SP Project & Document Manager (WordPress Plugin) Security Vulnerabilities

GHSA-45X7-PX36-X8W8 vulnerabilities

Vulnerabilities for packages: caddy, nfs-subdir-external-provisioner, ferretdb, ollama, nats, traefik, k3s, telegraf, kubernetes-dashboard, eksctl, kubeflow-katib, nsc, docker-credential-acr-env, prometheus-nats-exporter, calico, memcached-exporter, apko, dockerize, spark-operator,...

GHSA-M425-MQ94-257G vulnerabilities

Vulnerabilities for packages: src, prometheus, cortex, prometheus-adapter, prometheus-blackbox-exporter, goreleaser, oauth2-proxy, pulumi, pulumi-kubernetes-operator, up, telegraf, ko, kubeflow-katib, slsa-verifier, tctl, gitlab-pages, keda, k3d, calico, cert-manager, aws-efs-csi-driver,...

GHSA-QPPJ-FM5R-HXR3 vulnerabilities

Vulnerabilities for packages: ollama, nats, traefik, telegraf, kubeflow-katib, calico, nginx-mainline, cue, memcached-exporter, spark-operator, flux-source-controller, envoy-ratelimit, nghttp2, bom, argo-cd, prometheus-elasticsearch-exporter, secrets-store-csi-driver, helm, pulumi-language-java,...

CVE-2024-24783 vulnerabilities

Vulnerabilities for packages: caddy, esbuild, ferretdb, nfs-subdir-external-provisioner, filebeat, flannel-cni-plugin, newrelic-prometheus-configurator, nats, nuclei, sonobuoy, k3s, prometheus-operator, telegraf, kubebuilder, kubernetes-dashboard, eksctl, kubeflow-katib, nri-apache,...

GHSA-32CH-6X54-Q4H9 vulnerabilities

Vulnerabilities for packages: caddy, esbuild, ferretdb, nfs-subdir-external-provisioner, filebeat, flannel-cni-plugin, newrelic-prometheus-configurator, nats, nuclei, sonobuoy, k3s, prometheus-operator, telegraf, kubebuilder, kubernetes-dashboard, eksctl, kubeflow-katib, nri-apache,...

CVE-2024-24785 vulnerabilities

Vulnerabilities for packages: caddy, esbuild, ferretdb, nfs-subdir-external-provisioner, filebeat, flannel-cni-plugin, newrelic-prometheus-configurator, nats, nuclei, sonobuoy, k3s, prometheus-operator, telegraf, kubebuilder, kubernetes-dashboard, eksctl, kubeflow-katib, nri-apache,...

GHSA-V53G-5GJP-272R vulnerabilities

Vulnerabilities for packages: helm-operator, cilium-cli, cert-manager, helm-push, istio-operator, trivy, kubescape, k8sgpt, kots, up, zarf, eksctl, k9s, zot, flux-source-controller, chartmuseum,...

GHSA-236W-P7WF-5PH8 vulnerabilities

Vulnerabilities for packages: nri-consul, kubernetes-dashboard, gpu-feature-discovery, harbor-cli, docker-credential-acr-env, tempo, tailscale, prometheus-nats-exporter, govulncheck, mage, memcached-exporter, gosu, bom, dagger, newrelic-nri-kube-events, jitsucom-bulker, vcluster,...

GHSA-XW73-RW38-6VJC vulnerabilities

Vulnerabilities for packages: prometheus, policy-controller, filebeat, goreleaser, pulumi, crane, traefik, cadvisor, k3s, telegraf, up, zarf, nerdctl, eksctl, falcoctl, istio-pilot-agent, kubeflow-katib, slsa-verifier, zot, trivy, docker-credential-gcr, gitsign, helm-operator, argo-workflows,...

CVE-2024-24788 vulnerabilities

Vulnerabilities for packages: caddy, nfs-subdir-external-provisioner, ferretdb, policy-controller, newrelic-prometheus-configurator, crane, traefik, sonobuoy, telegraf, kubebuilder, kubernetes-dashboard, eksctl, wait-for-port, confluent-common-docker, harbor-cli, docker-credential-acr-env,...

CVE-2023-45290 vulnerabilities

Vulnerabilities for packages: caddy, esbuild, ferretdb, nfs-subdir-external-provisioner, filebeat, flannel-cni-plugin, newrelic-prometheus-configurator, nats, nuclei, sonobuoy, k3s, prometheus-operator, telegraf, kubebuilder, kubernetes-dashboard, eksctl, kubeflow-katib, nri-apache,...

GHSA-XR7R-F8XQ-VFVV vulnerabilities

Vulnerabilities for packages: runc, cadvisor, k3s, syft, telegraf, zarf, nerdctl, zot, trivy, k3d, skaffold, ingress-nginx-controller, datadog-agent, grype, docker, kubescape, newrelic-infrastructure-agent, kots, wolfictl, ctop, kubernetes, buildkitd, k9s, kaniko, skopeo,...

CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5

CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...

CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5

CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...

CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5

CVE-2023-44487 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...

CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5

CVE-2023-39325 affecting package cert-manager for versions less than 1.11.2-5. A patched version of the package is...

Malicious code in iobeya-time-utils (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (5cc94a15fd9feb4f7fd5146415061bfe386fd2d185f1e0d80fc3ecd40ce7adb2) The OpenSSF Package Analysis project identified 'iobeya-time-utils' @ 3.0.0 (npm) as malicious. It is considered malicious because: The package...

Malicious code in kiln-desktop (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (ef3b624dee4eb3ef776b321ad28eddf3bc2d6cde2852fdcb47b0ef795047c6bf) The OpenSSF Package Analysis project identified 'kiln-desktop' @ 2.2.0 (npm) as malicious. It is considered malicious because: The package...

Malicious code in bageth (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (e0fb8d217f32446aeb4dbf744d45c5aadd152f0917a228ead1ad0183ac18b995) The OpenSSF Package Analysis project identified 'bageth' @ 2.0.0 (npm) as malicious. It is considered malicious because: The package communicates...

CVE-2024-2386

The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and including, 4.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2024-2386

The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and including, 4.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2024-2386 WordPress Plugin for Google Maps – WP MAPS <= 4.6.1 - Authenticated (Contributor+) SQL Injection

The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and including, 4.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2023-4017

The Goya theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attra-color’, 'attra-size', and 'product-cata' parameters in versions up to, and including, 1.0.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2023-4017

The Goya theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attra-color’, 'attra-size', and 'product-cata' parameters in versions up to, and including, 1.0.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2023-4017 Goya <= 1.0.8.7 - Unauthenticated Reflected Cross-Site Scripting via Multiple Parameters

The Goya theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attra-color’, 'attra-size', and 'product-cata' parameters in versions up to, and including, 1.0.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2023-4017 Goya <= 1.0.8.7 - Unauthenticated Reflected Cross-Site Scripting via Multiple Parameters

The Goya theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attra-color’, 'attra-size', and 'product-cata' parameters in versions up to, and including, 1.0.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2024-5819

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 3.2.45 due to insufficient input sanitization and output escaping on user supplied...

CVE-2024-5819

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 3.2.45 due to insufficient input sanitization and output escaping on user supplied...

CVE-2024-5819 Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.45 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 3.2.45 due to insufficient input sanitization and output escaping on user supplied...

CVE-2024-5819 Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.45 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 3.2.45 due to insufficient input sanitization and output escaping on user supplied...

CVE-2024-5790

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-6363

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-6363

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-5790

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-5666

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5666

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5666 Extensions for Elementor <= 2.0.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5790 Happy Addons for Elementor <= 3.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-6363 Stock Ticker <= 3.24.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-6363 Stock Ticker <= 3.24.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

Exploit for Code Injection in Apache Rocketmq

CVE-2023-33246-mitigation This project is a Maven-based...

CVE-2024-5889

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-5942

The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access....

CVE-2024-6265

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied....

CVE-2024-5942

The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access....

CVE-2024-6265

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied....

CVE-2024-5889

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-5598

The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive...

CVE-2024-5192

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient...

CVE-2024-5192

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient...