Lucene search

K

Decorator – WooCommerce Email Customizer Security Vulnerabilities

nvd
nvd

CVE-2024-5756

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied...

9.8CVSS

EPSS

2024-06-21 05:15 AM
1
cve
cve

CVE-2024-5756

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied...

9.8CVSS

9.7AI Score

EPSS

2024-06-21 05:15 AM
4
cvelist
cvelist

CVE-2024-5756 Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthenticated SQL Injection via optin

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied...

9.8CVSS

EPSS

2024-06-21 04:34 AM
3
nvd
nvd

CVE-2024-3961

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3CVSS

EPSS

2024-06-21 04:15 AM
3
cve
cve

CVE-2024-3961

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3CVSS

5.1AI Score

EPSS

2024-06-21 04:15 AM
4
cvelist
cvelist

CVE-2024-3961 ConvertKit <= 2.4.9 - Missing Authorization

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3CVSS

EPSS

2024-06-21 03:49 AM
4
cvelist
cvelist

CVE-2024-5455 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.6 - Authenticated (Contributor+) Local File Inclusion

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level.....

8.8CVSS

EPSS

2024-06-21 03:24 AM
5
nvd
nvd

CVE-2024-1639

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with...

6.5CVSS

EPSS

2024-06-21 02:15 AM
2
cve
cve

CVE-2024-1639

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with...

6.5CVSS

6.2AI Score

EPSS

2024-06-21 02:15 AM
3
cvelist
cvelist

CVE-2024-1639 License Manager for WooCommerce <= 3.0.7 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with...

6.5CVSS

EPSS

2024-06-21 02:05 AM
2
krebs
krebs

KrebsOnSecurity Threatened with Defamation Lawsuit Over Fake Radaris CEO

On March 8, 2024, KrebsOnSecurity published a deep dive on the consumer data broker Radaris, showing how the original owners are two men in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites. The...

6.8AI Score

2024-06-20 07:16 PM
2
nvd
nvd

CVE-2024-37897

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is...

5.4CVSS

EPSS

2024-06-20 06:15 PM
5
cve
cve

CVE-2024-37897

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is...

5.4CVSS

5.6AI Score

EPSS

2024-06-20 06:15 PM
3
talosblog
talosblog

Tabletop exercises are headed to the next frontier: Space

I think we can all agree that tabletop exercises are a good thing. They allow organizations of all sizes to test their incident response plans without the potentially devastating effects of a real-world cyber attack or intrusion. As part of my role at Talos, I've read hundreds of tabletop...

9.8CVSS

8.2AI Score

0.321EPSS

2024-06-20 06:00 PM
cvelist
cvelist

CVE-2024-37897 Insufficient access control for password reset in sftpgo

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is...

5.4CVSS

EPSS

2024-06-20 05:32 PM
3
osv
osv

SFTPGo has insufficient access control for password reset

Impact SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Patches Fixed in v2.6.1....

5.4CVSS

7.4AI Score

EPSS

2024-06-20 04:11 PM
github
github

SFTPGo has insufficient access control for password reset

Impact SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Patches Fixed in v2.6.1....

5.4CVSS

7.1AI Score

EPSS

2024-06-20 04:11 PM
aix
aix

AIX is vulnerable to security restrictions bypass due to cURL libcurl (CVE-2024-0853)

IBM SECURITY ADVISORY First Issued: Thu Jun 20 15:10:42 CDT 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/curl_advisory5.asc Security Bulletin: AIX is vulnerable to security restrictions bypass due to cURL libcurl...

5.3CVSS

6.2AI Score

0.001EPSS

2024-06-20 03:10 PM
cve
cve

CVE-2024-5156

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with.....

6.4CVSS

5.8AI Score

EPSS

2024-06-20 02:15 PM
1
nvd
nvd

CVE-2024-5156

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with.....

6.4CVSS

EPSS

2024-06-20 02:15 PM
1
cvelist
cvelist

CVE-2024-5156 Flatsome <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with.....

6.4CVSS

EPSS

2024-06-20 02:00 PM
2
vulnrichment
vulnrichment

CVE-2024-5156 Flatsome <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with.....

6.4CVSS

5.8AI Score

EPSS

2024-06-20 02:00 PM
thn
thn

French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks

State-sponsored actors with ties to Russia have been linked to targeted cyber attacks aimed at French diplomatic entities, the country's information security agency ANSSI said in an advisory. The attacks have been attributed to a cluster tracked by Microsoft under the name Midnight Blizzard...

7AI Score

2024-06-20 02:00 PM
3
wordfence
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 10, 2024 to June 16, 2024)

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...

10CVSS

9.3AI Score

EPSS

2024-06-20 01:40 PM
2
ics
ics

Westermo L210-F2G

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Westermo Equipment: L210-F2G Lynx Vulnerabilities: Cleartext Transmission of Sensitive Information, Improper Control of Interaction Frequency 2. RISK EVALUATION Successful exploitation of...

7.5CVSS

8AI Score

EPSS

2024-06-20 12:00 PM
thn
thn

Tool Overload: Why MSPs Are Still Drowning with Countless Cybersecurity Tools in 2024

Highlights Complex Tool Landscape: Explore the wide array of cybersecurity tools used by MSPs, highlighting the common challenge of managing multiple systems that may overlap in functionality but lack integration. Top Cybersecurity Challenges: Discuss the main challenges MSPs face, including...

7AI Score

2024-06-20 10:49 AM
5
veracode
veracode

SQL Injection

magento/community-edition is vulnerable to SQL Injection. The vulnerability is due to improper user input sanitization in email templates, allowing an authenticated user with access to these templates to send malicious SQL queries and gain access to sensitive database...

6.5CVSS

7.1AI Score

0.001EPSS

2024-06-20 10:09 AM
malwarebytes
malwarebytes

TikTok facing fresh lawsuit in US over children&#8217;s privacy

The Federal Trade Commission (FTC) has announced it's referred a complaint against TikTok and parent company ByteDance to the Department of Justice. The investigation originally focused on Musical.ly which was acquired by ByteDance on November 10, 2017, and merged it into TikTok. The FTC started a....

6.8AI Score

2024-06-20 09:58 AM
1
veracode
veracode

SQL Injection

Magento is vulnerable to SQL injection. The vulnerability is due to a user with store manipulation privileges being able to execute arbitrary SQL queries by accessing the database connection through a group instance in email...

8.8CVSS

8.1AI Score

0.001EPSS

2024-06-20 08:38 AM
veracode
veracode

SQL Injection

magento/community-edition is vulnerable to SQL injection. The vulnerability is due to improper sanitization of input in email template variables, allowing a user with marketing privileges to execute arbitrary SQL queries in the database. Attackers can exploit this to manipulate the database,...

8.8CVSS

7.6AI Score

0.001EPSS

2024-06-20 07:27 AM
nvd
nvd

CVE-2024-6113

A vulnerability was found in itsourcecode Monbela Tourist Inn Online Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file login.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The...

7.3CVSS

0.0004EPSS

2024-06-20 06:15 AM
3
cve
cve

CVE-2024-6113

A vulnerability was found in itsourcecode Monbela Tourist Inn Online Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file login.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The...

7.3CVSS

7.5AI Score

0.0004EPSS

2024-06-20 06:15 AM
3
cvelist
cvelist

CVE-2024-6113 itsourcecode Monbela Tourist Inn Online Reservation System login.php sql injection

A vulnerability was found in itsourcecode Monbela Tourist Inn Online Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file login.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The...

7.3CVSS

0.0004EPSS

2024-06-20 05:18 AM
4
cve
cve

CVE-2024-5432

The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during the checkout through the plugin. This makes it possible for unauthenticated attackers to log in as...

9.8CVSS

9.7AI Score

0.001EPSS

2024-06-20 02:15 AM
4
nvd
nvd

CVE-2024-5432

The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during the checkout through the plugin. This makes it possible for unauthenticated attackers to log in as...

9.8CVSS

0.001EPSS

2024-06-20 02:15 AM
3
nvd
nvd

CVE-2024-3602

The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This.....

4.3CVSS

0.0004EPSS

2024-06-20 02:15 AM
1
cve
cve

CVE-2024-3602

The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This.....

4.3CVSS

4.3AI Score

0.0004EPSS

2024-06-20 02:15 AM
3
vulnrichment
vulnrichment

CVE-2024-5432 Lifeline Donation <= 1.2.6 - Authentication Bypass

The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during the checkout through the plugin. This makes it possible for unauthenticated attackers to log in as...

9.8CVSS

7.2AI Score

0.001EPSS

2024-06-20 02:08 AM
1
cvelist
cvelist

CVE-2024-5432 Lifeline Donation <= 1.2.6 - Authentication Bypass

The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during the checkout through the plugin. This makes it possible for unauthenticated attackers to log in as...

9.8CVSS

0.001EPSS

2024-06-20 02:08 AM
5
cvelist
cvelist

CVE-2024-3602 Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer <= 1.1.0 - Missing Authorization

The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This.....

4.3CVSS

0.0004EPSS

2024-06-20 02:08 AM
1
trendmicroblog
trendmicroblog

Worldwide 2023 Email Phishing Statistics and Examples

Explore the need for going beyond built-in Microsoft 365 and Google Workspace™ security based on email threats detected in...

7.4AI Score

2024-06-20 12:00 AM
trendmicroblog
trendmicroblog

Worldwide 2023 Email Phishing Statistics and Examples

Explore the need for going beyond built-in Microsoft 365 and Google Workspace™ security based on email threats detected in...

7.4AI Score

2024-06-20 12:00 AM
github
github

TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option

Impact A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. Patches This...

6.1CVSS

6.7AI Score

0.0004EPSS

2024-06-19 03:07 PM
4
osv
osv

TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option

Impact A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. Patches This...

6.1CVSS

6.5AI Score

0.0004EPSS

2024-06-19 03:07 PM
github
github

TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements

Impact A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. Patches This vulnerability has been patched in TinyMCE 7.2.0,.....

6.1CVSS

6.8AI Score

0.0004EPSS

2024-06-19 03:07 PM
1
osv
osv

TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements

Impact A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. Patches This vulnerability has been patched in TinyMCE 7.2.0,.....

6.1CVSS

6.5AI Score

0.0004EPSS

2024-06-19 03:07 PM
qualysblog
qualysblog

TotalCloud Insights: Protect Your AWS Environment by Managing Access Keys Securely

Introduction With the average cost of a data breach coming in at $4.45M in 2023, safeguarding sensitive information and maintaining the security of cloud environments is more critical than ever. Instances of compromised access keys, not exclusive to AWS (Amazon Web Services) but prevalent across...

7.3AI Score

2024-06-19 03:02 PM
2
nvd
nvd

CVE-2023-37872

Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses.This issue affects WooCommerce Ship to Multiple Addresses: from n/a through...

6.5CVSS

0.0004EPSS

2024-06-19 02:15 PM
cve
cve

CVE-2023-37872

Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses.This issue affects WooCommerce Ship to Multiple Addresses: from n/a through...

6.5CVSS

6.5AI Score

0.0004EPSS

2024-06-19 02:15 PM
4
vulnrichment
vulnrichment

CVE-2023-37872 WordPress WooCommerce Ship to Multiple Addresses plugin <= 3.8.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses.This issue affects WooCommerce Ship to Multiple Addresses: from n/a through...

6.5CVSS

6.9AI Score

0.0004EPSS

2024-06-19 01:44 PM
1
Total number of security vulnerabilities112837