Total
304757 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-51157 | 1 Zkteco | 1 Wdms | 2024-10-02 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in ZKTeco WDMS v.5.1.3 Pro allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script to the Emp Name parameter. | |||||
| CVE-2024-8349 | 1 Uncannyowl | 1 Uncanny Groups For Learndash | 2024-10-02 | N/A | 7.2 HIGH |
| The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what users a group leader can edit. This makes it possible for authenticated attackers, with group leader-level access and above, to change admin account email addresses which can subsequently lead to admin account access. | |||||
| CVE-2024-8483 | 1 Madrasthemes | 1 Mas Static Content | 2024-10-02 | N/A | 6.5 MEDIUM |
| The MAS Static Content plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.8 via the static_content() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract potentially sensitive information from private static content pages. | |||||
| CVE-2024-8741 | 1 Outtheboxthemes | 1 Beam Me Up Scotty | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Beam me up Scotty – Back to Top Button plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-47305 | 1 Dineshkarki | 1 Use Any Font | 2024-10-02 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Dnesscarkey Use Any Font allows Cross Site Request Forgery.This issue affects Use Any Font: from n/a through 6.3.08. | |||||
| CVE-2024-46489 | 1 Ferrislucas | 1 Promptr | 2024-10-02 | N/A | 8.8 HIGH |
| A remote command execution (RCE) vulnerability in promptr v6.0.7 allows attackers to execute arbitrary commands via a crafted URL. | |||||
| CVE-2024-8713 | 1 Pierros | 1 Kodex Posts Likes | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Kodex Posts likes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-46488 | 1 Asg017 | 1 Sqlite-vec | 2024-10-02 | N/A | 5.5 MEDIUM |
| sqlite-vec v0.1.1 was discovered to contain a heap buffer overflow via the npy_token_next function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file. | |||||
| CVE-2024-7781 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | N/A | 9.8 CRITICAL |
| The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully patched in version 4.7.8. | |||||
| CVE-2024-8485 | 1 Jianbo | 1 Rest Api To Miniprogram | 2024-10-02 | N/A | 9.8 CRITICAL |
| The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators. | |||||
| CVE-2024-5480 | 2024-10-02 | N/A | N/A | ||
| Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||||
| CVE-2024-7772 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | N/A | 9.8 CRITICAL |
| The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file uploads due to a mishandled file type validation in the 'validate' function in all versions up to, and including, 4.6.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2024-8621 | 1 Mmrs151 | 1 Daily Prayer Time | 2024-10-02 | N/A | 6.5 MEDIUM |
| The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-8549 | 1 Xtendify | 1 Simple Calendar | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-7617 | 1 Itpathsolutions | 1 Contact Form To Any Api | 2024-10-02 | N/A | 6.1 MEDIUM |
| The Contact Form to Any API plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 form fields in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-46655 | 1 Ellevo | 1 Ellevo | 2024-10-02 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Ellevo 6.2.0.38160 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload or URL. | |||||
| CVE-2023-52950 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 5.3 MEDIUM |
| Missing encryption of sensitive data vulnerability in login component in Synology Active Backup for Business Agent before 2.7.0-3221 allows adjacent man-in-the-middle attackers to obtain user credential via unspecified vectors. | |||||
| CVE-2023-52949 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 5.5 MEDIUM |
| Missing authentication for critical function vulnerability in proxy settings functionality in Synology Active Backup for Business Agent before 2.7.0-3221 allows local users to obtain user credential via unspecified vectors. | |||||
| CVE-2023-52948 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 5.0 MEDIUM |
| Missing encryption of sensitive data vulnerability in settings functionality in Synology Active Backup for Business Agent before 2.7.0-3221 allows local users to obtain user credential via unspecified vectors. | |||||
| CVE-2023-52947 | 1 Synology | 1 Active Backup For Business Agent | 2024-10-02 | N/A | 3.3 LOW |
| Missing authentication for critical function vulnerability in logout functionality in Synology Active Backup for Business Agent before 2.6.3-3101 allows local users to logout the client via unspecified vectors. The backup functionality will continue to operate and will not be affected by the logout. | |||||