4960 matches found
CVE-2024-42194 HCL BigFix Inventory is affected by an access control vulnerability
An improper handling of insufficient permissions or privileges affects HCL BigFix Inventory. An attacker having access via a read-only account can possibly change certain configuration parameters by crafting a specific REST API call...
CVE-2024-5333
The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...
CVE-2024-5333
The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...
CVE-2024-5333 The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure
The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...
CVE-2024-5333
The Events Calendar WordPress plugin (vendor: stellarwp) before version 6.8.2.1 has missing access checks in its REST API, allowing unauthenticated users to access information about password-protected events. The NVD/Nuclei and related sources confirm this information disclosure vector with explo...
CVE-2024-5333 The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure
The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events...
PT-2024-35723
Name of the Vulnerable Software and Affected Versions The Events Calendar WordPress plugin versions prior to 6.8.2.1 Description The issue is related to missing access checks in the REST API, allowing unauthenticated users to access information about password-protected events. Recommendations For...
CVE-2024-11095
The Visualmodo Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...
CVE-2024-11095 Visualmodo Elements <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The Visualmodo Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...
CVE-2024-11095 Visualmodo Elements <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The Visualmodo Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...
PT-2024-16756 · WordPress · Visualmodo Elements
Name of the Vulnerable Software and Affected Versions: Visualmodo Elements plugin for WordPress versions up to, and including, 1.0.2 Description: The issue is related to Stored Cross-Site Scripting via REST API SVG File uploads due to insufficient input sanitization and output escaping. This allo...
CVE-2024-11275
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes...
CVE-2024-11275
CVE-2024-11275 affects the WP Timetics WordPress plugin (versions up to 1.0.27). It allows authenticated Timetics Customer or higher to delete arbitrary users due to a missing capability check on the /wp-json/timetics/v1/customers/ REST endpoint, enabling unauthorized data loss. Wordfence notes t...
CVE-2024-12265
The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint in all versions up to, and including, 2.12.17. This makes it possible for unauthenticated attacker...
CVE-2024-12265
CVE-2024-12265 affects the Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress up to version 2.12.17. The issue is a missing capability check on the REST endpoint /wp-json/depay/wc/debug, allowing unauthenticated access to debug information (information exposure). Connected documen...
CVE-2024-12265 Web3 Cryptocurrency Payments by DePay for WooCommerce <= 2.12.17 - Missing Authorization to Information Exposure
The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint in all versions up to, and including, 2.12.17. This makes it possible for unauthenticated attacker...
Simulation of Wasmd message can cause crashing
CWA-2024-009 Severity Low Marginal + Likely^1 Affected versions: - wasmd 0.53.1 Patched versions: - wasmd 0.53.2 please note that wasmd 0.53.1 is broken and must not be used Description of the bug Blank for now. We'll add more detail once chains had a chance to upgrade. Mitigations Apart from...
CVE-2024-11868 LearnPress – WordPress LMS Plugin <= 4.2.7.3 - Course Material Sensitive Information Exposure via REST API
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course...
CVE-2024-11868 LearnPress – WordPress LMS Plugin <= 4.2.7.3 - Course Material Sensitive Information Exposure via REST API
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course...
Simulation of Wasmd message can cause crashing
CWA-2024-009 Severity Low Marginal + Likely^1 Affected versions: - wasmd 0.53.1 Patched versions: - wasmd 0.53.2 please note that wasmd 0.53.1 is broken and must not be used Description of the bug Blank for now. We'll add more detail once chains had a chance to upgrade. Mitigations Apart from...