Lucene search

K

Album Gallery – WordPress Gallery Security Vulnerabilities

nvd
nvd

CVE-2024-1955

The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor...

4.3CVSS

0.001EPSS

2024-06-21 02:15 AM
3
cve
cve

CVE-2024-1955

The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor...

4.3CVSS

4.3AI Score

0.001EPSS

2024-06-21 02:15 AM
20
cve
cve

CVE-2024-1639

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with...

6.5CVSS

6.2AI Score

0.0005EPSS

2024-06-21 02:15 AM
22
nvd
nvd

CVE-2023-3352

The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for...

4.3CVSS

0.0004EPSS

2024-06-21 02:15 AM
5
cve
cve

CVE-2023-3352

The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for...

4.3CVSS

4.4AI Score

0.0004EPSS

2024-06-21 02:15 AM
21
cvelist
cvelist

CVE-2023-3352 Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion

The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for...

4.3CVSS

0.0004EPSS

2024-06-21 02:05 AM
cvelist
cvelist

CVE-2024-1955 Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated(Contributor+) Plugin Settings Modification

The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor...

4.3CVSS

0.001EPSS

2024-06-21 02:05 AM
3
vulnrichment
vulnrichment

CVE-2024-1955 Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated(Contributor+) Plugin Settings Modification

The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor...

4.3CVSS

6.5AI Score

0.001EPSS

2024-06-21 02:05 AM
cvelist
cvelist

CVE-2024-3610 WP Child Theme Generator <= 1.1.1 - Missing Authorization to Unauthenticated Child Theme Creation/Activation

The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child...

5.3CVSS

0.001EPSS

2024-06-21 02:05 AM
3
vulnrichment
vulnrichment

CVE-2024-3610 WP Child Theme Generator <= 1.1.1 - Missing Authorization to Unauthenticated Child Theme Creation/Activation

The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child...

5.3CVSS

6.6AI Score

0.001EPSS

2024-06-21 02:05 AM
vulnrichment
vulnrichment

CVE-2024-1639 License Manager for WooCommerce <= 3.0.7 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with...

6.5CVSS

6.6AI Score

0.0005EPSS

2024-06-21 02:05 AM
1
cvelist
cvelist

CVE-2024-1639 License Manager for WooCommerce <= 3.0.7 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with...

6.5CVSS

0.0005EPSS

2024-06-21 02:05 AM
3
cvelist
cvelist

CVE-2024-5503 WP Blog Post Layouts <= 1.1.3 - Authenticated (Contributor+) Local File Inlcusion

The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the...

8.8CVSS

0.001EPSS

2024-06-21 02:05 AM
1
vulnrichment
vulnrichment

CVE-2024-5503 WP Blog Post Layouts <= 1.1.3 - Authenticated (Contributor+) Local File Inlcusion

The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the...

8.8CVSS

7.7AI Score

0.001EPSS

2024-06-21 02:05 AM
1
cvelist
cvelist

CVE-2024-5344 The Plus Addons for Elementor Page Builder <= 5.5.6 - Reflected Cross-Site Scripting via WP Login and Register Widget

The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘forgoturl’ attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping....

6.1CVSS

0.0005EPSS

2024-06-21 02:05 AM
3
wpvulndb
wpvulndb

Greenshift – animation and page builder blocks < 8.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's social share block in all versions up to, and including, 8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes....

6.5CVSS

5.9AI Score

0.0004EPSS

2024-06-21 12:00 AM
osv
osv

Malicious code in wordpress-theme-core (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (11ba6949abd5e27add3ceeb9c4709ae17be63d4831af09c7f34ca236d3b06b8e) The OpenSSF Package Analysis project identified 'wordpress-theme-core' @ 0.0.123 (npm) as malicious. It is considered malicious because: The...

7.3AI Score

2024-06-20 03:28 PM
cve
cve

CVE-2024-37222

Cross Site Scripting (XSS) vulnerability in Averta Master Slider allows Reflected XSS.This issue affects Master Slider: from n/a through...

7.1CVSS

6.5AI Score

0.0004EPSS

2024-06-20 03:15 PM
21
nvd
nvd

CVE-2024-37222

Cross Site Scripting (XSS) vulnerability in Averta Master Slider allows Reflected XSS.This issue affects Master Slider: from n/a through...

7.1CVSS

0.0004EPSS

2024-06-20 03:15 PM
3
cve
cve

CVE-2024-5156

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with.....

6.4CVSS

5.8AI Score

0.0004EPSS

2024-06-20 02:15 PM
20
nvd
nvd

CVE-2024-5156

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with.....

6.4CVSS

0.0004EPSS

2024-06-20 02:15 PM
1
cvelist
cvelist

CVE-2024-37222 WordPress Master Slider plugin <= 3.9.10 - Reflected Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability in Averta Master Slider allows Reflected XSS.This issue affects Master Slider: from n/a through...

7.1CVSS

0.0004EPSS

2024-06-20 02:12 PM
vulnrichment
vulnrichment

CVE-2024-37222 WordPress Master Slider plugin <= 3.9.10 - Reflected Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability in Averta Master Slider allows Reflected XSS.This issue affects Master Slider: from n/a through...

7.1CVSS

6AI Score

0.0004EPSS

2024-06-20 02:12 PM
1
cvelist
cvelist

CVE-2024-5156 Flatsome <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with.....

6.4CVSS

0.0004EPSS

2024-06-20 02:00 PM
3
vulnrichment
vulnrichment

CVE-2024-5156 Flatsome <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with.....

6.4CVSS

5.8AI Score

0.0004EPSS

2024-06-20 02:00 PM
2
wordfence
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 10, 2024 to June 16, 2024)

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...

10CVSS

9.3AI Score

EPSS

2024-06-20 01:40 PM
4
cve
cve

CVE-2024-5036

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.5.4 due to insufficient input...

6.4CVSS

5.7AI Score

0.001EPSS

2024-06-20 11:15 AM
20
nvd
nvd

CVE-2024-5036

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.5.4 due to insufficient input...

6.4CVSS

0.001EPSS

2024-06-20 11:15 AM
4
cvelist
cvelist

CVE-2024-5036 Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) <= 3.5.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.5.4 due to insufficient input...

6.4CVSS

0.001EPSS

2024-06-20 11:06 AM
nvd
nvd

CVE-2024-4098

The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code.....

9.8CVSS

0.001EPSS

2024-06-20 07:15 AM
4
cve
cve

CVE-2024-4098

The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code.....

9.8CVSS

10AI Score

0.001EPSS

2024-06-20 07:15 AM
24
cvelist
cvelist

CVE-2024-4098 Shariff Wrapper <= 4.6.13 - Unauthenticated Local File Inclusion

The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code.....

9.8CVSS

0.001EPSS

2024-06-20 06:58 AM
5
cve
cve

CVE-2024-5522

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection...

7.3AI Score

0.0004EPSS

2024-06-20 06:15 AM
26
nvd
nvd

CVE-2024-5522

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection...

0.0004EPSS

2024-06-20 06:15 AM
5
nvd
nvd

CVE-2024-5475

The Responsive video embed WordPress plugin before 0.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

0.0004EPSS

2024-06-20 06:15 AM
3
cve
cve

CVE-2024-5475

The Responsive video embed WordPress plugin before 0.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.6AI Score

0.0004EPSS

2024-06-20 06:15 AM
25
cve
cve

CVE-2024-4565

The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct...

6.4AI Score

0.0004EPSS

2024-06-20 06:15 AM
27
nvd
nvd

CVE-2024-4565

The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct...

0.0004EPSS

2024-06-20 06:15 AM
3
vulnrichment
vulnrichment

CVE-2024-5522 HTML5 Video Player < 2.5.27 - Unauthenticated SQLi

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection...

7.6AI Score

0.0004EPSS

2024-06-20 06:00 AM
cvelist
cvelist

CVE-2024-5522 HTML5 Video Player < 2.5.27 - Unauthenticated SQLi

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection...

0.0004EPSS

2024-06-20 06:00 AM
5
cvelist
cvelist

CVE-2024-5475 Responsive video embed < 0.5.1 - Contributor+ Stored XSS

The Responsive video embed WordPress plugin before 0.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

0.0004EPSS

2024-06-20 06:00 AM
3
vulnrichment
vulnrichment

CVE-2024-5475 Responsive video embed < 0.5.1 - Contributor+ Stored XSS

The Responsive video embed WordPress plugin before 0.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

5.8AI Score

0.0004EPSS

2024-06-20 06:00 AM
cvelist
cvelist

CVE-2024-4565 Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access

The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct...

0.0004EPSS

2024-06-20 06:00 AM
4
nvd
nvd

CVE-2024-5605

The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter within the mla_tag_cloud Shortcode in all versions up to, and including, 3.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

8.8CVSS

0.001EPSS

2024-06-20 04:15 AM
7
cve
cve

CVE-2024-5686

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Team Members widget in all versions up to, and including, 1.1.38 due to insufficient input sanitization and output escaping. This makes....

6.4CVSS

5.7AI Score

0.001EPSS

2024-06-20 04:15 AM
26
nvd
nvd

CVE-2024-5686

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Team Members widget in all versions up to, and including, 1.1.38 due to insufficient input sanitization and output escaping. This makes....

6.4CVSS

0.001EPSS

2024-06-20 04:15 AM
4
cve
cve

CVE-2024-5605

The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter within the mla_tag_cloud Shortcode in all versions up to, and including, 3.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

8.8CVSS

8.7AI Score

0.001EPSS

2024-06-20 04:15 AM
28
nvd
nvd

CVE-2024-4390

The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any WordPress...

6.5CVSS

0.001EPSS

2024-06-20 04:15 AM
6
cve
cve

CVE-2024-4390

The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any WordPress...

6.5CVSS

6.2AI Score

0.001EPSS

2024-06-20 04:15 AM
25
cvelist
cvelist

CVE-2024-5686 WPZOOM Addons for Elementor (Templates, Widgets) <= 1.1.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Team Members widget in all versions up to, and including, 1.1.38 due to insufficient input sanitization and output escaping. This makes....

6.4CVSS

0.001EPSS

2024-06-20 03:37 AM
6
Total number of security vulnerabilities99685