Lucene search

K

Ivory Search – WordPress Search Plugin Security Vulnerabilities

nvd
nvd

CVE-2024-2747

CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio, which could cause privilege escalation when a valid user replaces a trusted file name on the system and reboots the...

7.8CVSS

0.0004EPSS

2024-06-12 06:15 PM
5
cve
cve

CVE-2024-2747

CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio, which could cause privilege escalation when a valid user replaces a trusted file name on the system and reboots the...

7.8CVSS

7.9AI Score

0.0004EPSS

2024-06-12 06:15 PM
20
cvelist
cvelist

CVE-2024-2747

CWE-428: Unquoted search path or element vulnerability exists in Easergy Studio, which could cause privilege escalation when a valid user replaces a trusted file name on the system and reboots the...

7.8CVSS

0.0004EPSS

2024-06-12 05:12 PM
2
github
github

Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter,...

6.5CVSS

7AI Score

0.0004EPSS

2024-06-12 03:31 PM
4
wordfence
wordfence

Introducing the 0-day Threat Hunt Bug Bounty Promo Through July 11th, 2024!

At Wordfence our mission is to Secure The Web. WordPress powers over 40% of the Web, and Wordfence secures over 5 million WordPress websites. That's why we’ve decided to run another exciting and new promotion for our Bug Bounty Program. With this promotion, our goal is to get more of the highest...

7.8AI Score

2024-06-12 03:17 PM
2
osv
osv

CVE-2024-37297

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

6AI Score

0.0004EPSS

2024-06-12 03:15 PM
1
cve
cve

CVE-2024-37297

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

5.2AI Score

0.0004EPSS

2024-06-12 03:15 PM
17
nvd
nvd

CVE-2024-37297

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

0.0004EPSS

2024-06-12 03:15 PM
nvd
nvd

CVE-2024-31217

Strapi is an open-source content management system. Prior to version 4.22.0, a denial-of-service vulnerability is present in the media upload process causing the server to crash without restarting, affecting either development and production environments. Usually, errors in the application cause...

5.3CVSS

0.0004EPSS

2024-06-12 03:15 PM
osv
osv

CVE-2024-31217

Strapi is an open-source content management system. Prior to version 4.22.0, a denial-of-service vulnerability is present in the media upload process causing the server to crash without restarting, affecting either development and production environments. Usually, errors in the application cause...

5.3CVSS

6.8AI Score

0.0004EPSS

2024-06-12 03:15 PM
1
cve
cve

CVE-2024-34065

Strapi is an open-source content management system. By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and...

7.1CVSS

7.3AI Score

0.001EPSS

2024-06-12 03:15 PM
18
cve
cve

CVE-2024-31217

Strapi is an open-source content management system. Prior to version 4.22.0, a denial-of-service vulnerability is present in the media upload process causing the server to crash without restarting, affecting either development and production environments. Usually, errors in the application cause...

5.3CVSS

5.3AI Score

0.0004EPSS

2024-06-12 03:15 PM
17
nvd
nvd

CVE-2024-34065

Strapi is an open-source content management system. By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and...

7.1CVSS

0.001EPSS

2024-06-12 03:15 PM
osv
osv

CVE-2024-29181

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create....

2.3CVSS

6.7AI Score

0.0004EPSS

2024-06-12 03:15 PM
nvd
nvd

CVE-2024-29181

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create....

2.3CVSS

0.0004EPSS

2024-06-12 03:15 PM
cve
cve

CVE-2024-29181

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create....

2.3CVSS

3.6AI Score

0.0004EPSS

2024-06-12 03:15 PM
17
cvelist
cvelist

CVE-2024-37297 WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

0.0004EPSS

2024-06-12 03:05 PM
1
vulnrichment
vulnrichment

CVE-2024-37297 WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

6AI Score

0.0004EPSS

2024-06-12 03:05 PM
cvelist
cvelist

CVE-2024-34065 @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Strapi is an open-source content management system. By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and...

7.1CVSS

0.001EPSS

2024-06-12 02:54 PM
2
cvelist
cvelist

CVE-2024-31217 @strapi/plugin-upload has a Denial-of-Service via Improper Exception Handling

Strapi is an open-source content management system. Prior to version 4.22.0, a denial-of-service vulnerability is present in the media upload process causing the server to crash without restarting, affecting either development and production environments. Usually, errors in the application cause...

5.3CVSS

0.0004EPSS

2024-06-12 02:50 PM
vulnrichment
vulnrichment

CVE-2024-29181 @strapi/plugin-content-manager leaks data via relations via the Admin Panel

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create....

2.3CVSS

7AI Score

0.0004EPSS

2024-06-12 02:46 PM
2
cvelist
cvelist

CVE-2024-29181 @strapi/plugin-content-manager leaks data via relations via the Admin Panel

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create....

2.3CVSS

0.0004EPSS

2024-06-12 02:46 PM
1
nvd
nvd

CVE-2024-23445

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter,...

6.5CVSS

0.0004EPSS

2024-06-12 02:15 PM
1
cve
cve

CVE-2024-23445

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter,...

6.5CVSS

6.6AI Score

0.0004EPSS

2024-06-12 02:15 PM
22
cvelist
cvelist

CVE-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter,...

6.5CVSS

0.0004EPSS

2024-06-12 01:58 PM
3
thn
thn

Cryptojacking Campaign Targets Misconfigured Kubernetes Clusters

Cybersecurity researchers have warned of an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters to mine Dero cryptocurrency. Cloud security firm Wiz, which shed light on the activity, said it's an updated variant of a financially motivated operation that was first documented....

7.6AI Score

2024-06-12 01:42 PM
2
cve
cve

CVE-2024-5674

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

6.5AI Score

0.0005EPSS

2024-06-12 11:15 AM
27
nvd
nvd

CVE-2024-5674

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

0.0005EPSS

2024-06-12 11:15 AM
5
nvd
nvd

CVE-2024-1766

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access....

4.4CVSS

0.0004EPSS

2024-06-12 11:15 AM
5
nvd
nvd

CVE-2024-4898

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site...

9.8CVSS

0.001EPSS

2024-06-12 11:15 AM
3
nvd
nvd

CVE-2024-3492

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'event', 'location', and 'event_category' shortcodes in all versions up to, and including, 6.4.7.3 due to insufficient input sanitization and output...

6.4CVSS

0.0004EPSS

2024-06-12 11:15 AM
3
cve
cve

CVE-2024-3492

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'event', 'location', and 'event_category' shortcodes in all versions up to, and including, 6.4.7.3 due to insufficient input sanitization and output...

6.4CVSS

5.7AI Score

0.0004EPSS

2024-06-12 11:15 AM
17
cve
cve

CVE-2024-1766

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access....

4.4CVSS

4.4AI Score

0.0004EPSS

2024-06-12 11:15 AM
17
cve
cve

CVE-2024-4898

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site...

9.8CVSS

9.4AI Score

0.001EPSS

2024-06-12 11:15 AM
23
vulnrichment
vulnrichment

CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

7.2AI Score

0.0005EPSS

2024-06-12 11:05 AM
2
cvelist
cvelist

CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

0.0005EPSS

2024-06-12 11:05 AM
4
cvelist
cvelist

CVE-2024-1766 Download Manager <= 3.2.86 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access....

4.4CVSS

0.0004EPSS

2024-06-12 11:05 AM
3
cvelist
cvelist

CVE-2024-3492 Events Manager – Calendar, Bookings, Tickets, and more! <= 6.4.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via event, location, and event_category Shortcodes

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'event', 'location', and 'event_category' shortcodes in all versions up to, and including, 6.4.7.3 due to insufficient input sanitization and output...

6.4CVSS

0.0004EPSS

2024-06-12 11:05 AM
2
vulnrichment
vulnrichment

CVE-2024-1766 Download Manager <= 3.2.86 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access....

4.4CVSS

6AI Score

0.0004EPSS

2024-06-12 11:05 AM
1
cvelist
cvelist

CVE-2024-4898 InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site...

9.8CVSS

0.001EPSS

2024-06-12 11:05 AM
6
nvd
nvd

CVE-2024-4845

The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

8.8CVSS

0.001EPSS

2024-06-12 10:15 AM
4
cve
cve

CVE-2024-4845

The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

8.8CVSS

8.7AI Score

0.001EPSS

2024-06-12 10:15 AM
23
cve
cve

CVE-2024-2092

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4CVSS

5AI Score

0.001EPSS

2024-06-12 10:15 AM
20
nvd
nvd

CVE-2024-2092

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4CVSS

0.001EPSS

2024-06-12 10:15 AM
3
nvd
nvd

CVE-2023-48280

Missing Authorization vulnerability in Consensu.IO Consensu.Io.This issue affects Consensu.Io: from n/a through...

7.5CVSS

0.0004EPSS

2024-06-12 10:15 AM
5
nvd
nvd

CVE-2023-51413

Missing Authorization vulnerability in Piotnet Forms.This issue affects Piotnet Forms: from n/a through...

5.3CVSS

0.0004EPSS

2024-06-12 10:15 AM
5
nvd
nvd

CVE-2023-51524

Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through...

4.3CVSS

0.0004EPSS

2024-06-12 10:15 AM
5
cve
cve

CVE-2023-51413

Missing Authorization vulnerability in Piotnet Forms.This issue affects Piotnet Forms: from n/a through...

5.3CVSS

5.4AI Score

0.0004EPSS

2024-06-12 10:15 AM
43
cve
cve

CVE-2023-51524

Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through...

4.3CVSS

4.7AI Score

0.0004EPSS

2024-06-12 10:15 AM
36
cve
cve

CVE-2023-48280

Missing Authorization vulnerability in Consensu.IO Consensu.Io.This issue affects Consensu.Io: from n/a through...

7.5CVSS

7.6AI Score

0.0004EPSS

2024-06-12 10:15 AM
61
Total number of security vulnerabilities407425