CVE-2024-13xxx

There are 908 CVEs in this subgroup.
ID | Summary | Flags | Max Score
CVE-2024-13000 | PHPGurukul Small CRM quote-details.php sql injection | E |
CVE-2024-13001 | PHPGurukul Small CRM index.php sql injection | E |
CVE-2024-13002 | 1000 Projects Bookstore Management System order_process.php sql injection | E |
CVE-2024-13003 | 1000 Projects Portfolio Management System MCA update_ed.php sql injection | E |
CVE-2024-13004 | PHPGurukul Complaint Management System category.php sql injection | E |
CVE-2024-13005 | 1000 Projects Attendance Tracking Management System attendance_action.php sql injection | E |
CVE-2024-13006 | 1000 Projects Human Resource Management System employeeview.php sql injection | E |
CVE-2024-13007 | Codezips Event Management System contact.php sql injection | E |
CVE-2024-13008 | code-projects Responsive Hotel Site newsletter.php sql injection | E |
CVE-2024-13009 | Eclipse Jetty GZIP buffer release | |
CVE-2024-13010 | WP Foodbakery <= 4.7 - Reflected Cross-Site Scripting | |
CVE-2024-13011 | WP Foodbakery <= 4.7 - Unauthenticated Arbitrary File Upload | |
CVE-2024-13012 | code-projects Hostel Management System registration.php cross site scripting | |
CVE-2024-13013 | PHPGurukul Maid Hiring Management System Contact Us Page contactus.php cross site scripting | |
CVE-2024-13014 | PHPGurukul Maid Hiring Management System search-maid.php sql injection | |
CVE-2024-13015 | PHPGurukul Maid Hiring Management System search-booking-request.php cross site scripting | |
CVE-2024-13016 | PHPGurukul Maid Hiring Management System edit-category.php sql injection | |
CVE-2024-13017 | PHPGurukul Maid Hiring Management System About Us Page aboutus.php cross site scripting | |
CVE-2024-13018 | PHPGurukul Maid Hiring Management System profile.php cross site scripting | |
CVE-2024-13019 | code-projects Chat System Chat Room Page update_room.php cross site scripting | E |
CVE-2024-13020 | code-projects Chat System chatroom.php sql injection | E |
CVE-2024-13021 | SourceCodester Road Accident Map Marker add-mark.php cross site scripting | E |
CVE-2024-13022 | taisan tarzan-cms Article Management UploadController.java UploadResponse unrestricted upload | E |
CVE-2024-13023 | PHPGurukul Maid Hiring Management System Search Maid Page search-maid.php cross site scripting | E |
CVE-2024-13024 | Codezips Blood Bank Management System campaign.php sql injection | E |
CVE-2024-13025 | Codezips College Management System faculty.php sql injection | E |
CVE-2024-13026 | Inadequate Encryption Strength Vulnerability in Roche Algo Edge | |
CVE-2024-13028 | Antabot White-Jotter login observable response discrepancy | E |
CVE-2024-13029 | Antabot White-Jotter Edit Book book server-side request forgery | E |
CVE-2024-13030 | D-Link DIR-823G Web Management Interface HNAP1 SetVirtualServerSettings access control | E |
CVE-2024-13031 | Antabot White-Jotter Article Content Editor editor cross site scripting | E |
CVE-2024-13032 | Antabot White-Jotter Article Editor editor server-side request forgery | E |
CVE-2024-13033 | code-projects Chat System chatroom.php cross site scripting | |
CVE-2024-13034 | code-projects Chat System update_user.php cross site scripting | |
CVE-2024-13035 | code-projects Chat System update_user.php sql injection | |
CVE-2024-13036 | code-projects Chat System update_room.php sql injection | |
CVE-2024-13037 | 1000 Projects Attendance Tracking Management System report.php attendance_report sql injection | E |
CVE-2024-13038 | CodeAstro Simple Loan Management System Login index.php sql injection | E |
CVE-2024-13039 | code-projects Simple Chat System add_user.php sql injection | E |
CVE-2024-13040 | Quanta Computer QOCA aim - Authorization Bypass | S |
CVE-2024-13041 | Incorrect User Management in GitLab | S |
CVE-2024-13042 | Tsinghua Unigroup Electronic Archives Management System download.html download information disclosure | E |
CVE-2024-13043 | Panda Security Dome Link Following Local Privilege Escalation Vulnerability | |
CVE-2024-13044 | Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | |
CVE-2024-13045 | Ashlar-Vellum Cobalt AR File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability | |
CVE-2024-13046 | Ashlar-Vellum Cobalt CO File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | |
CVE-2024-13047 | Ashlar-Vellum Cobalt CO File Parsing Type Confusion Remote Code Execution Vulnerability | |
CVE-2024-13048 | Ashlar-Vellum Cobalt XE File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | |
CVE-2024-13049 | Ashlar-Vellum Cobalt XE File Parsing Type Confusion Remote Code Execution Vulnerability | |
CVE-2024-13050 | Ashlar-Vellum Graphite VC6 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability | |
CVE-2024-13051 | Ashlar-Vellum Graphite VC6 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability | |
CVE-2024-13052 | Dental Optimizer Patient Generator App <= 1.0 - Reflected XSS | E |
CVE-2024-13053 | Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS via Theme Title | E |
CVE-2024-13054 | Allocation of Resources Without Limits or Throttling in GitLab | E S |
CVE-2024-13055 | Dyn Business Panel <= 1.0.0 - Reflected XSS | E |
CVE-2024-13056 | Dyn Business Panel <= 1.0.0 - Reflected XSS | E |
CVE-2024-13057 | Dyn Business Panel <= 1.0.0 - Stored XSS via CSRF | E |
CVE-2024-13058 | Authenticated, non-admin users can create storage pools via the sifi API | |
CVE-2024-13059 | Path Traversal in mintplex-labs/anything-llm | E |
CVE-2024-13060 | Improper Authorization in mintplex-labs/anything-llm | E S |
CVE-2024-13061 | 2100 Technology Electronic Official Document Management System - Authentication Bypass | S |
CVE-2024-13062 | An unintended entry point vulnerability has been identified in certain router models, which may allo... | |
CVE-2024-13067 | CodeAstro Online Food Ordering System All Users Page all_users.php access control | E |
CVE-2024-13069 | SourceCodester Multi Role Login System add-user.php cross site scripting | E |
CVE-2024-13070 | CodeAstro Online Food Ordering System Update User Page update_users.php sql injection | E |
CVE-2024-13072 | 1000 Projects Beauty Parlour Management System Customer Detail add-customer-services.php sql injection | E |
CVE-2024-13074 | PHPGurukul Land Record System index.php cross site scripting | E |
CVE-2024-13075 | PHPGurukul Land Record System add-propertytype.php cross site scripting | E |
CVE-2024-13076 | PHPGurukul Land Record System edit-propertytype.php cross site scripting | E |
CVE-2024-13077 | PHPGurukul Land Record System add-property.php cross site scripting | E |
CVE-2024-13078 | PHPGurukul Land Record System index.php sql injection | E |
CVE-2024-13079 | PHPGurukul Land Record System property-details.php sql injection | E |
CVE-2024-13080 | PHPGurukul Land Record System aboutus.php cross site scripting | |
CVE-2024-13081 | PHPGurukul Land Record System contactus.php cross site scripting | |
CVE-2024-13082 | PHPGurukul Land Record System search-property.php cross site scripting | |
CVE-2024-13083 | PHPGurukul Land Record System admin-profile.php cross site scripting | |
CVE-2024-13084 | PHPGurukul Land Record System search-property.php sql injection | |
CVE-2024-13085 | PHPGurukul Land Record System login.php sql injection | |
CVE-2024-13086 | QTS, QuTS hero | S |
CVE-2024-13091 | WPBot Pro Wordpress Chatbot <= 13.5.4 - Unauthenticated Arbitrary File Upload | |
CVE-2024-13092 | code-projects Job Recruitment Job Post search_ajax.php sql injection | E |
CVE-2024-13093 | code-projects Job Recruitment Seeker Profile _call_main_search_ajax.php sql injection | E |
CVE-2024-13094 | WP Triggers Lite <= 2.5.3 - Reflected XSS | E |
CVE-2024-13095 | WP Triggers Lite <= 2.5.3 - Admin+ SQL Injection | E |
CVE-2024-13096 | WP Finance <= 1.3.6 - Stored XSS via CSRF | E |
CVE-2024-13097 | WP Finance <= 1.3.6 - Reflected XSS | E |
CVE-2024-13098 | WP Email Newsletter <= 1.1 - Reflected XSS | E |
CVE-2024-13099 | Widget4call <= 1.0.7 - Reflected XSS | E |
CVE-2024-13100 | Woo UPS Pickup <= 2.6.3 - Reflected XSS | E |
CVE-2024-13101 | WP MediaTagger <= 4.1.1 - Contributor+ Stored XSS | E |
CVE-2024-13102 | D-Link DIR-816 A2 DDNS Service access control | E |
CVE-2024-13103 | D-Link DIR-816 A2 Virtual Service form2AddVrtsrv.cgi access control | E |
CVE-2024-13104 | D-Link DIR-816 A2 WiFi Settings form2AdvanceSetup.cgi access control | E |
CVE-2024-13105 | D-Link DIR-816 A2 DHCPD Setting form2Dhcpd.cgi access control | E |
CVE-2024-13106 | D-Link DIR-816 A2 IP QoS form2IPQoSTcAdd access control | E |
CVE-2024-13107 | D-Link DIR-816 A2 ACL form2LocalAclEditcfg.cgi access control | E |
CVE-2024-13108 | D-Link DIR-816 A2 form2NetSniper.cgi access control | E |
CVE-2024-13109 | Beijing Yunfan Internet Technology Yunfan Learning Examination System doc.html improper authorization | E |
CVE-2024-13110 | Beijing Yunfan Internet Technology Yunfan Learning Examination System Exam Answer PaperController.java, information disclosure | E |
CVE-2024-13111 | Beijing Yunfan Internet Technology Yunfan Learning Examination System JWT Token SysUserControl improper authentication | E |
CVE-2024-13112 | WP MediaTagger <= 4.1.1 - Reflected XSS | E |
CVE-2024-13113 | Countdown Timer for Elementor < 1.3.7 - Contributor+ Stored XSS | E |
CVE-2024-13114 | WP Projects Portfolio with Client Testimonials <= 3.0 - Reflected XSS | E |
CVE-2024-13115 | WP Projects Portfolio with Client Testimonials <= 3.0 - Stored XSS via CSRF | E |
CVE-2024-13116 | Crelly Slider < 1.4.7 - Admin+ Stored XSS | E |
CVE-2024-13117 | Social Share Buttons for WordPress <= 2.7 - Unauthenticated Image Upload & Path Traversal | E |
CVE-2024-13118 | IP Based Login < 2.4.1 - Log Deletion via CSRF | E |
CVE-2024-13119 | ProfilePress < 4.15.20 - Admin+ Stored XSS | E |
CVE-2024-13120 | ProfilePress < 4.15.20 - Admin+ Stored XSS | E |
CVE-2024-13121 | Paid Membership Plugin < 4.15.20 - Admin+ Stored XSS | E |
CVE-2024-13122 | AFI < 1.100.0 - Admin+ Stored XSS | E |
CVE-2024-13123 | AFI < 1.100.0 - Admin+ Stored XSS | E |
CVE-2024-13124 | Photo Gallery by 10Web < 1.8.33 - Admin+ Stored XSS | E |
CVE-2024-13125 | Everest Forms < 3.0.8.1 - Admin+ Stored XSS | E |
CVE-2024-13126 | Download Manager < 3.3.07 - Unauthenticated Data Exposure | E |
CVE-2024-13127 | LearnPress – WordPress LMS Plugin < 4.2.7.5.1 - Admin+ Stored XSS | E |
CVE-2024-13128 | LearnPress – WordPress LMS Plugin < 4.2.7.5.1 - Admin+ Stored XSS | E |
CVE-2024-13129 | Roxy-WI roxy.py action_service os command injection | E S |
CVE-2024-13130 | Dahua IPC-HFW1200S Web Interface Sha1Account1 path traversal | E |
CVE-2024-13131 | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-9680. Reason: T... | R |
CVE-2024-13132 | Emlog Pro Subpage article.php cross site scripting | E |
CVE-2024-13133 | ZeroWdd studentmanager StudentController. java editStudent unrestricted upload | E |
CVE-2024-13134 | ZeroWdd studentmanager TeacherController. java editTeacher unrestricted upload | E |
CVE-2024-13135 | Emlog Pro Subpage twitter.php cross site scripting | E |
CVE-2024-13136 | wangl1989 mysiteforme ShiroConfig.java rememberMeManager deserialization | E |
CVE-2024-13137 | wangl1989 mysiteforme SiteController RestResponse cross site scripting | E |
CVE-2024-13138 | wangl1989 mysiteforme LocalUploadServiceImpl upload unrestricted upload | E |
CVE-2024-13139 | wangl1989 mysiteforme FileController doContent server-side request forgery | E |
CVE-2024-13140 | Emlog Pro Cover Upload article.php cross site scripting | E |
CVE-2024-13141 | osuuu LightPicture SVG File Upload upload cross site scripting | E |
CVE-2024-13142 | ZeroWdd studentmanager RoleController. java submitAddRole cross site scripting | E |
CVE-2024-13143 | ZeroWdd studentmanager PermissionController. java submitAddPermission cross site scripting | E |
CVE-2024-13144 | zhenfeng13 My-Blog BlogController.java uploadFileByEditomd unrestricted upload | E |
CVE-2024-13145 | zhenfeng13 My-Blog uploadController. java upload unrestricted upload | E |
CVE-2024-13146 | Booknetic < 4.1.5 - Staff Creation via CSRF | E |
CVE-2024-13147 | SQLi in Merkur Software's B2B Login Panel | |
CVE-2024-13148 | SQLi in Yukseloglu Filter's B2B Login Platform | |
CVE-2024-13152 | SQLi in BSS Software's Mobuy Online Machinery Monitoring Panel | |
CVE-2024-13153 | Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.135 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets | |
CVE-2024-13154 | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: 2024-13362. Reason: This... | R |
CVE-2024-13155 | Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.140 - Authenticated (Contributor+) Stored Cross-Site Scripting via Transparent Split Hero Widget | |
CVE-2024-13156 | HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.35 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via heading Parameter | |
CVE-2024-13157 | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Podcast RSS Feed | |
CVE-2024-13158 | An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 202... | |
CVE-2024-13159 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Janu... | KEV E |
CVE-2024-13160 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Janu... | KEV E |
CVE-2024-13161 | Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Janu... | KEV E |
CVE-2024-13162 | SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 S... | |
CVE-2024-13163 | Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 202... | |
CVE-2024-13164 | An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Ja... | |
CVE-2024-13165 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Janua... | |
CVE-2024-13166 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Janua... | |
CVE-2024-13167 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Janua... | |
CVE-2024-13168 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Janua... | |
CVE-2024-13169 | An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Januar... | |
CVE-2024-13170 | An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 Janua... | |
CVE-2024-13171 | Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022... | |
CVE-2024-13172 | Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 ... | |
CVE-2024-13173 | Health information leakage vulnerability | |
CVE-2024-13176 | Timing side-channel in ECDSA signature computation | S |
CVE-2024-13177 | Symlink Following in Netskope Client Postinstall Script | S |
CVE-2024-13179 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to ... | |
CVE-2024-13180 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to ... | |
CVE-2024-13181 | Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to ... | |
CVE-2024-13182 | WP Directorybox Manager <= 2.5 - Authentication Bypass | |
CVE-2024-13183 | Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter | S |
CVE-2024-13184 | The Ultimate WordPress Toolkit – WP Extended <= 3.0.12 - Unauthenticated SQL Injection via Login Attempts Module | |
CVE-2024-13185 | MinigameCenter module information leakage vulnerability | |
CVE-2024-13186 | MinigameCenter information leakage vulnerability | |
CVE-2024-13187 | Kingsoft WPS Office TCC code injection | E |
CVE-2024-13188 | MicroWorld eScan Antivirus Installation var default permission | E |
CVE-2024-13189 | ZeroWdd myblog MyBlogMvcConfig.java permission | E |
CVE-2024-13190 | ZeroWdd myblog BlogMapper.xml xml injection | E |
CVE-2024-13191 | ZeroWdd myblog uploadController.java upload unrestricted upload | E |
CVE-2024-13192 | ZeroWdd myblog BlogController.java update cross site scripting | E |
CVE-2024-13193 | SEMCMS Image Library Management Page SEMCMS_Images.php sql injection | E S |
CVE-2024-13194 | Sucms admin_members.php sql injection | E S |
CVE-2024-13195 | donglight bookstore电商书城系统说明 HttpUtil.java getHtml server-side request forgery | E |
CVE-2024-13196 | donglight bookstore电商书城系统说明 BookInfoController.java BookSearchList cross site scripting | E |
CVE-2024-13197 | donglight bookstore电商书城系统说明 AdminUserControlle.java updateUser cross site scripting | E |
CVE-2024-13198 | langhsu Mblog Blog System login observable response discrepancy | E |
CVE-2024-13199 | langhsu Mblog Blog System Search Bar search cross site scripting | E |
CVE-2024-13200 | wander-chu SpringBoot-Blog HTTP POST Request BaseInterceptor.java preHandle access control | E |
CVE-2024-13201 | wander-chu SpringBoot-Blog Admin Attachment AttachtController.java upload unrestricted upload | E |
CVE-2024-13202 | wander-chu SpringBoot-Blog Blog Article PageController.java modifiyArticle cross site scripting | E |
CVE-2024-13203 | kurniaramadhan E-Commerce-PHP cross-site request forgery | E |
CVE-2024-13204 | kurniaramadhan E-Commerce-PHP blog-details.php sql injection | E |
CVE-2024-13205 | kurniaramadhan E-Commerce-PHP Create Product Page create_product.php cross site scripting | E |
CVE-2024-13206 | REVE Antivirus reveinstall default permission | E |
CVE-2024-13207 | Widget for Social Page Feeds < 6.4.2 - Admin+ Stored XSS | E |
CVE-2024-13208 | WP Google Map < 1.9.4 - Admin+ Stored XSS | E |
CVE-2024-13209 | Redaxo CMS Structure Management Page index.php cross site scripting | E |
CVE-2024-13210 | donglight bookstore电商书城系统说明 AdminBookController. java uploadPicture unrestricted upload | E |
CVE-2024-13211 | SingMR HouseRent AdminController.java access control | E |
CVE-2024-13212 | SingMR HouseRent AddHouseController.java upload unrestricted upload | E |
CVE-2024-13213 | SingMR HouseRent toAdminUpdateHousePage cross site scripting | E |
CVE-2024-13215 | Elementor Addon Elements <= 1.13.10 - Authenticated (Contributor+) Sensitive Information Exposure via Modal Popup | S |
CVE-2024-13216 | HT Event – WordPress Event Manager Plugin for Elementor <= 1.4.7 - Authenticated (Contributor+) Sensitive Information Exposure via HT Event: Sponsor | |
CVE-2024-13217 | Jeg Elementor Kit <= 2.6.11 - Authenticated (Contributor+) Sensitive Information Exposure via Countdown and Off-Canvas | S |
CVE-2024-13218 | Fast Tube <= 2.3.1 - Reflected XSS | E |
CVE-2024-13219 | Policy Genius <= 2.0.4 - Reflected XSS | E |
CVE-2024-13220 | Google Map Professional <= 1.0 - Reflected XSS | E |
CVE-2024-13221 | Fantastic Elasticsearch <= 4.1.0 - Reflected XSS | E |
CVE-2024-13222 | User Messages <= 1.2.4 - Reflected XSS | E |
CVE-2024-13223 | Tabulate <= 2.10.3 - Reflected XSS | E |
CVE-2024-13224 | SlideDeck 1 Lite Content Slider <= 1.4.8 - Reflected XSS | E |
CVE-2024-13225 | ECT Home Page Products <= 1.9 - Reflected XSS | E |
CVE-2024-13226 | A5 Custom Login Page <= 2.8.1 - Reflected XSS | E |
CVE-2024-13227 | Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.235 - Authenticated (Contributor+) Stored Cross-Site Scripting via Rank Math API | S |
CVE-2024-13228 | Qubely – Advanced Gutenberg Blocks <= 1.8.13 - Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content | S |
CVE-2024-13229 | Rank Math SEO <= 1.0.235 - Missing Authorization to Authenticated (Contributor+) Arbitrary Schema Deletion | S |
CVE-2024-13230 | Social Share, Social Login and Social Comments Plugin – Super Socializer <= 7.14 - Unauthenticated Limited SQL Injection via 'SuperSocializerKey' | |
CVE-2024-13231 | WordPress Portfolio Builder – Portfolio Gallery <= 1.1.7 - Missing Authorization to Unauthenticated Portfolio Update | |
CVE-2024-13232 | WordPress Awesome Import & Export Plugin - Import & Export WordPress Data <= 4.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Execution/Privilege Escalation | |
CVE-2024-13234 | Product Table by WBW <= 2.1.2 - Unauthenticated SQL Injection | S |
CVE-2024-13235 | Pinpoint Booking System – #1 WordPress Booking Plugin <= 2.9.9.5.2 - Authenticated (Subscriber+) SQL Injection | S |
CVE-2024-13236 | Tainacan <= 0.21.12 - Authenticated (Subscriber+) SQL Injection | S |
CVE-2024-13237 | File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001 | |
CVE-2024-13238 | Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002 | |
CVE-2024-13239 | Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003 | |
CVE-2024-13240 | Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004 | |
CVE-2024-13241 | Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005 | |
CVE-2024-13242 | Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006 | |
CVE-2024-13243 | Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007 | |
CVE-2024-13244 | Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008 | |
CVE-2024-13245 | CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009 | |
CVE-2024-13246 | Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-010 | |
CVE-2024-13247 | Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011 | |
CVE-2024-13248 | Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012 | |
CVE-2024-13249 | Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013 | |
CVE-2024-13250 | Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014 | |
CVE-2024-13251 | Registration role - Critical - Access bypass - SA-CONTRIB-2024-015 | |
CVE-2024-13252 | TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016 | |
CVE-2024-13253 | Advanced PWA - Critical - Access bypass - SA-CONTRIB-2024-017 | |
CVE-2024-13254 | REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018 | |
CVE-2024-13255 | RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019 | |
CVE-2024-13256 | Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020 | |
CVE-2024-13257 | Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021 | |
CVE-2024-13258 | Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022 | |
CVE-2024-13259 | Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023 | |
CVE-2024-13260 | Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024 | |
CVE-2024-13261 | Acquia DAM - Moderately critical - Cross Site Request Forgery, Denial of Service - SA-CONTRIB-2024-025 | |
CVE-2024-13262 | View Password - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-026 | |
CVE-2024-13263 | Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027 | |
CVE-2024-13264 | Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028 | |
CVE-2024-13265 | Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029 | |
CVE-2024-13266 | Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030 | |
CVE-2024-13267 | Opigno TinCan Question Type - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-031 | |
CVE-2024-13268 | Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032 | |
CVE-2024-13269 | Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033 | |
CVE-2024-13270 | Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034 | |
CVE-2024-13271 | Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035 | |
CVE-2024-13272 | Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036 | |
CVE-2024-13273 | Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037 | |
CVE-2024-13274 | Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038 | |
CVE-2024-13275 | Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039 | |
CVE-2024-13276 | File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040 | |
CVE-2024-13277 | Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041 | |
CVE-2024-13278 | Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042 | |
CVE-2024-13279 | Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043 | |
CVE-2024-13280 | Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044 | |
CVE-2024-13281 | Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 | |
CVE-2024-13282 | Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046 | |
CVE-2024-13283 | Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047 | |
CVE-2024-13284 | Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 | |
CVE-2024-13285 | wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049 | |
CVE-2024-13286 | SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050 | |
CVE-2024-13287 | Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051 | |
CVE-2024-13288 | Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052 | |
CVE-2024-13289 | Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055 | |
CVE-2024-13290 | OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056 | |
CVE-2024-13291 | Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057 | |
CVE-2024-13292 | Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058 | |
CVE-2024-13293 | POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059 | |
CVE-2024-13294 | POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060 | |
CVE-2024-13295 | Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061 | |
CVE-2024-13296 | Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062 | |
CVE-2024-13297 | Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063 | |
CVE-2024-13298 | Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064 | |
CVE-2024-13299 | Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065 | |
CVE-2024-13300 | Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066 | |
CVE-2024-13301 | OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067 | |
CVE-2024-13302 | Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068 | |
CVE-2024-13303 | Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069 | |
CVE-2024-13304 | Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070 | |
CVE-2024-13305 | Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071 | |
CVE-2024-13306 | WP Google Map < 1.9.4 - Admin+ Stored XSS | E |
CVE-2024-13307 | Reales WP - Real Estate WordPress Theme <= 2.1.2 - Missing Authorization to Unauthenticated Attachment Deletion and Favorite Property Updates | |
CVE-2024-13308 | Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072 | |
CVE-2024-13309 | Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 | |
CVE-2024-13310 | Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074 | |
CVE-2024-13311 | Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075 | |
CVE-2024-13312 | Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 | |
CVE-2024-13313 | AWeber <= 7.3.20 - Admin+ Stored XSS | E |
CVE-2024-13314 | Carousel, Slider, Gallery by WP Carousel < 2.7.4 - Admin+ Stored XSS | E |
CVE-2024-13315 | Shopwarden – Automated WooCommerce monitoring & testing <= 1.0.11 - Cross-Site Request Forgery to Arbitrary Options Update | S |
CVE-2024-13316 | Scratch & Win – Giveaways and Contests <= 2.8.0 - Missing Authorization to Unauthenticated Coupon Creation | S |
CVE-2024-13317 | ShipWorks Connector for Woocommerce <= 5.2.5 - Cross-Site Request Forgery to Service Password/Username Update | |
CVE-2024-13318 | Essential WP Real Estate <= 1.1.3 - Missing Authorization to Arbitrary Post/Page Deletion | |
CVE-2024-13319 | Themify Builder <= 7.6.5 - Reflected Cross-Site Scripting | S |
CVE-2024-13320 | CURCY - WooCommerce Multi Currency - Currency Switcher <= 2.3.6 - Unauthenticated SQL Injection | |
CVE-2024-13321 | AnalyticsWP <= 2.0.0 - Unauthenticated SQL Injection | |
CVE-2024-13322 | Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.88 - Unauthenticated SQL Injection | |
CVE-2024-13323 | Booking Calendar <= 10.9.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'booking' Shortcode | |
CVE-2024-13324 | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: 2024-13362. Reason: This... | R |
CVE-2024-13325 | Glossy <= 2.3.5 - Reflected XSS | E |
CVE-2024-13326 | iBuildApp <= 0.2.0 - Reflected XSS | E |
CVE-2024-13327 | Musicbox <= 2.0.3 - Reflected XSS | E |
CVE-2024-13328 | Giga Messenger Bots <= 2.3.1 - Reflected XSS | E |
CVE-2024-13329 | Solidres <= 0.9.4 - Reflected XSS | E |
CVE-2024-13330 | Justrows Free <= 0.2 - Reflected XSS | E |
CVE-2024-13331 | WP Dream Carousel <= 1.0.1b - Reflected XSS | E |
CVE-2024-13332 | TransFinanz <= 1.0.0 - Reflected XSS | E |
CVE-2024-13333 | Advanced File Manager 5.2.12 - 5.2.13 - Authenticated (Subscriber+) Arbitrary File Upload | |
CVE-2024-13334 | Car Demon <= 1.8.1 - Reflected Cross-Site Scripting | |
CVE-2024-13335 | Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates <= 1.0.14 - Missing Authorization to Spexo Theme Install | S |
CVE-2024-13336 | Disable Auto Updates <= 1.4 - Cross-Site Request Forgery to Auto-update Disable | |
CVE-2024-13337 | Webcraftic Clearfy – WordPress optimization plugin <= 2.3.2 - Cross-Site Request Forgery to Plugin Settings Update via 'setup-wbcr_clearfy' | |
CVE-2024-13338 | Webcraftic Clearfy – WordPress optimization plugin <= 2.3.1 - Cross-Site Request Forgery to Clear Cache | |
CVE-2024-13339 | DeBounce Email Validator <= 5.6.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting | |
CVE-2024-13340 | MDTF – Meta Data and Taxonomies Filter <= 1.3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | S |
CVE-2024-13341 | MultiLoca - WooCommerce Multi Locations Inventory Management <= 4.1.11 - Authenticated (Subscriber+) SQL Injection | |
CVE-2024-13343 | WooCommerce Customers Manager <= 31.3 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation | |
CVE-2024-13344 | Advance Seat Reservation Management for WooCommerce <= 3.3 - Unauthenticated SQL Injection | |
CVE-2024-13345 | Avada Builder <= 3.11.13 - Unauthenticated Arbitrary Shortcode Execution | |
CVE-2024-13346 | Avada Theme <= 7.11.13 - Unauthenticated Arbitrary Shortcode Execution | |
CVE-2024-13347 | Essential WP Real Estate <= 1.1.3 - Reflected XSS | E |
CVE-2024-13348 | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-22506 Reason: T... | R |
CVE-2024-13349 | Stockdio Historical Chart <= 2.8.18 - Authenticated (Contributor+) Stored Cross-Site Scripting | S |
CVE-2024-13350 | SearchIQ – The Search Solution <= 4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting | |
CVE-2024-13351 | Social proof testimonials and reviews by Repuso <= 5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting | |
CVE-2024-13352 | Legull <= 1.2.2 - Reflected XSS | E |
CVE-2024-13353 | Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Local File Inclusion | S |
CVE-2024-13354 | Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | S |
CVE-2024-13355 | Admin and Customer Messages After Order for WooCommerce <= 13.2 - Authenticated (Subscriber+) Limited File Upload to Cross-Site Scripting | |
CVE-2024-13356 | DSGVO All in one for WP <= 4.6 - Cross-Site Request Forgery to Account Deletion | S |
CVE-2024-13357 | Ditty – Responsive News Tickers, Sliders, and Lists < 3.1.52 - Author+ Stored XSS | E |
CVE-2024-13358 | BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages <= 3.4.24 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update | S |
CVE-2024-13359 | Product Input Fields for WooCommerce <= 1.12.0 - Unauthenticated Limited File Upload | S |
CVE-2024-13360 | AI Power: Complete AI Pack <= 1.8.96 - Authenticated (Subscriber+) Server-Side Request Forgery | S |
CVE-2024-13361 | AI Power: Complete AI Pack <= 1.8.96 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution | S |
CVE-2024-13363 | Raptive Ads <= 3.6.3 - Reflected Cross-Site Scripting | |
CVE-2024-13364 | Raptive Ads <= 3.6.3 - Missing Authorization to Unauthenticated Data/Settings Reset | |
CVE-2024-13365 | Security & Malware scan by CleanTalk <= 2.149 - Unauthenticated Arbitrary File Upload | S |
CVE-2024-13366 | Sandbox <= 0.4 - Reflected Cross-Site Scripting | |
CVE-2024-13367 | Sandbox <= 0.4 - Missing Authorization to Authenticated (Subscriber+) Sandbox Download | |
CVE-2024-13368 | Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update | |
CVE-2024-13369 | Tour Master - Tour Booking, Travel, Hotel <= 5.3.6 - Authenticated (Subscriber+) SQL Injection via review_id Parameter | |
CVE-2024-13370 | Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update (save_addon_key_license) | |
CVE-2024-13371 | WP Job Portal <= 2.2.6 - Missing Authorization to Unauthenticated Arbitrary Email Sending | S |
CVE-2024-13372 | WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Unauthenticated Arbitrary Resume Download | S |
CVE-2024-13373 | Exertio Framework <= 1.3.1 - Unauthenticated Arbitrary User Password Update | |
CVE-2024-13374 | WP Table Manager <= 4.1.3 - Missing Authorization to Authenticated (Subscriber+) Directory Traversal to Folder/File Name Disclosure | |
CVE-2024-13375 | Adifier System <= 3.1.7 - Unauthenticated Arbitrary Password Reset | |
CVE-2024-13376 | Industrial <= 1.7.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update | |
CVE-2024-13377 | GravityForms <= 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'alt' parameter | |
CVE-2024-13378 | GravityForms 2.9.0.1 - 2.9.1.3 - Unauthenticated Stored Cross-Site Scripting via 'style_settings' parameter | |
CVE-2024-13379 | C9 Admin Dashboard <= 1.3.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | |
CVE-2024-13380 | Alex Reservations: Smart Restaurant Booking <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | |
CVE-2024-13381 Calculated Fields Form < 5.2.62 - Admin+ Stored XSS
E
CVE-2024-13382 Calculated Fields Form < 5.2.64 - Admin+ Stored XSS
E
CVE-2024-13383 HD Quiz < 2.0.0 - Editor+ Stored XSS
E
CVE-2024-13384 Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.24 - Admin+ Stored XSS
E
CVE-2024-13385 JSM Screenshot Machine Shortcode <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13386 quote-posttype-plugin <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13387 WP Responsive Tabs <= 1.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13388 TCBD Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13389 Cliptakes <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13390 ADFO – Custom data in admin dashboard <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13391 MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet <= 2.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13392 Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13393 Video Share VOD – Turnkey Video Site Builder Script <= 2.6.31 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13394 ViewMedica 9 <= 1.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13395 Threepress <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13396 Frictionless <= 0.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13397 WPRadio – WordPress Radio Streaming Plugin <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13398 Checkout for PayPal <= 1.0.32 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13399 Gosign – Posts Slider Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13400 Kona Gallery Block <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13401 Payment Button for PayPal <= 1.2.3.35 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13402 BuddyBoss Platform <= 2.7.70 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'link_title'
CVE-2024-13403 WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter
CVE-2024-13404 Link Library <= 7.7.2 - Reflected Cross-Site Scripting
S
CVE-2024-13405 Apptivo Business Site CRM <= 5.3 - Cross-Site Request Forgery to IP Address Block
CVE-2024-13406 XML for Google Merchant Center <= 3.0.11 - Reflected Cross-Site Scripting
S
CVE-2024-13407 Omnipress <= 1.5.4 - Authenticated (Contributor+) Post Disclosure
S
CVE-2024-13408 Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion
S
CVE-2024-13409 Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler()
S
CVE-2024-13410 CozyStay <= 1.7.0 and TinySalt <= 3.9.0 - Unauthenticated PHP Object Injection in ajax_handler
CVE-2024-13411 Zapier for WordPress <= 1.5.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via updated_user Function
CVE-2024-13412 CozyStay <= 1.7.0 - Missing Authorization to Arbitrary Action Execution in ajax_handler
CVE-2024-13413 ProductDyno <= 1.0.24 - Reflected Cross-Site Scripting via 'res' Parameter
CVE-2024-13415 Food Menu – Restaurant Menu & Online Ordering for WooCommerce <= 5.1.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update
CVE-2024-13416 Using API in the 2N OS device, authorized user can enable logging, which discloses valid authenticat...
CVE-2024-13417 Specifically crafted payloads sent to the RFID reader could cause DoS of RFID reader. After the devi...
CVE-2024-13418 Smart Framework <= Multiple Plugins - Authenticated (Subscriber+) Arbitrary File Upload
CVE-2024-13419 Smart Framework <= Multiple Plugins - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE-2024-13420 Smart Framework <= Multiple Plugins - Missing Authorization to Authenticated (Subscriber+) Settings Updates
CVE-2024-13421 Real Estate 7 WordPress <= 3.5.1 - Unauthenticated Privilege Escalation to Administrator
CVE-2024-13422 SEO Blogger to WordPress Migration using 301 Redirection <= 0.4.8 - Reflected Cross-Site Scripting
S
CVE-2024-13423 Sparkling <= 2.4.9 - Missing Authorization to Unauthenticated Arbitrary Plugin Activation/Deactivation
CVE-2024-13424 Ni Sales Commission For WooCommerce <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Commission Update
CVE-2024-13425 WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Company Deletion
S
CVE-2024-13426 WP-Polls <= 2.77.2 - Unauthenticated SQL Injection to Stored Cross-Site Scripting
S
CVE-2024-13427 Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Link
CVE-2024-13428 WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Unauthenticated Company Logo Deletion
S
CVE-2024-13429 WP Job Portal <= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion
S
CVE-2024-13430 Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 - Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode
S
CVE-2024-13431 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.8.3 - Reflected Cross-Site Scripting
S
CVE-2024-13432 Webcamconsult <= 1.5.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE-2024-13433 Utilities for MTG <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13434 WP Inventory Manager <= 2.3.2 - Reflected Cross-Site Scripting
CVE-2024-13435 Ebook Downloader <= 1.0 - Unauthenticated SQL Injection
CVE-2024-13436 Appsero Helper <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE-2024-13437 Book a Room <= 2.9 - Cross-Site Request Forgery to Settings Update
CVE-2024-13438 SpeedSize Image & Video AI-Optimizer <= 1.5.1 - Cross-Site Request Forgery to Clear Cache
S
CVE-2024-13439 Team – Team Members Showcase Plugin <= 4.4.9 - Missing Authorization to Authenticated (Subscriber+) Settings Update
S
CVE-2024-13440 Super Store Finder <= 7.0 - Unauthenticated SQL Injection to Stored Cross-Site Scripting
S
CVE-2024-13441 Bilingual Linker <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13442 Service Finder Bookings <= 5.0 - Unauthenticated Privilege Escalation via Account Takeover
CVE-2024-13443 Easypromos Plugin <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2024-13444 wp-greet <= 6.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE-2024-13445 Elementor Website Builder – More Than Just a Page Builder <= 3.27.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13446 Workreap <= 3.2.5 - Unauthenticated Privilege Escalation via Account Takeover
CVE-2024-13447 WP Hotel Booking <= 2.1.6 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
S
CVE-2024-13448 ThemeREX Addons <= 2.32.3 - Unauthenticated Arbitrary File Upload in trx_addons_uploads_save_data
CVE-2024-13449 Boom Fest <= 2.2.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
S
CVE-2024-13450 Contact Form by Bit Form <= 2.17.4 - Authenticated (Administrator+) Server-Side Request Forgery
CVE-2024-13452 Contact Form by Supsystic <= 1.7.29 - Cross-Site Request Forgery to Stored Cross-Site Scripting via saveAsCopy AJAX Action
CVE-2024-13453 Contact Form & SMTP Plugin for WordPress by PirateForms <= 2.6.0 - Unauthenticated Arbitrary Shortcode Execution
CVE-2024-13454 Weak encryption algorithm in Easy-RSA version 3.0.5 through 3.1.7 allows a local attacker to more ea...
CVE-2024-13455 igumbi Online Booking <= 1.40 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13456 Easy Quiz Maker <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13457 Event Tickets <= 5.18.1 - Insecure Direct Object Reference to Sensitive Information Exposure
S
CVE-2024-13458 WordPress SEO Friendly Accordion FAQ with AI assisted content generation <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13459 FuseDesk <= 6.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13460 WE – Testimonial Slider <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13461 Autoship Cloud for WooCommerce Subscription Products <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13462 WP Wiki Tooltip <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13463 SeatReg <= 1.56.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13464 Library Bookshelves <= 5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13465 aBlocks – WordPress Gutenberg Blocks <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13466 Automatically Hierarchic Categories in Menu <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13467 WP Contact Form7 Email Spam Blocker <= 1.0.0 - Reflected Cross-Site Scripting
CVE-2024-13468 Trash Duplicate and 301 Redirect <= 1.9 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
CVE-2024-13469 Pricing Table by PickPlugins <= 1.12.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13470 Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
S
CVE-2024-13471 DesignThemes Core Features <= 4.7 - Missing Authorization to Unauthenticated Arbitrary File Read via dt_process_imported_file
CVE-2024-13472 WooCommerce Product Table Lite <= 3.9.4 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
S
CVE-2024-13473 LTL Freight Quotes - Worldwide Express Edition <= 5.0.20 - Unauthenticated SQL Injection
CVE-2024-13474 LTL Freight Quotes – Purolator Edition <= 2.2.3 - Unauthenticated SQL Injection
CVE-2024-13475 Small Package Quotes – UPS Edition <= 4.5.16 - Unauthenticated SQL Injection
S
CVE-2024-13476 LTL Freight Quotes – GlobalTranz Edition <= 2.3.11 - Unauthenticated SQL Injection
S
CVE-2024-13477 LTL Freight Quotes – Unishippers Edition <= 2.5.8 - Unauthenticated SQL Injection
S
CVE-2024-13478 LTL Freight Quotes – TForce Edition <= 3.6.4 - Unauthenticated SQL Injection
S
CVE-2024-13479 LTL Freight Quotes – SEFL Edition <= 3.2.4 - Unauthenticated SQL Injection
S
CVE-2024-13480 LTL Freight Quotes – For Customers of FedEx Freight <= 3.4.1 - Unauthenticated SQL Injection
S
CVE-2024-13481 LTL Freight Quotes – R+L Carriers Edition <= 3.3.4 - Unauthenticated SQL Injection
S
CVE-2024-13482 Icegram Engage < 3.1.32 - Admin+ Stored XSS
E
CVE-2024-13483 LTL Freight Quotes – SAIA Edition <= 2.2.10 - Unauthenticated SQL Injection
S
CVE-2024-13484 Openshift-gitops-operator-container: namespace isolation break
M
CVE-2024-13485 LTL Freight Quotes – ABF Freight Edition <= 3.3.7 - Unauthenticated SQL Injection
S
CVE-2024-13486 Icegram Engage < 3.1.32 - Admin+ Stored XSS
E
CVE-2024-13487 CURCY – Multi Currency for WooCommerce <= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function
CVE-2024-13488 LTL Freight Quotes – Estes Edition <= 3.3.7 - Unauthenticated SQL Injection
S
CVE-2024-13489 LTL Freight Quotes – Old Dominion Edition <= 4.2.10 - Unauthenticated SQL Injection
S
CVE-2024-13490 LTL Freight Quotes – XPO Edition <= 4.3.7 - Unauthenticated SQL Injection
S
CVE-2024-13491 Small Package Quotes – For Customers of FedEx <= 4.3.1 - Unauthenticated SQL Injection
S
CVE-2024-13492 Guten Free Options <= 0.9.5 - Reflected XSS
E
CVE-2024-13493 Sensly Online Presence <= 0.6 - Admin+ Stored XSS
E
CVE-2024-13494 WordPress File Upload <= 4.25.2 - Cross-Site Request Forgery in wfu_file_details
S
CVE-2024-13495 GamiPress <= 7.2.1 - Unauthenticated Arbitrary Shortcode Execution via gamipress_ajax_get_logs Function
S
CVE-2024-13496 GamiPress <= 7.3.1 - Unauthenticated SQL Injection via orderby Parameter
S
CVE-2024-13497 WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.9 - Unauthenticated Stored Cross-Site Scripting
S
CVE-2024-13498 NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.8.1 - Unauthenticated Sensitive Information Exposure
CVE-2024-13499 GamiPress <= 7.2.1 - Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function
S
CVE-2024-13500 WP Project Manager <= 2.6.17 - Authenticated (Subscriber+) SQL Injection via orderby Parameter
S
CVE-2024-13501 WP-FormAssembly <= 2.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2024-13502 A command injection in the NTC2218, NTC2250, NTC2299 modems' web interfaces allows to execute arbitrary shell commands.
CVE-2024-13503 Stack-Based Buffer Overflow in Newtec's update signaling causes RCE
CVE-2024-13504 Shared Files – Frontend File Upload Form & Secure File Sharing <= 1.7.42 - Limited Unauthenticated Stored Cross-Site Scripting via File Upload
CVE-2024-13505 Survey Maker <= 5.1.3.3 - Authenticated (Admin+) Stored Cross-Site Scripting via Survey Question
S
CVE-2024-13506 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.97 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display_name Parameter
CVE-2024-13508 Booking Package <= 1.6.72 - Reflected Cross-Site Scripting via Locale Parameter
CVE-2024-13509 WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.13 - Unauthenticated Stored Cross-Site Scripting
S
CVE-2024-13510 ShopSite <= 1.5.10 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE-2024-13511 Variation Swatches for WooCommerce 1.0.8 - 1.3.2 - Cross-Site Request Forgery to Plugin Settings Reset
S
CVE-2024-13512 Wonder FontAwesome <= 0.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE-2024-13513 Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.3 - Sensitive Information Exposure to Privilege Escalation
S
CVE-2024-13514 B Slider- Gutenberg Slider Block for WP <= 1.1.23 - Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode
CVE-2024-13515 Image Source Control Lite – Show Image Credits and Captions <= 2.28.0 - Reflected Cross-Site Scripting
CVE-2024-13516 Kubio AI Page Builder <= 2.3.5 - Reflected Cross-Site Scripting
CVE-2024-13517 Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Title
S
CVE-2024-13518 Simple:Press <= 6.10.11 - Cross-Site Request Forgery to Unauthorized Post Editing
CVE-2024-13519 MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution <= 1.9.80 - Authenticated (Shop Manager+) Stored Cross-Site Scripting
CVE-2024-13520 Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) <= 4.4.6 - Missing Authorization to Unauthenticated Price, Date, and Note Updates
CVE-2024-13521 MailUp Auto Subscription <= 1.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
S
CVE-2024-13522 magayo Lottery Results <= 2.0.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE-2024-13523 MemorialDay <= 1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
S
CVE-2024-13524 obsproject OBS Studio untrusted search path
S
CVE-2024-13525 Customer Email Verification for WooCommerce <= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure
S
CVE-2024-13526 EventPrime – Events Calendar, Bookings and Tickets <= 4.0.7.3 - Missing Authorization to Authenticated (Subscriber+) Event Attendees Export
CVE-2024-13527 Philantro – Donations and Donor Management <= 5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via donate Shortcode
S
CVE-2024-13528 Customer Email Verification for WooCommerce <= 2.9.5 - Authentication Bypass via Shortcode
S
CVE-2024-13529 SocialV - Social Network and Community BuddyPress Theme <= 2.0.15 - Missing Authorization to Arbitrary File Download
CVE-2024-13530 Custom Login Page Styler <= 7.1.1 - Missing Authorization to Authenticated (Subscriber+) Log Deletion and Session Termination
CVE-2024-13531 ShipEngine Shipping Quotes <= 1.0.7 - Unauthenticated SQL Injection
CVE-2024-13532 Small Package Quotes – Purolator Edition <= 3.6.4 - Unauthenticated SQL Injection
CVE-2024-13533 Small Package Quotes – USPS Edition <= 1.3.5 - Unauthenticated SQL Injection
S
CVE-2024-13534 Small Package Quotes – Worldwide Express Edition <= 5.2.18 - Unauthenticated SQL Injection
S
CVE-2024-13535 Actionwear products sync <= 2.3.0 - Unauthenticated Full Path Disclosure
CVE-2024-13536 1003 Mortgage Application <= 1.87 - Unauthenticated Full Path Disclosure
CVE-2024-13537 C9 Blocks <= 1.7.7 - Unauthenticated Full Path Disclosure
CVE-2024-13538 BigBuy Dropshipping Connector for WooCommerce <= 1.9.19 - Unauthenticated Full Path Disclosure
CVE-2024-13539 AForms Eats <= 1.3.1 - Unauthenticated Full Path Disclosure
S
CVE-2024-13540 WooODT Lite – Delivery & pickup date time location for WooCommerce <= 2.5.1 - Unauthenticated Full Path Disclosure
CVE-2024-13541 aDirectory – WordPress Directory Listing Plugin <= 2.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
S
CVE-2024-13542 WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13543 Zarinpal Paid Downloads <= 2.3 - Reflected XSS
E
CVE-2024-13544 Zarinpal Paid Downloads <= 2.3 - Admin+ Arbitrary File Upload
E
CVE-2024-13545 Bootstrap Ultimate <= 1.4.9 - Unauthenticated Limited Local File Inclusion
CVE-2024-13546 GenerateBlocks <= 1.9.1 - Authenticated (Contributor+) Sensitive Information Exposure via 'get_image_description'
CVE-2024-13547 aThemes Addons for Elementor <= 1.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13548 Power Ups for Elementor <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13549 All Bootstrap Blocks <= 1.3.26 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13550 ABC Notation <= 6.1.3 - Authenticated (Contributor+) Arbitrary File Read
E
CVE-2024-13551 ABC Notation <= 6.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
E
CVE-2024-13552 SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.0 - Insecure Direct Object Reference
CVE-2024-13553 SMS Alert Order Notifications – WooCommerce <= 3.7.9 - Unauthenticated Account Takeover/Privilege Escalation
S
CVE-2024-13554 The Ultimate WordPress Toolkit – WP Extended <= 3.0.13 - Missing Authorization to Unauthenticated Post Order Manipulation
S
CVE-2024-13555 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 - Cross-Site Request Forgery to Backup Process Cancellation
CVE-2024-13556 Affiliate Links: WordPress Plugin for Link Cloaking and Link Management <= 3.0.1 - Missing Authorization to Unauthenticated Import/Export and PHP Object Injection
S
CVE-2024-13557 Shortcodes by United Themes <= 5.1.6 - Unauthenticated Arbitrary Shortcode Execution
CVE-2024-13558 NP Quote Request for WooCommerce <= 1.9.179 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure
S
CVE-2024-13559 TemplatesNext ToolKit <= 3.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2024-13560 Subscriptions & Memberships for PayPal <= 1.1.6 - Cross-Site Request Forgery to Arbitrary Post Deletion
CVE-2024-13561 Target Video Easy Publish <= 3.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via brid_override_yt Shortcode
CVE-2024-13562 Import WP – Export and Import CSV and XML files to WordPress <= 2.14.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
S
CVE-2024-13563 Front End Users <= 3.2.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via forgot-password Shortcode
S
CVE-2024-13564 Rife Elementor Extensions & Templates <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode
S
CVE-2024-13565 Simple Map No Api <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
CVE-2024-13566 WP DataTable <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
CVE-2024-13567 Awesome Support – WordPress HelpDesk & Support Plugin <= 6.3.1 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13568 Fluent Support – Helpdesk & Customer Support Ticket System <= 1.8.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13569 Front End Users <= 3.2.32 - Reflected XSS
E
CVE-2024-13570 Stray Random Quotes <= 1.9.9 - Reflected XSS
E
CVE-2024-13571 Post Timeline < 2.3.10 - Reflected XSS
E
CVE-2024-13572 Precious Metals Charts and Widgets for WordPress <= 1.2.8 - Authenticated (Contributor+) Stored Cross-site Scripting
S
CVE-2024-13573 Zigaform – Form Builder Lite <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13574 XV Random Quotes <= 1.40 - Reflected XSS
E
CVE-2024-13575 Web Stories Enhancer – Level Up Your Web Stories <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13576 Gumlet Video <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13577 CATS Job Listings <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13578 WP-BibTeX <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13579 WP-Asambleas <= 2.85.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13580 XV Random Quotes <= 1.40 - Settings Reset via CSRF
E
CVE-2024-13581 Simple Charts <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13582 Simple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13583 Simple Gallery with Filter <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13584 Picture Gallery – Frontend Image Uploads, AJAX Photo List <= 1.5.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13585 Ajax Search Lite < 4.12.5 - Admin+ Stored XSS
E
CVE-2024-13586 Masy Gallery <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13587 Zigaform – Price Calculator & Cost Estimation Form Builder Lite <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13588 Simplebooklet PDF Viewer and Embedder <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13589 YouTube Playlists with Schema <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13590 Ketchup Shortcodes <= 0.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13591 Team Builder For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13592 Team Builder For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Local File Inclusion
CVE-2024-13593 BMLT Meeting Map <= 2.6.0 - Authenticated (Contributor+) Local File Inclusion
S
CVE-2024-13594 Simple Downloads List <= 1.4.2 - Authenticated (Contributor+) SQL Injection
S
CVE-2024-13595 Simple Signup Form <= 1.6.5 - Authenticated (Contributor+) SQL Injection
CVE-2024-13596 WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress <= 1.7.5 - Authenticated (Contributor+) SQL Injection
S
CVE-2024-13597 XSS in iKSORIS
CVE-2024-13598 XSS in iKSORIS
CVE-2024-13599 LearnPress – WordPress LMS Plugin <= 4.2.7.5 - Authenticated (LP Instructor+) Stored Cross-Site Scripting via Lesson Name
S
CVE-2024-13600 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin <= 1.0.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
S
CVE-2024-13601 Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin <= 1.0.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
S
CVE-2024-13602 Poll Maker < 5.5.4 - Admin+ Stored XSS
E
CVE-2024-13603 Wise Forms <= 1.2.0 - Unauthenticated Stored XSS
E
CVE-2024-13604 KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin <= 1.7.4 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13605 Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS
E
CVE-2024-13606 JS Help Desk – The Ultimate Help Desk & Support Plugin <= 2.8.8 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13607 JS Help Desk – The Ultimate Help Desk & Support Plugin <= 2.8.8 - Authenticated (Subscriber+) Insecure Direct Object Reference
CVE-2024-13608 Track Logins <= 1.0 - Admin+ SQL Injection
E
CVE-2024-13609 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 - Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php
CVE-2024-13610 Simple Social Media Share Buttons < 6.0.0 - Admin+ Stored XSS
E
CVE-2024-13611 Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13612 Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
S
CVE-2024-13613 Wise Chat <= 3.3.3 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13614 Kaspersky has fixed a security issue in Kaspersky Anti-Virus SDK for Windows, Kaspersky Security for...
S
CVE-2024-13615 Social Media Plugin by Social Snap <= 1.3.6 - Admin+ Stored XSS
E
CVE-2024-13616 VikBooking < 1.7.2 - Admin+ Stored XSS
E
CVE-2024-13617 Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated Arbitrary File Download
E
CVE-2024-13618 Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated SSRF
E
CVE-2024-13619 LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes < 8.0.1 - Reflected XSS
E
CVE-2024-13621 The GDPR Framework By Data443 < 2.2.0 - Admin+ Stored XSS
E
CVE-2024-13622 File Uploads Addon for WooCommerce <= 1.7.1 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13623 Order Export for WooCommerce <= 3.24 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13624 WPMovieLibrary <= 2.1.4.8 - Reflected XSS
E
CVE-2024-13625 Tube Video Ads Lite <= 1.5.7 - Reflected XSS
E
CVE-2024-13626 VR Frases <= 3.0.1 - Reflected XSS
E
CVE-2024-13627 WP Touch Slider <= 2.2 - Reflected XSS
E
CVE-2024-13628 WP Pricing Table <= 1.1 - Reflected XSS
E
CVE-2024-13629 Pushbiz <= 1.0 - Reflected XSS
E
CVE-2024-13630 News List <= 1.0 - Reflected XSS
E
CVE-2024-13631 OM Stripe <= 02.00.00 - Reflected XSS
E
CVE-2024-13632 WP Extra Fields <= 1.0.1 - Reflected XSS
E
CVE-2024-13633 Simple Catalogue <= 1.0.2 - Reflected XSS
E
CVE-2024-13634 Post Sync <= 1.1 - Reflected XSS
E
CVE-2024-13635 VK Blocks <= 1.94.2.2 - Missing Authorization to Sensitive Information Exposure
CVE-2024-13636 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-24926. Reason: ...
R
CVE-2024-13637 Demo Awesome <= 1.0.3 - Missing Authorization to Authenticated (Subscriber+) Plugin Activation
CVE-2024-13638 Order Attachments for WooCommerce <= 2.5.1 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13639 Read More & Accordion <= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary 'Read More' Post Deletion
S
CVE-2024-13640 Print Invoice & Delivery Notes for WooCommerce <= 5.4.1 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVE-2024-13641 Return Refund and Exchange For WooCommerce <= 4.4.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
S
CVE-2024-13642 Stratum – Elementor Widgets <= 1.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting Vulnerability via Image Hotspot Widget
S
CVE-2024-13643 Zox News <= 3.17.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Modification
CVE-2024-13644 DethemeKit For Elementor <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via De Gallery Widget
S
CVE-2024-13645 TagDiv Composer <= 5.3 - Unauthenticated Arbitrary PHP Object Instantiation
CVE-2024-13646 Single-user-chat <= 0.5 - Authenticated (Subscriber+) Limited Options Update
CVE-2024-13647 School Management System – SakolaWP <= 1.0.8 - Cross-Site Request Forgery to Exam Setting Manipulation
CVE-2024-13648 Maps for WP <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13649 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13650 Piotnet Addons For Elementor <= 2.4.34 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13651 RapidLoad – Optimize Web Vitals Automatically <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Limited Setting Reset
S
CVE-2024-13652 ECPay Ecommerce for WooCommerce <= 1.1.2411060 - Missing Authorization to Authenticated (Subscriber+) Log Deletion
CVE-2024-13653 ZoxPress - The All-In-One WordPress News Theme <= 2.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVE-2024-13654 ZoxPress - The All-In-One WordPress News Theme <= 2.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Deletion
CVE-2024-13655 Flex Mag - Responsive WordPress News Theme <= 3.5.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion
CVE-2024-13656 Click Mag - Viral WordPress News Magazine/Blog Theme <= 3.6.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Deletion
CVE-2024-13657 Store Locator Widget <= 20200131 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13658 NGG Smart Image Search <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13659 Listamester <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13660 Responsive Flickr Slideshow <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13661 Table Editor <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13662 eHive Objects Image Grid <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13663 Coaching Staffs <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13664 WP Post List Table <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13665 Admire Extra <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13666 Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 5.2.12 - IP-Spoofing
CVE-2024-13667 Uncode <= 2.9.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via mle-description
CVE-2024-13668 WordPress Activity O Meter <= 1 - Reflected XSS
E
CVE-2024-13669 CalendApp <= 1.1 - Reflected XSS
E
CVE-2024-13670 Music Sheet Viewer <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13671 Music Sheet Viewer <= 4.1 - Unauthenticated Arbitrary File Read
S
CVE-2024-13672 Mini Course Generator | Embed mini-courses and interactive content <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13673 Big Boom Directory <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13674 Cosmic Blocks (40+) Content Editor Blocks Collection <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13675 SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13676 Categorized Gallery Plugin <= 2.0 - Authenticated (Contributor+) SQL Injection
CVE-2024-13677 GetBookingsWp - Appointments & Bookings Plugin Basic Version <= 1.1.27 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover
CVE-2024-13678 R3W Instafeed <= 1.0 - Reflected XSS
E
CVE-2024-13679 Widget BUY.BOX <= 3.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13680 Form Builder CP <= 1.2.41 - Authenticated (Contributor+) SQL Injection
S
CVE-2024-13681 Uncode <= 2.9.1.6 - Unauthenticated Arbitrary File Read in uncode_admin_get_oembed
CVE-2024-13682 Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction <= 2.6.2 - Cross-Site Request Forgery
S
CVE-2024-13683 Automate Hub Free by Sperse.IO <= 1.7.0 - Cross-Site Request Forgery to Activation Status Update
S
CVE-2024-13684 Reset <= 1.6 - Cross-Site Request Forgery to Database Reset
CVE-2024-13685 Admin and Site Enhancements (ASE) < 7.6.10 - Limit Login Attempt Bypass via IP Spoofing
E
CVE-2024-13686 VW Storefront <= 0.9.9 - Missing Authorization to Authenticated (Subscriber+) Settings Reset
S
CVE-2024-13687 Team Builder – Meet the Team <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update
CVE-2024-13688 Admin and Site Enhancements (ASE) < 7.6.10 - Password Protection Bypass
E
CVE-2024-13689 Uncode Core <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias
CVE-2024-13690 WP Church Donation <= 1.7 - Unauthenticated Stored Cross-Site Scripting
CVE-2024-13691 Uncode <= 2.9.1.6 - Authenticated (Subscriber+) Arbitrary File Read in uncode_recordMedia
CVE-2024-13692 Return Refund and Exchange For WooCommerce <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
S
CVE-2024-13693 Enfold <= 6.0.9 - Missing Authorization to Sensitive Information Disclosure in avia-export-class.php
CVE-2024-13694 WooCommerce Wishlist <= 1.8.7 - Unauthenticated Wishlist Disclosure via download_pdf_file Function
S
CVE-2024-13695 Enfold <= 6.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id
CVE-2024-13696 Flexible Wishlist for WooCommerce <= 1.2.25 - Unauthenticated Stored Cross-Site Scripting via wishlist_name Parameter
CVE-2024-13697 Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.7.4 - Unauthenticated Limited Server-Side Request Forgery in nice_links
CVE-2024-13698 Jobify - Job Board WordPress Theme <= 4.2.7 - Missing Authorization to Unauthenticated Server-Side Request Forgery, Arbitrary Image Upload, and Image Generation
CVE-2024-13699 Qi Addons For Elementor <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13700 Embed Swagger UI <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13701 Liveticker (by stklcode) <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13702 CRM and Lead Management by vcita <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13703 CRM and Lead Management by vcita <= 2.7.1 - Missing Authorization to Authenticated (Subscriber+) Widget Toggle
CVE-2024-13704 Super Testimonials <= 4.0.1 - Unauthenticated Stored Cross-Site Scripting
S
CVE-2024-13705 StageShow <= 9.8.6 - Reflected Cross-Site Scripting
S
CVE-2024-13706 WP Image Uploader <= 1.0.1 - Reflected Cross-Site Scripting
CVE-2024-13707 WP Image Uploader <= 1.0.1 - Cross-Site Request Forgery to Arbitrary File Deletion
S
CVE-2024-13708 Booster for WooCommerce 4.0.1 - 7.2.4 - Unauthenticated Stored Cross-Site Scripting
CVE-2024-13709 Linear <= 2.8.1 - Cross-Site Request Forgery to Cache Reset
CVE-2024-13710 Estatebud – Properties & Listings <= 5.5.0 - Cross-Site Request Forgery to Settings Update
CVE-2024-13711 Pollin <= 1.01.1 - Reflected Cross-Site Scripting
CVE-2024-13712 Pollin <= 1.01.1 - Authenticated (Admin+) SQL Injection
CVE-2024-13713 WPExperts Square For GiveWP <= 1.3.1 - Authenticated (Subscriber+) SQL Injection
S
CVE-2024-13714 All-Images.ai – IA Image Bank and Custom Image creation <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload
CVE-2024-13715 zStore Manager Basic <= 3.311 - Missing Authorization to Authenticated (Subscriber+) Cache Clearing
S
CVE-2024-13716 Forex Calculators <= 1.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
CVE-2024-13717 Contact Form and Calls To Action by vcita <= 2.7.1 - Missing Authorization to Authenticated (Subscriber+) Contact/Widget Toggle
CVE-2024-13718 Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later <= 1.2.26 - Cross-Site Request Forgery to Wishlist Creation/Modification
S
CVE-2024-13719 PeproDev Ultimate Invoice <= 2.0.8 - Insecure Direct Object Reference to Unauthenticated Order Information Exposure
CVE-2024-13720 WP Image Uploader <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion
S
CVE-2024-13721 Plethora Plugins Tabs + Accordions <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via anchor
CVE-2024-13722 Checkmk NagVis Reflected Cross-site Scripting
CVE-2024-13723 Checkmk NagVis Remote Code Execution
CVE-2024-13724 Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction <= 2.6.2 - Missing Authorization
S
CVE-2024-13725 Keap Official Opt-in Forms <= 2.0.1 - Unauthenticated Limited Local File Inclusion
S
CVE-2024-13726 Themes Coder <= 1.3.4 - Unauthenticated SQLi
E
CVE-2024-13727 MemberSpace – Membership Plugin and Paid Subscriptions < 2.1.14 - Reflected XSS
E
CVE-2024-13728 Accept Donations with PayPal & Stripe <= 1.4.4 - Reflected Cross-Site Scripting
CVE-2024-13729 Podlove Podcast Publisher < 4.1.24 - Admin+ Stored XSS
E
CVE-2024-13730 Podlove Podcast Publisher < 4.2.1 - Admin+ Stored XSS
E
CVE-2024-13731 Alert Box Block – Display notice/alerts in the front end <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Alert Box Block
CVE-2024-13732 Responsive Blocks – WordPress Gutenberg Blocks <= 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via section_tag Parameter
S
CVE-2024-13733 SKT Blocks – Gutenberg based Page Builder <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
S
CVE-2024-13734 Card Elements for Elementor <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Profile Card Widget
S
CVE-2024-13735 HurryTimer <= 2.11.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Name
S
CVE-2024-13736 Pure Chat – Live Chat & More! <= 2.31 - Reflected Cross-Site Scripting via purechatWidgetName Parameter
CVE-2024-13737 Motors – Car Dealer, Classifieds & Listing <= 1.4.57 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Listing Template Creation
S
CVE-2024-13738 Motors - Car Dealer, Rental & Listing WordPress theme <= 5.6.65 - Unauthenticated Arbitrary Shortcode Execution
CVE-2024-13739 Newsletters <= 4.9.9.7 - Reflected Cross-Site Scripting via To Parameter
CVE-2024-13740 ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure
CVE-2024-13741 ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 - Authenticated (Subscriber+) Limited Server-Side Request Forgery
CVE-2024-13742 iControlWP – Multiple WordPress Site Manager <= 4.4.5 - Unauthenticated PHP Object Injection
S
CVE-2024-13743 Wonder Video Embed <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2024-13744 Booster for WooCommerce 4.0.1 - 7.2.4 - Unauthenticated Arbitrary File Upload
S
CVE-2024-13746 Booking Calendar and Notification <= 4.0.3 - Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions
CVE-2024-13747 WooMail - WooCommerce Email Customizer <= 3.0.34 - Authenticated (Subscriber+) Missing Authorization to SQL Injection
CVE-2024-13748 Ultimate Classified Listings <= 1.4 Authenticated (Administrator+) Stored Cross-Site Scripting via Title Parameter
CVE-2024-13749 StaffList <= 3.2.3 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
S
CVE-2024-13750 Multilevel Referral Affiliate Plugin for WooCommerce <= 2.27 - Authenticated (Subscriber+) SQL Injection
CVE-2024-13751 3D Photo Gallery <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE-2024-13752 WP Project Manager <= 2.6.17 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
S
CVE-2024-13753 Ultimate Classified Listings <= 1.4 - Cross-Site Request Forgery to Account Takeover
S
CVE-2024-13757 Master Slider – Responsive Touch Slider <= 3.10.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode
CVE-2024-13758 CP Contact Form with PayPal <= 1.3.52 - Cross-Site Request Forgery
S
CVE-2024-13759 Local Privilege Escalation in Avira Prime 1.1.96.2 on Windows 10 x64
S
CVE-2024-13767 Live2DWebCanvas <= 1.9.11 - Authenticated (Subscriber+) Arbitrary File Deletion
CVE-2024-13768 CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 - Cross-Site Request Forgery to Font Assignment Deletion
CVE-2024-13769 Puzzles | WP Magazine / Review with Store WordPress Theme + RTL <= 4.2.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE-2024-13770 Puzzles | WP Magazine / Review with Store WordPress Theme + RTL <= 4.2.4 - Unauthenticated PHP Object Injection
CVE-2024-13771 Civi - Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 - Authentication Bypass via Password Update
CVE-2024-13772 Civi - Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 - Authentication Bypass via Non-Randomized Password for SSO Accounts
CVE-2024-13773 Civi - Job Board & Freelance Marketplace WordPress Theme <= 2.1.4 - Sensitive Information Exposure
CVE-2024-13774 Wishlist for WooCommerce: Multi Wishlists Per Customer <= 3.1.7 - Cross-Site Request Forgery to Cross-Site Scripting via Wishlist Name
CVE-2024-13775 WooCommerce Support Ticket System <= 17.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Information Exposure
CVE-2024-13776 ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.91 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update and Settings Manipulation
CVE-2024-13777 ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.91 - Unauthenticated PHP Object Injection
CVE-2024-13778 Hero Mega Menu - Responsive WordPress Menu Plugin <= 1.16.5 - Authenticated (Subscriber+) SQL Injection
CVE-2024-13779 Hero Mega Menu - Responsive WordPress Menu Plugin <= 1.16.5 - Reflected Cross-Site Scripting
CVE-2024-13780 Hero Mega Menu - Responsive WordPress Menu Plugin <= 1.16.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Directory Deletion
CVE-2024-13781 Hero Maps Premium - Customizable Google Maps Plugin <= 2.3.9 - Authenticated (Subscriber+) SQL Injection
CVE-2024-13783 FormCraft <= 3.9.11 - Missing Authorization to Plugin Data Export in formcraft-main.php
CVE-2024-13787 VEDA - MultiPurpose WordPress Theme <= 4.2 - Authenticated (Subscriber+) PHP Object Injection
CVE-2024-13789 Ravpage <= 2.31 - PHP Object Injection
CVE-2024-13790 MinimogWP – The High Converting eCommerce WordPress Theme <= 3.7.0 - Unauthenticated Local PHP File Inclusion
CVE-2024-13791 Bit Assist <= 1.5.2 - Path Traversal to Authenticated (Administrator+) Arbitrary File Read via downloadResponseFile Function
S
CVE-2024-13792 WooCommerce Food - Restaurant Menu & Food ordering <= 3.3.2 - Unauthenticated Arbitrary Shortcode Execution via ids
CVE-2024-13793 Wolmart | Multi-Vendor Marketplace WooCommerce Theme <= 1.8.11 - Unauthenticated Arbitrary Shortcode Execution in wolmart_loadmore
CVE-2024-13794 Hide My WP Ghost – Security & Firewall <= 5.3.02 - Unauthenticated Login Page Disclosure
S
CVE-2024-13795 Ecwid by Lightspeed Ecommerce Shopping Cart <= 6.12.27 - Cross-Site Request Forgery to Send Deactivation Message
S
CVE-2024-13796 Post Grid and Gutenberg Blocks – ComboBlocks <= 2.3.6 - Unauthenticated User Information Exposure
S
CVE-2024-13797 PressMart - Modern Elementor WooCommerce WordPress Theme <= 1.2.16 - Unauthenticated Arbitrary Shortcode Execution
CVE-2024-13798 Post Grid and Gutenberg Blocks – ComboBlocks <= 2.3.5 - Unauthenticated Paid Order Creation
S
CVE-2024-13799 User Private Files – File Upload & Download Manager with Secure File Sharing <= 2.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting
CVE-2024-13800 Popup Plugin For WordPress - ConvertPlus <= 3.5.30 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
CVE-2024-13801 BWL Advanced FAQ Manager <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
CVE-2024-13802 Bandsintown Events <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13803 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13804 Unauthenticated RCE in HPE Insight Cluster Management Utility...
E
CVE-2024-13805 Advanced File Manager <= 5.2.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload
S
CVE-2024-13806 Authors List <= 2.0.6 - Unauthenticated Arbitrary Shortcode Execution
CVE-2024-13808 Xpro Elementor Addons - Pro <= 1.4.9 - Authenticated (Contributor+) Remote Code Execution
CVE-2024-13809 Hero Slider - WordPress Slider Plugin <= 1.3.5 - Authenticated (Subscriber+) SQL Injection
CVE-2024-13810 Zass - WooCommerce Theme for Handmade Artists and Artisans <= 3.9.9.10 - Missing Authorization to Authenticated (Subscriber+) Demo Import
CVE-2024-13811 Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme <= 4.5.7 - Missing Authorization to Authenticated (Subscriber+) Demo Import
CVE-2024-13812 Anps Theme plugin <= 1.1.1 - Unauthenticated Arbitrary Shortcode Execution
CVE-2024-13813 Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authent...
CVE-2024-13814 Global Gallery - WordPress Responsive Gallery <= 9.1.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
CVE-2024-13815 Listingo - Business Listing and Directory WordPress Theme <= 3.2.7 - Unauthenticated Arbitrary Shortcode Execution
CVE-2024-13816 Aiomatic - AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.3.6 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions
CVE-2024-13817 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in...
R
CVE-2024-13818 Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction <= 3.8.3.9 - Sensitive Information Exposure via Log Files
CVE-2024-13820 Melhor Envio <= 2.15.9 - Unauthenticated Sensitive Information Exposure via Hardcoded Hash
CVE-2024-13821 WP Booking Calendar <= 10.10 - Unauthenticated Post-Confirmation Booking Manipulation
S
CVE-2024-13822 Total Contest Lite <= 2.8.1 - Reflected XSS
E
CVE-2024-13823 360 Product Rotation <= 1.5.8 - Reflected XSS
E
CVE-2024-13824 CiyaShop - Multipurpose WooCommerce Theme <= 4.19.0 - Unauthenticated PHP Object Injection
CVE-2024-13825 Email Keep <= 1.1 - Reflected XSS
E
CVE-2024-13826 Email Keep <= 1.1 - Email Deletion via CSRF
E
CVE-2024-13827 Razorpay Subscription Button Elementor Plugin <= 1.0.3 - Reflected Cross-Site Scripting via add_query_arg and remove_query_arg Functions
CVE-2024-13828 Badgearoo <= 1.0.14 - Reflected XSS
E
CVE-2024-13829 WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.8 - Unauthenticated Sensitive Information Exposure
CVE-2024-13830 Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before versi...
CVE-2024-13831 Tabs for WooCommerce <= 1.0.0 - Authenticated (Shop Manager+) PHP Object Injection in product_has_custom_tabs
CVE-2024-13832 Ultra Addons Lite for Elementor <= 1.1.8 - Authenticated (Contributor+) Restricted Post Disclosure
CVE-2024-13833 Album Gallery – WordPress Gallery <= 1.6.3 - Authenticated (Editor+) PHP Object Injection via Gallery Meta
CVE-2024-13834 Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme <= 3.1.4 - Authenticated (Contributor+) Blind Server-Side Request Forgery via remote_request
S
CVE-2024-13835 Post Meta Data Manager <= 1.4.3 - Authenticated (Admin+) Multisite Privilege Escalation
CVE-2024-13836 WP Login Control <= 2.0.0 - Reflected XSS
E
CVE-2024-13837 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in...
R
CVE-2024-13838 Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.2 - Authenticated (Admin+) Server-Side Request Forgery via Webhook
S
CVE-2024-13839 Company Directory <= 4.3 - Reflected Cross-Site Scripting via add_query_arg Function
CVE-2024-13841 Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time <= 1.0.0 - Authenticated (Contributor+) Post Disclosure
CVE-2024-13842 A hardcoded key in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before ver...
CVE-2024-13843 Cleartext storage of information in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy ...
CVE-2024-13844 Post SMTP <= 3.1.2 - Authenticated (Administrator+) SQL Injection via columns Parameter
S
CVE-2024-13845 Gravity Forms WebHooks <= 1.6.0 - Authenticated (Admin+) Server-Side Request Forgery via Webhook
CVE-2024-13846 Indeed Ultimate Learning Pro <= 3.9 - Authenticated (Administrator+) SQL Injection via post_id Parameter
CVE-2024-13847 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in...
R
CVE-2024-13848 Reaction Buttons <= 2.1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
CVE-2024-13849 Cookie Notice Bar <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
CVE-2024-13850 Simple add pages or posts <= 2.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
S
CVE-2024-13851 Modal Portfolio <= 1.7.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
CVE-2024-13852 Option Editor <= 1.0 - Cross-Site Request Forgery to Arbitrary Options Update
CVE-2024-13853 SEO Tools <= 4.0.7 - Reflected XSS
E
CVE-2024-13854 Education Addon for Elementor <= 1.3.1 - Authenticated (Contributor+) Insecure Direct Object Reference via naedu_elementor_template Shortcode
CVE-2024-13855 Prime Addons for Elementor <= 2.0.1 - Authenticated (Contributor+) Insecure Direct Object Reference via pae_global_block Shortcode
CVE-2024-13856 Make Builder <= 1.1.10 - Authenticated (Subscriber+) Server-Side Request Forgery via make_builder_ajax_subscribe Function
CVE-2024-13857 WPGet API <= 2.2.10 - Authenticated (Administrator+) Server-Side Request Forgery
CVE-2024-13858 BuddyBoss Platform and BuddyBoss Theme <= Multiple Versions - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'invitee_name'
CVE-2024-13859 BuddyBoss Platform <= 2.8.50 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bp_nouveau_ajax_media_save' function
CVE-2024-13860 BuddyBoss Platform <= 2.8.50 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bbp_topic_title'
CVE-2024-13861 A code injection vulnerability in the Debian package component of Taegis Endpoint Agent (Linux) vers...
CVE-2024-13862 S3Bubble Media Streaming <= 8.0 - Reflected XSS
E
CVE-2024-13863 Stylish Google Sheet Reader < 4.1 - Reflected XSS
E
CVE-2024-13864 Countdown Timer <= 1.0 - Reflected XSS
E
CVE-2024-13865 drm-protected-video-streaming <= 4.2.1 - Reflected XSS
E
CVE-2024-13866 Simple Notification <= 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
CVE-2024-13867 Listivo - Classified Ads WordPress Theme <= 2.3.67 - Reflected Cross-Site Scripting
CVE-2024-13868 Easy Broken Link Checker <= 9.0.2 - Reflected XSS
E
CVE-2024-13869 Migration, Backup, Staging – WPvivid <= 0.9.112 - Authenticated (Admin+) Arbitrary File Upload via wpvivid_upload_file
E S
CVE-2024-13870 Unauthenticated Firmware Downgrade in Bitdefender Box v1
CVE-2024-13871 Unauthenticated Command Injection in Bitdefender BOX v1
S
CVE-2024-13872 Bitdefender Box Insecure Update Mechanism Vulnerability in libboxhermes.so
S
CVE-2024-13873 WP Job Portal <= 2.2.8 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection
S
CVE-2024-13874 Feedify – Web Push Notifications < 2.4.6 - Reflected XSS
E
CVE-2024-13875 WP Programmmanager <= 1.2 - Reflected XSS
E
CVE-2024-13876 Meintopf <= 0.2.1 - Reflected XSS
E
CVE-2024-13877 Passbeemedia Web Push Notifications <= 1.0.0 - Reflected XSS
E
CVE-2024-13878 SpotBot <= 0.1.8 - Reflected XSS
E
CVE-2024-13879 Stream <= 4.0.2 - Authenticated (Admin+) Server-Side Request Forgery
CVE-2024-13880 My Quota <= 1.0.8 - Reflected XSS
E
CVE-2024-13881 LinkMyPosts <= 1.0 - Reflected XSS
E
CVE-2024-13882 Aiomatic - AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.3.8 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
CVE-2024-13883 WPUpper Share Buttons <= 3.51 - Cross-Site Request Forgery to Custom CSS Update
CVE-2024-13884 Limit Bio <= 1.0 - Reflected XSS
E
CVE-2024-13885 WP E Customers <= 0.0.1 - Reflected XSS
E
CVE-2024-13887 Business Directory Plugin - Easy Listing Directories for WordPress <= 6.4.14 - Insecure Direct Object Reference to Listing Arbitrary Image Addition
CVE-2024-13888 WPMobile.App <= 11.56 - Open Redirect via 'redirect' Parameter
S
CVE-2024-13889 WordPress Importer <= 0.8.3 - Authenticated (Administrator+) PHP Object Injection
CVE-2024-13890 Allow PHP Execute <= 1.0 - Authenticated (Editor+) PHP Code Injection
CVE-2024-13891 Schedule <= 1.0.0 - Reflected XSS
E
CVE-2024-13892 Command Injection in Smartwares cameras
CVE-2024-13893 Shared credentials in Smartwares cameras
CVE-2024-13894 Path traversal in Smartwares cameras
CVE-2024-13895 Code Snippets CPT <= 2.1.0 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
CVE-2024-13896 WP-GeSHi-Highlight <= 1.4.3 - Author+ ReDoS
E
CVE-2024-13897 Moving Media Library <= 1.22 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Deletion
CVE-2024-13898 Simple Banner <= 3.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
CVE-2024-13899 Mambo Importer <= 1.0 - Authenticated (Administrator+) PHP Object Injection
CVE-2024-13900 Head, Footer and Post Injections <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments
S
CVE-2024-13901 Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site <= 2.0.6 - Authenticated (Administrator+) DOM-Based Stored Cross-Site Scripting
S
CVE-2024-13902 huang-yk student-manage Edit a Student Information Page cross site scripting
E
CVE-2024-13903 quickjs-ng QuickJS qjs quickjs.c JS_GetRuntime stack-based overflow
E S
CVE-2024-13904 Platform.ly for WooCommerce <= 1.1.6 - Unauthenticated Blind Server-Side Request Forgery
S
CVE-2024-13905 OneStore Sites <= 0.1.1 - Unauthenticated Blind Server-Side Request Forgery
S
CVE-2024-13906 Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.7.3 - Authenticated (Administrator+) PHP Object Injection
CVE-2024-13907 Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid <= 1.16.8 - Authenticated (Administrator+) Server-Side Request Forgery
S
CVE-2024-13908 SMTP by BestWebSoft <= 1.1.9 - Authenticated (Administrator+) Arbitrary File Upload
S
CVE-2024-13909 Accredible Certificates & Open Badges <= 1.4.9 - Authenticated (Administrator+) SQL Injection via orderby Parameter
CVE-2024-13910 Database Backup and check Tables Automated With Scheduler 2024 <= 2.36 - Authenticated (Administrator+) Arbitrary File Deletion
CVE-2024-13911 Database Backup and check Tables Automated With Scheduler 2024 <= 2.35 - Authenticated (Administrator+) Sensitive Information Exposure
CVE-2024-13913 InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.83 - Cross-Site Request Forgery to Local File Inclusion
CVE-2024-13914 File Manager Advanced Shortcode <= Multiple Versions - Authenticated (Administrator+) Local JavaScript File Inclusion via Shortcode
CVE-2024-13918 Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page
E S
CVE-2024-13919 Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page
E S
CVE-2024-13920 Order Export & Order Import for WooCommerce <= 2.6.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
S
CVE-2024-13921 Order Export & Order Import for WooCommerce <= 2.6.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter
S
CVE-2024-13922 Order Export & Order Import for WooCommerce <= 2.6.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
S
CVE-2024-13923 Order Export & Order Import for WooCommerce <= 2.6.0 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function
S
CVE-2024-13924 Starter Templates by FancyWP <= 2.0.0 - Unauthenticated Blind Server-Side Request Forgery
CVE-2024-13925 Klarna Checkout for WooCommerce < 2.13.5 - DoS via Excessive Logging
E
CVE-2024-13926 WP-Syntax <= 1.2 - Author+ Potential ReDoS
E
CVE-2024-13928 Authenticated SQL Injection
CVE-2024-13929 Authenticated Servlet Command Injection
CVE-2024-13930 Authenticated Unchecked Loop Condition
CVE-2024-13931 Authenticated Relative Path Traversal
CVE-2024-13933 FoodBakery | Delivery Restaurant Directory WordPress Theme <= 4.7 - Cross-Site Request Forgery in Multiple Functions
CVE-2024-13939 String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string
CVE-2024-13940 Ninja Forms Webhooks <= 3.0.7 - Authenticated (Admin+) Server-Side Request Forgery via Form Webhook
CVE-2024-13941 ouch-org ouch zip.rs convert_zip_date_time memory corruption
E S
CVE-2024-13943 Tesla Model S Iris Modem QCMAP_ConnectionManager Improper Input Validation Sandbox Escape Vulnerability
CVE-2024-13944 Link Following Local Privilege Escalation Vulnerability in NortonUtilitiesSvc in Norton Utilities Ultimate (Also affects Avast CleanUp and AVG TuneUp)
S
CVE-2024-13945 Stored Absolute Path Traversal
CVE-2024-13946 Binary Planting / LoadLibrary DLL's not Signed
CVE-2024-13947 External System or Configuration Control
CVE-2024-13948 Insecure Permissions
CVE-2024-13949 Log Forging
CVE-2024-13950 Log Injection
CVE-2024-13951 One way hash with predictable salt
CVE-2024-13952 Remote Code Execution
CVE-2024-13953 Sensitive Information disclosed in log files
CVE-2024-13954 Serialization / Deserialization of configuration data
CVE-2024-13955 SQL Injection 2nd Order
CVE-2024-13956 SSL Verification Bypass
CVE-2024-13957 SSRF Server Side Request Forgery
CVE-2024-13958 Stored Cross Site Scripting
CVE-2024-13959 Link Following Local Privilege Escalation Vulnerability in AVG TuneUp 24.2.16593.9844
S
CVE-2024-13960 Link Following Local Privilege Escalation Vulnerability in AVG TuneUp Version 23.4
S
CVE-2024-13961 Avast Cleanup Premium TuneupSvc Link Following Local Privilege Escalation Vulnerability
S
CVE-2024-13962 Link Following Local Privilege Escalation Vulnerability in Avast Cleanup Premium Version 24.2.16593.17810
S
CVE-2024-13964 Rejected reason: wrong year...
R
CVE-2024-13965 Rejected reason: wrong year...
R
CVE-2024-13966 ZKTeco BioTime default password
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.