CVE-2024-43658
CVE-2024-43658 concerns Iocharger Home firmware prior to 25010801. The issue is a path traversal/external control of file name or path vulnerability that allows an authenticated attacker to delete arbitrary files on the charging station, potentially removing binaries and compromising integrity a...
CVE-2024-43653 Authenticated command injection in the <redacted> action leads to full remote code execution as root on the charging station
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability allows OS Command Injection as root. This issue affects Iocharger firmware for AC model chargers before version 24120701. Likelihood: Moderate – The binary does not seem to be used by the web interface,...
CVE-2024-11830
The PDF Flipbook, 3D Flipbook—DearFlip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via outline settings in all versions up to 2.3.52 due to insufficient input sanitization and output escaping on user-supplied data. This makes it possible for authenticated attackers with...
CVE-2024-11830
CVE-2024-11830 affects Dear Flipbook – PDF Flipbook, 3D Flipbook (WordPress plugin) up to version 2.3.52, enabling Stored XSS via outline settings with authenticated (contributor+) access. Wordfence notes patched status (no exploit/vector details provided in the documents). Red Hat and other entr...
CVE-2024-12328 MAS Elementor <= 1.1.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG
The MAS Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, ...
CVE-2024-54006
CVE-2024-54006 affects the Hewlett Packard Enterprise 501 Wireless Client Bridge web interface. Multiple command-injection vulnerabilities allow authenticated remote command execution, enabling an attacker with administrative credentials to run arbitrary commands as a privileged OS user. The CVSS...
CVE-2024-12495
CVE-2024-12495 – Bootstrap Blocks for WP Editor (WordPress) Stored XSS Affected product: Bootstrap Blocks for WP Editor plugin, WordPress. Vulnerability type: Stored Cross-Site Scripting in the gtb-bootstrap/column block due to insufficient input sanitization and output escaping. Root cause: lack...
CVE-2024-12073
CVE-2024-12073 affects the Meteor Slides WordPress plugin. The vulnerability is a Stored Cross-Site Scripting (XSS) in the slide_url_value parameter across all versions up to and including 1.5.7, arising from insufficient input sanitization and output escaping. Exploitation requires authenticatio...
CVE-2024-9702 Social Rocket <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This...
CVE-2024-11445
CVE-2024-11445 describes a stored cross-site scripting vulnerability in the WordPress plugin Image Magnify. The issue affects all versions up to and including 1.1 and stems from insufficient input sanitization and output escaping on attributes supplied to the plugin's shortcode image_magnify. W...
CVE-2024-11899
CVE-2024-11899: Slider Pro Lite (WordPress) is vulnerable to Stored Cross-Site Scripting via the plugin shortcode sliderpro in all versions up to and including 1.4.1. Root cause: insufficient input sanitization and output escaping on user-supplied attributes. Impact: authenticated attackers with...
CVE-2024-12195 WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts <= 2.6.16 - Authenticated (Subscriber+) SQL Injection
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'projectid' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 d...
CVE-2024-11930
CVE-2024-11930 affects the Taskbuilder – WordPress Project & Task Management plugin for WordPress. The vulnerability is Stored Cross-Site Scripting via the wppm_tasks shortcode in versions up to and including 3.0.6, caused by insufficient input sanitization and output escaping on user-supplied at...
CVE-2024-12583
CVE-2024-12583 affects the Dynamics 365 Integration plugin for WordPress (versions up to and including 1.3.23). Root cause: missing input validation on the render function enables Twig Server-Side Template Injection. Impact: authenticated attackers with Contributor-level access and above can exec...
CVE-2024-12856
CVE-2024-12856 affects Four-Faith router models F3x24 and F3x36. The OS command-injection vulnerability exists in the adjust_sys_time functionality exposed via /apply.cgi, allowing an authenticated user to modify system time and execute arbitrary OS commands over HTTP. In firmware v2.0, default c...
CVE-2024-11885
CVE-2024-11885 affects NinjaTeam Chat for Telegram plugin for WordPress. It is a stored cross-site scripting (XSS) in the njtele_button shortcode caused by insufficient input sanitization and output escaping of user-supplied attributes. Exploitation requires authenticated access at Contributor le...
ABB Cylon Aspect 3.08.02 (WatchDogServlet) Authenticated Reflected XSS
Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description: The ABB BMS/BAS controller suffers from an authenticated reflected...
CVE-2024-11774 Outdooractive Embed <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Outdooractive Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list2go' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2024-11783 Financial Calculator <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Financial Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'financecalculator' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2024-11776
CVE-2024-11776 affects the PCRecruiter Extensions plugin for WordPress. It is a Stored XSS vulnerability in the plugin’s PCRecruiter shortcode, exploitable by authenticated users with contributor-level access or higher, due to insufficient input sanitization and output escaping in versions up to ...