free Stock Photos Foter <= 1.5.4 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49227
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Free Stock Photos Foter
Researcher: LVT-tholv2k

GERRYWORKS Post by Mail <= 1.0 – Contributor+ Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49608
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: GERRYWORKS Post by Mail
Researcher: Mika

Maan Addons For Elementor <= 1.0.1 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49251
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Maan Addons For Elementor
Researcher: João Pedro Soares de Alcântara

MyTweetLinks <= 1.1.1 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49618
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: MyTweetLinks
Researcher: João Pedro Soares de Alcântara

Nice Backgrounds <= 1.0 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49330
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: Nice Backgrounds
Researcher: stealthcopter

Point Maker <= 0.1.4 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49317
Patch Status: Patched
Published: Oct 15, 2024
Affected Software: Point Maker
Researcher: theviper17y

Rate Own Post <= 1.0 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49616
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: Rate Own Post
Researcher: João Pedro Soares de Alcântara

RS-Members <= 1.0.3 – Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49219
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: RS-Members
Researcher: João Pedro Soares de Alcântara

SafetyForms <= 1.0.0 – Cross-Site Request Forgery
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49615
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: SafetyForms – Create forms with Real-time Email Validation
Researcher: João Pedro Soares de Alcântara

SermonAudio Widgets <= 1.9.3 – Authenticated (Contributor+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49614
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: SermonAudio Widgets
Researcher: João Pedro Soares de Alcântara

Simple Code Insert Shortcode <= 1.0 – Authenticated (Contributor+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49613
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: Simple Code Insert Shortcode
Researcher: João Pedro Soares de Alcântara

Social Link Groups <= 1.1.0 – Authenticated (Contributor+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49619
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: Social Link Groups
Researcher: LVT-tholv2k

SW Contact Form <= 1.0 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49612
Patch Status: Unpatched
Published: Oct 18, 2024
Affected Software: SW Contact Form
Researcher: João Pedro Soares de Alcântara

TAKETIN To WP Membership <= 2.8.1 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49226
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: TAKETIN To WP Membership
Researcher: LVT-tholv2k

WordPress Gallery Plugin – Limb Image Gallery <= 1.5.7 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49260
Patch Status: Unpatched
Published: Oct 14, 2024
Affected Software: Limb Gallery | Create Beautiful Image & Video Galleries
Researcher: stealthcopter

WP 2FA with Telegram <= 3.0 – Authenticated (Subscriber+) Authentication Bypass
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-9687
Patch Status: Patched
Published: Oct 14, 2024
Affected Software: WP 2FA with Telegram
Researcher: István Márton

WP Easy Post Types <= 1.4.4 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-10079
Patch Status: Unpatched
Published: Oct 17, 2024
Affected Software: WP Easy Post Types
Researcher: István Márton

Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 – Unauthenticated (Limited) Remote Code Execution

8.3

CVSS Rating
High (8.3)
CVE-ID
CVE-2024-9593
Patch Status
Patched
Published
Oct 18, 2024

Affected Software
Time Clock Pro
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin
Researcher

István Márton

AppPresser – Mobile App Framework <= 4.4.4 – Privilege Escalation and Account Takeover via Weak OTP
CVSS Rating: High (8.1) | CVE-ID: CVE-2024-9305 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: AppPresser – Mobile App Framework
Researcher: wesley (wcraft)

Miniorange OTP Verification with Firebase <= 3.6.0 – Authentication Bypass
CVSS Rating: High (8.1) | CVE-ID: CVE-2024-9861 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: Miniorange OTP Verification with Firebase
Researcher: István Márton

Ajax Rating with Custom Login <= 1.1 – Unauthenticated SQL Injection
CVSS Rating: High (7.5) | CVE-ID: CVE-2024-49246 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Ajax Rating with Custom Login
Researcher: stealthcopter

Email Verification for WooCommerce <= 2.8.10 – Unauthenticated SQL Injection
CVSS Rating: High (7.5) | CVE-ID: CVE-2024-49305 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Customer Email Verification for WooCommerce
Researcher: shaman0x01

File Manager Pro <= 8.3.9 – Unauthenticated Backup File Download and Upload
CVSS Rating: High (7.5) | CVE-ID: CVE-2024-8746 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: File Manager Pro
Researcher: TANG Cheuk Hei (siunam)

FREE DOWNLOAD MANAGER <= 1.0.0 – Unauthenticated Arbitrary File Download
CVSS Rating: High (7.5) | CVE-ID: CVE-2024-49315 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: FREE DOWNLOAD MANAGER
Researcher: stealthcopter

File Manager Pro <= 8.3.9 – Unauthenticated Limited JavaScript File Upload
CVSS Rating: High (7.4) | CVE-ID: CVE-2024-8918 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: File Manager Pro
Researcher: TANG Cheuk Hei (siunam)

AADMY – Add Auto Date Month Year Into Posts <= 2.0.1 – Unauthenticated Arbitrary Shortcode Execution
CVSS Rating: High (7.3) | CVE-ID: CVE-2024-9837 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: AADMY – Add Auto Date Month Year Into Posts
Researcher: Francesco Carlucci

WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 – Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add
CVSS Rating: High (7.3) | CVE-ID: CVE-2024-9061 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: WP Popup Builder – Popup Forms and Marketing Lead Generation
Researcher: Francesco Carlucci

Property Lot Management System <= 1.0 – Authenticated (Salesman+) Arbitrary File Upload
CVSS Rating: High (7.2) | CVE-ID: CVE-2024-49331 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Property Lot Management System
Researcher: C_T_R_L

SendPulse Free Web Push <= 1.3.6 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) | CVE-ID: CVE-2024-9184 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: SendPulse Free Web Push
Researcher: Francesco Carlucci

Slimstat Analytics <= 5.2.6 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2) | CVE-ID: CVE-2024-9548 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: SlimStat Analytics
Researcher: Bilal Chawich (Duke)

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.121 – Authenticated (Editor+) Remote Code Execution
CVSS Rating: High (7.2) | CVE-ID: CVE-2024-49271 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Researcher: Hakiduck

Author Discussion <= 0.2.2 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-49609 | Patch Status: Unpatched | Published: Oct 18, 2024
Affected Software: Author Discussion
Researcher: Unknown

CSV Product Import Export for WooCommerce <= 1.0.0 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-49244 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: CSV Product Import Export for WooCommerce
Researcher: Hakiduck

WordPress Gallery Plugin – Limb Image Gallery <= 1.5.7 – Authenticated (Subscriber+) Arbitrary File Download
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-49258 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Limb Gallery | Create Beautiful Image & Video Galleries
Researcher: stealthcopter

WP 2FA with Telegram <= 3.0 – Two-Factor Authentication Bypass
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-9820 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: WP 2FA with Telegram
Researcher: István Márton

Zoho CRM Lead Magnet <= 1.7.9.4 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-49297 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Zoho CRM Lead Magnet
Researcher: Trương Hữu Phúc (truonghuuphuc)

Accordion Slider <= 1.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via HTML Attribute
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9582 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Accordion Slider
Researcher: Muhammad Adel (ItsFadinG)

Admin Management Xtended <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49307 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Admin Management Xtended
Researcher: Trương Hữu Phúc (truonghuuphuc)

Advanced Category and Custom Taxonomy Image <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via ad_tax_image Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9425 | Patch Status: Patched | Published: Oct 17, 2024
Affected Software: Advanced Category and Custom Taxonomy Image
Researcher: theviper17y

Arconix Shortcodes <= 2.1.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9703 | Patch Status: Patched | Published: Oct 17, 2024
Affected Software: Arconix Shortcodes
Researcher: Peter Thaleikis

Arkhe Blocks <= 2.23.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49261 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Arkhe Blocks
Researcher: João Pedro Soares de Alcântara

Awesome Contact Form7 for Elementor <= 3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49319 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Awesome Contact Form7 for Elementor
Researcher: ghsinfosec

Booking.com Banner Creator <= 1.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49265 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Booking.com Banner Creator
Researcher: theviper17y

Branding <= 1.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9452 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Branding
Researcher: Francesco Carlucci

bVerse Convert <= 1.3.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49228 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: bVerse Convert
Researcher: SOPROBRO

Click to Chat – WP Support All-in-One Floating Widget <= 2.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via wpsaio_snapchat Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10055 | Patch Status: Patched | Published: Oct 17, 2024
Affected Software: Click to Chat – WP Support All-in-One Floating Widget
Researcher: Peter Thaleikis

Cooked Pro < 1.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49289 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Cooked Pro
Researcher: RE-ALTER

Country Flags for Elementor <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49262 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Country Flags for Elementor
Researcher: João Pedro Soares de Alcântara

Crazy Call To Action Box <= 1.05 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49236 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Crazy Call To Action Box
Researcher: SOPROBRO

Custom Add to Cart Button Label and Link <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49296 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Custom Add to Cart Button Label and Link
Researcher: LVT-tholv2k

Da Reactions <= 5.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49255 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: Da Reactions
Researcher: Khalid Yusuf

Debrandify · Remove or Replace WordPress Branding <= 1.1.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9674 | Patch Status: Patched | Published: Oct 17, 2024
Affected Software: Debrandify · Remove or Replace WordPress Branding
Researcher: Francesco Carlucci

Easy Addons for Elementor <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49631 | Patch Status: Unpatched | Published: Oct 18, 2024
Affected Software: Easy Addons for Elementor
Researcher: Gab

Easy Menu Manager | WPZest <= 1.0.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9366 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Easy Menu Manager | WPZest
Researcher: Francesco Carlucci

Edwiser Bridge <= 3.0.7 – Authenticated (Subscriber+) Server-Side Request Forgery
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49312 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Edwiser Bridge – WordPress Moodle LMS Integration
Researcher: Muhammad Daffa

El mejor Cluster <= 1.1.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49232 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: El mejor Cluster
Researcher: Khalid Yusuf

Elemenda <= 0.0.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9373 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Elemenda
Researcher: Francesco Carlucci

ElementsReady Addons for Elementor <= 6.4.3 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9444 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: ElementsReady Addons for Elementor
Researcher: Francesco Carlucci

Events Addon for Elementor <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49264 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: Events Addon for Elementor
Researcher: João Pedro Soares de Alcântara

Exclusive Addons Elementor <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49292 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Exclusive Addons for Elementor
Researcher: Robert DeVore

Flat UI Button <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via flatbtn Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10014 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Flat UI Button
Researcher: Francesco Carlucci

Fonto – Custom Web Fonts Manager <= 1.2.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-8920 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: Fonto – Custom Web Fonts Manager
Researcher: Francesco Carlucci

G Meta Keywords <= 1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49301 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: G Meta Keywords
Researcher: Robert DeVore

Hyperlink Group Block <= 1.17.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49279 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Hyperlink Group Block
Researcher: Khalid Yusuf

Lightbox slider – Responsive Lightbox Gallery <= 1.10.1 – Authenticated (Author+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49280 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Lightbox slider – Responsive Lightbox Gallery
Researcher: Robert DeVore

MAS Elementor <= 1.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49233 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: MAS Elementor
Researcher: Khalid Yusuf

Mighty Builder <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-48049 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Mighty Builder – Drag & Drop WordPress Page Builder
Researcher: Gab

My Favorites <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49263 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: My Favorites
Researcher: theviper17y

Omnipress <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49278 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Omnipress
Researcher: Khalid Yusuf

Parallax Image <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9898 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: Parallax Image
Researcher: Peter Thaleikis

PeproDev Ultimate Invoice <= 2.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49298 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: PeproDev Ultimate Invoice
Researcher: LVT-tholv2k

Plexx Elementor Extension <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49234 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: Plexx Elementor Extension
Researcher: Khalid Yusuf

Primary Addon for Elementor <= 1.5.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49259 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: Primary Addon for Elementor
Researcher: João Pedro Soares de Alcântara

Product Customizer Light <= 1.0.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9848 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Product Customizer Light
Researcher: Francesco Carlucci

Responsive Lightbox <= 2.4.8 – Authenticated (Author+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49282 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Responsive Lightbox & Gallery
Researcher: Robert DeVore

RSS Feed Widget <= 2.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via rfw-youtube-videos Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10057 | Patch Status: Patched | Published: Oct 17, 2024
Affected Software: RSS Feed Widget
Researcher: Peter Thaleikis

SEO Manager <= 1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9521 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: SEO Manager
Researcher: István Márton

Smart Blocks <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49270 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: Smart Blocks
Researcher: João Pedro Soares de Alcântara

Smart Online Order for Clover <= 1.5.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via moo_receipt_link Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9895 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: Smart Online Order for Clover
Researcher: Peter Thaleikis

StreamWeasels Twitch Integration <= 1.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via sw-twitch-embed Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9897 | Patch Status: Patched | Published: Oct 18, 2024
Affected Software: StreamWeasels Twitch Integration
Researcher: Peter Thaleikis

Suki Sites Import <= 1.2.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-8916 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Suki Sites Import
Researcher: Francesco Carlucci

Themesflat Addons For Elementor <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49310 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Themesflat Addons For Elementor
Researcher: João Pedro Soares de Alcântara

Tito <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49241 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Tito
Researcher: theviper17y

UltraAddons Elementor Lite <= 1.1.8 – Authenticated (Author+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49277 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS, Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Researcher: Michael

Unlimited Addon For Elementor <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49267 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Unlimited Addon For Elementor
Researcher: João Pedro Soares de Alcântara

WordPress Portfolio Builder – Portfolio Gallery <= 1.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49302 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: WordPress Portfolio Builder – Portfolio Gallery
Researcher: Muhammad Daffa

WordPress Video <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49231 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: WordPress Video
Researcher: SOPROBRO

WP Easy Post Types <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10080 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: WP Easy Post Types
Researcher: István Márton

WP Education <= 1.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via text_html_tag
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49630 | Patch Status: Unpatched | Published: Oct 18, 2024
Affected Software: WP Education – Education WordPress Plugin for Elementor
Researcher: Gab

wpPricing Builder <= 1.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49225 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Responsive Pricing Table Builder – wpPricing Builder
Researcher: SOPROBRO

Zita Elementor Site Library <= 1.6.3 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-8921 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Zita Elementor Site Library
Researcher: Francesco Carlucci

WP Easy Post Types <= 1.4.4 – Authenticated (Subscriber+) Missing Authorization via Multiple Functions
CVSS Rating: Medium (6.3) | CVE-ID: CVE-2024-10078 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: WP Easy Post Types
Researcher: István Márton

AB Categories Search Widget <= 0.2.5 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49240 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: AB Categories Search Widget
Researcher: Le Ngoc Anh

Ad Inserter <= 2.7.37 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49248 | Patch Status: Patched | Published: Oct 14, 2024
Affected Software: Ad Inserter – Ad Manager & AdSense Ads
Researcher: Rafie Muhammad

Add Categories Post Footer <= 2.2.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49239 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Add Categories Post Footer
Researcher: Le Ngoc Anh

ADIF Log Search Widget <= 1.0f – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49238 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: ADIF Log Search Widget
Researcher: Le Ngoc Anh

Ahmeti Wp Timeline <= 5.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49237 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Ahmeti Wp Timeline
Researcher: SOPROBRO

Ajax Custom CSS/JS <= 2.0.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49230 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Ajax Custom CSS/JS
Researcher: SOPROBRO

Akismet htaccess writer <= 1.0.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49316 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Akismet htaccess writer
Researcher: Le Ngoc Anh

Animator <= 3.0.12 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49308 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Animator – Scroll Triggered Animations
Researcher: Abdi Pranata

AVChat Video Chat <= 2.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49605 | Patch Status: Unpatched | Published: Oct 18, 2024
Affected Software: Community Lite Video Chat
Researcher: SOPROBRO

CJ Change Howdy <= 3.3.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49223 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: CJ Change Howdy
Researcher: SOPROBRO

Clio Grow <= 1.0.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49276 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Clio Grow Form
Researcher: SOPROBRO

Cookie Scanner <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49220 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Cookie Scanner – automated cookie list
Researcher: SOPROBRO

cSlider <= 2.4.2 – Cross-Site Request Forgery
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49221 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: cSlider
Researcher: SOPROBRO

CURCY <= 2.2.3 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49283 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 8.x
Researcher: Dimas Maulana

Digitally <= 1.0.8 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49309 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Digitally
Researcher: akas wisnu aji

Disconnected <= 1.3.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49268 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Disconnected
Researcher: akas wisnu aji

DPD Baltic Shipping <= 1.2.83 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9350 | Patch Status: Patched | Published: Oct 17, 2024
Affected Software: DPD Baltic Shipping
Researcher: vgo0

Edit WooCommerce Templates <= 1.1.2 – Reflected Cross-Site Scripting via page
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-10049 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Edit WooCommerce Templates
Researcher: Colin Xu

Encyclopedia / Glossary / Wiki <= 1.7.60 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49320 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Encyclopedia / Glossary / Wiki
Researcher: SOPROBRO

Flexmls® IDX Plugin <= 3.14.22 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-8719 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: Flexmls® IDX Plugin
Researcher: kayge

Gantry 4 Framework <= 4.1.21 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9382 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Gantry 4 Framework
Researcher: vgo0

GetResponse Forms by Optin Cat <= 2.5.6 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-8740 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: GetResponse Forms by Optin Cat
Researcher: vgo0

Google Map Locations <= 1.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49606 | Patch Status: Unpatched | Published: Oct 18, 2024
Affected Software: Google Map Locations
Researcher: João Pedro Soares de Alcântara

GoogleDrive folder list <= 2.2.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49335 | Patch Status: Unpatched | Published: Oct 18, 2024
Affected Software: GoogleDrive folder list
Researcher: SOPROBRO

Kama SpamBlock <= 1.8.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9647 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Kama SpamBlock
Researcher: vgo0

Locatoraid Store Locator <= 3.9.47 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9652 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Locatoraid Store Locator
Researcher: vgo0

MAS Companies For WP Job Manager <= 1.0.13 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9206 | Patch Status: Patched | Published: Oct 17, 2024
Affected Software: MAS Companies For WP Job Manager
Researcher: vgo0

Mitm Bug Tracker <= 1.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49224 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Mitm Bug Tracker
Researcher: Mika

my flatonica <= 0.0.8 & my wooden under construction <= 2.0.7 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49269 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: my flatonica; my wooden under construction
Researcher: akas wisnu aji

Parcel Pro <= 1.8.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9383 | Patch Status: Patched | Published: Oct 17, 2024
Affected Software: Parcel Pro
Researcher: vgo0

Persian WooCommerce SMS <= 7.0.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9213 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: افزونه پیامک ووکامرس Persian WooCommerce SMS
Researcher: vgo0

Pinpoint Booking System <= 2.9.9.5.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49304 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Pinpoint Booking System – #1 WordPress Booking Plugin
Researcher: Muhammad Daffa

ReDi Restaurant Reservation <= 24.0902 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9240 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: ReDi Restaurant Reservation
Researcher: vgo0

Smart Online Order for Clover <= 1.5.7 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-8787 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Smart Online Order for Clover
Researcher: vgo0

Social Share With Floating Bar <= 1.0.3 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-8790 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Social Share With Floating Bar
Researcher: vgo0

The Ultimate WordPress Toolkit – WP Extended <= 3.0.9 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9347 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: The Ultimate WordPress Toolkit – WP Extended
Researcher: vgo0

VKontakte Wall Post <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-49313 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: VKontakte Wall Post
Researcher: SOPROBRO

Woo Manage Fraud Orders <= 6.1.7 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9937 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Woo Manage Fraud Orders
Researcher: Colin Xu

WordPress Photo Album Plus <= 8.8.05.003 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9951 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: WP Photo Album Plus
Researcher: Noah Stead (TurtleBurg)

WordPress Social Share Buttons <= 1.19 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-9219 | Patch Status: Patched | Published: Oct 18, 2024
Affected Software: WordPress Social Share Buttons
Researcher: Colin Xu

Wsify Widget <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1) | CVE-ID: CVE-2024-48048 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Wsify widget
Researcher: Joshua Chan

UltimateAI <= 2.8.3 – Limited User Password Change due to Improper Empty and Missing Default Value Check
CVSS Rating: Medium (5.6) | CVE-ID: CVE-2024-9104 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Ultimate AI
Researcher: István Márton

WP-Spreadplugin <= 4.8.9 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5) | CVE-ID: CVE-2024-49266 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: WP-Spreadplugin
Researcher: Sharanabasappa

Better Author Bio <= 2.7.10.11 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (5.4) | CVE-ID: CVE-2024-49229 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Better Author Bio
Researcher: SOPROBRO

Community by PeepSo <= 6.4.6.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.4) | CVE-ID: CVE-2024-9873 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App
Researcher: Bikram Kharal

ElementInvader Addons for Elementor <= 1.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.4) | CVE-ID: CVE-2024-9888 | Patch Status: Patched | Published: Oct 15, 2024
Affected Software: ElementInvader Addons for Elementor
Researcher: Colin Xu

Calculated Fields Form <= 5.2.45 – HTML Injection
CVSS Rating: Medium (5.3) | CVE-ID: CVE-2024-9940 | Patch Status: Patched | Published: Oct 16, 2024
Affected Software: Calculated Fields Form
Researcher: Max Boll (_b0lli)

Contact Forms, Live Support, CRM, Video Messages <= 1.10.2 – Unauthenticated Information Disclosure
CVSS Rating: Medium (5.3) | CVE-ID: CVE-2024-49235 | Patch Status: Unpatched | Published: Oct 14, 2024
Affected Software: Contact Forms, Live Support, CRM, Video Messages
Researcher: Joshua Chan

Infinite-Scroll <= 2.6.2 – Cross-Site Request Forgery to Plugin Settings Update
CVSS Rating: Medium (5.3) | CVE-ID: CVE-2024-10040 | Patch Status: Unpatched | Published: Oct 17, 2024
Affected Software: Infinite-Scroll
Researcher: Francesco Carlucci

Post From Frontend <= 1.0.0 – Cross-Site Request Forgery to Arbitrary Post Deletion
CVSS Rating: Medium (5.3) | CVE-ID: CVE-2024-9689 | Patch Status: Unpatched | Published: Oct 15, 2024
Affected Software: Post From Frontend
Researcher: Bob Matyas

WooCommerce <= 9.0.2 – Unauthenticated HTML Injection

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-9944
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
WooCommerce
Researcher

drop

WP SendFox <= 1.3.1 – Unauthenticated Information Disclosure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-49284
Patch Status
Unpatched
Published
Oct 15, 2024

Affected Software
WP SendFox
Researcher

Joshua Chan

WPIDE <= 3.4.9 – Unauthenticated Full Path Disclosure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-9546
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
WPIDE – File Manager & Code Editor
Researcher

TANG Cheuk Hei (siunam)

Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.3 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2019-25218
Patch Status
Patched
Published
Oct 18, 2024

Affected Software
Photo Gallery Slideshow & Masonry Tiled Gallery
Researcher

Ala Arfaoui

Surfer <= 1.5.0.502 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-49299
Patch Status
Unpatched
Published
Oct 15, 2024

Affected Software
Surfer – WordPress Plugin
Researcher

Nguyễn Trung Kiên

Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons <= 2.6.5 – Reflected Cross-Site Scripting

4.7

CVSS Rating
Medium (4.7)
CVE-ID
CVE-2024-8541
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons
Researcher

vgo0

Add Widget After Content <= 2.4.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-9892
Patch Status
Patched
Published
Oct 17, 2024

Affected Software
Add Widget After Content
Researcher

ghsinfosec

Advanced Custom Fields <= 6.3.8 & Secure Custom Fields <= 6.3.6.2 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-49593
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
Secure Custom Fields
Advanced Custom Fields
Advanced Custom Fields Pro
Researcher

Duc Luong Tran

Appointment Booking Calendar <= – Authenticated (Admin+) Stored Cross-Site Scripting via Notification Settings

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-7877
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Researcher

Jeewan Kumar Bhatta

Appointment Booking Calendar <= 1.6.7.53 – Authenticated (Admin+) Stored Cross-Site Scripting via Appointment Settings

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-7876
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Researcher

Jeewan Kumar Bhatta

Contact Form by Supsystic <= 1.7.28 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-48046
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
Contact Form by Supsystic
Researcher

UKO

Email Template Customizer for WooCommerce <= 1.2.5 – Authenticated (Shop manager+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-49288
Patch Status
Unpatched
Published
Oct 15, 2024

Affected Software
Email Template Customizer for WooCommerce
Researcher

Phill Sav (Savphill)

Simple Testimonials Showcase <= 1.1.6 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-49295
Patch Status
Unpatched
Published
Oct 15, 2024

Affected Software
Simple Testimonials Showcase
Researcher

SOPROBRO

Bulk images optimizer: Resize, optimize, convert to webp, rename … <= 2.0.1 – Missing Authorization to Authenticated (Subscriber+) Plugin Options Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9361
Patch Status
Unpatched
Published
Oct 17, 2024

Affected Software
Bulk images optimizer: Resize, optimize, convert to webp, rename …
Researcher

Francesco Carlucci

Cooked Pro < 1.8.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49290
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
Cooked Pro
Researcher

RE-ALTER

ElementInvader Addons for Elementor <= 1.2.9 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9889
Patch Status
Patched
Published
Oct 18, 2024

Affected Software
ElementInvader Addons for Elementor
Researcher

Ankit Patel

Elementor <= 3.23.5 – Authenticated (Contributor+) Basic Information Exposure via get_image_alt Function

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-6757
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
Elementor Website Builder – More than Just a Page Builder
Researcher

stealthcopter

Endless Posts Navigation <= 2.2.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49629
Patch Status
Patched
Published
Oct 18, 2024

Affected Software
Endless Posts Navigation
Researcher

SOPROBRO

EventON PRO – WordPress Virtual Event Calendar Plugin <= 4.6.8 – Cross-Site Request Forgery via admin_test_email

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2023-6243
Patch Status
Patched
Published
Oct 18, 2024

Affected Software
EventON Pro
Researcher

Francesco Carlucci

Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 – Cross-Site Request Forgery to Draft Custom Form Creation

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9352
Patch Status
Patched
Published
Oct 16, 2024

Affected Software
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher

Vijaysimha Reddy (vijaysimha)

Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 – Cross-Site Request Forgery to Draft Quiz Creation

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9351
Patch Status
Patched
Published
Oct 16, 2024

Affected Software
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher

Vijaysimha Reddy (vijaysimha)

Htaccess File Editor <= 1.0.18 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49256
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
Htaccess File Editor – Easily Edit, Backup, Restore .htaccess file
Researcher

Phill Sav (Savphill)

IdeaPush <= 8.69 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49275
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
IdeaPush
Researcher

theviper17y

Jetpack < 13.9.1 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
Unknown
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
Jetpack – WP Security, Backup, Speed, & Growth
Researcher

Unknown

Leyka <= 3.31.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49252
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
Leyka
Researcher

Trương Hữu Phúc (truonghuuphuc)

Linked Variation for WooCommerce <= 1.0.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-48047
Patch Status
Unpatched
Published
Oct 14, 2024

Affected Software
Linked Variation for WooCommerce
Researcher

Marek Mikita

Most And Least Read Posts Widget <= 2.5.18 – Cross-Site Request Forgery via most_and_least_read_posts_options

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49628
Patch Status
Patched
Published
Oct 18, 2024

Affected Software
Most And Least Read Posts Widget
Researcher

Unknown

Multiline files upload for contact form 7 <= 2.8.1 – Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9891
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
Multiline files upload for contact form 7
Researcher

Tieu Pham Trong Nhan

Photo Gallery Builder <= 3.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49325
Patch Status
Unpatched
Published
Oct 17, 2024

Affected Software
Photo Gallery Builder
Researcher

Marek Mikita

ProfileGrid <= 5.9.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49273
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher

Trương Hữu Phúc (truonghuuphuc)

Royal Elementor Addons and Templates <= 1.3.986 – Authenticated (Subscriber+) Private Post Disclosure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-7417
Patch Status
Patched
Published
Oct 16, 2024

Affected Software
Royal Elementor Addons and Templates
Researcher

stealthcopter

SendGrid for WordPress <= 1.4 – Missing Authorization to Authenticated (Subscriber+) Log Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9364
Patch Status
Unpatched
Published
Oct 17, 2024

Affected Software
SendGrid for WordPress
Researcher

Nishiv

Simple Custom Post Order <= 2.5.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49321
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
Simple Custom Post Order
Researcher

Rafie Muhammad

Sina Extension for Elementor <= 3.5.7 – Authenticated (Contributor+) Sensitive Information Exposure via Sina Modal Box Widget Elementor Template

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9540
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)
Researcher

Nishiv

Social Auto Poster <= 5.3.15 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49272
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
Social Auto Poster
Researcher

Ananda Dhakal

Table of Contents Plus <= 2408 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49250
Patch Status
Unpatched
Published
Oct 14, 2024

Affected Software
Table of Contents Plus
Researcher

Rafie Muhammad

VOD Infomaniak <= 1.5.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49274
Patch Status
Patched
Published
Oct 14, 2024

Affected Software
VOD Infomaniak
Researcher

Joshua Chan

WordPress Image SEO <= 1.1.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49627
Patch Status
Unpatched
Published
Oct 18, 2024

Affected Software
WordPress Image SEO
Researcher

SOPROBRO

WP Content Copy Protection & No Right Click <= 3.5.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49306
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
WP Content Copy Protection & No Right Click
Researcher

Rafie Muhammad

WP ULike <= 4.7.4 – Cross-Site Request Forgery to Statistic Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9649
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
WP ULike – All-in-One Engagement Toolkit
Researcher

Bilal Chawich (Duke)

WP VR <= 8.5.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-49293
Patch Status
Patched
Published
Oct 15, 2024

Affected Software
WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Researcher

Trương Hữu Phúc (truonghuuphuc)
As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated and maintained by Wordfence’s highly credentialed and experienced vulnerability researchers. It is populated through in-house vulnerability research, through submissions from vulnerability researchers via our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024) appeared first on Wordfence.
