WordPress BuddyPress Plugin <= 14.1.0 is vulnerable to Directory Traversal
Software: BuddyPress; Type: Plugin; Vulnerable versions: <= 14.1.0; Fixed in: 14.2.1; OWASP Top 10: A3: Injection; Classification: Directory Traversal; CVE: CVE-2024-10011; Patch priority: High; CVSS severity: High 9.9; Developer: Claim ownership; PSID: 06408034e9a6; Credits: Domons; Required privilege: Subscriber; Publish...
WordPress File Upload Types Plugin <= 1.4.0 is vulnerable to Cross Site Scripting (XSS)
Software: File Upload Types; Type: Plugin; Vulnerable versions: <= 1.4.0; Fixed in: 1.5.0; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2024-10016; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: d655bda3dd64; Credits: Francesco Carlucci...
WordPress Contact Form 7 - Repeatable Fields Plugin <= 2.0.1 is vulnerable to Cross Site Scripting (XSS)
Software: Contact Form 7 - Repeatable Fields; Type: Plugin; Vulnerable versions: <= 2.0.1; Fixed in: 2.0.2; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2024-10180; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: d39a0f706c9a; Credits: Pete...
WordPress Envo's Elementor Templates & Widgets for WooCommerce Plugin <= 1.4.19 is vulnerable to Cross Site Scripting (XSS)
Software: Envo's Elementor Templates & Widgets for WooCommerce; Type: Plugin; Vulnerable versions: <= 1.4.19; Fixed in: 1.4.20; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting XSS; CVE: CVE-2024-50447; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 28c4d14cb691; Credits...
WordPress YITH WooCommerce Product Add-Ons Plugin <= 4.14.1 is vulnerable to Cross Site Scripting (XSS)
Software: YITH WooCommerce Product Add-Ons; Type: Plugin; Vulnerable versions: <= 4.14.1; Fixed in: 4.14.2; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting XSS; CVE: CVE-2024-50448; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: YITH; PSID: c89cdca7b8b3; Credits: Le Ngoc Anh; Required...
WordPress Firelight Lightbox Plugin <= 2.3.3 is vulnerable to Cross Site Scripting (XSS)
Software: Firelight Lightbox; Type: Plugin; Vulnerable versions: <= 2.3.3; Fixed in: 2.3.4; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting XSS; CVE: CVE-2024-50460; Patch priority: Low; CVSS severity: Low 5.9; Developer: Claim ownership; PSID: 2edb2390ea9c; Credits: Robert DeVore; Required privilege...
WordPress Elementor – Header, Footer & Blocks Template Plugin <= 1.6.43 is vulnerable to Sensitive Data Exposure
Software: Elementor – Header, Footer & Blocks Template; Type: Plugin; Vulnerable versions: <= 1.6.43; Fixed in: 1.6.44; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2024-10050; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: 22957639a0e5...
WordPress EventPrime Plugin <= 4.0.4.7 is vulnerable to Cross Site Scripting (XSS)
Software: EventPrime; Type: Plugin; Vulnerable versions: <= 4.0.4.7; Fixed in: 4.0.4.8; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2024-9865; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: b2193c9ee308; Credits: zer0gh0st; Required...
WordPress Terms descriptions Plugin <= 3.4.6 is vulnerable to Cross Site Scripting (XSS)
Software: Terms descriptions; Type: Plugin; Vulnerable versions: <= 3.4.6; Fixed in: 3.4.7; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2024-9374; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 8fca607d99fe; Credits: vgo0; Required...
WordPress WC Marketplace Plugin <= 4.2.4 is vulnerable to Broken Access Control
Software: WC Marketplace; Type: Plugin; Vulnerable versions: <= 4.2.4; Fixed in: 4.2.5; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-9531; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: 7dab4da2d17f; Credits: Tieu Pham Trong Nhan; Required...
Malicious npm Packages Target Developers' Ethereum Wallets with SSH Backdoor
Cybersecurity researchers have discovered a number of suspicious packages published to the npm registry that are designed to harvest Ethereum private keys and gain remote access to the machine via the secure shell SSH protocol. The packages attempt to "gain SSH access to the victim's machine by...
WordPress Download Plugin Plugin <= 2.2.0 is vulnerable to Broken Access Control
Software: Download Plugin; Type: Plugin; Vulnerable versions: <= 2.2.0; Fixed in: 2.2.1; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-9829; Patch priority: Medium; CVSS severity: Medium 6.5; Developer: Claim ownership; PSID: da1ab1cf4af2; Credits: WordFence; Required...
This Week in Spring - October 22nd, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring. I write this to you in an Uber speeding down the autobahn near Frankfurt, Germany. What a time to be alive! At the rate this driver's going, I won't have much time to write this before we've arrived, so let's dive right into...
WordPress WooCommerce Order Proposal Plugin <= 2.0.5 is vulnerable to Broken Authentication
Software: WooCommerce Order Proposal; Type: Plugin; Vulnerable versions: <= 2.0.5; Fixed in: 2.0.6; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Broken Authentication; CVE: CVE-2024-9927; Patch priority: Low; CVSS severity: Low 7.2; Developer: Claim ownership; PSID: d873b6f7fa89; Credit...
WordPress Schema & Structured Data for WP & AMP Plugin <= 1.3.5 is vulnerable to Sensitive Data Exposure
Software: Schema & Structured Data for WP & AMP; Type: Plugin; Vulnerable versions: <= 1.3.5; Fixed in: 1.36; OWASP Top 10: A1: Broken Access Control; Classification: Sensitive Data Exposure; CVE: CVE-2024-49683; Patch priority: Low; CVSS severity: Low 5.3; Developer: Claim ownership; PSID: fb194b3fd454; Credits: Joshua...
WordPress Woocommerce Custom Profile Picture Plugin <= 1.0 is vulnerable to Arbitrary File Upload
Software: Woocommerce Custom Profile Picture; Type: Plugin; Vulnerable versions: <= 1.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2024-49658; Patch priority: High; CVSS severity: High 9.9; Developer: Claim ownership; PSID: a92aac6ed113; Credits: stealthcopter; Required...
WordPress Simple Custom Admin Plugin <= 1.2 is vulnerable to Cross Site Scripting (XSS)
Software: Simple Custom Admin; Type: Plugin; Vulnerable versions: <= 1.2; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting XSS; CVE: CVE-2024-49647; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 3970364b5682; Credits: Mika; Required privilege...
WordPress HD Quiz – Save Results Light Plugin <= 0.5 is vulnerable to Broken Access Control
Software: HD Quiz – Save Results Light; Type: Plugin; Vulnerable versions: <= 0.5; Fixed in: 0.6; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-49689; Patch priority: Low; CVSS severity: Low 5.4; Developer: Claim ownership; PSID: 904268a13b03; Credits: Fariq Fadillah Gusti...
WordPress WP Sessions Time Monitoring Full Automatic Plugin <= 1.0.9 is vulnerable to SQL Injection
Software: WP Sessions Time Monitoring Full Automatic; Type: Plugin; Vulnerable versions: <= 1.0.9; Fixed in: 1.1.0; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2024-49681; Patch priority: High; CVSS severity: High 9.3; Developer: Claim ownership; PSID: 5ddec7a4af4c; Credits: stealthcopter; Requir...
WordPress News Kit Elementor Addons Plugin <= 1.2.1 is vulnerable to Sensitive Data Exposure
Software: News Kit Elementor Addons; Type: Plugin; Vulnerable versions: <= 1.2.1; Fixed in: 1.2.2; OWASP Top 10: A3: Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2024-9541; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: 1aff69c2a359; Credits: Nishiv; Required...