1378 matches found

CVE
added 2024/04/10 10:15 a.m. | 98 views

CVE-2023-2794

ofono on Linux is affected by a stack-based buffer overflow in decode_deliver() during SMS decoding, due to a missing bounds check that is present in decode_submit(). This can enable remote code execution when an attacker sends a crafted SMS, or via a compromised modem or malicious base station. Connected a...

CVSS 8.1 | AI score 8.1 | EPSS 0.0124
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2024/04/10 10:14 a.m. | 106 views

CVE-2024-2243

CVE-2024-2243 affects the csmock component used with OSH (OAuth? Kerberos-based) in Tencent/TencentOS and Fedora/RHEL packaging. The vulnerability allows a regular OSH-service user (anyone with a Kerberos ticket) to disclose the confidential Snyk authentication token and to run arbitrary commands...

CVSS 8.8 | AI score 7.4 | EPSS 0.01053
Exploits: 0 | References: 5 | Affected Software: 1
CVE
added 2024/04/10 5:0 a.m. | 79 views

CVE-2023-6385

CVE-2023-6385 affects the WordPress Ping Optimizer plugin up to version 2.35.1.3.0. The vulnerability stems from missing CSRF checks in certain areas, enabling an attacker to cause logged-in users to perform unwanted actions (e.g., clearing logs) via CSRF. Several trusted sources (NVD, CVE feeds,...

CVSS 4.3 | AI score 6.7 | EPSS 0.00225
Exploits: 2 | References: 1 | Affected Software: 1
CVE
added 2024/04/09 7:5 p.m. | 54 views

CVE-2022-4965

The CVE-2022-4965 entry concerns the Invitation Code Content Restriction Plugin for WordPress by CreativeMinds. It describes a reflected Cross-Site Scripting (XSS) vulnerability via the target_id parameter present in all versions up to and including 1.5.4, caused by insufficient input sanitizatio...

CVSS 6.1 | AI score 8.4 | EPSS 0.00489
Exploits: 0 | References: 2
CVE
added 2024/04/09 7:5 p.m. | 69 views

CVE-2024-1412

CVE-2024-1412 concerns the WordPress Memberpress plugin. Connected sources confirm a reflected Cross‑Site Scripting (XSS) vulnerability in the plugin’s handling of the message and error parameters, affecting all versions up to 1.11.26. The vulnerability is unauthenticated and could allow an attac...

CVSS 6.1 | AI score 8.4 | EPSS 0.00499
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 62 views

CVE-2024-2138

CVE-2024-2138 concerns the WordPress plugin JetWidgets For Elementor. The Red Hat and Wordfence entries describe a stored cross-site scripting (XSS) vulnerability in the Animated Box widget, affecting all versions up to and including 1.0.15. The issue arises from insufficient input sanitization a...

CVSS 6.4 | AI score 7.6 | EPSS 0.00423
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 64 views

CVE-2024-2866

CVE-2024-2866 is a placeholder entry that has been superseded by CVE-2024-2509 for the Kadence Blocks WordPress plugin. Connected data show that CVE-2024-2509 details a Stored Cross-Site Scripting (XSS) vulnerability in the Gutenberg Blocks by Kadence Blocks plugin prior to version 3.2.26, where...

AI score 9.3
Exploits: 2
CVE
added 2024/04/09 6:59 p.m. | 80 views

CVE-2024-2957

CVE-2024-2957 is a duplicate of CVE-2024-1983. The linked Red Hat/NVD details show Simple Ajax Chat for WordPress (before 20240223) suffers a stored XSS via the name field, reflecting unsanitized input to other users. This confirms the vulnerability context, affected component, and root cause; CV...

AI score 9.3
Exploits: 1
CVE
added 2024/04/09 6:59 p.m. | 96 views

CVE-2024-2093

CVE-2024-2093 affects the VK All in One Expansion Unit WordPress plugin. All versions up to and including 9.95.0.1 are vulnerable to Sensitive Information Exposure via social meta tags, allowing unauthenticated attackers to view limited password‑protected content. Root cause: improper handling of...

CVSS 6.5 | AI score 7 | EPSS 0.00678
Exploits: 1 | References: 3 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 73 views

CVE-2024-1458

CVE-2024-1458: Elementor Addons by Livemesh for WordPress is vulnerable to stored XSS via the Animated Text widget’s text_alignment attribute in all versions up to and including 8.3.4 due to insufficient input sanitization and output escaping. An authenticated attacker with contributor-level acc...

CVSS 6.4 | AI score 7.7 | EPSS 0.00427
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 60 views

CVE-2024-1461

Elementor Addons by Livemesh (WordPress) contains a Stored XSS in Team Members widget via the style attribute in all versions up to 8.3.4 due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor+ access can inject scripts that execute for users visiting...

CVSS 6.4 | AI score 7.7 | EPSS 0.00427
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 91 views

CVE-2024-2344

CVE-2024-2344 (Avada Theme for WordPress): SQL Injection via the 'entry' parameter affects all versions up to 7.11.6. Root cause: insufficient escaping of user input and inadequate preparation of the existing SQL query. Exploitation requires editor-level access or higher (authenticated). Impact ...

CVSS 7.2 | AI score 7.7 | EPSS 0.00828
Exploits: 1 | References: 3 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 175 views

CVE-2024-2117

CVE-2024-2117 affects Elementor Website Builder – More than Just a Page Builder (WordPress) via the Path Widget. All versions up to 3.20.2 are vulnerable due to insufficient output escaping on user-supplied attributes, enabling stored XSS. Exploitation requires an authenticated attacker with cont...

CVSS 6.4 | AI score 7.6 | EPSS 0.00462
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 77 views

CVE-2024-1424

CVE-2024-1424 affects GiveWP – Donation Plugin and Fundraising Platform for WordPress. All versions up to 3.5.1 are vulnerable to Stored Cross-Site Scripting via shortcode attributes due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-l...

CVSS 6.4 | AI score 6 | EPSS 0.00427
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 74 views

CVE-2024-1587

CVE-2024-1587 affects the WordPress Newsmatic theme up to version 1.3.0. It enables Sensitive Information Exposure via the newsmatic_filter_posts_load_tab_content, allowing unauthenticated users to view draft posts and post content. The CVSS v3.1 base score is 5.3 (Medium) with network attack vec...

CVSS 5.3 | AI score 6.1 | EPSS 0.00584
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 57 views

CVE-2024-2222

CVE-2024-2222 (Advanced Classifieds & Directory Pro for WordPress): Vulnerability due to a missing capability check in ajax_callback_delete_attachment across all versions up to 3.0.0. This allows authenticated users with subscriber+ access to delete arbitrary media uploads, i.e., unauthorized da...

CVSS 4.3 | AI score 8.9 | EPSS 0.00539
Exploits: 0 | References: 4
CVE
added 2024/04/09 6:59 p.m. | 75 views

CVE-2024-2325

CVE-2024-2325 concerns the WordPress Link Library plugin. Affected versions up to and including 7.6.6 are vulnerable to a Reflected Cross‑Site Scripting (XSS) flaw via the searchll parameter, caused by insufficient input sanitization and output escaping. This can enable unauthenticated attackers ...

CVSS 6.1 | AI score 8.4 | EPSS 0.00409
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 64 views

CVE-2024-1999

The WordPress plugin Gutenberg Blocks by Kadence Blocks – Page Builder Features is affected by CVE-2024-1999: Stored XSS via the Testimonial Widget anchor style parameter in versions up to 3.2.25. Exploitation requires at least Contributor‑level access and can lead to stored scripts executing on ...

CVSS 6.4 | AI score 6.1 | EPSS 0.00531
Exploits: 0 | References: 3 | Affected Software: 1
CVE
added 2024/04/09 6:59 p.m. | 59 views

CVE-2024-2287

CVE-2024-2287 — Knight Lab Timeline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in versions up to 3.9.3.3 due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level permissions (or higher) can inject sc...

CVSS 6.4 | AI score 6 | EPSS 0.00353
Exploits: 0 | References: 2
CVE
added 2024/04/09 6:59 p.m. | 77 views

CVE-2024-2348

Gum Elementor Addon for WordPress ≤ 1.3.2 is vulnerable to Stored Cross-Site Scripting via the Post Meta widget due to insufficient input sanitization/output escaping. Exploitation requires authenticated access (subscriber or higher). A fixed version, 1.3.3, is available; updating to >1.3.2 is...

CVSS 6.4 | AI score 7.6 | EPSS 0.00435
Exploits: 0 | References: 3 | Affected Software: 1