Wordfence Intelligence Weekly WordPress Vulnerability Report (December 2, 2024 to December 8, 2024)

💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program. Through January 6th, 2025:

• All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
• All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in-scope for all researchers!
• All plugins and themes hosted in the WordPress.org repository with any install count are in scope for our preset list of high threat vulnerabilities.
• $150 bonus awarded when a researcher submits at least 15 valid high threat vulnerabilities, and then a $50 bonus awarded for every 5 submitted thereafter.
• Minimum bounty of $5 for all valid in-scope submissions.
• All researchers earn automatic bonuses of between 5% to 180% for valid submissions
• Pending report limits are increased for all
• It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 198 vulnerabilities disclosed in 183 WordPress Plugins and 7 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 62 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 20,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WAF-RULE-774 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-775 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-776 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-777 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-778 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-779 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-780 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-781 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-782 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
vgo0	23
Peter Thaleikis	19
Francesco Carlucci	11
João Pedro Soares de Alcântara	9
Mika	8
Dave Jong	8
SOPROBRO	7
Colin Xu	7
Gab	5
Tieu Pham Trong Nhan	5
Arkadiusz Hydzik	5
zer0gh0st	4
stealthcopter	4
zaim	4
zakaria	4
Bob Matyas	4
Ananda Dhakal	3
ardias	3
Webbernaut	3
Lucio Sá	3
shaman0x01	3
wesley (wcraft)	3
Trương Hữu Phúc (truonghuuphuc)	3
Hakiduck	3
João G. Barbosa (4rCanJ0x!)	3
Khalid Yusuf	2
Manab Jyoti Dowarah	2
BrokenAC ignore	2
István Márton	2
theviper17y	2
tmrswrr	2
tahu.datar	2
abrahack	1
a00n	1
Ngô Thiên An (ancorn_)	1
Abdi Pranata	1
thiennv	1
mikemyers	1
Nirmal Kavaiya	1
trongnb02	1
Régis SENET	1
Frissi0n	1
Kevin Murphy (knmurphy)	1
Pritam Dash	1
luc	1
TANG Cheuk Hei (siunam)	1
Foxyyy	1
Nishiv	1
Rafie Muhammad	1
Lam Que Chi	1
yudha	1
Certus Cybersecurity	1
1337_Wannabe	1
Joshua Martinelle	1
Krzysztof Zając	1
Michael	1
mike harris (mikeyh)	1
Noah Stead (TurtleBurg)	1
Eduardo Bido	1
Joshua Provoste	1
nvthien	1
Marco Wotschka	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Revy <= 1.18 - Unauthenticated Arbitrary File Upload

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2024-54214

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Revy

Researcher

Dave Jong

More Details >

Pie Register Premium < 3.8.3.3 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-53822

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Pie Register Premium

Researcher

Ananda Dhakal

More Details >

SV100 Companion <= 2.0.02 - Missing Authorization to Unuathenticated Arbitrary Options Update

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12155

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
SV100 Companion

Researcher

Lucio Sá

More Details >

Sweet Date <= 3.7.3 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-43222

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Sweet Date

Researcher

luc

More Details >

WP Umbrella: Update Backup Restore & Monitoring <= 2.17.0 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12209

Patch Status
Patched

Published
Dec 7, 2024

Affected Software
WP Umbrella: Update Backup Restore & Monitoring

Researcher

Arkadiusz Hydzik

More Details >

Simple User Registration <= 5.5 - Missing Authorization to User Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2024-53810

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Simple User Registration

Researcher

stealthcopter

More Details >

Accessibility by AllAccessible <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11643

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Accessibility by AllAccessible

Researcher

1337_Wannabe

More Details >

AI Quiz | Quiz Maker <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11323

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
AI Quiz | Quiz Maker

Researcher

vgo0

More Details >

All Bootstrap Blocks <= 1.3.19 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-53824

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
All Bootstrap Blocks

Researcher

Ngô Thiên An (ancorn_)

More Details >

Designer <= 1.3.3 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54225

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Designer – Addons for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials <= 3.3.3 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11429

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials

Researcher

Peter Thaleikis

More Details >

Funnelforms Free <= 3.7.5 - Authenticated (Contributor+) PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-10587

Patch Status
Unpatched

Published
Dec 3, 2024

Affected Software
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Researcher

Peter Thaleikis

More Details >

Gallery <= 1.3 - Authenticated (Contributor+) PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11501

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Gallery

Researcher

Francesco Carlucci

More Details >

Pubnews <= 1.0.7 - Unauthenticated Arbitrary Plugin Installation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-10578

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Pubnews

Researcher

Kevin Murphy (knmurphy)

More Details >

WP Mailster <= 1.8.16.0 - Authenticated (Contributor+) SQL Injection via orderby

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-53807

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WP Mailster

Researcher

Lam Que Chi

More Details >

FAT Services Booking <= 5.6 - Unauthenticated SQL Injection

8.6

CVSS Rating
High (8.6)

CVE-ID
CVE-2024-54221

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
FAT Services Booking

Researcher

Dave Jong

More Details >

Login With OTP <= 1.4.2 - Authentication Bypass via Weak OTP

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-11178

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Login With OTP

Researcher

István Márton

More Details >

Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Social Sites Login <= 1.7.9 - Authentication Bypass

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-11293

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Pie Register - Social Sites Login (Add on)

Researcher

wesley (wcraft)

More Details >

s2Member (Pro) <= 241114 - Unauthenticated Remote Code Execution

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-51815

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Researcher

Hakiduck

More Details >

Soledad <= 8.5.9 - Unauthenticated Limited Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-11289

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Soledad

Researcher

Foxyyy

More Details >

Swift Performance Lite <= 2.3.7.1 - Unauthenticated Local PHP File Inclusion via 'ajaxify'

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-10516

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Swift Performance Lite

Researcher

Arkadiusz Hydzik

More Details >

ARForms <= 6.4.1 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read

7.7

CVSS Rating
High (7.7)

CVE-ID
CVE-2024-54216

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
ARforms

Researcher

Dave Jong

More Details >

Advanced File Manager <= 5.2.10 - Authenticated (Subscriber+) Arbitrary File Upload

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11391

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Advanced File Manager

Researcher

Joshua Provoste

More Details >

Beautiful Taxonomy Filters <= 2.4.4 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12270

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Beautiful taxonomy filters

Researcher

Frissi0n

More Details >

Classic Addons – WPBakery Page Builder <= 3.0 - Authenticated (Contributor+) Limited Local PHP File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11952

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Classic Addons – WPBakery Page Builder

Researcher

Nishiv

More Details >

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11728

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
KiviCare – Clinic & Patient Management System (EHR)

Researcher

shaman0x01

More Details >

Revy <= 1.18 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-54215

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Revy

Researcher

Dave Jong

More Details >

TI WooCommerce Wishlist <= 2.9.1 - Missing Authorization to Unauthenticated Plugin Setup Wizard Access

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-10567

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
TI WooCommerce Wishlist

Researcher

abrahack

More Details >

Verowa Connect <= 3.0.1 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11460

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Verowa Connect

Researcher

Colin Xu

More Details >

WordPress Auction Plugin <= 3.7 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-51615

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
WordPress Auction Plugin

Researcher

Hakiduck

More Details >

WP Hide & Security Enhancer <= 2.5.1 - Missing Authorization to Unauthenticated Arbitrary File Contents Deletion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11585

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
WP Hide & Security Enhancer

Researcher

mikemyers

More Details >

WP Mailster <= 1.8.16.0 - Missing Authorization

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-53805

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WP Mailster

Researcher

Mika

More Details >

Authors List <= 2.0.4 - Unauthenticated Arbitrary Shortcode Execution via update_authors_list_ajax

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2024-10952

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Authors List

Researcher

Arkadiusz Hydzik

More Details >

AIO Contact <= 2.8.1 - Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-54219

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
AIO Contact

Researcher

Dave Jong

More Details >

FileOrganizer <= 1.1.4 - Authenticated (Administrator+) Local JavaScript File Inclusion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-11010

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
FileOrganizer – Manage WordPress and Website Files

Researcher

TANG Cheuk Hei (siunam)

More Details >

WDesignkit <= 1.0.40 - Authenticated (Administrator+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-53811

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder

Researcher

tahu.datar

More Details >

YouTube Gallery and Vimeo Gallery Plugin <= 2.4.2 - Authenticated (Administrator+) SQL Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-10247

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Video Gallery – YouTube Gallery and Vimeo Gallery

Researcher

tmrswrr

More Details >

Library Management System <= 3.0.0 - Authenticated (Admin+) SQL Injection

6.8

CVSS Rating
Medium (6.8)

CVE-ID
CVE-2024-8679

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Library Management System – Manage e-Digital Books Library

Researcher

Eduardo Bido

More Details >

AIO Contact <= 2.8.1 - Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-54218

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
AIO Contact

Researcher

Dave Jong

More Details >

ARForms Form Builder <= 1.7.1 - HTML Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-54223

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Contact Form, Survey, Quiz & Popup Form Builder – ARForms

Researcher

Pritam Dash

More Details >

BP Profile Shortcodes Extra <= 2.6.0 - Authenticated (Contributor+) SQL Injection via tab Parameter

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-11732

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
BP Profile Shortcodes Extra

Researcher

Peter Thaleikis

More Details >

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Authenticated (Doctor/Receptionist+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-11730

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
KiviCare – Clinic & Patient Management System (EHR)

Researcher

shaman0x01

More Details >

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-11729

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
KiviCare – Clinic & Patient Management System (EHR)

Researcher

shaman0x01

More Details >

Pinpoint Booking System <= 2.9.9.5.1 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-53815

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Pinpoint Booking System – #1 WordPress Booking Plugin

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

WP Mailster <= 1.8.16.0 - Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-53803

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WP Mailster

Researcher

Mika

More Details >

WP Project Manager <= 2.6.16 - Authenticated (Project Manager+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12015

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Researcher

Joshua Martinelle

More Details >

WP Travel <= 9.6.0 - Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-53813

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WP Travel – Ultimate Travel Booking System, Tour Management Engine

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54253

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
140+ Widgets | Xpro Addons For Elementor – FREE

Researcher

João Pedro Soares de Alcântara

More Details >

ABCBiz Addons for Elementor <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54247

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
ABCBiz Addons for Elementor

Researcher

Gab

More Details >

Advanced Element Bucket Addons for Elementor <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54210

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Advanced Element Bucket Addons for Elementor

Researcher

Gab

More Details >

Arkhe Blocks <= 2.27.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via block attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-53794

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Arkhe Blocks

Researcher

João Pedro Soares de Alcântara

More Details >

B Testimonial – testimonial plugin for WP <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11880

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
B Testimonial – Testimonial plugin for WP

Researcher

Peter Thaleikis

More Details >

Beaver Builder <= 2.8.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-53797

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Beaver Builder – WordPress Page Builder

Researcher

João Pedro Soares de Alcântara

More Details >

Blocksy <= 2.0.77 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11420

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
Blocksy

Researcher

zer0gh0st

More Details >

BMLT Tabbed Map <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11866

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
BMLT Tabbed Map

Researcher

Peter Thaleikis

More Details >

Bold Page Builder <= 5.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-53801

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Bold Page Builder

Researcher

Nirmal Kavaiya

More Details >

Captivate Sync <= 2.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-53820

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Captivate Sync

Researcher

theviper17y

More Details >

CMSMasters Elementor Addon <= 1.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-9694

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
CMSMasters Elementor Addon

Researcher

István Márton

More Details >

Contact Form Builder <= 4.10.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10056

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
Contact Form Builder by vcita

Researcher

Peter Thaleikis

More Details >

Contact Form, Survey & Form Builder – MightyForms <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11897

Patch Status
Unpatched

Published
Dec 3, 2024

Affected Software
Contact Form, Survey & Form Builder – MightyForms

Researcher

zaim

More Details >

Cookielay <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via cookielay Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10320

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Cookielay

Researcher

Peter Thaleikis

More Details >

Element Pack Elementor Addons <= 5.10.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-9058

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Researcher

zer0gh0st

More Details >

ElementsReady Addons for Elementor <= 6.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54224

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
ElementsReady Addons for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Email Address Obfuscation <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11935

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Email Address Obfuscation

Researcher

theviper17y

More Details >

FAT Services Booking <= 5.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54220

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
FAT Services Booking

Researcher

Dave Jong

More Details >

Flower Delivery by Florist One <= 3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11769

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Flower Delivery by Florist One

Researcher

zaim

More Details >

Futurio Extra <= 2.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via header_size tag

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-53802

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Futurio Extra

Researcher

João Pedro Soares de Alcântara

More Details >

Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10178

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor

Researcher

Webbernaut

More Details >

jAlbum Bridge <= 2.0.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via ar Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11853

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
jAlbum Bridge

Researcher

Peter Thaleikis

More Details >

Listdom – Business Directory and Classified Ads Listings WordPress Plugin <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11854

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Listdom – Business Directory and Classified Ads Listings WordPress Plugin

Researcher

Peter Thaleikis

More Details >

Magical Addons For Elementor <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54212

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library )

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

Mini Program API <= 1.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11380

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Mini Program API

Researcher

SOPROBRO

More Details >

Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-5020

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Responsive Lightbox & Gallery
WPC Smart Quick View for WooCommerce
Accordion Slider
FV Flowplayer Video Player
Gallery Plugin for WordPress – Envira Photo Gallery
Colibri Page Builder
Visual Portfolio, Photo Gallery & Post Grid
Getwid – Gutenberg Blocks
Firelight Lightbox
FancyBox for WordPress
and 4 more...

Researcher

Webbernaut

More Details >

myCred – Loyalty Points and Rewards plugin <= 2.7.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11201

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program.

Researcher

Peter Thaleikis

More Details >

News Kit Elementor Addons <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54260

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
News Kit Elementor Addons

Researcher

Gab

More Details >

NewsMash <= 1.0.71 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10849

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
NewsMash

Researcher

stealthcopter

More Details >

NewsMunch <= 1.0.35 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10848

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
NewsMunch

Researcher

stealthcopter

More Details >

ONLYOFFICE Docs <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11450

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
ONLYOFFICE Docs

Researcher

zakaria

More Details >

PostX <= 4.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-53818

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX

Researcher

João Pedro Soares de Alcântara

More Details >

Responsive Videos <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11747

Patch Status
Unpatched

Published
Dec 3, 2024

Affected Software
Responsive Videos

Researcher

zakaria

More Details >

RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54232

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
RRAddons for Elementor

Researcher

Michael

More Details >

Scratch & Win – Giveaways and Contests <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11898

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more

Researcher

Peter Thaleikis

More Details >

SearchIQ – The Search Solution <= 4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10885

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
SearchIQ – The Search Solution

Researcher

Peter Thaleikis

More Details >

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel <= 3.2.1- Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-4633

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel

Researcher

wesley (wcraft)

More Details >

Smart PopUp Blaster <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11339

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Smart PopUp Blaster

Researcher

SOPROBRO

More Details >

Spectra – WordPress Gutenberg Blocks <= 2.16.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10484

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Spectra – WordPress Gutenberg Blocks

Researcher

zer0gh0st

More Details >

The Plus Addons for Elementor Page Builder Lite <= 5.6.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-53823

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Researcher

wesley (wcraft)

More Details >

Themesflat Addons For Elementor <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-53796

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Themesflat Addons For Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

TwentyTwenty <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11352

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
TwentyTwenty

Researcher

yudha

More Details >

Unlock Addons for Elementor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54230

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Unlock Addons for Elementor

Researcher

Gab

More Details >

WIP WooCarousel Lite <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11779

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
WIP WooCarousel Lite

Researcher

zaim

More Details >

WordPress Page Builder – Zion Builder <= 3.6.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54213

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
WordPress Page Builder – Zion Builder

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout <= 1.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11453

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout

Researcher

Peter Thaleikis

More Details >

Wot Elementor Widgets <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54228

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Wot Elementor Widgets

Researcher

Gab

More Details >

WP eCards <= 1.3.904 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11903

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
WP eCards

Researcher

zaim

More Details >

WP Mailster <= 1.8.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11782

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WP Mailster

Researcher

Peter Thaleikis

More Details >

WP-SVG <= 0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11644

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
WP-SVG

Researcher

Bob Matyas

More Details >

WPBITS Addons For Elementor Page Builder <= 1.5.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-8962

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
WPBITS Addons For Elementor Page Builder

Researcher

Francesco Carlucci

More Details >

Zooom <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11451

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Zooom

Researcher

zakaria

More Details >

코드엠샵 소셜톡 <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11904

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
코드엠샵 소셜톡

Researcher

Peter Thaleikis

More Details >

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup <= 4.0.51 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-10681

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup

Researcher

Arkadiusz Hydzik

More Details >

Pojo Forms <= 1.4.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via form_preview_shortcode

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-10909

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Pojo Forms

Researcher

Arkadiusz Hydzik

More Details >

Accounting for WooCommerce <= 1.6.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11324

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
Accounting for WooCommerce

Researcher

vgo0

More Details >

Additional Custom Order Status for WooCommerce <= 1.6.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11814

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Additional Custom Order Status for WooCommerce

Researcher

vgo0

More Details >

Awesome Shortcodes <= 1.7.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54209

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Awesome Shortcodes

Researcher

SOPROBRO

More Details >

Block Controller <= 1.4.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54208

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Block Controller

Researcher

João Pedro Soares de Alcântara

More Details >

Broadcast <= 51.01 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11379

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Broadcast

Researcher

vgo0

More Details >

Campaign Monitor Forms by Optin Cat <= 2.5.7 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11326

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Campaign Monitor Forms by Optin Cat

Researcher

vgo0

More Details >

CardGate Payments for WooCommerce <= 3.2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12257

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
CardGate Payments for WooCommerce

Researcher

Colin Xu

More Details >

Clickbank WordPress Plugin (Storefront) <= 1.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11336

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Clickbank WordPress Plugin (Storefront)

Researcher

SOPROBRO

More Details >

Comfino Payment Gateway <= 4.1.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11329

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
Comfino Payment Gateway

Researcher

vgo0

More Details >

Country Blocker <= 3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54226

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Country Blocker

Researcher

SOPROBRO

More Details >

Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more! <= 1.4.19 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11436

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
Drag & Drop Builder, Human Face Detector, Pre-built Templates, Spam Protection, User Email Notifications & more!

Researcher

Colin Xu

More Details >

Easy Code Snippets <= 1.0.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11464

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Easy Code Snippets

Researcher

vgo0

More Details >

Feedpress Generator – External RSS Frontend Customizer <= 1.2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11457

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Feedpress Generator – External RSS Frontend Customizer

Researcher

nvthien

More Details >

Flixita <= 1.0.82 - Reflected Cross-Site Scripting via id Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-10836

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Flixita

Researcher

vgo0

More Details >

Folder Gallery <= 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11823

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Folder Gallery

Researcher

zakaria

More Details >

Form Data Collector <= 2.2.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11461

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Form Data Collector

Researcher

vgo0

More Details >

ForumWP – Forum & Discussion Board <= 2.1.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-10879

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
ForumWP – Forum & Discussion Board

Researcher

Peter Thaleikis

More Details >

ForumWP – Forum & Discussion Board <= 2.1.2 - Reflected Cross-Site Scripting via url Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11204

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
ForumWP – Forum & Discussion Board

Researcher

Peter Thaleikis

More Details >

Goodlayers Core <= 2.0.7 - Reflected Cross-Site Scripting via 'font-family'

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11200

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Goodlayers Core

Researcher

mike harris (mikeyh)

More Details >

Intro Tour Tutorial DeepPresentation <= 6.5.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11466

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Intro Tour Tutorial DeepPresentation

Researcher

vgo0

More Details >

Login Widget With Shortcode <= 6.1.2 - Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54255

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Login Widget With Shortcode

Researcher

ardias

More Details >

Mollie for Contact Form 7 <= 5.0.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12165

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Mollie for Contact Form 7

Researcher

Colin Xu

More Details >

My auctions allegro <= 3.6.17 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11707

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
My auctions allegro

Researcher

vgo0

More Details >

Next-Cart Store to WooCommerce Migration <= 3.9.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11687

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Next-Cart Store to WooCommerce Migration

Researcher

vgo0

More Details >

Ni WooCommerce Order Export <= 3.1.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54231

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Ni WooCommerce Order Export

Researcher

thiennv

More Details >

NPS computy <= 2.8.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11807

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
NPS computy

Researcher

vgo0

More Details >

Paloma Widget <= 1.14 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54205

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Paloma Widget

Researcher

ardias

More Details >

PDF Builder for WooCommerce. Create invoices,packing slips and more <= 1.2.136 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11276

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
PDF Builder for WooCommerce. Create invoices,packing slips and more

Researcher

Colin Xu

More Details >

Pie Register Premium < 3.8.3.3 - Unauthenticated Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-53821

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Pie Register Premium

Researcher

Ananda Dhakal

More Details >

Posti Shipping <= 3.10.3 - Cross-Site Request Forgery to Reflected Cross-Site Scripting via generate_notices_html Function

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-10832

Patch Status
Unpatched

Published
Dec 3, 2024

Affected Software
Posti Shipping

Researcher

vgo0

More Details >

Pulsating Chat Button <= 1.3.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11813

Patch Status
Unpatched

Published
Dec 3, 2024

Affected Software
Pulsating Chat Button

Researcher

SOPROBRO

More Details >

Quick License Manager – WooCommerce Plugin <= 2.4.17 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11805

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Quick License Manager – WooCommerce Plugin

Researcher

vgo0

More Details >

Shortcodes Blocks Creator Ultimate <= 2.2.0 - Reflected Cross-Site Scripting via _wpnonce

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12167

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Shortcodes Blocks Creator Ultimate

Researcher

vgo0

More Details >

Shortcodes Blocks Creator Ultimate <= 2.2.0 - Reflected Cross-Site Scripting via 'page'

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12166

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Shortcodes Blocks Creator Ultimate

Researcher

Colin Xu

More Details >

Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 - Reflected Cross-Site Scripting via monthly_sales_current_year Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12128

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal

Researcher

vgo0

More Details >

Smoove connector for Elementor forms <= 4.1.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11367

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Smoove connector for Elementor forms

Researcher

vgo0

More Details >

Splash Sync <= 2.0.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11368

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Splash Sync

Researcher

vgo0

More Details >

TWChat – Send or receive messages from users <= 4.0.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11374

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
TWChat – Send or receive messages from users

Researcher

vgo0

More Details >

WP GeoNames <= 1.8 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-53812

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WP GeoNames

Researcher

ardias

More Details >

WP Job Manager – Company Profiles <= 1.7 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2023-6978

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
WP Job Manager – Company Profiles

Researcher

Krzysztof Zając

More Details >

WP Media Optimizer (.webp) <= 1.4.0 - Reflected Cross-Site Scripting via wpmowebp-css-resources and wpmowebp-js-resources Parameters

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12060

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
WP Media Optimizer (.webp)

Researcher

vgo0

More Details >

WP System <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12003

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
WP System

Researcher

vgo0

More Details >

افزونه پیامک ووکامرس Persian WooCommerce SMS <= 7.0.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-10046

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
افزونه پیامک ووکامرس Persian WooCommerce SMS

Researcher

Webbernaut

More Details >

워드프레스 결제 심플페이 – 우커머스 결제 플러그인 <= 5.2.2 - Reflected Cross-Site Scripting via add_query_arg Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11943

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
워드프레스 결제 심플페이 – 우커머스 결제 플러그인

Researcher

Peter Thaleikis

More Details >

Borderless <= 1.5.8 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-54211

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg

Researcher

João G. Barbosa (4rCanJ0x!)

More Details >

SG Helper <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-11093

Patch Status
Unpatched

Published
Dec 3, 2024

Affected Software
SG Helper

Researcher

Francesco Carlucci

More Details >

WordPress Auction Plugin <= 3.7 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2024-54207

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
WordPress Auction Plugin

Researcher

Hakiduck

More Details >

ARForms <= 6.4.1 - Missing Authorization to Plugin Settings Change

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-54217

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
ARforms

Researcher

Dave Jong

More Details >

Event Tickets with Ticket Scanner <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-9866

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Event Tickets with Ticket Scanner

Researcher

zer0gh0st

More Details >

FloristPress <= 7.3.0 - Missing Authorization to Arbitrary Content Deletion

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-53798

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
FloristPress – Customize your Woo store for your Florist

Researcher

Mika

More Details >

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-9872

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita

Researcher

stealthcopter

More Details >

Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update / Data Access

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12253

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal

Researcher

Lucio Sá

More Details >

Church Admin <= 5.0.8 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-53795

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Church Admin

Researcher

Mika

More Details >

Client Invoicing by Sprout Invoices <= 20.8.0 - Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-53819

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

Researcher

Manab Jyoti Dowarah

More Details >

Connexion Logs <= 3.0.2 - Cross-Site Request Forgery to Log Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11373

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Connexion Logs

Researcher

Bob Matyas

More Details >

Friends <= 3.2.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12028

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Friends

Researcher

Colin Xu

More Details >

If Menu <= 0.19.1 - Missing Authorization to License Key Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-7894

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
If Menu – Visibility control for Menus

Researcher

Marco Wotschka

More Details >

Minimum and Maximum Quantity for WooCommerce <= 2.0.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-54227

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Minimum and Maximum Quantity for WooCommerce

Researcher

Abdi Pranata

More Details >

Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins <= 2.0.58 - Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-10937

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins

Researcher

Francesco Carlucci

More Details >

Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Unauthenticated Template Activation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-9706

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Ultimate Coming Soon & Maintenance

Researcher

Tieu Pham Trong Nhan

More Details >

WP Mailster <= 1.8.16.0 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-53804

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WP Mailster

Researcher

Mika

More Details >

WP Private Content Plus <= 3.6.1 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11292

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
WP Private Content Plus

Researcher

Francesco Carlucci

More Details >

WPCasa <= 1.2.13 - Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-53826

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
WPCasa

Researcher

Manab Jyoti Dowarah

More Details >

AWeber Forms by Optin Cat <= 2.5.7 - Reflected Cross-Site Scripting

5.2

CVSS Rating
Medium (5.2)

CVE-ID
CVE-2024-11325

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
AWeber Forms by Optin Cat

Researcher

vgo0

More Details >

Connexion Logs <= 3.0.2 - Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-11372

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Connexion Logs

Researcher

Régis SENET

More Details >

NEX-Forms – Ultimate Form Builder <= 8.7.8 - Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-53808

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
NEX-Forms – Ultimate Form Builder – Contact forms and much more

Researcher

trongnb02

More Details >

Product Labels For Woocommerce <= 1.5.8 - Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-53817

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Product Labels For Woocommerce (Sale Badges)

Researcher

tahu.datar

More Details >

Float Block <= 1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-11645

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
float block

Researcher

Bob Matyas

More Details >

Video Gallery <= 2.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-9769

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Video Gallery – YouTube Gallery and Vimeo Gallery

Researcher

tmrswrr

More Details >

Z-Downloads <= 1.11.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-54206

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Z-Downloads

Researcher

Certus Cybersecurity

More Details >

Analytify <= 5.4.3 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-53814

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy)

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

AnyWhere Elementor <= 1.2.11 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10777

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
AnyWhere Elementor

Researcher

Francesco Carlucci

More Details >

Charity Addon for Elementor <= 1.3.2 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12062

Patch Status
Unpatched

Published
Dec 2, 2024

Affected Software
Charity Addon for Elementor

Researcher

Francesco Carlucci

More Details >

CLUEVO LMS, E-Learning Platform <= 1.13.2 - Cross-Site Request Forgery to Module Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11444

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
CLUEVO LMS, E-Learning Platform

Researcher

Peter Thaleikis

More Details >

DN Shipping by Weight for WooCommerce <= 1.1.1 - Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11842

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
DN Shipping by Weight for WooCommerce

Researcher

Bob Matyas

More Details >

Dollie Hub – Build Your Own WordPress Cloud Platform <= 6.2.0 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12099

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Dollie Hub – Build Your Own WordPress Cloud Platform

Researcher

Francesco Carlucci

More Details >

Eleblog – Elementor Blog And Magazine Addons <= 1.8 - Missing Authorization to Authenticated (Subscriber+) Deactivation Submission

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10663

Patch Status
Unpatched

Published
Dec 3, 2024

Affected Software
Eleblog – Elementor Blog And Magazine Addons

Researcher

Tieu Pham Trong Nhan

More Details >

Filebird <= 6.3.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-53825

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
FileBird – WordPress Media Library Folders & File Manager

Researcher

Rafie Muhammad

More Details >

FloristPress <= 7.3.0 - Missing Authorization to Sensitive Data Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-53799

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
FloristPress – Customize your Woo store for your Florist

Researcher

Mika

More Details >

Gold Addons for Elementor <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) License Activation/Deactivation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12110

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Gold Addons for Elementor

Researcher

BrokenAC ignore

More Details >

IdeaPush <= 8.71 - Missing Authorization to Board Term Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11844

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
IdeaPush

Researcher

Lucio Sá

More Details >

Knowledge Base documentation & wiki plugin – BasePress Docs <= 2.16.3.3 - Missing Authorization to Authenticated (Subscriber+) Database Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10664

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
Knowledge Base documentation & wiki plugin – BasePress Docs

Researcher

BrokenAC ignore

More Details >

LA-Studio Element Kit for Elementor <= 1.4.4 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10787

Patch Status
Patched

Published
Dec 3, 2024

Affected Software
LA-Studio Element Kit for Elementor

Researcher

Francesco Carlucci

More Details >

Maspik – Spam blacklist <= 2.2.7 - Cross-Site Request Forgery to Plugin Settings Change

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-53806

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Maspik – Advanced Spam Protection

Researcher

Mika

More Details >

Message Filter for Contact Form 7 <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Filter Updates/Deletions

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12027

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Message Filter for Contact Form 7

Researcher

Tieu Pham Trong Nhan

More Details >

Message Filter for Contact Form 7 <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) New Filter Creation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12026

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
Message Filter for Contact Form 7

Researcher

Tieu Pham Trong Nhan

More Details >

Namaste! LMS <= 2.6.4.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-53809

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Namaste! LMS

Researcher

a00n

More Details >

Poll Maker <= 5.5.4 - Cross-Site Request Forgery to Poll Duplication

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12115

Patch Status
Patched

Published
Dec 6, 2024

Affected Software
Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Researcher

Noah Stead (TurtleBurg)

More Details >

PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.8.1 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10692

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
PowerPack Elementor Addons (Free Widgets, Extensions and Templates)

Researcher

Francesco Carlucci

More Details >

Prodigy Commerce <= 3.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54250

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Prodigy Commerce

Researcher

Khalid Yusuf

More Details >

Prodigy Commerce <= 3.0.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54251

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
Prodigy Commerce

Researcher

Khalid Yusuf

More Details >

Simple Redirection <= 1.5 - Cross-Site Request Forgery to Arbitrary Site Redirect

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11341

Patch Status
Patched

Published
Dec 4, 2024

Affected Software
Simple Redirection

Researcher

SOPROBRO

More Details >

SMS for Lead Capture Forms <= 1.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11353

Patch Status
Unpatched

Published
Dec 6, 2024

Affected Software
SMS for Lead Capture Forms

Researcher

Mika

More Details >

Tutor LMS Elementor Addons <= 2.1.5 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-53816

Patch Status
Patched

Published
Dec 2, 2024

Affected Software
Tutor LMS Elementor Addons

Researcher

Ananda Dhakal

More Details >

Ultimate Coming Soon & Maintenance <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Template Name Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-9705

Patch Status
Unpatched

Published
Dec 5, 2024

Affected Software
Ultimate Coming Soon & Maintenance

Researcher

Tieu Pham Trong Nhan

More Details >

XLTab – Accordions and Tabs for Elementor Page Builder <= 1.4 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10689

Patch Status
Patched

Published
Dec 5, 2024

Affected Software
XLTab – Accordions and Tabs for Elementor Page Builder

Researcher

Francesco Carlucci

More Details >