Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024)


🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024:

  • All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
  • Top-tier researchers earn automatic bonuses of between 10% and 120% for valid submissions
  • Pending report limits are increased for all
  • It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, 234 vulnerabilities disclosed in 206 WordPress Plugins and 6 WordPress Themes were added to the Wordfence Intelligence Vulnerability Database, and 56 Vulnerability Researchers contributed to WordPress Security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so individuals and organizations alike can use that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 19,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress Security reports, in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real time to our Premium, Care, and Response customers last week:

  • WAF-RULE-757 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-758 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 133
Unpatched 101

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 165
High Severity 35
Critical Severity 34

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 116
Missing Authorization 37
Unrestricted Upload of File with Dangerous Type 18
Authentication Bypass Using an Alternate Path or Channel 13
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 9
Cross-Site Request Forgery (CSRF) 8
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 7
Exposure of Sensitive Information to an Unauthorized Actor 6
Improper Control of Generation of Code (‘Code Injection’) 5
Deserialization of Untrusted Data 3
Improper Authentication 2
Improper Authorization 2
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 2
URL Redirection to Untrusted Site (‘Open Redirect’) 2
Authorization Bypass Through User-Controlled Key 1
Improper Restriction of XML External Entity Reference 1
Incorrect Privilege Assignment 1
Weak Password Recovery Mechanism for Forgotten Password 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
João Pedro Soares de Alcântara 25
Mika 23
stealthcopter 22
István Márton 22
SOPROBRO 13
Francesco Carlucci 10
wesley (wcraft) 8
Trương Hữu Phúc (truonghuuphuc) 8
Peter Thaleikis 7
Rafie Muhammad 7
theviper17y 5
tahu.datar 5
UKO 5
vgo0 5
Hakiduck 5
ardias 4
Le Ngoc Anh 4
ghsinfosec 4
zer0gh0st 3
Bonds 3
Webbernaut 3
LVT-tholv2k 3
David Gallagher (BatFeats) 2
Michael 2
Ankit Patel 2
Joshua Chan 2
Gab 2
Robert DeVore 2
Aitor F (kr0no) 1
incognito 1
Hazem Brini 1
Sc1duck 1
akas wisnu aji 1
Dominik Dziura (Domons) 1
C_T_R_L 1
Tieu Pham Trong Nhan 1
paulmockford 1
Noah Stead (TurtleBurg) 1
Krzysztof Zając 1
Ivan Kuzymchak 1
Dimas Maulana 1
Ananda Dhakal 1
Jonas Benjamin Friedli 1
Marek Mikita 1
Thanayut Maktheppongt 1
Sean Murphy 1
Fariq Fadillah Gusti Insani (fariqfgi) 1
villu164 1
theop 1
Ryan Kozak 1
Brian Sans-Souci (liardom) 1
sav4n 1
Phill Sav (Savphill) 1
Felipe Alcantara 1
Hwang Se-yeon 1
Nishiv 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
1-Click Login: Passwordless Authentication swoop-password-free-authentication
10Web Social Post Feed wd-facebook-feed
3D Work In Progress renee-work-in-progress
Accept Stripe Donation and Payments – AidWP wp-stripe-donation
ACL Floating Cart for WooCommerce acl-floating-cart-for-woocommerce
Acnoo Flutter API acnoo-flutter-api
aDirectory – Directory Listing WordPress Plugin adirectory
Ads.txt & App-ads.txt Manager for WordPress app-ads-txt
Advanced Online Ordering and Delivery Platform advanced-online-ordering-and-delivery-platform
Advanced Sermons advanced-sermons
Affiliate Platform smdp-affiliate-platform
AffiliateX – Affiliate Blocks for WordPress, Amazon, eBay, AliExpress Affiliates affiliatex
Agile Video Player Lite agile-video-player
AI Image Generator for Your Content & Featured Images – AI Postpix ai-postpix
Ajar in5 Embed ajar-productions-in5-embed
All-in-One WP Migration and Backup all-in-one-wp-migration
Amilia Store amilia-store
AMP for WP – Accelerated Mobile Pages accelerated-mobile-pages
Anchor Episodes Index (Spotify for Podcasters) anchor-episodes-index
App Builder – Create Native Android & iOS Apps On The Flight app-builder
AR For WordPress ar-for-wordpress
Astra Widgets astra-widgets
Auto Login using a secure tokenized url. Role wise login restriction. token-login
Automatic Translation automatic-translation
Awesome buttons wp-awesome-buttons
Backup and Staging by WP Time Capsule wp-time-capsule
Bamazoo – Button Generator bamazoo-button-generator
Banner Slider banner-slider
Beaver Builder – WordPress Page Builder beaver-builder-lite-version
Beek Widget Extention beek-widget-extention
Bet WC 2018 Russia bet-wc-2018-russia
Bold Page Builder bold-page-builder
Booking Plugin for Your WordPress Appointments – Time Slot timeslot
BP Member Type Manager bp-member-type-manager
Breeze – WordPress Cache Plugin breeze
Bstone Demo Importer bstone-demo-importer
BuddyPress buddypress
BuddyPress Greeting Message bp-greeting-message
Call / Contact Button button-contact-vr
Campus Explorer Widget campus-explorer-widget
Category and Taxonomy Image wp-custom-taxonomy-image
Category and Taxonomy Meta Fields wp-custom-taxonomy-meta
chatplusjp chatplusjp
Church Admin church-admin
Clever Addons for Elementor cafe-lite
Client Power Tools Portal client-power-tools
Code Generate code-generator
CodePen Embedded Pens Shortcode codepen-embedded-pen-shortcode
Comments – wpDiscuz wpdiscuz
Compact WP Audio Player compact-wp-audio-player
Conditional Fields for Contact Form 7 cf7-conditional-fields
Contact Form 7 + Telegram cf7-telegram
Contact Form 7 – Repeatable Fields cf7-repeatable-fields
Coub coub
Cozy Blocks – Page Builder for Gutenberg & Site Editor, Post Blocks, WooCommerce Blocks, Magazine Blocks, WordPress Gutenberg Blocks, Patterns and Templates Library cozy-addons
Custom Icons for Elementor custom-icons-for-elementor
Custom Twitter Feeds – A Tweets Widget or X Feed Widget custom-twitter-feeds
CWD 3D Image Gallery cwd-3d-image-gallery
DarkMySite – Advanced Dark Mode Plugin for WordPress darkmysite
Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer 3d-flipbook-dflip-lite
DocumentPress documentpress-display-any-document-on-your-site
Download Monitor download-monitor
Download Plugin download-plugin
Editor Custom Color Palette editor-custom-color-palette
Editorial Assistant by Sovrn zemanta
EKC Tournament Manager ekc-tournament-manager
ElementsKit Elementor addons elementskit-lite
EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor embedpress
Envo’s Elementor Templates & Widgets for WooCommerce envo-elementor-for-woocommerce
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin mage-eventpress
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
Exam Matrix exam-matrix
Extensions by HocWP Team sb-core
Extra Privacy for Elementor extra-privacy-for-elementor
Extra Product Options Builder for WooCommerce additional-product-fields-for-woocommerce
File Upload Types by WPForms file-upload-types
Firelight Lightbox easy-fancybox
FormFacade – WordPress plugin for Google Forms formfacade
Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator
Forms for Mailchimp by Optin Cat – Grow Your MailChimp List mailchimp-wp
Futurio Extra futurio-extra
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory geodirectory
Google Docs RSVP, WordPress Plugin google-docs-rsvp-guestlist
Great Restaurant Menu WP best-restaurant-menu-by-pricelisto
Greenshift – animation and page builder blocks greenshift-animation-and-page-builder-blocks
GRÜN spendino Spendenformular – Mehr Spenden! Weniger Arbeit! spendino
HD Quiz – Save Results Light hd-quiz-save-results-light
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce hurrytimer
ID-SK Toolkit idsk-toolkit
Image Map Pro – Drag-and-drop Builder for Interactive Images image-map-pro
Import and export users and customers import-users-from-csv-with-meta
INK Official ink-official
Interactive World Map interactive-world-map
Kata Plus – Addons for Elementor – Widgets, Extensions and Templates kata-plus
Kodex Posts likes kodex-posts-likes
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages landing-page-cat
LaTeX2HTML latex2html
League of Legends Shortcodes league-of-legends-shortcodes
leenk.me leenkme
Local Business Addons For Elementor (Formally Waze Map) map-addons-for-elementor-waze-map
MaanStore API maanstore-api
Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid magazine-blocks
Mapster WP Maps mapster-wp-maps
Marketing Automation by AZEXO marketing-automation-by-azexo
MDTF – Meta Data and Taxonomies Filter wp-meta-data-filter-and-taxonomy-filter
Meetup meetup
Mega Elements – Addons for Elementor mega-elements-addons-for-elementor
Monitor.chat – Monitor WordPress with Instant Messages monitor-chat
Monkee-Boy Essentials monkee-boy-wp-essentials
Multi Purpose Mail Form multi-purpose-mail-form
Multi Step Form multi-step-form
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution dc-woocommerce-multi-vendor
My Wp Brand – Hide menu & Hide Plugin my-wp-brand
myCred Elementor mycred-for-elementor
Namaste! LMS namaste-lms
News Kit Elementor Addons news-kit-elementor-addons
Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates the-plus-addons-for-block-editor
Order Notification for Telegram order-notification-for-telegram
PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder
PDF Invoices & Packing Slips for WooCommerce woocommerce-pdf-invoices-packing-slips
PegaPoll pegapoll
Photo Gallery, Images, Slider in Rbs Image Gallery robo-gallery
Plugin Name: iBryl Switch User ibryl-switch-user
Plugin Propagator wp-propagator
Poll Maker – Versus Polls, Anonymous Polls, Image Polls poll-maker
Portfolleo portfolleo
Post Grid and Gutenberg Blocks post-grid
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX ultimate-post
Premium SEO Pack – WP SEO Plugin premium-seo-pack
PriPre pripre
Product Filter by WBW woo-product-filter
ProfilePress Pro profilepress-pro
Qi Addons For Elementor qi-addons-for-elementor
Qi Blocks qi-blocks
Qode Essential Addons qode-essential-addons
Raptor Editor wp-raptor
Realty Workstation realty-workstation
Risk Warning Bar risk-warning-bar
Rover IDX rover-idx
Royal Elementor Addons and Templates royal-elementor-addons
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging wp-rss-aggregator
RSVP ME rsvp-me
Schema & Structured Data for WP & AMP schema-and-structured-data-for-wp
School Management System – WPSchoolPress wpschoolpress
Scrollbar by webxapp – Best vertical/horizontal scrollbars plugin scrollbar-by-webxapp
Selection Lite selection-lite
SEOPress – On-site SEO wp-seopress
Shoutcast Icecast HTML5 Radio Player shoutcast-icecast-html5-radio-player
Signup Page signup-page
Simple Custom Admin simple-custom-admin
Simple Load More simple-load-more
Simple Membership simple-membership
Simple News simple-news
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs) sky-elementor-addons
Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder stacks-mobile-app-builder
Sudan Payment Gateway for WooCommerce wc-sudan-payment-gateway
Sunshine Photo Cart: Free Client Photo Galleries for Photographers sunshine-photo-cart
Survey Maker survey-maker
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity surveyjs
SVG Captcha svg-captcha
Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud! templately
TeploBot – Telegram Bot for WP green-wp-telegram-bot-by-teplitsa
Terms descriptions terms-descriptions
Textboxes textboxes
The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library) the-pack-addon
Themes4WP YouTube External Subtitles themes4wp-youtube-external-subtitles
Tida URL Screenshot tida-url-screenshot
Todo Custom Field todo-custom-field
Transients Manager transients-manager
Trip Plan tripplan
uCAT – Next Story ucat-next-story
Uix Shortcodes – Compatible with Gutenberg uix-shortcodes
User Toolkit user-toolkit
Verbalize WP verbalize-wp
WatchTowerHQ watchtowerhq
Web Bricks Addons for Elementor: Elite-Designed Elementor & eCommerce Widgets webbricks-addons
Whitelist fifthsegment-whitelist
WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced) – Smart Manager smart-manager-for-wp-e-commerce
Woocommerce Custom Profile Picture woo-custom-profile-picture
WooCommerce Maintenance Mode (Free) woocommerce-maintenance-mode
WooCommerce Order Proposal wooCommerce-order-proposal
Woocommerce Product Design woo-product-design
Woocommerce Quote Calculator woo-quote-calculator-order
WooCommerce UPS Shipping – Live Rates and Access Points flexible-shipping-ups
WordPress eCommerce – ScottCart scottcart
WordPress Post Grid Layouts with Pagination – Sogrid sogrid
WP Abstracts wp-abstracts-manuscripts-manager
WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer adminify
WP Awesome Login wp-awesome-login
WP Booking System – Booking Calendar wp-booking-system
WP Crowdfunding wp-crowdfunding
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting erp
WP Flow Plus wp-imageflow2
WP Query Console wp-query-console
WP Recipe Maker wp-recipe-maker
WP Sessions Time Monitoring Full Automatic activitytime
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
WP show more wp-show-more
Wp Social Login and Register Social Counter wp-social
WP VR – 360 Panorama and Virtual Tour Builder For WordPress wpvr
WP-Members Membership Plugin wp-members
WPC Shop as a Customer for WooCommerce wpc-shop-as-customer
WPKoi Templates for Elementor wpkoi-templates-for-elementor
WPS Telegram Chat wps-telegram-chat
Wux Blog Editor wux-blog-editor
YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Clean Retina clean-retina
Js Paper js-paper
Mags mags
Meta News meta-news
NewsCard newscard
Nioland – SaaS & Software Startup Tech WordPress Theme nioland

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.

1-Click Login: Passwordless Authentication 1.4.5 – Authentication Bypass via Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50478
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: 1-Click Login: Passwordless Authentication
Researcher: stealthcopter

Acnoo Flutter API <= 1.0.5 – Authentication Bypass via Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50486
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Acnoo Flutter API
Researcher: stealthcopter

aDirectory <= 1.3 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50420
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: aDirectory – Directory Listing WordPress Plugin
Researcher: stealthcopter

Advanced Online Ordering and Delivery Platform <= 2.0.0 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50497
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Advanced Online Ordering and Delivery Platform
Researcher: stealthcopter

Ajar in5 Embed <= 3.1.3 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50473
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Ajar in5 Embed
Researcher: C_T_R_L

AR For WordPress <= 6.2 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50496
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: AR For WordPress
Researcher: João Pedro Soares de Alcântara

Automatic Translation <= 1.0.4 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50493
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Automatic Translation
Researcher: stealthcopter

Clean Retina <= 3.0.6 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50436
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Clean Retina
Researcher: tahu.datar

Comments – wpDiscuz <= 7.6.24 – Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9488
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Comments – wpDiscuz
Researcher: wesley (wcraft)

Exam Matrix <= 1.5 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50485
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Exam Matrix
Researcher: ghsinfosec

Extensions by HocWP Team <= 0.2.3.2 – Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9930
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Extensions by HocWP Team
Researcher: István Márton

GRÜN spendino Spendenformular <= 1.0.1 – Unauthenticated Arbitrary Options Update
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50476
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: GRÜN spendino Spendenformular – Mehr Spenden! Weniger Arbeit!
Researcher: Mika

MaanStore API <= 1.0.1 – Authentication Bypass via Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50487
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: MaanStore API
Researcher: stealthcopter

Mags <= 1.1.6 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49701
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Mags
Researcher: tahu.datar

Meetup <= 0.1 – Authentication Bypass via Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50483
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Meetup
Researcher: Bonds

Meta News <= 1.1.7 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50435
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Meta News
Researcher: tahu.datar

Multi Purpose Mail Form <= 1.0.2 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50484
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Multi Purpose Mail Form
Researcher: Bonds

NewsCard <= 1.3 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50434
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: NewsCard
Researcher: tahu.datar

PegaPoll <= 1.0.2 – Unauthenticated Arbitrary Options Update
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50490
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: PegaPoll
Researcher: Mika

Plugin Propagator <= 0.1 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50495
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Plugin Propagator
Researcher: stealthcopter

Portfolleo <= 1.2 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49653
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Portfolleo
Researcher: stealthcopter

Realty Workstation <= 1.0.45 – Authentication Bypass to Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50489
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Realty Workstation
Researcher: ghsinfosec

ScottCart <= 1.1 – Unauthenticated Remote Code Execution
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50492
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: WordPress eCommerce – ScottCart
Researcher: Mika

Signup Page <= 1.0 – Unauthenticated Arbitrary Options Update
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50475
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Signup Page
Researcher: Mika

Stacks Mobile App Builder <= 5.2.3 – Authentication Bypass via Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50477
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder
Researcher: stealthcopter

Sudan Payment Gateway for WooCommerce <= 1.2.2 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50494
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Sudan Payment Gateway for WooCommerce
Researcher: stealthcopter

Verbalize WP <= 1.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49668
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Verbalize WP
Researcher: stealthcopter

WatchTowerHQ <= 3.10.1 – Authentication Bypass to Administrator due to Missing Empty Value Check
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9933
Patch Status: Patched
Published: Oct 25, 2024
Affected Software: WatchTowerHQ
Researcher: István Márton

Woocommerce Custom Profile Picture <= 1.0 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-49658
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Woocommerce Custom Profile Picture
Researcher: stealthcopter

Woocommerce Product Design <= 1.0.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50482
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Woocommerce Product Design
Researcher: Bonds

WP Query Console <= 1.0 – Unauthenticated Remote Code Execution
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-50498
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: WP Query Console
Researcher: stealthcopter

Wp Social Login and Register Social Counter <= 3.0.7 – Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9501
Patch Status: Patched
Published: Oct 25, 2024
Affected Software: Wp Social Login and Register Social Counter
Researcher: wesley (wcraft)

Wux Blog Editor <= 3.0.0 – Authentication Bypass to Administrator
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9931
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Wux Blog Editor
Researcher: István Márton

Wux Blog Editor <= 3.0.0 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-9932
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Wux Blog Editor
Researcher: István Márton

3D Work In Progress <= 1.0.3 – Authenticated (Subscriber+) Arbitrary File Deletion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49657
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: 3D Work In Progress
Researcher: stealthcopter

3D Work In Progress <= 1.0.3 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49652
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: 3D Work In Progress
Researcher: stealthcopter

AI Image Generator for Your Content & Featured Images – AI Postpix <= 1.1.8 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49671
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: AI Image Generator for Your Content & Featured Images – AI Postpix
Researcher: theviper17y

AMP for WP – Accelerated Mobile Pages <= 1.0.99.1 – Cross-Site Request Forgery to Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-9598
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: AMP for WP – Accelerated Mobile Pages
Researcher: David Gallagher (BatFeats)

Bstone Demo Importer <= 1.0.1 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-50481
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Bstone Demo Importer
Researcher: stealthcopter

EKC Tournament Manager <= 2.2.1 – Cross-Site Request Forgery to Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49674
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: EKC Tournament Manager
Researcher: Joshua Chan

iBryl Switch User <= 1.0.1 – Authenticated (Subscriber+) Privilege Escalation via Account Takeover
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49675
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Plugin Name: iBryl Switch User
Researcher: stealthcopter

INK Official <= 4.1.2 – Authenticated (Contributor+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49669
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: INK Official
Researcher: ghsinfosec

Mapster WP Maps <= 1.5.0 – Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-9235
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Mapster WP Maps
Researcher: Sean Murphy

Marketing Automation by AZEXO <= 1.27.80 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-50480
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Marketing Automation by AZEXO
Researcher: stealthcopter

Namaste! LMS <= 2.6.3 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-50408
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Namaste! LMS
Researcher: Mika

Qi Blocks <= 1.3.2 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-49690
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Qi Blocks
Researcher: João Pedro Soares de Alcântara

Qode Essential Addons <= 1.6.3 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-50457
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Qode Essential Addons
Researcher: João Pedro Soares de Alcântara

Rover IDX <= 3.0.0.2905 – Authenticated (Subscriber+) Authentication Bypass to Administrator
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-10002
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Rover IDX
Researcher: István Márton

School Management System – WPSchoolPress <= 2.2.10 – Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-9637
Patch Status: Patched
Published: Oct 25, 2024
Affected Software: School Management System – WPSchoolPress
Researcher: wesley (wcraft)

SurveyJS: Drag & Drop WordPress Form Builder <= 1.9.136 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-50427
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity
Researcher: stealthcopter

The Pack Elementor addons <= 2.0.9 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-50453
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: The Pack Elementor addons (Header Footer & WooCommerce Builder, Template Library)
Researcher: João Pedro Soares de Alcântara

Token Login <= 1.0.3 – Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-50488
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Auto Login using a secure tokenized url. Role wise login restriction.
Researcher: stealthcopter

User Toolkit <= 1.2.3 – Authenticated (Subscriber+) Authentication Bypass
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-9890
Patch Status: Patched
Published: Oct 25, 2024
Affected Software: User Toolkit
Researcher: István Márton

WPC Shop as a Customer for WooCommerce <= 1.2.6 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-50416
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: WPC Shop as a Customer for WooCommerce
Researcher: LVT-tholv2k

TeploBot – Telegram Bot for WP <= 1.3 – Telegram Bot Token Disclosure
CVSS Rating: High (8.6)
CVE-ID: CVE-2024-9627
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: TeploBot – Telegram Bot for WP
Researcher: István Márton

App Builder – Create Native Android & iOS Apps On The Flight <= 5.3.7 – Privilege Escalation and Account Takeover via Weak OTP
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-9302
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: App Builder – Create Native Android & iOS Apps On The Flight
Researcher: wesley (wcraft)

BuddyPress <= 14.1.0 – Authenticated (Subscriber+) Directory Traversal
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-10011
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: BuddyPress
Researcher: Dominik Dziura (Domons)

ProfilePress – Pro <= 4.11.1 – Authentication Bypass

8.1

CVSS Rating
High (8.1)
CVE-ID
CVE-2024-9947
Patch Status
Patched
Published
Oct 22, 2024

Affected Software
ProfilePress Pro
Researcher

wesley (wcraft)

Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 – Missing Authorization to Authenticated (Contributor+) Form Update and Creation

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2024-10402
Patch Status
Patched
Published
Oct 25, 2024

Affected Software
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher

wesley (wcraft)

RSVP ME <= 1.9.9 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2024-50491
Patch Status
Unpatched
Published
Oct 25, 2024

Affected Software
RSVP ME
Researcher

LVT-tholv2k

Woocommerce Quote Calculator <= 1.1 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2024-50479
Patch Status
Unpatched
Published
Oct 25, 2024

Affected Software
Woocommerce Quote Calculator
Researcher

LVT-tholv2k

WP Sessions Time Monitoring Full Automatic <= 1.0.9 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2024-49681
Patch Status
Patched
Published
Oct 21, 2024

Affected Software
WP Sessions Time Monitoring Full Automatic
Researcher

stealthcopter

Uix Shortcodes – Compatible with Gutenberg <= 1.9.9 – Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)
CVE-ID
CVE-2024-9772
Patch Status
Unpatched
Published
Oct 25, 2024

Affected Software
Uix Shortcodes – Compatible with Gutenberg
Researcher

Francesco Carlucci

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3.4 – Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)
CVE-ID
CVE-2024-50450
Patch Status
Patched
Published
Oct 24, 2024

Affected Software
MDTF – Meta Data and Taxonomies Filter
Researcher

Dimas Maulana

All-in-One WP Migration and Backup <= 7.86 – Authenticated (Administrator+) Arbitrary PHP Code Injection

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-9162
Patch Status
Patched
Published
Oct 27, 2024

Affected Software
All-in-One WP Migration and Backup
Researcher

Ryan Kozak

Backup and Staging by WP Time Capsule <= 1.22.21 – Authenticated (Administrator+) PHP Object Injection

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-49684
Patch Status
Patched
Published
Oct 21, 2024

Affected Software
Backup and Staging by WP Time Capsule
Researcher

Hakiduck

Custom Icons for Elementor <= 0.3.3 – Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-49676
Patch Status
Patched
Published
Oct 21, 2024

Affected Software
Custom Icons for Elementor
Researcher

tahu.datar

WooCommerce Order Proposal <= 2.0.5 – Authenticated (Shop Manager+) Privilege Escalation via Order Proposal

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-9927
Patch Status
Patched
Published
Oct 22, 2024

Affected Software
WooCommerce Order Proposal
Researcher

theop

WordPress Post Grid Layouts with Pagination – Sogrid <= 1.5.6 – Authenticated (Admin+) Local File Inclusion

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2024-8392
Patch Status
Patched
Published
Oct 25, 2024

Affected Software
WordPress Post Grid Layouts with Pagination – Sogrid
Researcher

paulmockford

Download Plugin <= 2.2.0 – Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-9829 | Patch Status: Patched | Published: Oct 22, 2024
Affected Software: Download Plugin
Researchers: stealthcopter, Brian Sans-Souci (liardom)

League of Legends Shortcodes <= 1.0.1 – Authenticated (Contributor+) SQL Injection via Shortcode
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-10341 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: League of Legends Shortcodes
Researcher: István Márton

Premium SEO Pack <= 1.6.001 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-50465 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Premium SEO Pack – WP SEO Plugin
Researcher: Hakiduck

WP Recipe Maker <= 9.6.1 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘tooltip’
CVSS Rating: Medium (6.5) | CVE-ID: CVE-2024-9650 | Patch Status: Patched | Published: Oct 23, 2024
Affected Software: WP Recipe Maker
Researcher: Webbernaut

Advanced Sermons <= 3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50458 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Advanced Sermons
Researcher: SOPROBRO

AffiliateX <= 1.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49692 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: AffiliateX – Affiliate Blocks for WordPress, Amazon, eBay, AliExpress Affiliates
Researcher: João Pedro Soares de Alcântara

Amilia Store <= 2.9.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50472 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Amilia Store
Researcher: SOPROBRO

Anchor Episodes Index (Spotify for Podcasters) <= 2.1.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via anchor_episodes Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10189 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: Anchor Episodes Index (Spotify for Podcasters)
Researcher: Peter Thaleikis

Astra Widgets <= 1.2.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50439 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Astra Widgets
Researcher: João Pedro Soares de Alcântara

Awesome buttons <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via btn2 Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10148 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Awesome buttons
Researcher: Francesco Carlucci

Bamazoo – Button Generator <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via dgs Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10150 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Bamazoo – Button Generator
Researcher: Francesco Carlucci

Beaver Builder <= 2.8.3.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50430 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Beaver Builder – WordPress Page Builder
Researcher: João Pedro Soares de Alcântara

Beek Widget Extention <= 0.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10343 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Beek Widget Extention
Researcher: István Márton

CodePen Embedded Pens Shortcode <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50440 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: CodePen Embedded Pens Shortcode
Researcher: theviper17y

Compact WP Audio Player <= 1.9.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10176 | Patch Status: Patched | Published: Oct 23, 2024
Affected Software: Compact WP Audio Player
Researcher: theviper17y

Contact Form 7 – Repeatable Fields <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via field_group Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10180 | Patch Status: Patched | Published: Oct 23, 2024
Affected Software: Contact Form 7 – Repeatable Fields
Researcher: Peter Thaleikis

Coub <= 1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49659 | Patch Status: Unpatched | Published: Oct 21, 2024
Affected Software: Coub
Researcher: SOPROBRO

Cozy Blocks <= 2.0.15 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50441 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Cozy Blocks – Page Builder for Gutenberg & Site Editor, Post Blocks, WooCommerce Blocks, Magazine Blocks, WordPress Gutenberg Blocks, Patterns and Templates Library
Researcher: João Pedro Soares de Alcântara

Cozy Blocks <= 2.0.18 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50502 | Patch Status: Patched | Published: Oct 25, 2024
Affected Software: Cozy Blocks – Page Builder for Gutenberg & Site Editor, Post Blocks, WooCommerce Blocks, Magazine Blocks, WordPress Gutenberg Blocks, Patterns and Templates Library
Researcher: Michael

Editor Custom Color Palette <= 3.3.8 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9642 | Patch Status: Unpatched | Published: Oct 25, 2024
Affected Software: Editor Custom Color Palette
Researcher: Francesco Carlucci

ElementsKit Elementor addons <= 3.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10091 | Patch Status: Patched | Published: Oct 25, 2024
Affected Software: ElementsKit Elementor addons
Researcher: zer0gh0st

EmbedPress <= 4.0.14 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50461 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor
Researcher: Thanayut Maktheppongt

Envo’s Elementor Templates & Widgets for WooCommerce <= 1.4.19 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50447 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Envo’s Elementor Templates & Widgets for WooCommerce
Researcher: João Pedro Soares de Alcântara

Event Manager for WooCommerce <= 4.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49703 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Researcher: João Pedro Soares de Alcântara

File Upload Types by WPForms <= 1.4.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10016 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: File Upload Types by WPForms
Researcher: Francesco Carlucci

Firelight Lightbox <= 2.3.3 – Authenticated (Author+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50460 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Firelight Lightbox
Researcher: Robert DeVore

Futurio Extra <= 2.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50446 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Futurio Extra
Researcher: João Pedro Soares de Alcântara

GeoDirectory <= 2.3.80 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50437 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: GeoDirectory – WP Business Directory Plugin and Classified Listings Directory
Researcher: João Pedro Soares de Alcântara

ID-SK Toolkit <= 1.7.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9853 | Patch Status: Unpatched | Published: Oct 25, 2024
Affected Software: ID-SK Toolkit
Researcher: Francesco Carlucci

Image Map Pro <= 6.0.20 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9585 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Image Map Pro – Drag-and-drop Builder for Interactive Images
Researcher: István Márton

Interactive World Map <= 3.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50462 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Interactive World Map
Researcher: Sc1duck

Kata Plus <= 1.4.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50501 | Patch Status: Patched | Published: Oct 25, 2024
Affected Software: Kata Plus – Addons for Elementor – Widgets, Extensions and Templates
Researcher: Michael

Kodex Posts likes <= 2.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50464 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Kodex Posts likes
Researcher: theviper17y

League of Legends Shortcodes <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10342 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: League of Legends Shortcodes
Researcher: István Márton

Local Business Addons For Elementor <= 1.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49667 | Patch Status: Unpatched | Published: Oct 21, 2024
Affected Software: Local Business Addons For Elementor (Formally Waze Map)
Researcher: Gab

Magazine Blocks <= 1.3.15 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50429 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Researcher: João Pedro Soares de Alcântara

Mega Elements <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49693 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: Mega Elements – Addons for Elementor
Researcher: João Pedro Soares de Alcântara

Monkee-Boy Essentials <= 1.1 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9116 | Patch Status: Unpatched | Published: Oct 25, 2024
Affected Software: Monkee-Boy Essentials
Researcher: Francesco Carlucci

myCred Elementor <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49702 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: myCred Elementor
Researcher: João Pedro Soares de Alcântara

Namaste! LMS <= 2.6.2 – Authenticated (Student+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50409 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Namaste! LMS
Researcher: Hakiduck

Namaste! LMS <= 2.6.4 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50410 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Namaste! LMS
Researcher: Hazem Brini

Nexter Blocks <= 3.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50452 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
Researcher: João Pedro Soares de Alcântara

PDF Generator Addon for Elementor Page Builder <= 1.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50449 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: PDF Generator Addon for Elementor Page Builder
Researcher: João Pedro Soares de Alcântara

Post Grid and Gutenberg Blocks <= 2.2.93 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50432 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Post Grid and Gutenberg Blocks
Researcher: João Pedro Soares de Alcântara

PostX <= 4.1.12 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50443 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX
Researcher: Hwang Se-yeon

PriPre <= 0.4.11 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9454 | Patch Status: Unpatched | Published: Oct 25, 2024
Affected Software: PriPre
Researcher: Francesco Carlucci

Raptor Editor <= 1.0.20 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50468 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Raptor Editor
Researcher: SOPROBRO

Robo Gallery <= 3.2.21 – Authenticated (Author+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49696 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: Photo Gallery, Images, Slider in Rbs Image Gallery
Researcher: Robert DeVore

Scrollbar by webxapp – Best vertical/horizontal scrollbars plugin <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50467 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Scrollbar by webxapp – Best vertical/horizontal scrollbars plugin
Researcher: SOPROBRO

Selection Lite <= 1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50445 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Selection Lite
Researcher: João Pedro Soares de Alcântara

Shoutcast Icecast HTML5 Radio Player <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-8666 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Shoutcast Icecast HTML5 Radio Player
Researcher: Krzysztof Zając

Simple News <= 2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10112 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Simple News
Researcher: Peter Thaleikis

Sky Addons for Elementor <= 2.5.15 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50433 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs)
Researcher: João Pedro Soares de Alcântara

Textboxes <= 0.1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50469 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Textboxes
Researcher: SOPROBRO

Themes4WP YouTube External Subtitles <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50470 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Themes4WP YouTube External Subtitles
Researcher: SOPROBRO

Time Slot <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50418 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Booking Plugin for Your WordPress Appointments – Time Slot
Researcher: SOPROBRO

Trip Plan <= 1.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50471 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: Trip Plan
Researcher: SOPROBRO

Web Bricks Addons for Elementor <= 1.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49665 | Patch Status: Unpatched | Published: Oct 21, 2024
Affected Software: Web Bricks Addons for Elementor: Elite-Designed Elementor & eCommerce Widgets
Researcher: Gab

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-50451 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: MDTF – Meta Data and Taxonomies Filter
Researcher: SOPROBRO

WP Adminify – Best WordPress Custom Dashboard Plugin <= 4.0.1.6 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-8959 | Patch Status: Patched | Published: Oct 23, 2024
Affected Software: WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer
Researcher: Francesco Carlucci

WP Awesome Login <= 0.4.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9456 | Patch Status: Unpatched | Published: Oct 25, 2024
Affected Software: WP Awesome Login
Researcher: Francesco Carlucci

WP Crowdfunding <= 2.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via wpcf_donate Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10117 | Patch Status: Patched | Published: Oct 25, 2024
Affected Software: WP Crowdfunding
Researcher: Peter Thaleikis

WP Flow Plus <= 5.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49695 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: WP Flow Plus
Researcher: theviper17y

WP show more <= 1.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via show_more Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-9967 | Patch Status: Unpatched | Published: Oct 25, 2024
Affected Software: WP show more
Researcher: Peter Thaleikis

WP-Members <= 3.4.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via wpmem_loginout Shortcode
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-10374 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: WP-Members Membership Plugin
Researcher: Peter Thaleikis

WPKoi Templates for Elementor <= 3.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4) | CVE-ID: CVE-2024-49679 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: WPKoi Templates for Elementor
Researcher: ghsinfosec

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 – Cross-Site Request Forgery to Vendor Updates
CVSS Rating: Medium (6.3) | CVE-ID: CVE-2024-9943 | Patch Status: Patched | Published: Oct 23, 2024
Affected Software: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Researcher: wesley (wcraft)

Rover IDX <= 3.0.0.2903 – Authenticated (Subscriber+) Missing Authorization via Multiple Functions
CVSS Rating: Medium (6.3) | CVE-ID: CVE-2024-10003 | Patch Status: Patched | Published: Oct 21, 2024
Affected Software: Rover IDX
Researcher: István Márton

Templately <= 3.1.5 – Missing Authorization via AJAX actions
CVSS Rating: Medium (6.3) | CVE-ID: CVE-2024-50424 | Patch Status: Patched | Published: Oct 24, 2024
Affected Software: Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud!
Researcher: Rafie Muhammad

WPS Telegram Chat <= 4.6.0 – Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API
CVSS Rating: Medium (6.3) | CVE-ID: CVE-2024-9628 | Patch Status: Unpatched | Published: Oct 24, 2024
Affected Software: WPS Telegram Chat
Researcher: István Márton

10Web Social Post Feed <= 1.2.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-9607
Patch Status
Unpatched
Published
Oct 24, 2024

Affected Software
10Web Social Post Feed
Researcher

vgo0

ACL Floating Cart for WooCommerce <= 0.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49640
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
ACL Floating Cart for WooCommerce
Researcher

Mika

Affiliate Platform <= 1.4.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49645
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Affiliate Platform
Researcher

Mika

Agile Video Player Lite <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49636
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Agile Video Player Lite
Researcher

João Pedro Soares de Alcântara

Banner Slider <= 2.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49635
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Banner Slider
Researcher

João Pedro Soares de Alcântara

Bet WC 2018 Russia <= 2.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49637
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Bet WC 2018 Russia
Researcher

Le Ngoc Anh

BP Member Type Manager <= 1.01 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49634
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
BP Member Type Manager
Researcher

João Pedro Soares de Alcântara

BuddyPress Greeting Message <= 1.0.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49650
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
BuddyPress Greeting Message
Researcher

Mika

Campus Explorer Widget <= 1.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49660
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Campus Explorer Widget
Researcher

Mika

chatplusjp <= 1.02 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49664
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
chatplusjp
Researcher

Mika

Church Admin < 5.0.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-50438
Patch Status
Patched
Published
Oct 24, 2024

Affected Software
Church Admin
Researcher

Le Ngoc Anh

Client Power Tools Portal <= 1.9.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49670
Patch Status
Patched
Published
Oct 21, 2024

Affected Software
Client Power Tools Portal
Researcher

SOPROBRO

Code Generate <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49646
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Code Generate
Researcher

Mika

CWD 3D Image Gallery <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49632
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
CWD 3D Image Gallery
Researcher

João Pedro Soares de Alcântara

DocumentPress <= 2.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49656
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
DocumentPress
Researcher

Mika

EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 – Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-9864
Patch Status
Patched
Published
Oct 23, 2024

Affected Software
EventPrime – Events Calendar, Bookings and Tickets
Researcher

zer0gh0st

EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 – Unauthenticated Stored Cross-Site Scripting via Transaction Log

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-9865
Patch Status
Patched
Published
Oct 23, 2024

Affected Software
EventPrime – Events Calendar, Bookings and Tickets
Researcher

zer0gh0st

Extra Privacy for Elementor <= 0.1.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49654
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Extra Privacy for Elementor
Researcher

Mika

Extra Product Options Builder for WooCommerce <= 1.2.133 – Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-9214
Patch Status
Patched
Published
Oct 23, 2024

Affected Software
Extra Product Options Builder for WooCommerce
Researcher

Aitor F (kr0no)

FormFacade – WordPress plugin for Google Forms <= 1.3.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-9613
Patch Status
Unpatched
Published
Oct 25, 2024

Affected Software
FormFacade – WordPress plugin for Google Forms
Researcher

vgo0

Forms for Mailchimp by Optin Cat – Grow Your MailChimp List <= 2.5.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8870
Patch Status
Unpatched
Published
Oct 25, 2024

Affected Software
Forms for Mailchimp by Optin Cat – Grow Your MailChimp List
Researcher

vgo0

Google Docs RSVP <= 2.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49672
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Google Docs RSVP, WordPress Plugin
Researcher

SOPROBRO

Js paper <= 2.5.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49678
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Js Paper
Researcher

akas wisnu aji

LaTeX2HTML <= 2.5.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49673
Patch Status
Patched
Published
Oct 21, 2024

Affected Software
LaTeX2HTML
Researcher

ardias

leenk.me <= 2.16.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49661
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
leenk.me
Researcher

João Pedro Soares de Alcântara

Monitor.chat <= 1.1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49639
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Monitor.chat – Monitor WordPress with Instant Messages
Researcher

Mika

Namaste! LMS <= 2.6.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-50407
Patch Status
Patched
Published
Oct 24, 2024

Affected Software
Namaste! LMS
Researcher

Hakiduck

Nioland <= 1.2.6 – Reflected Cross-Site Scripting via s

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-10250
Patch Status
Patched
Published
Oct 22, 2024

Affected Software
Nioland – SaaS & Software Startup Tech WordPress Theme
Researcher

sav4n

PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – DearFlip <= 2.3.32 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-8717
Patch Status
Patched
Published
Oct 23, 2024

Affected Software
Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer
Researcher

Noah Stead (TurtleBurg)

Risk Warning Bar <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49638
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Risk Warning Bar
Researcher

Mika

Simple Custom Admin <= 1.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49647
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Simple Custom Admin
Researcher

Mika

Simple Load More <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49662
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
Simple Load More
Researcher

Mika

Simple Membership <= 4.5.3 – Unauthenticated Open Redirect

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49682
Patch Status
Patched
Published
Oct 21, 2024

Affected Software
Simple Membership
Researcher

ardias

Sunshine Photo Cart <= 3.2.9 – Open Redirect

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-50463
Patch Status
Patched
Published
Oct 24, 2024

Affected Software
Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Researcher

ardias

SVG Captcha <= 1.0.11 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-49648
Patch Status
Unpatched
Published
Oct 21, 2024

Affected Software
SVG Captcha
Researcher

Mika

Terms descriptions <= 3.4.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-9374
Patch Status
Patched
Published
Oct 23, 2024

Affected Software
Terms descriptions
Researcher

vgo0

Tida URL Screenshot <= 1.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-49641
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Tida URL Screenshot
Researcher: Mika

Todo Custom Field <= 3.0.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-49642
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Todo Custom Field
Researcher: Mika

uCAT – Next Story <= 2.0.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-49663
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: uCAT – Next Story
Researcher: Mika

Whitelist <= 3.5 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-49643
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Whitelist
Researcher: Mika

WooCommerce Maintenance Mode <= 2.0.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-49651
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: WooCommerce Maintenance Mode (Free)
Researcher: Mika

WP ERP <= 1.13.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-47640
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting
Researcher: Le Ngoc Anh

WP-Members Membership Plugin <= 3.4.9.5 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-9231
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: WP-Members Membership Plugin
Researcher: vgo0

YITH WooCommerce Product Add-Ons <= 4.14.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-50448
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: YITH WooCommerce Product Add-Ons
Researcher: Le Ngoc Anh

Ads.txt & App-ads.txt Manager for WordPress <= 1.1.7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2024-50415
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Ads.txt & App-ads.txt Manager for WordPress
Researcher: UKO

Button contact VR <= 4.7.9.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2024-50414
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Call / Contact Button
Researcher: UKO

Category and Taxonomy Image <= 1.0.0 – Authenticated (Editor+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2024-9591
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Category and Taxonomy Image
Researcher: István Márton

Category and Taxonomy Meta Fields <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2024-9589
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Category and Taxonomy Meta Fields
Researcher: István Márton

Category and Taxonomy Meta Fields <= 1.0.0 – Authenticated (Editor+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2024-9590
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Category and Taxonomy Meta Fields
Researcher: István Márton

Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.4.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via Poll Settings
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2024-9462
Patch Status: Patched
Published: Oct 25, 2024
Affected Software: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Researcher: Jonas Benjamin Friedli

Category and Taxonomy Meta Fields <= 1.0.0 – Cross-Site Request Forgery to Taxonomy Meta Add/Delete
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2024-9588
Patch Status: Unpatched
Published: Oct 21, 2024
Affected Software: Category and Taxonomy Meta Fields
Researcher: István Márton

Contact Form 7 + Telegram <= 0.8.5 – Missing Authorization to Authenticated (Subscriber+) Subscription Approve/Pause/Refuse
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2024-9629
Patch Status: Patched
Published: Oct 27, 2024
Affected Software: Contact Form 7 + Telegram
Researcher: István Márton

Image Map Pro <= 6.0.20 – Missing Authorization to Authenticated (Contributor+) Map Project Add/Update/Delete
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2024-9584
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Image Map Pro – Drag-and-drop Builder for Interactive Images
Researcher: István Márton

Royal Elementor Addons <= 1.3.980 – Authenticated (Author+) External Entity Injection
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2024-50442
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Royal Elementor Addons and Templates
Researcher: wesley (wcraft)

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.2.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2024-8500
Patch Status: Patched
Published: Oct 22, 2024
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
Researcher: Webbernaut

WPS Telegram Chat <= 4.6.0 – Missing Authorization to Information Exposure
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2024-9630
Patch Status: Unpatched
Published: Oct 24, 2024
Affected Software: WPS Telegram Chat
Researcher: István Márton

All-in-One WP Migration and Backup <= 7.86 – Unauthenticated Information Disclosure via Error Logs
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-8852
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: All-in-One WP Migration and Backup
Researcher: villu164

Breeze <= 2.1.14 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-50422
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Breeze – WordPress Cache Plugin
Researcher: Rafie Muhammad

Greenshift – animation and page builder blocks <= 9.7 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-50419
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Greenshift – animation and page builder blocks
Researcher: Trương Hữu Phúc (truonghuuphuc)

Multi Step Form <= 1.7.21 – Missing Authorization via fw_delete_files
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-50428
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Multi Step Form
Researcher: ardias

My Wp Brand – Hide menu & Hide Plugin <= 1.1.2 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-49694
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: My Wp Brand – Hide menu & Hide Plugin
Researcher(s): Unknown

Order Notification for Telegram <= 1.0.1 – Missing Authorization to Unauthenticated Send Telegram Test Message
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-9686
Patch Status: Unpatched
Published: Oct 24, 2024
Affected Software: Order Notification for Telegram
Researcher: István Márton

Schema & Structured Data for WP & AMP <= 1.35 – Unauthenticated Sensitive Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-49683
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Schema & Structured Data for WP & AMP
Researcher: Joshua Chan

SEOPress <= 8.1.1 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-50454
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: SEOPress – On-site SEO
Researcher: Rafie Muhammad

WooCommerce PDF Invoices & Packing Slips <= 3.8.6 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-50421
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: PDF Invoices & Packing Slips for WooCommerce
Researcher: Rafie Muhammad

WordPress Stripe Donation and Payment Plugin <= 3.2.3 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2024-50459
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Accept Stripe Donation and Payments – AidWP
Researcher: Trương Hữu Phúc (truonghuuphuc)

Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.4.6 – Authenticated (Administrator+) SQL Injection via Order_by Parameter
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2024-9475
Patch Status: Patched
Published: Oct 25, 2024
Affected Software: Poll Maker – Versus Polls, Anonymous Polls, Image Polls
Researcher: Ivan Kuzymchak

Product Filter by WBW <= 2.7.0 – Authenticated (Administrator+) SQL Injection
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2024-49691
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Product Filter by WBW
Researcher: Hakiduck

Breeze <= 2.1.14 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2024-50431
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Breeze – WordPress Cache Plugin
Researcher: Felipe Alcantara

Conditional Fields for Contact Form 7 <= 2.4.15 – Authenticated (Editor+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2024-50412
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Conditional Fields for Contact Form 7
Researcher: UKO

Import and export users and customers <= 1.27.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2024-50413
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Import and export users and customers
Researcher: UKO

Survey Maker <= 5.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2024-50426
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Survey Maker
Researcher: Marek Mikita

WP Abstracts <= 2.7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2024-50411
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: WP Abstracts
Researcher: UKO

Best Restaurant Menu by PriceListo <= 1.4.2 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-49698
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Great Restaurant Menu WP
Researcher: Trương Hữu Phúc (truonghuuphuc)

Bold Page Builder <= 5.1.3 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-50417
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: Bold Page Builder
Researcher: Trương Hữu Phúc (truonghuuphuc)

Clever Addons for Elementor <= 2.2.1 – Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-10357
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Clever Addons for Elementor
Researcher: Ankit Patel

Custom Twitter Feeds (Tweets Widget) <= 2.2.3 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-49685
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Custom Twitter Feeds – A Tweets Widget or X Feed Widget
Researcher: Rafie Muhammad

DarkMySite – Advanced Dark Mode Plugin for WordPress <= 1.2.8 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-50466
Patch Status: Unpatched
Published: Oct 24, 2024
Affected Software: DarkMySite – Advanced Dark Mode Plugin for WordPress
Researcher: SOPROBRO

Download Monitor <= 5.0.12 – Missing Authorization to API Key Manipulation
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-10092
Patch Status: Patched
Published: Oct 25, 2024
Affected Software: Download Monitor
Researcher: Trương Hữu Phúc (truonghuuphuc)

Editorial Assistant by Sovrn <= 1.3.3 – Missing Authorization to Authenticated (Subscriber+) Attachment Upload and Set Post Featured Image
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-9626
Patch Status: Unpatched
Published: Oct 25, 2024
Affected Software: Editorial Assistant by Sovrn
Researcher: István Márton

HD Quiz – Save Results Light <= 0.5 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-49689
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: HD Quiz – Save Results Light
Researcher: Fariq Fadillah Gusti Insani (fariqfgi)

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.10.0 – Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-8667
Patch Status: Patched
Published: Oct 23, 2024
Affected Software: HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce
Researcher: Webbernaut

Landing Page Cat <= 1.7.4 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-49686
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages
Researcher: Phill Sav (Savphill)

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 – Missing Authorization to Forged Vendor Profile Deletion Email Sending
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-9531
Patch Status: Patched
Published: Oct 23, 2024
Affected Software: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Researcher: Tieu Pham Trong Nhan

News Kit Elementor Addons <= 1.2.1 – Authenticated (Contributor+) Sensitive Information Exposure via Canvas Menu Elementor Template
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-9541
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: News Kit Elementor Addons
Researcher: Nishiv

Qi Addons For Elementor <= 1.8.0 – Sensitive Information Exposure
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-9530
Patch Status: Patched
Published: Oct 22, 2024
Affected Software: Qi Addons For Elementor
Researcher: Ankit Patel

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 4.23.12 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-9583
Patch Status: Patched
Published: Oct 22, 2024
Affected Software: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging
Researcher: incognito

SEOPress <= 8.1.1 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-50455
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: SEOPress – On-site SEO
Researcher: Rafie Muhammad

SEOPress <= 8.1.1 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-50456
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: SEOPress – On-site SEO
Researcher: Rafie Muhammad

Smart Manager <= 8.45.0 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-49687
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: WooCommerce Bulk Edit Products, Orders, Coupons, Any WordPress Post Type (Advanced) – Smart Manager
Researcher: Ananda Dhakal

Sunshine Photo Cart <= 3.2.9 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-49697
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Researcher: Trương Hữu Phúc (truonghuuphuc)

Transients Manager <= 2.0.6 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-10045
Patch Status: Patched
Published: Oct 22, 2024
Affected Software: Transients Manager
Researcher: David Gallagher (BatFeats)

UPS Live Rates and Access Points <= 2.3.12 – Missing Authorization to Plugin API key reset
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-9109
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: WooCommerce UPS Shipping – Live Rates and Access Points
Researcher: Peter Thaleikis

WP Booking System <= 2.0.19.10 – Missing Authorization via wpbs_refresh_calendar_editor
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-50425
Patch Status: Patched
Published: Oct 24, 2024
Affected Software: WP Booking System – Booking Calendar
Researcher: Trương Hữu Phúc (truonghuuphuc)

WP VR <= 8.5.5 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2024-49680
Patch Status: Patched
Published: Oct 21, 2024
Affected Software: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Researcher: Trương Hữu Phúc (truonghuuphuc)


As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024) appeared first on Wordfence.