Lucene search

4960 matches found

WPVulnDB
added 2024/05/07 12:0 a.m. | 19 views

iPanorama 360 WordPress Virtual Tour Builder < 1.8.2 - Missing Authorization

Description The iPanorama 360 WordPress Virtual Tour Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on a REST API endpoint in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to view deactivated...

CVSS 5.3 | AI score 6.7 | EPSS 0.00424
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2024/05/04 7:16 a.m. | 33 views

BIT-ACTIVEMQ-2024-32114

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context where the Jolokia JMX REST API and the Message REST API are located. It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker using Jolokia JM...

CVSS 8.8 | AI score 8.1 | EPSS 0.0692
Exploits: 1 | References: 1

Veracode
added 2024/05/03 6:44 a.m. | 25 views

Improper Access Control

Apache ActiveMQ is vulnerable to Improper Access Control. The vulnerability is due to a default configuration which does not secure the API web context, allowing unrestricted use of the Jolokia JMX REST API and the Message REST API. This vulnerability potentially enables anyone to interact with t...

CVSS 8.8 | AI score 7 | EPSS 0.0692
Exploits: 1 | References: 2 | Affected Software: 1

RedhatCVE
added 2024/05/03 5:52 a.m. | 79 views

CVE-2024-32114

A flaw was found in Apache ActiveMQ. This vulnerability contains an insecure default configuration in Jolokia and REST API, allowing any user to bypass security restrictions. The vulnerability exists due to missing authorization in the application's REST API. The default configuration doesn't...

CVSS 7.5 | AI score 8.2 | EPSS 0.0692
Exploits: 1 | References: 5

NVD
added 2024/05/02 5:15 p.m. | 13 views

CVE-2024-1678

The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page and post...

CVSS 5.3 | AI score 5.7 | EPSS 0.00448
Exploits: 0 | References: 2

Cvelist
added 2024/05/02 4:52 p.m. | 59 views

CVE-2024-2667 InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.22 - Unauthenticated Arbitrary File Upload

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for...

CVSS 9.8 | AI score 9.7 | EPSS 0.05747
Exploits: 0 | References: 2

Vulnrichment
added 2024/05/02 4:52 p.m. | 16 views

CVE-2024-2667 InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.22 - Unauthenticated Arbitrary File Upload

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for...

CVSS 9.8 | AI score 6 | EPSS 0.05747
Exploits: 0 | References: 2

CVE
added 2024/05/02 4:52 p.m. | 122 views

CVE-2024-2667

CVE-2024-2667 affects the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress. The root cause is insufficient file validation in the REST API endpoint /wp-json/instawp-connect/v1/config, affecting all versions up to 0.1.0.22. This enables unauthenticated attackers to upload arbi...

CVSS 9.8 | AI score 9.3 | EPSS 0.05747
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2024/05/02 4:52 p.m. | 16 views

CVE-2024-1678 Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API

The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page and post...

CVSS 5.3 | AI score 6.5 | EPSS 0.00448
Exploits: 0 | References: 2

Vulnrichment
added 2024/05/02 4:52 p.m. | 12 views

CVE-2024-1678 Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API

The Subway – Private Site Option plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's private site feature and view restricted page and post...

CVSS 5.3 | AI score 5.8 | EPSS 0.00448
Exploits: 0 | References: 2

NVD
added 2024/05/02 9:15 a.m. | 16 views

CVE-2024-32114

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context where the Jolokia JMX REST API and the Message REST API are located. It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker using Jolokia J...

CVSS 8.8 | AI score 8.7 | EPSS 0.0692
Exploits: 1 | References: 1

Debian CVE
added 2024/05/02 8:29 a.m. | 23 views

CVE-2024-32114

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context where the Jolokia JMX REST API and the Message REST API are located. It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker using Jolokia J...

CVSS 8.8 | AI score 8 | EPSS 0.0692
Exploits: 1

Vulnrichment
added 2024/05/02 8:29 a.m. | 28 views

CVE-2024-32114 Apache ActiveMQ: Jolokia and REST API were not secured with default configuration

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context where the Jolokia JMX REST API and the Message REST API are located. It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker using Jolokia J...

CVSS 8.5 | AI score 8.6 | EPSS 0.0692
Exploits: 1 | References: 1

Cvelist
added 2024/05/02 8:29 a.m. | 25 views

CVE-2024-32114 Apache ActiveMQ: Jolokia and REST API were not secured with default configuration

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context where the Jolokia JMX REST API and the Message REST API are located. It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker using Jolokia J...

CVSS 8.5 | AI score 8.8 | EPSS 0.0692
Exploits: 1 | References: 1

CNNVD
added 2024/05/02 12:0 a.m. | 3 views

WordPress plugin Subway Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 5.3 | AI score 6.3 | EPSS 0.00448
Exploits: 0 | References: 3

NVD
added 2024/05/01 6:15 a.m. | 14 views

CVE-2024-3591

The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...

CVSS 6.5 | AI score 6.9 | EPSS 0.00489
Exploits: 2 | References: 1

Vulnrichment
added 2024/05/01 6:0 a.m. | 17 views

CVE-2024-3591 WordPress Geo Controller < 8.6.5 - PHP Object Injection

The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...

AI score 6.8 | EPSS 0.00489
Exploits: 2 | References: 1

Cvelist
added 2024/05/01 6:0 a.m. | 19 views

CVE-2024-3591 WordPress Geo Controller < 8.6.5 - PHP Object Injection

The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...

AI score 7.2 | EPSS 0.00489
Exploits: 2 | References: 1

CVE
added 2024/05/01 6:0 a.m. | 135 views

CVE-2024-3591

CVE-2024-3591 affects the WordPress plugin Geo Controller up to version 8.6.5. The issue arises from unserializing user input in certain AJAX actions and REST API routes, enabling unauthenticated users to perform a PHP Object Injection if a suitable gadget is present on the blog. Evidence across ...

CVSS 6.5 | AI score 7.1 | EPSS 0.00489
Exploits: 2 | References: 1 | Affected Software: 1

VulnCheck KEV
added 2024/04/30 12:0 a.m. | 6 views

VulnCheck KEV: CVE-2024-33939

The Masteriyo LMS Plugin for WordPress is vulnerable to an insecure direct object reference that could allow unauthenticated adversaries to view other users' course progress. Versions up to and including 1.7.3 are vulnerable via the REST API...

CVSS 5.3 | AI score 5.7 | EPSS 0.00843
Exploits: 0 | References: 1