Lucene search

K

Ragic, Inc. Security Vulnerabilities

cve
cve

CVE-2024-31091

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SparkWeb Interactive, Inc. Custom Field Bulk Editor allows Reflected XSS.This issue affects Custom Field Bulk Editor: from n/a through...

7.1CVSS

9.3AI Score

0.0004EPSS

2024-03-31 08:15 PM
30
cvelist
cvelist

CVE-2024-31091 WordPress Custom Field Bulk Editor plugin <= 1.9.1 - Cross Site Scripting vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SparkWeb Interactive, Inc. Custom Field Bulk Editor allows Reflected XSS.This issue affects Custom Field Bulk Editor: from n/a through...

7.1CVSS

7.1AI Score

0.0004EPSS

2024-03-31 07:25 PM
cvelist
cvelist

CVE-2024-2109

The Booster Extension plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.0 via the 'booster_extension_authorbox_shortcode_display' function. This makes it possible for unauthenticated attackers to extract sensitive data including user...

5.3CVSS

5.8AI Score

0.0005EPSS

2024-05-02 04:52 PM
cve
cve

CVE-2024-33619

In the Linux kernel, the following vulnerability has been resolved: efi: libstub: only free priv.runtime_map when allocated priv.runtime_map is only allocated when efi_novamap is not set. Otherwise, it is an uninitialized value. In the error path, it is freed unconditionally. Avoid passing an...

6.7AI Score

0.0004EPSS

2024-06-21 11:15 AM
20
cvelist
cvelist

CVE-2024-33619 efi: libstub: only free priv.runtime_map when allocated

In the Linux kernel, the following vulnerability has been resolved: efi: libstub: only free priv.runtime_map when allocated priv.runtime_map is only allocated when efi_novamap is not set. Otherwise, it is an uninitialized value. In the error path, it is freed unconditionally. Avoid passing an...

0.0004EPSS

2024-06-21 10:18 AM
cvelist
cvelist

CVE-2024-34567 WordPress Easy Notify Lite plugin <= 1.1.29 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in GhozyLab, Inc. Popup Builder allows Stored XSS.This issue affects Popup Builder: from n/a through...

5.9CVSS

6.1AI Score

0.0004EPSS

2024-05-17 06:07 AM
vulnrichment
vulnrichment

CVE-2024-34567 WordPress Easy Notify Lite plugin <= 1.1.29 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in GhozyLab, Inc. Popup Builder allows Stored XSS.This issue affects Popup Builder: from n/a through...

5.9CVSS

6.8AI Score

0.0004EPSS

2024-05-17 06:07 AM
cve
cve

CVE-2024-4887

The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level...

7.5CVSS

7.5AI Score

0.001EPSS

2024-06-07 04:15 AM
23
cve
cve

CVE-2024-4636

The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS

5.7AI Score

0.001EPSS

2024-05-15 07:15 AM
7
nvd
nvd

CVE-2024-4551

The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to include and...

6.4CVSS

0.0004EPSS

2024-06-15 09:15 AM
2
cvelist
cvelist

CVE-2024-3555 Social Link Pages: link-in-bio landing pages for your social media profiles <= 1.6.9 - Missing Authorization to Arbitrary Page Creation and Cross-Site Scripting

The Social Link Pages: link-in-bio landing pages for your social media profiles plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the import_link_pages() function in all versions up to, and including, 1.6.9. This makes it possible for unauthenticated...

7.2CVSS

6.8AI Score

0.0005EPSS

2024-06-04 05:32 AM
2
cve
cve

CVE-2024-3945

The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_manage() function. This makes it possible for unauthenticated attackers to add new todo items via a forged...

4.3CVSS

6.3AI Score

0.0005EPSS

2024-05-30 05:15 AM
22
vulnrichment
vulnrichment

CVE-2024-3945 WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_manage()

The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_manage() function. This makes it possible for unauthenticated attackers to add new todo items via a forged...

4.3CVSS

6.5AI Score

0.0005EPSS

2024-05-30 04:31 AM
cve
cve

CVE-2023-3204

The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with.....

6.5CVSS

6.2AI Score

0.001EPSS

2024-06-20 02:15 AM
22
cvelist
cvelist

CVE-2024-4636 Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF <= 3.12.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

The Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and including, 3.12.10 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS

6AI Score

0.001EPSS

2024-05-15 06:51 AM
2
cve
cve

CVE-2024-31110

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Katz Web Services, Inc. Contact Form 7 Newsletter allows Reflected XSS.This issue affects Contact Form 7 Newsletter: from n/a through...

7.1CVSS

9.3AI Score

0.0004EPSS

2024-03-31 07:15 PM
28
vulnrichment
vulnrichment

CVE-2024-5613 Formula <= 0.5.1 - Reflected Cross-Site Scripting via quality_customizer_notify_dismiss_action

The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'quality_customizer_notify_dismiss_action' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS

6.4AI Score

0.001EPSS

2024-06-08 05:44 AM
nvd
nvd

CVE-2024-5152

The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 6.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS

5.7AI Score

0.0004EPSS

2024-06-06 04:15 AM
1
nvd
nvd

CVE-2024-3945

The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_manage() function. This makes it possible for unauthenticated attackers to add new todo items via a forged...

4.3CVSS

4.7AI Score

0.0005EPSS

2024-05-30 05:15 AM
2
cve
cve

CVE-2024-4788

The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-06 02:15 AM
3
cvelist
cvelist

CVE-2024-31110 WordPress Contact Form 7 Newsletter plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Katz Web Services, Inc. Contact Form 7 Newsletter allows Reflected XSS.This issue affects Contact Form 7 Newsletter: from n/a through...

7.1CVSS

7.1AI Score

0.0004EPSS

2024-03-31 06:57 PM
cvelist
cvelist

CVE-2024-4887 Qi Addons For Elementor <= 1.7.2 - Authenticated (Contributor+) Local File Inclusion

The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level...

7.5CVSS

0.001EPSS

2024-06-07 03:21 AM
vulnrichment
vulnrichment

CVE-2024-4277 LearnPress – WordPress LMS Plugin <= 4.2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via layout_html Parameter

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_html’ parameter in all versions up to, and including, 4.2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with....

6.4CVSS

5.8AI Score

0.0004EPSS

2024-05-10 09:32 AM
nvd
nvd

CVE-2024-26024

SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in Substation...

8.4CVSS

8.6AI Score

0.0004EPSS

2024-05-28 05:15 PM
cve
cve

CVE-2024-3943

The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodo_addcomment function. This makes it possible for unauthenticated attackers to add comments to to do items via....

4.3CVSS

6.3AI Score

0.0004EPSS

2024-05-30 05:15 AM
22
nvd
nvd

CVE-2024-5613

The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'quality_customizer_notify_dismiss_action' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS

0.001EPSS

2024-06-08 06:15 AM
2
cvelist
cvelist

CVE-2024-4788 Boostify Header Footer Builder for Elementor <= 1.3.3 - Missing Authorization to Page/Post Creation

The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with...

4.3CVSS

4.4AI Score

0.0004EPSS

2024-06-06 02:02 AM
1
cvelist
cvelist

CVE-2024-1943

The Yuki theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including 1.3.14. This is due to missing or incorrect nonce validation on the reset_customizer_options() function. This makes it possible for unauthenticated attackers to reset the themes settings...

4.3CVSS

4.5AI Score

0.0004EPSS

2024-02-28 06:46 AM
cve
cve

CVE-2024-2026

The Passster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_protector shortcode in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated....

6.4CVSS

7.6AI Score

0.0004EPSS

2024-04-09 07:15 PM
24
cvelist
cvelist

CVE-2024-4329 Thim Elementor Kit <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

The Thim Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access.....

6.4CVSS

6AI Score

0.0004EPSS

2024-05-11 06:43 AM
cvelist
cvelist

CVE-2024-4361 Page Builder by SiteOrigin <= 2.29.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'siteorigin_widget' Shortcode

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS

5.9AI Score

0.001EPSS

2024-05-21 11:02 AM
nvd
nvd

CVE-2024-4788

The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with...

4.3CVSS

4.4AI Score

0.0004EPSS

2024-06-06 02:15 AM
1
cvelist
cvelist

CVE-2024-1779

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to...

5.3CVSS

5.3AI Score

0.0004EPSS

2024-02-23 06:48 AM
cve
cve

CVE-2024-4634

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hfe_svg_mime_types’ function in versions up to, and including, 1.6.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS

5.7AI Score

0.001EPSS

2024-05-16 11:15 AM
27
cve
cve

CVE-2024-2334

The Template Kit – Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template upload functionality in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author....

6.4CVSS

7.7AI Score

0.0004EPSS

2024-04-09 07:15 PM
31
cve
cve

CVE-2024-0431

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_card' function. This makes it possible for unauthenticated attackers to set the....

4.3CVSS

5.2AI Score

0.0004EPSS

2024-02-28 09:15 AM
63
cvelist
cvelist

CVE-2024-0431

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_card' function. This makes it possible for unauthenticated attackers to set the....

4.3CVSS

4.5AI Score

0.0004EPSS

2024-02-28 08:33 AM
2
cve
cve

CVE-2024-1778

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to...

4.3CVSS

5.3AI Score

0.0004EPSS

2024-02-23 07:15 AM
49
nvd
nvd

CVE-2024-28042

SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM...

8.4CVSS

8.6AI Score

0.0004EPSS

2024-05-15 05:15 PM
2
nvd
nvd

CVE-2024-6251

A vulnerability, which was classified as problematic, was found in playSMS 1.4.3. Affected is an unknown function of the file /index.php?app=main&inc=feature_phonebook&op=phonebook_list of the component New Phonebook Handler. The manipulation of the argument name/email leads to basic cross site...

2.4CVSS

0.0004EPSS

2024-06-22 12:15 PM
1
cve
cve

CVE-2024-4361

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS

5.7AI Score

0.001EPSS

2024-05-21 11:15 AM
31
nvd
nvd

CVE-2024-2088

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract...

8.5CVSS

8.2AI Score

0.001EPSS

2024-05-22 07:15 AM
3
cve
cve

CVE-2024-4364

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button widgets in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated....

6.4CVSS

6AI Score

0.0004EPSS

2024-06-06 04:15 AM
24
cvelist
cvelist

CVE-2024-3313 SUBNET PowerSYSTEM Server and Substation Server Reliance on Insufficiently Trustworthy Component

SUBNET Solutions Inc. has identified vulnerabilities in third-party components used in PowerSYSTEM Server 2021 and Substation Server...

8.4CVSS

8.7AI Score

0.0004EPSS

2024-04-09 10:40 PM
1
cve
cve

CVE-2024-6251

A vulnerability, which was classified as problematic, was found in playSMS 1.4.3. Affected is an unknown function of the file /index.php?app=main&inc=feature_phonebook&op=phonebook_list of the component New Phonebook Handler. The manipulation of the argument name/email leads to basic cross site...

2.4CVSS

3.4AI Score

0.0004EPSS

2024-06-22 12:15 PM
18
vulnrichment
vulnrichment

CVE-2024-4630 Starter Templates — Elementor, WordPress & Beaver Builder Templates <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Starter Templates — Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS

5.8AI Score

0.001EPSS

2024-05-11 04:30 AM
cvelist
cvelist

CVE-2024-6251 playSMS New Phonebook cross site scripting

A vulnerability, which was classified as problematic, was found in playSMS 1.4.3. Affected is an unknown function of the file /index.php?app=main&inc=feature_phonebook&op=phonebook_list of the component New Phonebook Handler. The manipulation of the argument name/email leads to basic cross site...

2.4CVSS

0.0004EPSS

2024-06-22 11:31 AM
3
cve
cve

CVE-2024-5646

The Futurio Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘header_size’ attribute within the Advanced Text Block widget in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated....

6.4CVSS

5.7AI Score

0.001EPSS

2024-06-11 09:15 PM
23
cve
cve

CVE-2024-1716

The Admin Bar Remover plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_form() function in all versions up to, and including, 1.0.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above,...

4.3CVSS

6.3AI Score

0.001EPSS

2024-05-02 05:15 PM
21
cvelist
cvelist

CVE-2024-4213 Shopping Cart & eCommerce Store <= 5.6.4 - Sensitive Information Exposure

The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.4 via the order report functionality. This makes it possible for unauthenticated attackers to extract sensitive data including order details such as...

5.3CVSS

6.5AI Score

0.0005EPSS

2024-05-10 09:32 PM
Total number of security vulnerabilities288601