WordPress Newsletter Plugin – Noptin Security Vulnerabilities

CVE-2024-5601 Create by Mediavine <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Schema Meta Shortcode

The Create by Mediavine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Schema Meta shortcode in all versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-5601 Create by Mediavine <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Schema Meta Shortcode

The Create by Mediavine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Schema Meta shortcode in all versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-4704

The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their...

CVE-2024-4704

The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their...

CVE-2024-4664

The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is...

CVE-2024-4664

The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is...

CVE-2024-3111

The Interactive Content WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting...

CVE-2024-3111

The Interactive Content WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting...

CVE-2024-1330

The kadence-blocks-pro WordPress plugin before 2.3.8 does not prevent users with at least the contributor role using some of its shortcode's functionalities to leak arbitrary options from the...

CVE-2024-1330

The kadence-blocks-pro WordPress plugin before 2.3.8 does not prevent users with at least the contributor role using some of its shortcode's functionalities to leak arbitrary options from the...

CVE-2024-4704 Contact Form 7 < 5.9.5 - Unauthenticated Open Redirect

The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their...

CVE-2024-3111 H5P < 1.15.8 - Contributor+ Stored XSS

The Interactive Content WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting...

CVE-2024-4664 WP Chat App < 3.6.5 - Admin+ Stored XSS

The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is...

CVE-2024-1330 Kadence Blocks Pro < 2.3.8 - Contributor+ Arbitrary Option Access

The kadence-blocks-pro WordPress plugin before 2.3.8 does not prevent users with at least the contributor role using some of its shortcode's functionalities to leak arbitrary options from the...

CVE-2024-6283

The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL parameter of the De Gallery widget in all versions up to and including 2.1.5 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for....

CVE-2024-6283

The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL parameter of the De Gallery widget in all versions up to and including 2.1.5 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for....

CVE-2024-6283 DethemeKit For Elementor <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via URL Parameter of the De Gallery Widget

The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL parameter of the De Gallery widget in all versions up to and including 2.1.5 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for....

CVE-2024-39460

Jenkins Bitbucket Branch Source Plugin 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some...

CVE-2024-39458

When Jenkins Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters, potentially resulting in accidental exposure of secrets through the default system...

CVE-2024-39459

In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global credentials) or with...

CVE-2024-4570

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2024-4570

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2024-4569

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2024-4569

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2024-4570 Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2024-4569 Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

CVE-2024-6054

The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'create_post_attachment_from_url' function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with contributor-level and above....

CVE-2024-5289

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget parameters in all versions up to, and including, 3.2.42 due to insufficient input sanitization and output escaping. This makes it possible....

CVE-2024-6054

The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'create_post_attachment_from_url' function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with contributor-level and above....

CVE-2024-5289

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget parameters in all versions up to, and including, 3.2.42 due to insufficient input sanitization and output escaping. This makes it possible....

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: gatekeeper, nats-server, helm, prometheus-elasticsearch-exporter, lazygit, ctop, hubble-ui, chartmuseum, cni-plugins, nri-rabbitmq, secrets-store-csi-driver-provider-aws, cue, rqlite, bazelisk, tctl, k8ssandra-operator, nvidia-device-plugin, pulumi,...

GHSA-VVPX-J8F3-3W6H vulnerabilities

Vulnerabilities for packages: go, hey, dynamic-localpv-provisioner, k3d, wireguard-go, gke-gcloud-auth-plugin, restic, grpcurl,...

CVE-2024-21626 vulnerabilities

Vulnerabilities for packages: ctop, docker, trivy, ingress-nginx-controller, cadvisor, zarf, nvidia-device-plugin, kubernetes, kaniko, grype, datadog-agent, k9s, telegraf, k3d, kots, k3s, wolfictl, newrelic-infrastructure-agent, buildkitd, skaffold, syft, skopeo, runc, kubescape, nerdctl,...

CVE-2023-44487 vulnerabilities

Vulnerabilities for packages: gatekeeper, git-lfs, helm, prometheus-elasticsearch-exporter, cue, rqlite, tctl, tomcat, traefik, nvidia-device-plugin, pulumi, keda, flux-notification-controller, terraform-provider-aws, argo-cd, hey, gitness, spark-operator, kubernetes-csi-livenessprobe,...

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: gatekeeper, rook, melange, helm, prometheus-elasticsearch-exporter, ctop, hubble-ui, chartmuseum, newrelic-nri-kube-events, secrets-store-csi-driver-provider-aws, rqlite, vault, tctl, k8ssandra-operator, osv-scanner, traefik, grafana-agent-operator,...

CVE-2022-41723 vulnerabilities

Vulnerabilities for packages: go, hey, dynamic-localpv-provisioner, k3d, wireguard-go, gke-gcloud-auth-plugin, restic, grpcurl,...

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: nats-server, git-lfs, harbor-registry, cue, bazelisk, osv-scanner, aws-network-policy-agent, vexctl, prometheus-mysqld-exporter, volume-modifier-for-k8s, bincapz, keda, k9s, tfsec, gitness, chezmoi, k3d, kube-rbac-proxy, nri-haproxy, boring-registry, regclient,...

CVE-2024-24787 vulnerabilities

Vulnerabilities for packages: nats-server, multus-cni, git-lfs, melange, helm, lazygit, ctop, harbor-registry, hubble-ui, chartmuseum, step, extism, secrets-store-csi-driver-provider-aws, cue, osv-scanner, traefik, go, grafana-agent-operator, nvidia-device-plugin, gobump,...

GHSA-5FQ7-4MXC-535H vulnerabilities

Vulnerabilities for packages: nats-server, multus-cni, git-lfs, melange, helm, lazygit, ctop, harbor-registry, hubble-ui, chartmuseum, step, extism, secrets-store-csi-driver-provider-aws, cue, osv-scanner, traefik, go, grafana-agent-operator, nvidia-device-plugin, gobump,...

CVE-2023-45285 vulnerabilities

Vulnerabilities for packages: amass, configmap-reload, mage, sops, docker-cli, petname, aws-flb-cloudwatch, cass-operator, go-md2man, ctop, kubernetes-dashboard-metrics-scraper, gitlab-logger, render-template, cni-plugins, prometheus-stackdriver-exporter, grpcurl, nats, goreleaser, gosu,...

CVE-2023-3978 vulnerabilities

Vulnerabilities for packages: gatekeeper, git-lfs, helm, prometheus-elasticsearch-exporter, chartmuseum, vault, cue, rqlite, tctl, nvidia-device-plugin, pulumi, prometheus-mysqld-exporter, karpenter, keda, flux-notification-controller, external-secrets-operator, argo-cd, hey, gitness, k3d,...

CVE-2024-24786 vulnerabilities

Vulnerabilities for packages: gatekeeper, rook, melange, helm, prometheus-elasticsearch-exporter, ctop, hubble-ui, chartmuseum, newrelic-nri-kube-events, secrets-store-csi-driver-provider-aws, rqlite, vault, tctl, k8ssandra-operator, osv-scanner, traefik, grafana-agent-operator,...

CVE-2024-24784 vulnerabilities

Vulnerabilities for packages: gatekeeper, nats-server, helm, prometheus-elasticsearch-exporter, lazygit, ctop, hubble-ui, chartmuseum, cni-plugins, nri-rabbitmq, secrets-store-csi-driver-provider-aws, cue, rqlite, bazelisk, tctl, k8ssandra-operator, nvidia-device-plugin, pulumi,...

GHSA-RR6R-CFGF-GC6H vulnerabilities

Vulnerabilities for packages: gatekeeper, nats-server, helm, prometheus-elasticsearch-exporter, lazygit, ctop, hubble-ui, chartmuseum, cni-plugins, nri-rabbitmq, secrets-store-csi-driver-provider-aws, cue, rqlite, bazelisk, tctl, k8ssandra-operator, nvidia-device-plugin, pulumi,...

CVE-2024-35255 vulnerabilities

Vulnerabilities for packages: rook, sops, py3-azure-identity, prometheus-operator, kyverno, k8sgpt, harbor-registry, py3-cassandra-medusa, step, sigstore-scaffolding, grafana-mimir, trivy, nuclei, traefik, tekton-pipelines, up, zarf, flux-kustomize-controller, goreleaser, grafana-agent-operator,...

GHSA-M5VV-6R4H-3VJ9 vulnerabilities

Vulnerabilities for packages: rook, sops, py3-azure-identity, prometheus-operator, kyverno, k8sgpt, harbor-registry, py3-cassandra-medusa, step, sigstore-scaffolding, grafana-mimir, trivy, nuclei, traefik, tekton-pipelines, up, zarf, flux-kustomize-controller, goreleaser, grafana-agent-operator,...

CVE-2024-24789 vulnerabilities

Vulnerabilities for packages: rook, nats-server, git-lfs, harbor-registry, bazelisk, osv-scanner, vexctl, prometheus-mysqld-exporter, volume-modifier-for-k8s, teleport, keda, k9s, hey, tfsec, gitness, chezmoi, k3d, nri-haproxy, wolfictl, boring-registry, regclient, controller-gen, cloud-sql-proxy,....

CVE-2023-39325 vulnerabilities

Vulnerabilities for packages: gatekeeper, git-lfs, helm, prometheus-elasticsearch-exporter, chartmuseum, vault, cue, rqlite, tctl, go, nvidia-device-plugin, pulumi, prometheus-mysqld-exporter, karpenter, kubernetes-dns-node-cache, keda, flux-notification-controller, external-secrets-operator,...

GHSA-4V7X-PQXF-CX7M vulnerabilities

Vulnerabilities for packages: nats-server, git-lfs, harbor-registry, cue, bazelisk, osv-scanner, aws-network-policy-agent, vexctl, prometheus-mysqld-exporter, volume-modifier-for-k8s, bincapz, keda, k9s, tfsec, gitness, chezmoi, k3d, kube-rbac-proxy, nri-haproxy, boring-registry, regclient,...

GHSA-2JWV-JMQ4-4J3R vulnerabilities

Vulnerabilities for packages: nats-server, multus-cni, git-lfs, melange, helm, lazygit, ctop, harbor-registry, hubble-ui, chartmuseum, step, extism, secrets-store-csi-driver-provider-aws, cue, osv-scanner, traefik, go, grafana-agent-operator, nvidia-device-plugin, gobump,...