CVE-2024-13908

The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveoptions' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to...

WordPress plugin I Am Gloria 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forger...

WordPress plugin Everest Forms 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue...

WordPress plugin All-Images.ai 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue...

CVE-2024-21574

The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or...

CVE-2024-5853

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the sirvuploadfilebychanks AJAX action in all versions up to, and including, 7.2.6. This makes it possible for authenticated attackers, with...

CVE-2024-9660

The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mjsmgtloaddocumetsnew and mjsmgtloaddocumets functions in all versions up to, and including, 91.5.0. This makes it possible for authenticated attacker...

CVE-2025-1028

The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site'...

CVE-2024-13425

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the enforcedelete function due to missing validation on a user controlled key. This makes it...

CVE-2024-13428

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the deleteCompanyLogo due to missing validation on a user controlled key. This makes it possibl...

CVE-2024-13448

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trxaddonsuploadssavedata' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

CVE-2024-13091

The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcldwpcfbfileupload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload arbitrary files on th...

CVE-2024-13333 Advanced File Manager 5.2.12 - 5.2.13 - Authenticated (Subscriber+) Arbitrary File Upload

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fmalocalfilesystem' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload...

CVE-2024-12853

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to uploa...

WordPress plugin Modula Image Gallery 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue vulnerability...

CVE-2024-12132

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated...

Cross-site Scripting (XSS)

Overview collaborative-article-sharing is a Command-line interface for interacting with the CAS API Affected versions of this package are vulnerable to Cross-site Scripting XSS due to missing validations of the redirectUri parameter. Details A cross-site scripting attack occurs when the attacker...

CVE-2024-52591

Misskey is an open source, federated social media platform. In affected versions missing validation in ApRequestService.signedGet and HttpRequestService.getActivityJson allows an attacker to create fake user profiles and forged notes. The spoofed users will appear to be from a different instance...

CVE-2024-52590 Missing validation allows spoofed profiles in Misskey

Misskey is an open source, federated social media platform. In affected versions missing validation in ApRequestService.signedGet allows an attacker to create fake user profiles that appear to be from a different instance than the one where they actually exist. These profiles can be used to...

CVE-2024-52591

CVE-2024-52591 affects Misskey, where missing validation in ApRequestService.signedGet and HttpRequestService.getActivityJson allows forging of user profiles and notes across instances. The attack can impersonate both users and federated peers, with forged objects accepted as valid and full inter...