36 matches found

Cvelist
added 2025/10/24 8:24 a.m. · 3 views

CVE-2025-11889 AIO Forms <= 1.3.18 - Authenticated (Admin+) Arbitrary File Upload via Zip Import

The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access...

CVSS 7.2 · EPSS 0.00329
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2023-32757

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.2 · EPSS 0.00116
Exploits 0 · References 1
Vulnrichment
added 2025/05/15 8:07 p.m. · 3 views

CVE-2024-8031 Secure Downloads < 1.2.3 - Admin+ Arbitrary File Download

The Secure Downloads WordPress plugin before 1.2.3 does not properly restrict which files can be downloaded. This makes it possible for authenticated attackers, with admin-level access and above, to download arbitrary files that may contain sensitive information like wp-config.php...

AI score 6.5 · EPSS 0.01858
Exploits 1 · References 1
Cvelist
added 2024/10/30 1:35 p.m. · 16 views

CVE-2024-28875

A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation. The backdoor string can be...

CVSS 8.1 · EPSS 0.00278
Exploits 0 · References 1
Positive Technologies
added 2024/10/30 12:00 a.m. · 2 views

PT-2024-22620 · Levelone · Levelone Wbr-6012

Name of the Vulnerable Software and Affected Versions: LevelOne WBR-6012, affected versions not specified
Description: A security issue exists due to hard-coded credentials in the web services of the affected device. This allows attackers to gain unauthorized access within the first 30 seconds aft...

CVSS 8.1 · AI score 7.6 · EPSS 0.00278
Exploits 0 · References 4
Github Security Blog
added 2024/06/17 10:30 p.m. · 25 views

rke's credentials are stored in the RKE1 Cluster state ConfigMap

Impact: When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: -...

CVSS 9.9 · AI score 5.8 · EPSS 0.00197
Exploits 0 · References 6 · Affected Software 1
WPVulnDB
added 2024/05/03 12:00 a.m. · 24 views

Pricing Table by Supsystic < 1.9.13 - Admin+ Content Injection

Description: The Pricing Table by Supsystic plugin for WordPress is vulnerable to content injection in all versions up to, and including, 1.9.12. This makes it possible for authenticated attackers, with admin-level access and above, to inject arbitrary content. This is not a security issue by...

CVSS 4.3 · AI score 7.2 · EPSS 0.00274
Exploits 0 · References 1 · Affected Software 1
NVD
added 2024/04/12 10:15 a.m. · 13 views

CVE-2024-3054

WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstggetcustomexcludepathfree action. This is due to the plugin not providing sufficient path validation on the...

CVSS 7.2 · AI score 6.9 · EPSS 0.20504
Exploits 0 · References 2
Cvelist
added 2024/04/12 9:30 a.m. · 40 views

CVE-2024-3054 WPvivid Backup & Migration Plugin <= 0.9.99 - Authenticated (Admin+) PHAR Deserialization

WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstggetcustomexcludepathfree action. This is due to the plugin not providing sufficient path validation on the...

CVSS 7.2 · AI score 7.1 · EPSS 0.20504
Exploits 0 · References 2
Vulnrichment
added 2024/04/12 9:30 a.m. · 12 views

CVE-2024-3054 WPvivid Backup & Migration Plugin <= 0.9.99 - Authenticated (Admin+) PHAR Deserialization

WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstggetcustomexcludepathfree action. This is due to the plugin not providing sufficient path validation on the...

CVSS 7.2 · AI score 6.1 · EPSS 0.20504
Exploits 0 · References 2
Positive Technologies
added 2024/02/05 12:00 a.m. · 3 views

PT-2024-15688 · WordPress · Content Views – Post Grid

Name of the Vulnerable Software and Affected Versions: Content Views – Post Grid, Slider, Accordion Gutenberg Blocks and Shortcode plugin for WordPress, versions up to, and including, 3.6.2
Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient inpu...

CVSS 4.8 · AI score 5.4 · EPSS 0.00235
Exploits 0 · References 7
Cvelist
added 2024/01/09 6:41 a.m. · 14 views

CVE-2023-6842 Formidable Forms <= 6.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name field label and description field label parameter in all versions up to 6.7 inclusive due to insufficient input...

CVSS 4.4 · AI score 5.1 · EPSS 0.00169
Exploits 0 · References 2
Tenable Nessus
added 2023/11/29 12:00 a.m. · 17 views

INEA ME RTU (CVE-2023-29155)

Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the root account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system. This plugin only works with Tenable.ot. Please visit...

CVSS 9.8 · AI score 8.2 · EPSS 0.00116
Exploits 0 · References 2
WPVulnDB
added 2023/11/23 12:00 a.m. · 9 views

Slick Popup: Contact Form 7 Popup Plugin < 1.7.15 - Authenticated (Admin+) Stored Cross-Site Scripting

Description: The Slick Popup: Contact Form 7 Popup Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the main heading parameter in all versions up to 1.7.15 exclusive due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS 4.8 · AI score 5.8 · EPSS 0.00063
Exploits 0 · References 1 · Affected Software 1
OSV
added 2023/11/20 5:15 p.m. · 1 view

CVE-2023-29155

Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the "root" account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system...

CVSS 9.8 · AI score 5.8 · EPSS 0.00116
Exploits 0 · References 1
NVD
added 2023/11/20 5:15 p.m. · 8 views

CVE-2023-29155

Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the "root" account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system...

CVSS 9.8 · EPSS 0.00116
Exploits 0 · References 1
Vulnrichment
added 2023/11/20 4:28 p.m. · 8 views

CVE-2023-29155 INEA ME RTU Missing Authentication for Critical Function

Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the "root" account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system...

CVSS 9.8 · AI score 9.6 · EPSS 0.00116
Exploits 0 · References 1
NVD
added 2023/09/07 4:15 p.m. · 8 views

CVE-2023-40060

A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the issue was not completely...

CVSS 7.2 · AI score 6.9 · EPSS 0.00027
Exploits 0 · References 2
Prion
added 2023/09/07 4:15 p.m. · 25 views

Authentication flaw

A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the issue was not completely...

CVSS 5.8 · AI score 6.9 · EPSS 0.00027
Exploits 0 · References 2 · Affected Software 1
Hive Pro Threat Advisories
added 2022/11/10 10:08 a.m. · 19 views

Authentication Bypass Vulnerabilities in VMware Workspace ONE Assist

Threat Level: Vulnerability Report
For a detailed threat advisory, download the PDF file here.
Summary: Several security vulnerabilities exist in VMware's Workspace ONE Assist solution, some of which can be exploited for authentication bypassing to gain admin-level access. A vulnerability in VMware...

AI score 3.1 · EPSS 0.00802
Exploits 0