Lucene search
K

269 matches found

Packet Storm News
Packet Storm News
added 2025/04/24 12:0 a.m.11 views

Identity Control Plane: the Unifying Layer for Zero Trust Infrastructure

This paper introduces the Identity Control Plane ICP, an architectural framework for enforcing identity-aware Zero Trust access across human users, workloads, and automation systems. The ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials v...

6.9AI score
Exploits0
Positive Technologies
Positive Technologies
added 2025/04/24 12:0 a.m.12 views

PT-2025-17717

Name of the Vulnerable Software and Affected Versions Flynax Bridge plugin for WordPress versions up to, and including, 2.2.0 Description The issue is related to privilege escalation via account takeover due to the plugin not properly validating a user's identity prior to updating their details,...

9.8CVSS7.3AI score0.00607EPSS
Exploits1References14
Cvelist
Cvelist
added 2025/04/18 11:3 a.m.35 views

CVE-2024-49808 IBM Sterling Connect:Direct Web Services improper authorization

IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 could allow an authenticated user to spoof the identity of another user due to improper authorization which could allow the user to bypass access restrictions...

6.3CVSS0.00294EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/04/08 12:0 a.m.8 views

PT-2025-15318 · WordPress · Streamit

Name of the Vulnerable Software and Affected Versions: Streamit theme for WordPress versions prior to 4.0.3 Description: The issue allows for privilege escalation via account takeover due to improper validation of a user's identity prior to updating their details, such as email, in the st...

8.8CVSS9.6AI score0.00519EPSS
Exploits0References10
NVD
NVD
added 2025/03/19 12:15 p.m.5 views

CVE-2024-13442

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to 1 performing a post-booking auto-login or 2 updating their profile...

9.8CVSS0.00402EPSS
Exploits0References2
CVE
CVE
added 2025/03/19 11:10 a.m.49 views

CVE-2024-13442

CVE-2024-13442 affects the WordPress plugin Service Finder Bookings up to and including version 5.0, causing unauthenticated privilege escalation via account takeover. The root cause is inadequate user identity validation before post-booking auto-login or profile updates (e.g., password changes),...

9.8CVSS9.8AI score0.00402EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/03/14 9:33 a.m.15 views

CVE-2024-13446

The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to 1 performing a social auto-login or 2 updating their profile details e.g. password...

9.8CVSS9.8AI score0.00402EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/03/14 4:22 a.m.4 views

CVE-2024-11286 WP JobHunt <= 7.1 - Authentication Bypass

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the csparserequest function. This makes it possible for unauthenticated...

9.8CVSS9.6AI score0.00593EPSS
Exploits0References2
CVE
CVE
added 2025/03/14 4:22 a.m.52 views

CVE-2024-11284

CVE-2024-11284 (WP JobHunt) affects the WordPress WP JobHunt plugin, with privilege escalation via account takeover due to improper identity validation in the account_settings_save_callback(). Unauthenticated actors can change arbitrary user passwords (including administrators) and gain account a...

9.8CVSS9.8AI score0.00496EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2025/03/07 9:15 a.m.31 views

CVE-2025-1315

The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to...

9.8CVSS0.00464EPSS
Exploits0References2
NVD
NVD
added 2025/03/07 9:15 a.m.7 views

CVE-2024-9658

The School Management System for Wordpress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 93.0.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email and password...

8.8CVSS0.0034EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/03/07 8:21 a.m.13 views

CVE-2024-9658 School Management System for Wordpress <= 93.0.0 - Authenticated (Student+) Account Takeover and Privilege Escalation

The School Management System for Wordpress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 93.0.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email and password...

8.8CVSS0.0034EPSS
Exploits0References2
CVE
CVE
added 2025/03/07 8:21 a.m.44 views

CVE-2024-9658

CVE-2024-9658 affects the WordPress plugin “School Management System for Wordpress” up to version 93.0.0. The root causes are improper identity validation during updates to user data (email/password) via mj_smgt_update_user() and mj_smgt_add_admission(), and a local file inclusion vulnerability. ...

8.8CVSS7.5AI score0.0034EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2025/03/01 6:39 a.m.51 views

CVE-2024-13373

CVE-2024-13373 affects Exertio Framework plugin for WordPress (all versions up to 1.3.1). The issue enables unauthenticated users to perform an arbitrary password update via fl_forgot_pass_new(), leading to privilege escalation and potential account takeover (including administrators). Mitigation...

8.1CVSS7.6AI score0.00386EPSS
Exploits0References2
Drupal
Drupal
added 2025/02/26 12:0 a.m.14 views

Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019

The Cache Utility module provides an ability to view status and flush various caches. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when flushing a cache...

8.8CVSS7.2AI score0.0021EPSS
Exploits0References3
Drupal
Drupal
added 2025/02/26 12:0 a.m.14 views

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when creating tasks...

8.1CVSS7.3AI score0.00193EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/02/18 4:21 a.m.8 views

CVE-2024-13677 GetBookingsWp - Appointments & Bookings Plugin Basic Version <= 1.1.27 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details...

8.8CVSS8.9AI score0.0048EPSS
Exploits0References2
CVE
CVE
added 2025/02/18 4:21 a.m.58 views

CVE-2024-13677

CVE-2024-13677 is associated with the GetBookingsWP WordPress plugin (Appointments Booking Calendar). The Wordfence vulnerability entry documents a privilege-escalation/account-takeover path in which an attacker with subscriber-level access or higher can update another user’s email without proper...

8.8CVSS7.2AI score0.0048EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2025/02/18 4:21 a.m.12 views

CVE-2024-13677 GetBookingsWp - Appointments & Bookings Plugin Basic Version <= 1.1.27 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details...

8.8CVSS0.0048EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/02/05 10:36 a.m.7 views

CVE-2024-12264

The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setti...

9.8CVSS7AI score0.00721EPSS
Exploits0References1
Rows per page
Query Builder