WordPress plugin Traveler 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

CVE-2024-2297 Bricksbuilder <= 1.9.6.1 - Authenticated (Contributor+) Privilege Escalation via create_autosave

The Bricks theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.6.1. This is due to insufficient validation checks placed on the createautosave AJAX function. This makes it possible for authenticated attackers, with contributor-level access and above...

CVE-2024-2297

The Bricks WordPress theme (Bricks) is vulnerable to authenticated Privilege Escalation via the create_autosave AJAX function in versions up to and including 1.9.6.1. Exploitation requires Post Builder to be enabled, builder access for contributor-level users, and Code Execution enabled for admin...

CVE-2021-44967

A Remote Code Execution RCE vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be...

CVE-2022-2434

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site...

CVE-2022-2442

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper...

CVE-2022-2444

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remotedata' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call...

CVE-2024-13408

The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' attribute of the pgcu shortcode. This makes it possible for authenticated attacker...

PT-2025-2161 · WordPress · Post Grid

Name of the Vulnerable Software and Affected Versions: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress versions up to, and including, 1.6.10 Description: The issue allows authenticated attackers, with Contributor-level access and...

BIT-PHP-MIN-2024-4577 Argument Injection in PHP-CGI

In PHP versions 8.1. before 8.1.29, 8.2. before 8.2.20, 8.3. before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may...

CVE-2024-13297 Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063

Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.This issue affects Eloqua: from 7.X- before 7.X-1.15...

CVE-2024-13295

CVE-2024-13295 affects Drupal Node export module for Drupal 7.X-* before 7.X-3.3. Root cause is deserialization of untrusted data, leading to object injection and potential arbitrary code execution. Affected software: Drupal Node export module (7.X-*, prior to 7.X-3.3). Impact per sources: possib...

CVE-2024-13294 POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal POST File allows Cross-Site Scripting XSS.This issue affects POST File: from 0.0.0 before 1.0.2...

CVE-2024-13294

CVE-2024-13294 concerns the Drupal POST File module, where improper neutralization of input during web page generation enables Cross-Site Scripting (XSS). Affected versions are 0.0.0 through 1.0.2. The root cause is input handling in the POST File endpoint; exploitation could permit user-controll...

CVE-2024-13288 Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

Deserialization of Untrusted Data vulnerability in Drupal Monster Menus allows Object Injection.This issue affects Monster Menus: from 0.0.0 before 9.3.4, from 9.4.0 before 9.4.2...

CVE-2024-13265 Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029

Improper Neutralization of Directives in Statically Saved Code 'Static Code Injection' vulnerability in Drupal Opigno Learning path allows PHP Local File Inclusion.This issue affects Opigno Learning path: from 0.0.0 before 3.1.2...

WordPress plugin WP Travel Engine 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

CVE-2024-11429

The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'stars-testimonials-with-slider-and-masonry-grid' shortcode. This makes it possible for...

PT-2024-17362 · WordPress · Classic Addons – Wpbakery Page Builder

Name of the Vulnerable Software and Affected Versions: Classic Addons – WPBakery Page Builder plugin for WordPress versions up to, and including, 3.0 Description: The issue allows authenticated attackers with Contributor-level access and above, and permissions granted by an Administrator, to...

CVE-2024-10898

CVE-2024-10898 affects the WordPress plugin Contact Form 7 Email Add on (