SIGMA Lite & Lite + Security Vulnerabilities

CVE-2024-2144

The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Separator widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,....

CVE-2024-2143

The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Heading widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-2047

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files...

CVE-2024-2047

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files...

CVE-2024-1238

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button ID parameter in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-1238

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button ID parameter in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-1238

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button ID parameter in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-2047

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files...

CVE-2024-30496

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BdThemes Element Pack Elementor Addons.This issue affects Element Pack Elementor Addons: from n/a through...

CVE-2024-30496

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BdThemes Element Pack Elementor Addons.This issue affects Element Pack Elementor Addons: from n/a through...

CVE-2024-30425

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Beaver Builder Team Beaver Builder allows Stored XSS.This issue affects Beaver Builder: from n/a through...

CVE-2024-30425

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Beaver Builder Team Beaver Builder allows Stored XSS.This issue affects Beaver Builder: from n/a through...

CVE-2024-30496 WordPress Element Pack Lite plugin <= 5.5.3 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BdThemes Element Pack Elementor Addons.This issue affects Element Pack Elementor Addons: from n/a through...

CVE-2024-30425 WordPress Beaver Builder – WordPress Page Builder plugin <= 2.7.4.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Beaver Builder Team Beaver Builder allows Stored XSS.This issue affects Beaver Builder: from n/a through...

CVE-2024-30425 WordPress Beaver Builder – WordPress Page Builder plugin <= 2.7.4.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Beaver Builder Team Beaver Builder allows Stored XSS.This issue affects Beaver Builder: from n/a through...

CVE-2024-1729

A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (app.auth[username] == password) to validate user credentials, which can be exploited to guess...

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Icons Widget

Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Icons widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated....

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Heading Widget

Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Heading widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Separator Widget

Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Separator widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for...

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget

Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Info Table Widget

Description The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Info Table widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 94 vulnerabilities disclosed in 81 WordPress.....

Element Pack Elementor Addons < 5.5.4 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the link URL due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute...

DearFlip < 2.2.27 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the 'force_fit ' parameter due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute...

CVE-2024-1540

A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to unauthorized...

CVE-2024-29807

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DearHive DearFlip allows Stored XSS.This issue affects DearFlip: from n/a through...

CVE-2024-29807

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DearHive DearFlip allows Stored XSS.This issue affects DearFlip: from n/a through...

CVE-2024-30186

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Prime Slider – Addons For Elementor allows Stored XSS.This issue affects Prime Slider – Addons For Elementor: from n/a through...

CVE-2024-30186

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Prime Slider – Addons For Elementor allows Stored XSS.This issue affects Prime Slider – Addons For Elementor: from n/a through...

CVE-2024-30185

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Element Pack Elementor Addons allows Stored XSS.This issue affects Element Pack Elementor Addons: from n/a through...

CVE-2024-30185

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Element Pack Elementor Addons allows Stored XSS.This issue affects Element Pack Elementor Addons: from n/a through...

CVE-2024-29807 WordPress DearFlip plugin <= 2.2.26 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DearHive DearFlip allows Stored XSS.This issue affects DearFlip: from n/a through...

CVE-2024-30186 WordPress Prime Slider plugin <= 3.13.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Prime Slider – Addons For Elementor allows Stored XSS.This issue affects Prime Slider – Addons For Elementor: from n/a through...

CVE-2024-30185 WordPress Element Pack Elementor Addons plugin <= 5.5.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Element Pack Elementor Addons allows Stored XSS.This issue affects Element Pack Elementor Addons: from n/a through...

CVE-2024-30199

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows Reflected XSS.This issue affects WP-Lister Lite for Amazon: from n/a through...

CVE-2024-30199

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows Reflected XSS.This issue affects WP-Lister Lite for Amazon: from n/a through...

CVE-2024-30199 WordPress WP-Lister Lite for Amazon plugin <= 2.6.8 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows Reflected XSS.This issue affects WP-Lister Lite for Amazon: from n/a through...

CVE-2024-2206

An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the /proxy route. Attackers can exploit this vulnerability by manipulating the self.replica_urls set through the X-Direct-Url header in requests to the / and /config routes, allowing the...

Hubbub Lite – Fast, Reliable Social Network Sharing Buttons < 1.33.2 - PHP Object Injection

Description The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input via the 'dpsp_maybe_unserialize' function. This makes it possible for authenticated...

CVE-2023-28687

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in perfectwpthemes Glaze Blog Lite, themebeez Fascinate, themebeez Cream Blog, themebeez Cream Magazine allows Reflected XSS.This issue affects Glaze Blog Lite: from n/a through &lt;= 1.1.4; Fascinate...

CVE-2023-28687

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in perfectwpthemes Glaze Blog Lite, themebeez Fascinate, themebeez Cream Blog, themebeez Cream Magazine allows Reflected XSS.This issue affects Glaze Blog Lite: from n/a through &lt;= 1.1.4; Fascinate...

CVE-2023-28687 Reflected Cross-Site Scripting (XSS) vulnerability in multiple WordPress themes

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in perfectwpthemes Glaze Blog Lite, themebeez Fascinate, themebeez Cream Blog, themebeez Cream Magazine allows Reflected XSS.This issue affects Glaze Blog Lite: from n/a through &lt;= 1.1.4; Fascinate...

CVE-2024-2889

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows Stored XSS.This issue affects WP-Lister Lite for Amazon: from n/a through...

CVE-2024-2889

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows Stored XSS.This issue affects WP-Lister Lite for Amazon: from n/a through...

CVE-2024-2889 WordPress WP-Lister Lite for Amazon plugin <= 2.6.11 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows Stored XSS.This issue affects WP-Lister Lite for Amazon: from n/a through...

This Week in Spring - March 26th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! Sam Brannen shares some good news: a null-safe Index operator for the Spring Expression Language (SpEL) is coming to Spring Framework 6.2! This is interesting, and a nice application of AI (do I even need to spell out...

Ubuntu: Security Advisory (USN-6712-1)

The remote host is missing an update for...

libnet-cidr-lite-perl vulnerability

It was discovered that Net::CIDR::Lite incorrectly handled extra zero characters at the beginning of IP address strings. A remote attacker could possibly use this issue to bypass access...

Security Bulletin: Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server.

Summary IBM Storage Protect Server uses IBM Db2 and may be affected by multiple vulnerabilities which could lead to denial of service, remote code execution or loss of confidentiality, integrity or availability. CVE-2015-8383, CVE-2015-8381, CVE-2015-8386, CVE-2015-8388, CVE-2015-8385,...

Net::CIDR::Lite vulnerability

Releases Ubuntu 20.04 LTS Packages libnet-cidr-lite-perl - module for merging IPv4 or IPv6 CIDR address ranges Details It was discovered that Net::CIDR::Lite incorrectly handled extra zero characters at the beginning of IP address strings. A remote attacker could possibly use this issue to...