Lucene search

K

Event Calendar – Calendar (WordPress Plugin) Security Vulnerabilities

cve
cve

CVE-2024-35769

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in John West Slideshow SE allows Stored XSS.This issue affects Slideshow SE: from n/a through...

5.9CVSS

5.7AI Score

0.0004EPSS

2024-06-21 12:15 PM
14
cve
cve

CVE-2024-35779

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

6.5CVSS

6.5AI Score

0.0004EPSS

2024-06-21 12:15 PM
13
nvd
nvd

CVE-2024-35769

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in John West Slideshow SE allows Stored XSS.This issue affects Slideshow SE: from n/a through...

5.9CVSS

0.0004EPSS

2024-06-21 12:15 PM
2
cve
cve

CVE-2024-35774

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in D’arteweb DImage 360 allows Stored XSS.This issue affects DImage 360: from n/a through...

6.5CVSS

6.5AI Score

0.0004EPSS

2024-06-21 12:15 PM
14
nvd
nvd

CVE-2024-35774

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in D’arteweb DImage 360 allows Stored XSS.This issue affects DImage 360: from n/a through...

6.5CVSS

0.0004EPSS

2024-06-21 12:15 PM
1
vulnrichment
vulnrichment

CVE-2024-35769 WordPress Slideshow SE plugin <= 2.5.17 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in John West Slideshow SE allows Stored XSS.This issue affects Slideshow SE: from n/a through...

5.9CVSS

6.7AI Score

0.0004EPSS

2024-06-21 12:07 PM
cvelist
cvelist

CVE-2024-35769 WordPress Slideshow SE plugin <= 2.5.17 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in John West Slideshow SE allows Stored XSS.This issue affects Slideshow SE: from n/a through...

5.9CVSS

0.0004EPSS

2024-06-21 12:07 PM
2
vulnrichment
vulnrichment

CVE-2024-35774 WordPress DImage 360 plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in D’arteweb DImage 360 allows Stored XSS.This issue affects DImage 360: from n/a through...

6.5CVSS

6.8AI Score

0.0004EPSS

2024-06-21 12:05 PM
cvelist
cvelist

CVE-2024-35774 WordPress DImage 360 plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in D’arteweb DImage 360 allows Stored XSS.This issue affects DImage 360: from n/a through...

6.5CVSS

0.0004EPSS

2024-06-21 12:05 PM
3
talosblog
talosblog

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. We observed that SneakyChef launched a phishing campaign, sending emails delivering SugarGh0st and SpiceRAT with the...

7.5AI Score

2024-06-21 12:00 PM
3
cvelist
cvelist

CVE-2024-35779 WordPress Page Builder: Live Composer plugin <= 1.5.42 - Contributor+ Shortcode Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

6.5CVSS

0.0004EPSS

2024-06-21 11:40 AM
3
vulnrichment
vulnrichment

CVE-2024-5058 WordPress Typing Text plugin <= 1.2.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS.This issue affects Typing Text: from n/a through...

6.5CVSS

6.8AI Score

0.0004EPSS

2024-06-21 11:37 AM
1
cvelist
cvelist

CVE-2024-5058 WordPress Typing Text plugin <= 1.2.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS.This issue affects Typing Text: from n/a through...

6.5CVSS

0.0004EPSS

2024-06-21 11:37 AM
3
githubexploit
githubexploit

Exploit for Unrestricted Upload of File with Dangerous Type in Wpallimport Wp All Import

WordPress Plugin WP All Import &lt;= 3.6.7 - Thực thi mã từ xa...

7.2CVSS

7.1AI Score

0.015EPSS

2024-06-21 11:08 AM
71
cve
cve

CVE-2024-6027

The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

9.8CVSS

9.7AI Score

0.001EPSS

2024-06-21 10:15 AM
16
nvd
nvd

CVE-2024-6027

The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

9.8CVSS

0.001EPSS

2024-06-21 10:15 AM
2
githubexploit
githubexploit

Exploit for Unrestricted Upload of File with Dangerous Type in Elementor Website Builder

WordPress Plugin - Elementor 3.6.0 3.6.1 3.6.2 Thực thi mã từ...

8.8CVSS

7AI Score

0.96EPSS

2024-06-21 10:05 AM
63
cvelist
cvelist

CVE-2024-6027 Themify - WooCommerce Product Filter <= 1.4.9 - Unauthenticated SQL Injection via conditions Parameter

The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

9.8CVSS

0.001EPSS

2024-06-21 09:39 AM
5
cbl_mariner
cbl_mariner

CVE-2022-29526 affecting package sriov-network-device-plugin for versions less than 3.7.0-1

CVE-2022-29526 affecting package sriov-network-device-plugin for versions less than 3.7.0-1. An upgraded version of the package is available that resolves this...

5.3CVSS

6.2AI Score

0.002EPSS

2024-06-21 09:32 AM
cbl_mariner
cbl_mariner

CVE-2022-1996 affecting package sriov-network-device-plugin for versions less than 3.7.0-1

CVE-2022-1996 affecting package sriov-network-device-plugin for versions less than 3.7.0-1. An upgraded version of the package is available that resolves this...

9.1CVSS

7.8AI Score

0.002EPSS

2024-06-21 09:32 AM
cbl_mariner
cbl_mariner

CVE-2022-41717 affecting package sriov-network-device-plugin for versions less than 3.7.0-1

CVE-2022-41717 affecting package sriov-network-device-plugin for versions less than 3.7.0-1. An upgraded version of the package is available that resolves this...

5.3CVSS

5.7AI Score

0.003EPSS

2024-06-21 09:32 AM
cbl_mariner
cbl_mariner

CVE-2022-32149 affecting package sriov-network-device-plugin for versions less than 3.7.0-1

CVE-2022-32149 affecting package sriov-network-device-plugin for versions less than 3.7.0-1. An upgraded version of the package is available that resolves this...

7.5CVSS

6.9AI Score

0.002EPSS

2024-06-21 09:32 AM
cbl_mariner
cbl_mariner

CVE-2023-44487 affecting package sriov-network-device-plugin for versions less than 3.5.1-2

CVE-2023-44487 affecting package sriov-network-device-plugin for versions less than 3.5.1-2. An upgraded version of the package is available that resolves this...

7.5CVSS

8.8AI Score

0.732EPSS

2024-06-21 09:32 AM
github
github

FriendlyCaptcha Plugin for TYPO3 Captcha Check Bypass

An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the...

5.3CVSS

6.9AI Score

0.0004EPSS

2024-06-21 09:30 AM
2
github
github

events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated...

5.4CVSS

7AI Score

0.0004EPSS

2024-06-21 09:30 AM
1
osv
osv

FriendlyCaptcha Plugin for TYPO3 Captcha Check Bypass

An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the...

5.3CVSS

6.9AI Score

0.0004EPSS

2024-06-21 09:30 AM
1
osv
osv

events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated...

5.4CVSS

7AI Score

0.0004EPSS

2024-06-21 09:30 AM
cve
cve

CVE-2024-5859

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘d’ parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS

6AI Score

0.0005EPSS

2024-06-21 09:15 AM
11
nvd
nvd

CVE-2024-5859

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘d’ parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS

0.0005EPSS

2024-06-21 09:15 AM
3
cvelist
cvelist

CVE-2024-5859 Appointment Booking and Online Scheduling <= 4.4.2 - Reflected Cross-Site Scripting

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘d’ parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS

0.0005EPSS

2024-06-21 08:39 AM
cve
cve

CVE-2024-6225

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1 for the Pro version) due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS

4.3AI Score

0.0004EPSS

2024-06-21 08:15 AM
13
nvd
nvd

CVE-2024-6225

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1 for the Pro version) due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS

0.0004EPSS

2024-06-21 08:15 AM
3
nvd
nvd

CVE-2024-5945

The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have...

6.4CVSS

0.001EPSS

2024-06-21 08:15 AM
2
cve
cve

CVE-2024-5945

The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have...

6.4CVSS

5.8AI Score

0.001EPSS

2024-06-21 08:15 AM
13
cvelist
cvelist

CVE-2024-5945 WP SVG Images <= 4.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have...

6.4CVSS

0.001EPSS

2024-06-21 07:39 AM
3
vulnrichment
vulnrichment

CVE-2024-5945 WP SVG Images <= 4.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have...

6.4CVSS

6AI Score

0.001EPSS

2024-06-21 07:39 AM
cvelist
cvelist

CVE-2024-6225 Amelia <= 1.1.5 & Amelia (Pro) <= 7.5.1 - Authenticated (Admin+) Stored Cross-Site Scripting

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1 for the Pro version) due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS

0.0004EPSS

2024-06-21 07:39 AM
4
nvd
nvd

CVE-2024-5639

The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with.....

4.3CVSS

0.001EPSS

2024-06-21 07:15 AM
2
cve
cve

CVE-2024-38874

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated...

5.4CVSS

7.3AI Score

0.0004EPSS

2024-06-21 07:15 AM
10
cve
cve

CVE-2024-5191

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS

5.8AI Score

0.001EPSS

2024-06-21 07:15 AM
11
nvd
nvd

CVE-2024-38874

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated...

5.4CVSS

0.0004EPSS

2024-06-21 07:15 AM
2
cve
cve

CVE-2024-5639

The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with.....

4.3CVSS

4.4AI Score

0.001EPSS

2024-06-21 07:15 AM
11
nvd
nvd

CVE-2024-5191

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS

0.001EPSS

2024-06-21 07:15 AM
2
cvelist
cvelist

CVE-2024-5191 Branda – White Label WordPress, Custom Login Page Customizer <= 3.4.17 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS

0.001EPSS

2024-06-21 06:58 AM
2
cvelist
cvelist

CVE-2024-5639 User Profile Picture <= 2.6.1 - Authenticated (Author+) Insecure Direct Object Reference to Profile Picture Update

The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with.....

4.3CVSS

0.001EPSS

2024-06-21 06:58 AM
3
nvd
nvd

CVE-2024-4475

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF...

0.0004EPSS

2024-06-21 06:15 AM
3
cve
cve

CVE-2024-4382

The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF...

6.5AI Score

0.0004EPSS

2024-06-21 06:15 AM
11
cve
cve

CVE-2024-4755

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
12
cve
cve

CVE-2024-4969

The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF...

6.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
12
nvd
nvd

CVE-2024-4384

The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:15 AM
1
Total number of security vulnerabilities271183