CVE-2024-0719
The Tabs Shortcode and Widget WordPress plugin through 1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
@cveNotify
WPScan
Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting
CVE-2024-1307
The Smart Forms WordPress plugin before 2.6.94 does not have proper authorization in some actions, which could allow users with a role as low as subscriber to call them and perform unauthorized actions.
@cveNotify
WPScan
Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control
CVE-2024-2857
The Simple Buttons Creator WordPress plugin through 1.04 does not have any authorisation as well as CSRF checks in its add button function, allowing unauthenticated users to call it either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged-in admins.
@cveNotify
WPScan
Simple Buttons Creator <= 1.04 - Unauthenticated Stored XSS
CVE-2024-2404
The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks.
@cveNotify
WPScan
Better Comments < 1.5.6 - Subscriber+ Stored XSS
CVE-2024-0151
Insufficient argument checking in Secure state Entry functions in software using Cortex-M Security Extensions (CMSE) that has been compiled with toolchains implementing 'Arm v8-M Security Extensions Requirements on Development Tools' prior to version 1.4 allows an attacker to pass values to Secure state that are out of range for types smaller than 32 bits. Out-of-range values might lead to incorrect operations in Secure state.
@cveNotify
CVE-2024-34683
An authenticated attacker can upload a malicious file to the SAP Document Builder service. When the victim accesses this file, the attacker is allowed to access, modify, or make the related information unavailable in the victim's browser.
@cveNotify
CVE-2024-34688
Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application.
@cveNotify
CVE-2019-16572
Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master, where they can be viewed by users with access to the master file system.
@cveNotify
CVE-2024-1232
The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged-in admins delete downloads via a CSRF attack.
@cveNotify
WPScan
CM Download Manager < 2.9.0 - Download Deletion via CSRF
CVE-2023-7201
The Everest Backup WordPress plugin before 2.2.5 does not properly validate backup files to be uploaded, allowing high privilege users such as admins to upload arbitrary files to the server even when they should not be allowed to (for example in a multisite setup).
@cveNotify
WPScan
Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload
CVE-2024-1306
The Smart Forms WordPress plugin before 2.6.94 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as editing entries, and we consider it a medium risk.
@cveNotify
WPScan
Smart Forms < 2.6.94 - Edit Entries via CSRF
CVE-2024-0868
The coreActivity: Activity Logging WordPress plugin before 2.1 retrieved the IP addresses of requests from headers such as X-FORWARDED in order to log them, allowing users to spoof the logged address by supplying an arbitrary value.
@cveNotify
WPScan
coreActivity < 2.1 - Unauthenticated IP Spoofing
CVE-2024-2429
The Salon booking system WordPress plugin through 9.6.5 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
@cveNotify
WPScan
Salon booking system < 9.6.6 - Settings Update via CSRF
CVE-2024-34621
Out-of-bounds read in applying binary with data in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
@cveNotify
CVE-2024-34624
Out-of-bounds read in applying paragraphs in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
@cveNotify
CVE-2024-34625
Out-of-bounds read in applying connection point in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
@cveNotify
CVE-2024-34626
Out-of-bounds read in applying own binary in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
@cveNotify
CVE-2024-34627
Out-of-bounds read in parsing implementation in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
@cveNotify
CVE-2024-34628
Out-of-bounds read in applying binary with path in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
@cveNotify
CVE-2023-6585
The WP JobSearch WordPress plugin before 2.3.4 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files, such as PHP, to the server.
@cveNotify
WPScan
JobSearch WP Job Board < 2.3.4 - Arbitrary File Upload to RCE
CVE-2024-1564
The wp-schema-pro WordPress plugin before 2.7.16 does not validate post access, allowing a contributor user to access custom fields on any post, regardless of post type or status, via a shortcode.
@cveNotify
WPScan
Schema Pro < 2.7.16 - Contributor+ Custom Field Access