PDF Invoices & Packing Slips for WooCommerce < 3.8.1 - Unauthenticated Stored Cross-Site Scripting
Description: The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVSS: 7.2
AI Score: 6.2
EPSS: 0.001
Description: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_team_members_image_rounded parameter in the Team Members widget in all versions up to, and including,...
CVSS: 6.4
AI Score: 5.9
EPSS: 0.0004
PDF Invoices & Packing Slips for WooCommerce < 3.8.1 - Unauthenticated Server-Side Request Forgery
Description: The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.8.0 via the transform() function. This can allow unauthenticated attackers to make web requests to arbitrary locations originating from...
CVSS: 7.2
AI Score: 7.1
EPSS: 0.0005
Active Products Tables for WooCommerce < 1.0.6.3 - Missing Authorization
Description: The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the get_smth() function in all versions up to, and including, 1.0.6.2. This makes it...
CVSS: 5.3
AI Score: 7
EPSS: 0.0004
Description: The FOX – Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on...
CVSS: 6.5
AI Score: 8
EPSS: 0.001
Description: The Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 13.2.5 due to insufficient input sanitization and output...
CVSS: 7.1
AI Score: 6.5
EPSS: 0.0004
Description: The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping...
CVSS: 5.9
AI Score: 5.8
EPSS: 0.0004
Import Content in WordPress & WooCommerce with Excel < 4.3 - Reflected Cross-Site Scripting
Description: The Import Content in WordPress & WooCommerce with Excel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVSS: 7.1
AI Score: 6.5
EPSS: 0.0004
Synapse V2 state resolution weakness allows Denial of Service (DoS)
Impact: A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in how the auth chain cover index is calculated. This can induce high CPU consumption and accumulate excessive data in the database...
CVSS: 6.5
AI Score: 7
EPSS: 0.0004
Synapse V2 state resolution weakness allows Denial of Service (DoS)
Impact: A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in how the auth chain cover index is calculated. This can induce high CPU consumption and accumulate excessive data in the database...
CVSS: 6.5
AI Score: 6.8
EPSS: 0.0004
Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise
Rapid7 vulnerability researcher Ryan Emmons contributed to this blog. On Friday, April 19, 2024, managed file transfer vendor CrushFTP released information to a private mailing list on a new zero-day vulnerability affecting versions below 10.7.1 and 11.1.0 (as well as legacy 9.x versions) across...
CVSS: 10
AI Score: 10
EPSS: 0.966
The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVSS: 6.4
AI Score: 5.7
EPSS: 0.0004
GitHub Comments Abused to Spread Malware in Fake Microsoft Repositories
By Deeba Ahmed. Hackers are exploiting GitHub comments to spread malware disguised as Microsoft software downloads, tricking users into downloading malware. This is a post from HackRead.com. Read the original post: GitHub Comments Abused to Spread Malware in Fake Microsoft...
AI Score: 7.2
CrushFTP VFS - Sandbox Escape LFR
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS...
CVSS: 10
AI Score: 9.2
EPSS: 0.966
WP Social Comments < 1.7.4 - Missing Authorization via wpfc_allow_comments()
Description: The WP Social Comments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_allow_comments() function in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level...
CVSS: 4.3
AI Score: 6.5
EPSS: 0.0004
Multi Currency For WooCommerce < 1.5.6 - Missing Authorization
Description: The Multi Currency For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the AddAdminAjaxAction() function in all versions up to, and including, 1.5.5. This makes it possible for authenticated attackers, with subscriber-level...
CVSS: 4.3
AI Score: 4.4
EPSS: 0.0004
Order Limit for WooCommerce < 2.0.1 - Missing Authorization
Description: The Order Limit for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the save_rules, save_wcol_options, xsollwc_support_form, and wcol_load_new_row functions in versions up to, and including, 2.0.0. This makes it possible for...
CVSS: 6.5
AI Score: 6.6
EPSS: 0.0004
Custom Order Statuses for WooCommerce <= 1.5.2 - Missing Authorization
Description: The Custom Order Statuses for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above,...
CVSS: 4.3
AI Score: 4.4
EPSS: 0.0004
Custom Thank You Page Customize For WooCommerce by Binary Carpenter < 1.4.14 - Missing Authorization
Description: The Custom Thank You Page Customize For WooCommerce by Binary Carpenter plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the activation_callback() function in all versions up to, and including, 1.4.13. This makes it possible for...
CVSS: 4.3
AI Score: 4.4
EPSS: 0.0004
GG Woo Feed for WooCommerce Shopping Feed < 1.2.7 - Missing Authorization
Description: The GG Woo Feed for WooCommerce Shopping Feed on Google Facebook and Other Channels plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the /inc/Core/ajax-functions.php file in all versions up to, and...
CVSS: 4.3
AI Score: 4.4
EPSS: 0.0004
WPC Grouped Product for WooCommerce < 4.4.3 - Missing Authorization
Description: The WPC Grouped Product for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_update_search_settings, ajax_get_plugins, and ajax_get_essential_kit functions in all versions up to, and including, 4.4.2. This makes it...
CVSS: 4.3
AI Score: 4.4
EPSS: 0.0004
Open Close WooCommerce Store < 4.9.2 - Missing Authorization
Description: The Open Close WooCommerce Store – Best Business Schedules Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_active and ajax_update_timezone functions in all versions up to, and including, 4.9.1. This...
CVSS: 4.3
AI Score: 4.4
EPSS: 0.0004
TrackShip for WooCommerce < 1.7.6 - Missing Authorization
Description: The TrackShip for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.5. This makes it possible for unauthenticated attackers to perform an unauthorized...
CVSS: 5.3
AI Score: 6.6
EPSS: 0.0004
WPC Frequently Bought Together for WooCommerce < 7.0.4 - Missing Authorization
Description: The WPC Frequently Bought Together for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_get_search_results, ajax_import_export, and ajax_import_export_save functions in versions up to, and including, 7.0.3. This makes...
CVSS: 4.3
AI Score: 6.5
EPSS: 0.0004
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code...
CVSS: 10
AI Score: 10
EPSS: 0.966
CVE-2024-4040 Unauthenticated arbitrary file read and remote code execution in CrushFTP
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code...
CVSS: 9.8
AI Score: 10
EPSS: 0.966
Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
Impact: A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during...
CVSS: 5.9
AI Score: 7.5
EPSS: 0.001
Using Legitimate GitHub URLs for Malware
Interesting social-engineering attack vector: McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the "C++ Library Manager for Windows, Linux, and MacOS," known as vcpkg. The attacker is exploiting a property...
AI Score: 7.2
Missing Authorization vulnerability in WPClever WPC Frequently Bought Together for WooCommerce. This issue affects WPC Frequently Bought Together for WooCommerce: from n/a through...
CVSS: 4.3
AI Score: 6.8
EPSS: 0.0004
Missing Authorization vulnerability in realmag777 Active Products Tables for WooCommerce. This issue affects Active Products Tables for WooCommerce: from n/a through...
CVSS: 5.3
AI Score: 6.8
EPSS: 0.0004
Missing Authorization vulnerability in WPClever WPC Frequently Bought Together for WooCommerce. This issue affects WPC Frequently Bought Together for WooCommerce: from n/a through...
CVSS: 4.3
AI Score: 4.7
EPSS: 0.0004
Missing Authorization vulnerability in realmag777 Active Products Tables for WooCommerce. This issue affects Active Products Tables for WooCommerce: from n/a through...
CVSS: 5.3
AI Score: 5.3
EPSS: 0.0004
Billions of scraped Discord messages up for sale
Four billion public Discord messages are for sale on an internet scraping service called Spy.pet. At first sight there doesn’t seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard...
AI Score: 6.8
Missing Authorization vulnerability in WPClever WPC Frequently Bought Together for WooCommerce. This issue affects WPC Frequently Bought Together for WooCommerce: from n/a through...
CVSS: 4.3
AI Score: 5
EPSS: 0.0004
Missing Authorization vulnerability in realmag777 Active Products Tables for WooCommerce. This issue affects Active Products Tables for WooCommerce: from n/a through...
CVSS: 5.3
AI Score: 5.6
EPSS: 0.0004
ownCloud < 10.13.3 Improper Input Validation Vulnerability
ownCloud is prone to an improper input validation...
AI Score: 7.3
EPSS
Automattic: Authentication & Registration Bypass in Newspack Extended Access
Summary: The Newspack Extended Access plugin omits to validate JWT signing on the registration and login JSON endpoint. This permits registration of accounts with arbitrary (user-supplied) details, and auth bypass and account hijack if a target account email is known. Platform(s) Affected: Any...
AI Score: 7.6
Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks
Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and...
CVSS: 10
AI Score: 10
EPSS: 0.966
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishsuite_button' shortcode in all versions up to, and including, 2.8.1 due to insufficient...
CVSS: 6.4
AI Score: 5.7
EPSS: 0.0004
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishsuite_button' shortcode in all versions up to, and including, 2.8.1 due to insufficient...
CVSS: 6.4
AI Score: 5.8
EPSS: 0.0004
[SECURITY] Fedora 40 Update: yyjson-0.9.0-1.fc40
A high-performance JSON library written in ANSI C. Features - Fast: can read or write gigabytes per second of JSON data on modern CPUs. - Portable: complies with ANSI C (C89) for cross-platform compatibility. - Strict: complies with the RFC 8259 JSON standard, ensuring strict number format and UTF-8...
AI Score: 6.3
EPSS: 0.0004
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVSS: 6.1
AI Score: 6.3
EPSS: 0.0004
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVSS: 6.1
AI Score: 6
EPSS: 0.0004
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVSS: 6.1
AI Score: 6.2
EPSS: 0.0004
Denial of Service in Comments API - ownCloud
Insufficient input validation in the Comments Plugin may allow an authenticated attacker to cause a Denial of...
AI Score: 6.8
EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 219 vulnerabilities disclosed in 209...
AI Score: 8.8
EPSS