The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 2.12.6 via the get_block_default_attributes function. This allows authenticated attackers, with contributor-level permissions and above, to read the contents of any files...
CVSS 4.3 | AI Score 4.6 | EPSS 0.001
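The fix for a bug of this shape is to canonicalise the caller-supplied name and refuse anything that resolves outside the directory the function is meant to serve, before reading it. The following is an added example written for this page, not code from the Spectra plugin; the function name, the scratch directory and the `.json` extension check are assumptions. It runs with plain PHP and needs no WordPress install.

```php
<?php
// Added example, not from the Spectra plugin. Resolves a caller-supplied
// relative name against a fixed base directory and refuses anything that
// escapes it. Function and directory names are illustrative.

function read_block_definition(string $base_dir, string $requested): ?string {
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return null;                       // misconfigured base directory
    }

    // Reject obviously hostile input before touching the filesystem:
    // empty names, embedded NUL bytes, absolute paths and Windows drive letters.
    if ($requested === ''
        || strpos($requested, "\0") !== false
        || $requested[0] === '/' || $requested[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $requested)) {
        return null;
    }

    // realpath() collapses "..", symlinks and duplicate separators, and
    // returns false when the target does not exist.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }

    // Containment check. The trailing separator matters: without it a sibling
    // such as "/srv/blocks.secret" passes a prefix test against "/srv/blocks".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;                       // traversal or symlink escape
    }

    // Assumption for this demo: only block attribute definitions (.json) live here.
    if (strtolower(pathinfo($full, PATHINFO_EXTENSION)) !== 'json') {
        return null;
    }

    return file_get_contents($full);
}

// Self-contained demo: build a scratch directory so the script runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'blocks_demo_' . getmypid();
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'button.json', '{"align":"center"}');
$secret = $root . '.secret';               // sibling file just outside the base dir
file_put_contents($secret, 'not for you');

var_dump(read_block_definition($root, 'button.json'));                 // the JSON string
var_dump(read_block_definition($root, '../../../../etc/passwd'));     // NULL: escapes base
var_dump(read_block_definition($root, '../' . basename($secret)));     // NULL: prefix trick
var_dump(read_block_definition($root, "button.json\0.txt"));          // NULL: NUL byte

// Clean up the scratch files.
unlink($root . DIRECTORY_SEPARATOR . 'button.json');
unlink($secret);
rmdir($root);
```

The third call is the one a naive `strpos($full, $base) === 0` check gets wrong: the sibling file's path begins with the base directory's path as a string, so only the comparison against the base plus a separator rejects it.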
A vulnerability was found in WildFly's management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of...
CVSS 4.1 | AI Score 4.5 | EPSS 0.0004
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 304 vulnerabilities disclosed in 232...
AI Score 9.1
Combo Blocks < 2.2.76 - Improper Access Control
The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not prevent password protected posts from being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such...
AI Score 7.1 | EPSS 0.001
Carousel Slider < 2.2.11 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting...
AI Score 6.1 | EPSS 0.0004
Carousel Slider < 2.2.11 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks PoC 1. Create a new slider and insert: (1212"onmouseover='alert(1)') to "URL View"...
AI Score 5.8 | EPSS 0.0004
Serious Slider <= 1.2.4 - Cross-Site Request Forgery
Description The Serious Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action...
AI Score 6.7 | EPSS 0.0004
Crelly Slider <= 1.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Description The Crelly Slider plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.5 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
AI Score 6.7 | EPSS 0.0004
Where does your software (really) come from?
Software is a funny, profound thing: each piece of it is an invisible machine, seemingly made of magic words, designed to run on the ultimate, universal machine. It's not alive, but it has a lifecycle. It starts out as source code, just text files sitting in a repository somewhere, and then later...
AI Score 6.9
With RSAC just a week away, Cisco Talos is gearing up for another year of heading to San Francisco to share in some of the latest major cybersecurity announcements, research and news. We've pulled together the highlights, so you don't miss out on all things Talos. **Tuesday, May 7** Joe...
AI Score 7.2
Description The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it...
CVSS 4.3 | AI Score 6.5 | EPSS 0.001
Description The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.78. This makes it possible for unauthenticated attackers to extract...
AI Score 6.9 | EPSS 0.0004
BMC software fails to validate IPMI session.
Overview The Intelligent Platform Management Interface (IPMI) implementations in multiple manufacturers' Baseboard Management Controller (BMC) software are vulnerable to IPMI session hijacking. An attacker with access to the BMC network (with IPMI enabled) can abuse the lack of session integrity...
CVSS 9.1 | AI Score 8.2 | EPSS 0.24
Description The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmltag’ parameter in all versions up to, and including, 6.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject...
CVSS 6.4 | AI Score 5.7 | EPSS 0.0004
Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through...
CVSS 4.3 | AI Score 6.8 | EPSS 0.0004
Widget Post Slider < 1.3.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The Widget Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVSS 5.9 | AI Score 5.9 | EPSS 0.0004
Image Slider < 1.1.127 - Authenticated (Editor+) Stored Cross-Site Scripting
Description The Image Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 1.1.125 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions...
CVSS 5.9 | AI Score 5.9 | EPSS 0.0004
BP Better Messages < 2.4.33 - Missing Authorization
Description The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 2.4.32. This is due to the plugin not properly verifying if a user should have access to a...
CVSS 5.3 | AI Score 7 | EPSS 0.0004
Advanced Testimonial Carousel for Elementor < 3.0.1 - Missing Authorization
Description The Advanced Testimonial Carousel for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the handleAjaxCalls() function in versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with...
AI Score 6.7 | EPSS 0.0004
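Several entries above are the same missing control on a WordPress AJAX handler seen from different angles: Serious Slider (missing or incorrect nonce validation, so CSRF), Crelly Slider (a user-controlled key with no ownership check, so IDOR), and Post Grid and Advanced Testimonial Carousel (no capability check on rtTPGSaveSettings / handleAjaxCalls, so any logged-in user can call them). The following is an added example written for this page, not code from any of those plugins; the action names, option key, post type and function names are assumptions, and it is meant to run inside WordPress, where check_ajax_referer, current_user_can, get_post and wp_send_json_* are defined.

```php
<?php
// Added example, not from any plugin named on this page. Both handlers are
// hypothetical; only the WordPress API calls are real.

// BEFORE: the shape of the bug. Registered for logged-in users, then trusts
// every request that reaches it. Any subscriber (or, via CSRF, any site an
// admin happens to visit) can rewrite the settings of any slider ID.
function demo_save_slider_vulnerable() {
    $slider_id = (int) $_POST['slider_id'];          // no ownership check
    $settings  = $_POST['settings'];                 // no nonce, no capability
    update_post_meta( $slider_id, '_demo_slider', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_slider_vulnerable', 'demo_save_slider_vulnerable' );

// AFTER: nonce (CSRF), capability (authorization) and object ownership (IDOR)
// are three separate checks; passing one does not imply the others.
function demo_save_slider() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() dies with a 403 on failure.
    check_ajax_referer( 'demo_save_slider', 'nonce' );

    // 2. Authorization: a capability that actually implies the right to change
    //    this data. is_user_logged_in() is not enough; subscribers are logged in.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );      // wp_send_json_* exit
    }

    // 3. Object-level check: the key the client sends must refer to an object
    //    of the expected type that this particular user may edit.
    $slider_id = isset( $_POST['slider_id'] ) ? absint( $_POST['slider_id'] ) : 0;
    $slider    = $slider_id ? get_post( $slider_id ) : null;
    if ( ! $slider || 'demo_slider' !== $slider->post_type
         || ! current_user_can( 'edit_post', $slider_id ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 4. Only then touch the data, and only the fields you expect.
    $allowed  = array( 'autoplay' => 'bool', 'interval' => 'int' );
    $settings = array();
    foreach ( $allowed as $key => $type ) {
        if ( ! isset( $_POST['settings'][ $key ] ) ) {
            continue;
        }
        $settings[ $key ] = ( 'int' === $type )
            ? absint( $_POST['settings'][ $key ] )
            : (bool) $_POST['settings'][ $key ];
    }
    update_post_meta( $slider_id, '_demo_slider', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_demo_save_slider', 'demo_save_slider' );

// Plugin-wide settings handlers (the rtTPGSaveSettings / handleAjaxCalls shape)
// need manage_options, not merely a logged-in user.
function demo_save_plugin_settings() {
    check_ajax_referer( 'demo_plugin_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_plugin_settings', array(
        'per_page' => absint( $_POST['per_page'] ?? 10 ),
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_plugin_settings', 'demo_save_plugin_settings' );

// The client must send the matching nonce, e.g. emitted with
// wp_localize_script() as  wp_create_nonce( 'demo_save_slider' ).
```

Two caveats a reviewer would raise. A nonce alone is not authorization: a subscriber can obtain a valid nonce for any action the page exposes to them, so step 2 still decides who may call the handler. And the Combo Blocks entry above is the unauthenticated variant of the same class: a `wp_ajax_nopriv_` handler that returns post content has no caller capability to check, so it must itself apply `post_password_required()` and post-status checks before echoing anything.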
Description The Grid Gallery – Photo Image Grid Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization via shortcode of untrusted input from the awl_gg_settings_ meta value. This makes it possible for authenticated...
CVSS 7.5 | AI Score 7.1 | EPSS 0.001
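Deserialising a meta value with unserialize() lets whoever can write that value (here, any user who can place the shortcode) instantiate arbitrary classes, and any class in the application with a __wakeup or __destruct method becomes a gadget. The following is an added example written for this page, not the Grid Gallery plugin's code; the class, the serialized payload and the meta value are constructed for the demonstration, and it runs with plain PHP.

```php
<?php
// Added example, not from the Grid Gallery plugin. Shows why unserialize() on
// attacker-writable data is object injection, and two ways to avoid it.

// A class that happens to exist in the application (constructed for this demo).
class DemoLogWriter {
    public string $path = '/dev/null';
    public string $data = '';
    public function __destruct() {
        // A gadget: a side effect driven entirely by attacker-chosen properties.
        echo "[gadget] would write to {$this->path}: {$this->data}\n";
    }
}

// What an attacker stores in the meta value (constructed). The serialized
// string names a class and its properties; unserialize() builds it for them.
$payload = 'O:13:"DemoLogWriter":2:{s:4:"path";s:14:"/var/www/x.php";s:4:"data";s:11:"<?php evil;";}';

// VULNERABLE: classes are instantiated and magic methods run. The returned
// array is empty, but the damage is done when the object is destroyed.
function load_settings_vulnerable(string $meta): array {
    $settings = unserialize($meta);
    return is_array($settings) ? $settings : array();
}

// FIX 1: keep unserialize() but forbid every class. An object payload becomes
// __PHP_Incomplete_Class, which has no application magic methods.
function load_settings_no_classes(string $meta): array {
    $settings = unserialize($meta, array('allowed_classes' => false));
    return is_array($settings) ? $settings : array();
}

// FIX 2 (preferred for new code): store JSON. json_decode() cannot produce
// application objects at all, so there is no gadget to reach.
function load_settings_json(string $meta): array {
    $settings = json_decode($meta, true);
    return (json_last_error() === JSON_ERROR_NONE && is_array($settings))
        ? $settings : array();
}

echo "vulnerable:\n";
load_settings_vulnerable($payload);          // prints the [gadget] line

echo "allowed_classes=false:\n";
var_dump(load_settings_no_classes($payload)); // no gadget output; array(0)

echo "json:\n";
var_dump(load_settings_json('{"columns":3,"gap":10}')); // array with 2 keys
var_dump(load_settings_json($payload));                  // not JSON; array(0)
```

The `allowed_classes` option only protects the call you add it to. If a value is later handed to another code path that deserialises it without the option, the gadget is back, so the durable fix is the JSON one: never let a lower-privileged user write a serialized string into anything the plugin will unserialize.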
Missing Authorization vulnerability in Aazztech Post Slider.This issue affects Post Slider: from n/a through...
CVSS 5.4 | AI Score 5.5 | EPSS 0.0004
CVE-2022-40975 WordPress Post Slider plugin <= 1.6.7 - Broken Access Control vulnerability
Missing Authorization vulnerability in Aazztech Post Slider.This issue affects Post Slider: from n/a through...
CVSS 5.4 | AI Score 5.8 | EPSS 0.0004
Cross-Site Request Forgery (CSRF) vulnerability in Cryout Creations Serious Slider.This issue affects Serious Slider: from n/a through...
CVSS 4.3 | AI Score 4.6 | EPSS 0.0004
The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored...
AI Score 8 | EPSS 0.0004
The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
AI Score 7.6 | EPSS 0.0004
CVE-2024-3188 Shortcodes Ultimate < 7.1.0 - Contributor+ Stored XSS
The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored...
AI Score 5.7 | EPSS 0.0004
CVE-2024-2310 WP Google Review Slider < 13.6 - Admin+ Stored XSS
The WP Google Review Slider WordPress plugin before 13.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
AI Score 5.5 | EPSS 0.0004
Swift Framework < 2024.0.0 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins....
AI Score 5.2 | EPSS 0.0004
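Shortcodes Ultimate, Swift Framework, Carousel Slider and WP Google Review Slider above are one pattern: an attribute or setting that a lower-privileged user controls is written into HTML without escaping for the context it lands in. The Carousel Slider PoC (`1212"onmouseover='alert(1)'` in a URL field) works precisely because the value is dropped into an HTML attribute with its quote intact. The following is an added example written for this page, not code from any of those plugins; the shortcode tag and attribute names are assumptions, and it is meant to run inside WordPress (shortcode_atts, esc_attr, esc_url, wp_kses_post, add_shortcode).

```php
<?php
// Added example, not from any plugin on this page. A hypothetical [demo_slide]
// shortcode, first as the vulnerable entries are typically written, then with
// the escaping function chosen per output context.

// VULNERABLE: attributes are concatenated straight into markup. A contributor
// who saves a post containing this shortcode gets stored XSS that fires for
// the editor or admin who previews or publishes it.
function demo_slide_vulnerable( $atts ) {
    $a = shortcode_atts(
        array( 'url' => '', 'title' => '', 'class' => '', 'caption' => '' ),
        $atts, 'demo_slide_vulnerable'
    );
    return '<div class="slide ' . $a['class'] . '">'
         . '<a href="' . $a['url'] . '" title="' . $a['title'] . '">'
         . $a['caption']
         . '</a></div>';
}
add_shortcode( 'demo_slide_vulnerable', 'demo_slide_vulnerable' );

// FIXED: escape by where the value lands, not by what it is supposed to be.
function demo_slide( $atts ) {
    $a = shortcode_atts(
        array( 'url' => '', 'title' => '', 'class' => '', 'caption' => '' ),
        $atts, 'demo_slide'
    );

    // Attribute context. esc_attr() encodes the double quote that the
    // Carousel Slider PoC string relies on to break out of the attribute.
    $title = esc_attr( $a['title'] );

    // URL context. esc_url() encodes for attribute output and additionally
    // rejects javascript: and data: URLs, which esc_attr() alone would let
    // into an href.
    $url = esc_url( $a['url'] );

    // Class names: validate against an allow-list instead of escaping; any
    // value that is not a plain class list is dropped.
    $class = preg_match( '/^[A-Za-z0-9_ -]{1,64}$/', $a['class'] ) ? $a['class'] : '';

    // Element content that may legitimately carry some markup: wp_kses_post()
    // keeps the tag set WordPress allows in post content and strips script
    // elements and on* handlers. Do not relax this on the strength of
    // current_user_can( 'unfiltered_html' ): at render time that tests the
    // viewer, not the contributor who stored the value, and sites can disallow
    // the capability outright (the multisite case in the Google Review Slider
    // entry), which is why "admin-only" stored XSS is still reported.
    $caption = wp_kses_post( $a['caption'] );

    return '<div class="slide ' . $class . '">'
         . '<a href="' . $url . '" title="' . $title . '">'
         . $caption
         . '</a></div>';
}
add_shortcode( 'demo_slide', 'demo_slide' );
```

Sanitising on save (sanitize_text_field and friends) is a useful second layer, but it is not a substitute: values reach the database through the REST API, importers and older plugin versions, so the output path has to escape regardless of what the input path did.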
A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the...
CVSS 6.5 | AI Score 6.7 | EPSS 0.0004
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with...
CVSS 6 | AI Score 5.5 | EPSS 0.0004
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 15, 2024 to April 21, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 209 vulnerabilities disclosed in 169...
AI Score 9.9
The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Widget Post Overlay block in all versions up to, and including, 3.7.0 due to insufficient input sanitization and...
CVSS 6.4 | AI Score 5.7 | EPSS 0.0004
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Fancy Text Widget in all versions up to, and including, 3.5.2 due to...
CVSS 6.4 | AI Score 5.7 | EPSS 0.0004
Description The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
CVSS 6.5 | AI Score 7.8 | EPSS 0.0004
Testimonial Slider < 2.3.8 - Admin+ Stored Cross-Site Scripting
Description The Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
AI Score 5.5 | EPSS 0.0004
Description The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVSS 6.5 | AI Score 7.8 | EPSS 0.0004