FileBird – WordPress Media Library Folders & File Manager Security Vulnerabilities

Takeaways From The Take Command Summit: Navigating Modern SOC Challenges

At our recent Take Command summit, experts delved into the pressing challenges faced by SOC teams. With 2,365 more data breaches in 2023 than in 2022 (74% of which were a direct result of cyber attacks), the need for robust security operations has never been greater. Key takeaways from the 25...

CVE-2024-6441

A vulnerability was found in ORIPA up to 1.72. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/oripa/persistence/doc/loader/LoaderXML.java. The manipulation leads to deserialization. The attack can be launched remotely....

CVE-2024-6441

A vulnerability was found in ORIPA up to 1.72. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/oripa/persistence/doc/loader/LoaderXML.java. The manipulation leads to deserialization. The attack can be launched remotely....

CVE-2024-6441 ORIPA LoaderXML.java deserialization

A vulnerability was found in ORIPA up to 1.72. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file src/main/java/oripa/persistence/doc/loader/LoaderXML.java. The manipulation leads to deserialization. The attack can be launched remotely....

CVE-2024-6439

A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated...

CVE-2024-6440

A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /classes/Master.php?f=delete_category. The manipulation of the argument id leads to sql injection. It is possible to launch the.....

CVE-2024-6438

A vulnerability has been found in Hitout Carsale 1.0 and classified as critical. This vulnerability affects unknown code of the file OrderController.java. The manipulation of the argument orderBy leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the...

CVE-2024-6438

A vulnerability has been found in Hitout Carsale 1.0 and classified as critical. This vulnerability affects unknown code of the file OrderController.java. The manipulation of the argument orderBy leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the...

CVE-2024-6439

A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated...

CVE-2024-6440

A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /classes/Master.php?f=delete_category. The manipulation of the argument id leads to sql injection. It is possible to launch the.....

CVE-2024-4268

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-6099

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated...

CVE-2024-4268

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-6088

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user...

CVE-2024-6099

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated...

CVE-2024-6088

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user...

CVE-2024-6264

The Post Meta Data Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘$meta_key’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-6264

The Post Meta Data Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘$meta_key’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Exploit for CVE-2024-6387

Document Title - Mitigation Guide for CVE-2024-6387 in...

CVE-2024-6264 Post Meta Data Manager <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Post Meta Data Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘$meta_key’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-6088 LearnPress – WordPress LMS Plugin <= 4.2.6.8.1 - Missing Authorization to Unauthenticated User Registration Bypass

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user...

CVE-2024-6099 LearnPress – WordPress LMS Plugin <= 4.2.6.8.1 - Unauthenticated Bypass to User Registration

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated...

CVE-2024-4268 Ultimate Blocks – WordPress Blocks Plugin <= 3.1.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Multiple Blocks

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-6440 SourceCodester Home Owners Collection Management System sql injection

A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /classes/Master.php?f=delete_category. The manipulation of the argument id leads to sql injection. It is possible to launch the.....

CVE-2024-6439 SourceCodester Home Owners Collection Management System unrestricted upload

A vulnerability was found in SourceCodester Home Owners Collection Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated...

How MFA Failures are Fueling a 500% Surge in Ransomware Losses

The cybersecurity threat landscape has witnessed a dramatic and alarming rise in the average ransomware payment, an increase exceeding 500%. Sophos, a global leader in cybersecurity, revealed in its annual "State of Ransomware 2024" report that the average ransom payment has increased 500% in the.....

CVE-2024-6438 Hitout Carsale OrderController.java sql injection

A vulnerability has been found in Hitout Carsale 1.0 and classified as critical. This vulnerability affects unknown code of the file OrderController.java. The manipulation of the argument orderBy leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the...

CVE-2024-6012

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with....

CVE-2024-6011

The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-6011

The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-6012

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with....

CVE-2024-34594

Exposure of sensitive information in proc file system prior to SMR Jul-2024 Release 1 allows local attackers to read kernel memory...

CVE-2024-34594

Exposure of sensitive information in proc file system prior to SMR Jul-2024 Release 1 allows local attackers to read kernel memory...

Exploit for CVE-2024-6387

OpenSSH CVE-2024-6387 Vulnerability Scanner...

CVE-2024-6012 Cost Calculator Builder <= 3.2.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with....

CVE-2024-6011 Cost Calculator Builder <= 3.2.12 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-34594

Exposure of sensitive information in proc file system prior to SMR Jul-2024 Release 1 allows local attackers to read kernel memory...

CVE-2024-5260

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘read_more_text’ parameter in all versions up to, and including, 3.5.5 due to...

CVE-2024-5260

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘read_more_text’ parameter in all versions up to, and including, 3.5.5 due to...

CVE-2024-6104 vulnerabilities

Vulnerabilities for packages: k3d, flux, actions-runner-controller, fulcio, opentelemetry-collector-contrib, cosign, skopeo, consul, flux-image-reflector-controller, snyk-cli, tekton-chains, gomplate, gh, terragrunt, timestamp-authority, guac, rook, rabbitmq-messaging-topology-operator,...

CVE-2023-44487 vulnerabilities

Vulnerabilities for packages: prometheus-stackdriver-exporter, dynamic-localpv-provisioner, atlantis, cortex, gobuster, kpt, ingress-nginx-controller, prometheus, spark-operator, hey, kubernetes-csi-livenessprobe, terraform, envoy-ratelimit, coredns, node-problem-detector, aws-efs-csi-driver,...

GHSA-7WW5-4WQC-M92C vulnerabilities

Vulnerabilities for packages: k3d, helm-push, eksctl, helm, melange, zot, kubevela, cilium-cli, skaffold, trivy, up, kots, telegraf, tekton-pipelines, flux-helm-controller, newrelic-infrastructure-agent, kaniko, ctop, flux-source-controller, gitness, neuvector-agent, fuse-overlayfs-snapshotter,...

CVE-2024-25620 vulnerabilities

Vulnerabilities for packages: flux-helm-controller, helm-push, flux-source-controller, k8sgpt, helm-operator, cilium-cli, chartmuseum, trivy, eksctl, up, istio-operator, zarf, k9s, kots, cert-manager, zot,...

GHSA-R53H-JV2G-VPX6 vulnerabilities

Vulnerabilities for packages: flux-helm-controller, helm-push, flux-source-controller, k8sgpt, helm-operator, cilium-cli, chartmuseum, trivy, eksctl, up, istio-operator, zarf, k9s, kots, cert-manager, zot,...

GHSA-JQ35-85CJ-FJ4P vulnerabilities

Vulnerabilities for packages: falco, k3d, chartmuseum, tekton-chains, kpt, skaffold, up, loki, scorecard, prometheus, tekton-pipelines, bom, k3s, aactl, slsa-verifier, ctop, goreleaser, paranoia, cert-manager,...

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: k3d, kubernetes-dns-node-cache, actions-runner-controller, dagger, prometheus-stackdriver-exporter, dynamic-localpv-provisioner, trillian, skopeo, chartmuseum, atlantis, eksctl, cortex, cluster-proportional-autoscaler, kubeflow-pipelines, prometheus-postgres-exporter,....

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: k3d, kubernetes-dns-node-cache, actions-runner-controller, dagger, helm-push, regclient, dynamic-localpv-provisioner, trillian, yam, chartmuseum, eksctl, oras, cortex, cluster-proportional-autoscaler, kubeflow-pipelines, prometheus-postgres-exporter, mockery, runc,...

GHSA-2C7C-3MJ9-8FQH vulnerabilities

Vulnerabilities for packages: falco, traefik, fulcio, cosign, vault, tekton-chains, terragrunt, oauth2-proxy, cilium-envoy, gitsign, kots, tekton-pipelines, cert-manager, cloudflared, external-secrets-operator, sops, keda, aactl, slsa-verifier, argo-workflows, dex, argo-cd, vexctl,...

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: k3d, helm-push, trillian, chartmuseum, atlantis, eksctl, terragrunt, kpt, docker-credential-gcr, gobump, flannel-cni-plugin, nri-consul, crossplane-provider-azure, loki, prometheus, pombump, spark-operator, influx, terraform, cadvisor, ytt,...

CVE-2024-24787 vulnerabilities

Vulnerabilities for packages: k3d, kubernetes-dns-node-cache, helm-push, prometheus-stackdriver-exporter, regclient, dynamic-localpv-provisioner, trillian, skopeo, chartmuseum, atlantis, eksctl, neuvector-scanner, oras, cortex, overmind, mockery, extism, runc, kpt, docker-credential-gcr,...