CVE-2024-3808 Porto Theme - Functionality <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode
The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the 'porto_portfolios' shortcode 'portfolio_layout' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions,...
CVE-2024-3808
CVE-2024-3808 pertains to the Porto Theme – Functionality plugin for WordPress. The vulnerability enables authenticated attackers with contributor-level privileges or higher to perform a Local File Inclusion via the porto_portfolios shortcode and its portfolio_layout attribute, enabling arbitrary...
CVE-2024-3806 Porto <= 7.1.0 - Unauthenticated Local File Inclusion via porto_ajax_posts
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in...
CVE-2024-4441 XML Sitemap & Google News <= 5.4.8 - Unauthenticated Local File Inclusion
The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any P...
CVE-2024-4441
CVE-2024-4441 affects the WordPress plugin XML Sitemap & Google News. The vulnerability is Local File Inclusion via the feed parameter in all versions up to 5.4.8, allowing unauthenticated attackers to include and execute arbitrary server-side files (PHP) and potentially bypass access controls or...
CVE-2024-3807 Porto <= 7.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to...
XML Sitemap & Google News < 5.4.9 - Unauthenticated Local File Inclusion
Description: The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...
CVE-2024-3500
The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute...
CVE-2024-3500 ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets
The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute...
CVE-2024-3499
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the generate_navigation_markup function of the Onepage Scroll module. This makes it possible for authenticated attackers, with contributor-level access and...
CVE-2024-3499
The CVE-2024-3499 entry concerns ElementsKit Elementor addons and Templates Library for WordPress. Impact arises from a Local File Inclusion in the Onepage Scroll module’s generate_navigation_markup function, enabling an authenticated attacker with contributor+ privileges to include and execute a...
PT-2024-26279 · WordPress · Elementskit Elementor Addons
Name of the Vulnerable Software and Affected Versions: ElementsKit Elementor addons plugin for WordPress versions prior to 3.1.1 Description: The issue allows authenticated attackers with contributor-level access and above to include and execute arbitrary files on the server via the generate...
XStore < 9.3.9 - Unauthenticated Local File Inclusion
Description: The theme is vulnerable to Local File Inclusion, allowing unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution...
XforWooCommerce <= 2.0.2 - Authenticated (Subscriber+) Local File Inclusion
Description: The XforWooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the...
CVE-2023-46304
modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file executed on every page load...
PT-2024-13351 · Vtiger · Vtiger Crm
Name of the Vulnerable Software and Affected Versions: Vtiger CRM version 7.5.0 Description: The issue allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file, which is executed on every page load...
Click to Chat – HoliThemes < 4.0 - Contributor+ LFI
Description: The plugin is vulnerable to Local File Inclusion, allowing authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensiti...
CVE-2024-3136
The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP cod...
CVE-2024-3136 MasterStudy LMS <= 3.3.3 - Unauthenticated Local File Inclusion via template
The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP cod...