Wordfence Intelligence Weekly WordPress Vulnerability Report (December 9, 2024 to December 15, 2024)

💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program. Through January 6th, 2025:

• All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
• All plugins and themes with 50-999 active installs hosted in the WordPress.org repository and updated within the last 2 years are in-scope for all researchers!
• All plugins and themes hosted in the WordPress.org repository with any install count are in scope for our preset list of high threat vulnerabilities.
• $150 bonus awarded when a researcher submits at least 15 valid high threat vulnerabilities, and then a $50 bonus awarded for every 5 submitted thereafter.
• Minimum bounty of $5 for all valid in-scope submissions.
• All researchers earn automatic bonuses of between 5% to 180% for valid submissions
• Pending report limits are increased for all
• It’s possible to earn up to $31,200 for high impact vulnerabilities!

Last week, there were 369 vulnerabilities disclosed in 343 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 72 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 21,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• s2Member (Pro) <= 241114 – Unauthenticated Remote Code Execution
• WAF-RULE-783 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
SOPROBRO	66
Mika	28
Peter Thaleikis	25
vgo0	18
João Pedro Soares de Alcântara	18
stealthcopter	15
thiennv	13
ardias	11
zaim	10
LVT-tholv2k	9
Francesco Carlucci	8
zakaria	7
theviper17y	7
yudha	7
Jingle Bells	7
Gab	6
Arkadiusz Hydzik	6
thevietronin	6
Colin Xu	6
Trương Hữu Phúc (truonghuuphuc)	5
Marek Mikita	4
Tieu Pham Trong Nhan	4
zer0gh0st	3
Brian Sans-Souci (liardom)	3
mikemyers	3
ghsinfosec	3
Dhabaleshwar Das	3
hunter85	3
tahu.datar	3
Joshua Chan	3
Le Ngoc Anh	3
Bonds	2
Lucio Sá	2
0xd4rk5id3	2
Pierre Rudloff	2
Zlrqh	2
Rafie Muhammad	2
Tonn	2
Max Boll (_b0lli)	2
Thanh Nam Tran	2
shaman0x01	2
Noah Stead (TurtleBurg)	2
Lokesh Dachepalli	1
Frissi0n	1
Yamil	1
Pham Van Tam	1
Aaron Schlitt	1
Nguyen Khanh Hao	1
Nhien Pham (nhienit)	1
Bob Matyas	1
Ananda Dhakal	1
kslatz	1
villu164	1
SavPhill (Savphill)	1
Khalid Yusuf	1
abrahack	1
minhtuanact	1
Rei Kobayashi	1
Dhabaleshwar Das	1
I8BL	1
cc	1
Sean Murphy	1
Muhammad Zidan Ali Mansur	1
Ala Arfaoui	1
Abdi Pranata	1
Amine SAJID	1
h0j3n	1
HayMiz	1
wesley (wcraft)	1
Malvin Valerian Gultom	1
shinobu	1
0xHarambeHacks	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Axeptio <= 2.5.3 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54270

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Axeptio – Cookie Banner – GDPR Consent & Compliance with a friendly touch

Researcher

h0j3n

More Details >

CE21 Suite <= 2.2.0 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54293

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
CE21 Suite

Researcher

stealthcopter

More Details >

Code Generator Pro <= 1.2 - Unauthenticated SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-55978

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Code Generator Pro

Researcher

LVT-tholv2k

More Details >

CoSchool LMS <= 1.2 - Missing Authorization to Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54296

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
CoSchool LMS – A complete Learning Management System to Create and Sell Your Courses Online

Researcher

stealthcopter

More Details >

Critical Site Intel <= 1.0 - Unauthenticated SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-55976

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
This is a Subversion repository; use the 'svnadmin' tool to examine

Researcher

João Pedro Soares de Alcântara

More Details >

eTemplates <= 0.2.1 - Unauthenticated SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-55972

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
eTemplates

Researcher

João Pedro Soares de Alcântara

More Details >

Firebase OTP Authentication <= 1.0.1 - Missing Authorization to Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54294

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Firebase OTP Authentication

Researcher

stealthcopter

More Details >

ForumWP <= 2.1.0 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54367

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
ForumWP – Forum & Discussion Board

Researcher

Mika

More Details >

LaunchPage.app Importer <= 1.1 - Unauthenticated SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-55977

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
LaunchPage.app Importer

Researcher

João Pedro Soares de Alcântara

More Details >

ListApp Mobile Manager <= 1.7.7 - Missing Authorization to Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54295

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
ListApp Mobile Manager

Researcher

stealthcopter

More Details >

Mail Picker <= 1.0.14 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54273

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Newsletter, Email Marketing, Email Subscriber – Mail Picker

Researcher

Bonds

More Details >

Nabz Image Gallery <= v1.00 - Unauthenticated SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-55981

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Nabz Image Gallery

Researcher

LVT-tholv2k

More Details >

Navayan CSV Export <= 1.0.9 - Unauthenticated SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-55988

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Navayan CSV Export

Researcher

João Pedro Soares de Alcântara

More Details >

Projectopia <= 5.1.7 - Missing Authorization to Privilege Escalation via pto_reset_password()

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54336

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Projectopia – WordPress Project Management

Researcher

stealthcopter

More Details >

Share Buttons – Social Media <= 1.0.2 - Unauthenticated SQL Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-55982

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Share Buttons – Social Media

Researcher

LVT-tholv2k

More Details >

Sign In With Google <= 1.8.0 - Authentication Bypass in authenticate_user

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-11015

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Sign In With Google

Researcher

shaman0x01

More Details >

Sogrid <= 1.5.6 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54374

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WordPress Post Grid Layouts with Pagination – Sogrid

Researcher

tahu.datar

More Details >

Super Backup & Clone - Migrate for WordPress <= 2.3.3 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-9290

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Super Backup & Clone - Migrate for WordPress

Researcher

Tonn

More Details >

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce <= 1.1.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-10124

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce

Researcher

stealthcopter

More Details >

vBSSO-lite <= 1.4.3 - Missing Authorization to Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54297

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
vBSSO-lite

Researcher

stealthcopter

More Details >

Woffice <= 5.4.14 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-43234

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
Woffice CRM

Researcher

Rafie Muhammad

More Details >

WooCommerce PDF Vouchers < 4.9.9 - Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54383

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WooCommerce - PDF Vouchers

Researcher

Bonds

More Details >

Woolook <= 1.7.0 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54375

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Woocommerce Blocks – Woolook

Researcher

tahu.datar

More Details >

WP Cookies Enabler <= 1.0.1 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54380

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
WP Cookies Enabler

Researcher

tahu.datar

More Details >

Wp NssUser Register <= 1.0.0 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54363

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Wp NssUser Register

Researcher

ghsinfosec

More Details >

Zita Site Builder <= 1.0.2 - Missing Authorization to Arbitrary Plugin Installation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-54369

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Zita Site Builder – Elementor, WordPress & Gutenberg Website Builder

Researcher

stealthcopter

More Details >

Advanced What should we write next about <= 1.0.3 - Authenticated (Subscriber+) SQL Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-55987

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Advanced What should we write next about

Researcher

LVT-tholv2k

More Details >

de:branding <= 1.0.2 - Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11443

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
de:branding

Researcher

Mika

More Details >

Dr Affiliate <= 1.2.3 - Authenticated (Subscriber+) SQL Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-55975

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Dr Affiliate

Researcher

LVT-tholv2k

More Details >

EazyDocs <= 2.5.6 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54376

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
EazyDocs – Most Powerful Knowledge base, wiki, Documentation Builder Plugin

Researcher

kslatz

More Details >

EduAdmin Booking <= 5.2.0 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54373

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
EduAdmin Booking

Researcher

theviper17y

More Details >

Flash News / Post (Responsive) <= 4.1 - Cross-Site Request Forgery to Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56012

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Flash News / Post (Responsive)

Researcher

Mika

More Details >

FULL Customer <= 3.1.25 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54313

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
FULL – Cliente

Researcher

João Pedro Soares de Alcântara

More Details >

GitSync <= 1.1.0 - Cross-Site Request Forgery to Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54368

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
GitSync

Researcher

SOPROBRO

More Details >

HQ Rental Software <= 1.5.29 - Cross-Site Request Forgery to Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11689

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
HQ Rental Software

Researcher

vgo0

More Details >

Insertify <= 1.1.4 - Cross-Site Request Forgery to Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54372

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Insertify – Ad,HTML,CSS,JS,PHP,PDF,Header & Footer

Researcher

SOPROBRO

More Details >

KH Easy User Settings <= 1.0.0 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54365

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
KH Easy User Settings

Researcher

Mika

More Details >

Mimoos <= 1.2 - Authenticated (Subscriber+) SQL Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-55974

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Mimoos

Researcher

João Pedro Soares de Alcântara

More Details >

Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54379

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Minterpress

Researcher

Mika

More Details >

Opt-In Downloads <= 4.07 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-10590

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Opt-In Downloads

Researcher

Tonn

More Details >

PowerFormBuilder <= 1.0.6 - Authenticated (Subscriber+) SQL Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-55983

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
PowerFormBuilder – Contact Form Database Manager for WordPress

Researcher

LVT-tholv2k

More Details >

Product Carousel Slider & Grid Ultimate for WooCommerce <= 1.9.10 - Authenticated (Contributor+) Local File Inclusion via 'theme'

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12040

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Product Carousel Slider & Grid Ultimate for WooCommerce

Researcher

theviper17y

More Details >

Quietly Insights <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54378

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Quietly Insights

Researcher

Mika

More Details >

Saksh Escrow System <= 2.4 - Authenticated (Subscriber+) SQL Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-55984

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Saksh Escrow System

Researcher

ghsinfosec

More Details >

Service <= 1.0.4 - Authenticated (Subscriber+) SQL Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-55986

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Service

Researcher

Mika

More Details >

Sogrid <= 1.5.2 - Cross-Site Request Forgery to Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54352

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WordPress Post Grid Layouts with Pagination – Sogrid

Researcher

Mika

More Details >

Video & Photo Gallery for Ultimate Member <= 1.1.0 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-54370

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Video & Photo Gallery for Ultimate Member

Researcher

theviper17y

More Details >

Wovax IDX <= 1.2.2 - Missing Authorization to Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56013

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Wovax IDX

Researcher

ardias

More Details >

WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation

8.5

CVSS Rating
High (8.5)

CVE-ID
CVE-2024-11205

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Researcher

villu164

More Details >

Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Privilege Escalation

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-11721

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Frontend Admin by DynamiApps

Researcher

Max Boll (_b0lli)

More Details >

MainWP Child <= 5.2 - Missing Authorization to Unauthenticated Privilege Escalation

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-10783

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

Researcher

Sean Murphy

More Details >

OAuth Single Sign On – SSO (OAuth Client) <= 6.26.3 - Authentication Bypass

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-10111

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
OAuth Single Sign On – SSO (OAuth Client)

Researcher

wesley (wcraft)

More Details >

Print Science Designer <= 1.3.152 - Unauthenticated PHP Object Injection

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-12312

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Print Science Designer

Researcher

Brian Sans-Souci (liardom)

More Details >

Best WordPress Gallery Plugin – FooGallery <= 2.4.16 - Authenticated (Contributor+) Directory Traversal

7.7

CVSS Rating
High (7.7)

CVE-ID
CVE-2023-6947

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
FooGallery Premium

Researcher

Colin Xu

More Details >

Appsplate <= 2.1.3 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-54292

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Appsplate

Researcher

stealthcopter

More Details >

Instant Appointment <= 1.2 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-54361

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Instant Appointment

Researcher

LVT-tholv2k

More Details >

WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses <= 3.2.21 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12172

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses

Researcher

Thanh Nam Tran

More Details >

WP Job Portal <= 2.2.1 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11711

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

thevietronin

More Details >

WPBookit <= 1.6.0 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-54280

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
WPBookit

Researcher

Jingle Bells

More Details >

Wr Age Verification <= 2.0.0 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-55980

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Wr Age Verification

Researcher

LVT-tholv2k

More Details >

Active Products Tables for WooCommerce. Use constructor to create tables <= 1.0.6.5 - Unauthenticated Arbitrary Shortcode Execution via woot_get_smth

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2024-10959

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
Active Products Tables for WooCommerce. Use constructor to create tables 

Researcher

Arkadiusz Hydzik

More Details >

Grid Plus – Unlimited grid layout <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via grid_plus_load_by_category

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2024-10910

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Grid Plus – Unlimited grid layout

Researcher

Arkadiusz Hydzik

More Details >

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.2.6 - Unauthenticated Stored Cross-Site Scripting via Form Subject

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-10646

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Researcher

mikemyers

More Details >

Crafthemes Demo Import <= 3.3 - Authenticated (Admin+) Arbitrary File Upload in process_uploaded_files

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-9698

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Crafthemes Demo Import

Researcher

Joshua Chan

More Details >

Frontend Admin by DynamiApps <= 3.24.5 - Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-11720

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Frontend Admin by DynamiApps

Researcher

Max Boll (_b0lli)

More Details >

Hurrakify <= 2.4 - Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-54330

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Hurrakify

Researcher

ardias

More Details >

Mollie for Contact Form 7 <= 5.0.0 - Authenticated (Administrator+) SQL Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-55990

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Mollie for Contact Form 7

Researcher

João Pedro Soares de Alcântara

More Details >

Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.19 - Unauthenticated Stored Cross-Site Scripting via Form Calculations

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-11052

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Ninja Forms – The Contact Form Builder That Grows With You

Researcher

mikemyers

More Details >

Radio Player <= 2.0.82 - Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-54385

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress

Researcher

Malvin Valerian Gultom

More Details >

SeedProd Pro <= 6.18.10 - Authenticated (Editor+) Remote Code Execution

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-54285

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
SeedProd Pro

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Spreadr Woocommerce <= 1.0.4 - Missing Authorization to Arbitrary Content Deletion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-56008

Patch Status
Patched

Published
Dec 14, 2024

Affected Software
Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate

Researcher

Mika

More Details >

WP Mega Menu <= 1.4.2 - Authenticated (Administrator+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-54282

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
WP Mega Menu

Researcher

Mika

More Details >

WP Simple Pay Lite Manager <= 1.4 - Authenticated (Administrator+) SQL Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-55989

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
WP Simple Pay Lite Manager

Researcher

João Pedro Soares de Alcântara

More Details >

Gaxx Keywords <= 0.2 - Cross-Site Request Forgery to Cross-Site Scripting

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-54438

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Gaxx Keywords

Researcher

SOPROBRO

More Details >

RapidLoad – Optimize Web Vitals Automatically <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-11840

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
RapidLoad – Optimize Web Vitals Automatically

Researcher

Lucio Sá

More Details >

Coupon Affiliates – Affiliate Plugin for WooCommerce <= 5.16.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12421

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Coupon Affiliates – Affiliate Plugin for WooCommerce

Researcher

Arkadiusz Hydzik

More Details >

Hive Support – WordPress Help Desk <= 1.1.2 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-54304

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Researcher

stealthcopter

More Details >

Library Management System <= 3.0.0 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12406

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Library Management System – Manage e-Digital Books Library

Researcher

Frissi0n

More Details >

Responsive Filterable Portfolio <=1.0.8 - Authenticated (Admin+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2019-25221

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Responsive Filterable Portfolio

Researcher

Ala Arfaoui

More Details >

Simple Link Directory <= 8.4.0 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12417

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Simple Link Directory

Researcher

Arkadiusz Hydzik

More Details >

Spreadr Woocommerce <= 1.0.4 - Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-56009

Patch Status
Patched

Published
Dec 14, 2024

Affected Software
Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate

Researcher

Mika

More Details >

SQL Chart Builder <= 2.3.7.1 - Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-11430

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
SQL Chart Builder

Researcher

Peter Thaleikis

More Details >

TSB Occasion Editor <= 1.2.1 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-55973

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
TSB Occasion Editor

Researcher

João Pedro Soares de Alcântara

More Details >

WoodMart <= 8.0.3 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12333

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Woodmart

Researcher

mikemyers

More Details >

WPMobile.App — Android and iOS Mobile Application <= 11.52 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12420

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
WPMobile.App — Android and iOS Mobile Application

Researcher

Arkadiusz Hydzik

More Details >

Wr Age Verification <= 2.0.0 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-55979

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Wr Age Verification

Researcher

LVT-tholv2k

More Details >

YDS Support Ticket System <= 1.0 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-55985

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
YDS Support Ticket System

Researcher

João Pedro Soares de Alcântara

More Details >

Add infos to the events calendar <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11875

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Add infos to The Events Calendar

Researcher

Peter Thaleikis

More Details >

Advanced Blog Post Block <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54287

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Advanced Blog Post Block

Researcher

Gab

More Details >

Advanced Data Table For Elementor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54443

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Advanced Data Table For Elementor

Researcher

Khalid Yusuf

More Details >

Arena.IM – Live Blogging for real-time events <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11384

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Arena.IM – Live Blogging for real-time events

Researcher

SOPROBRO

More Details >

Arena.IM – Live Blogging for real-time events <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via arena_embed_amp Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12463

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Arena.IM – Live Blogging for real-time events

Researcher

Peter Thaleikis

More Details >

Beaver Builder – WordPress Page Builder <= 2.8.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11832

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Beaver Builder – WordPress Page Builder

Researcher

zer0gh0st

More Details >

Bicycleshop <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54345

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Bicycleshop

Researcher

stealthcopter

More Details >

Booking System Trafft <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11754

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Booking System Trafft

Researcher

SOPROBRO

More Details >

Brand <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54348

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Brandy

Researcher

stealthcopter

More Details >

Buk for WordPress <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11869

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Buk for WordPress

Researcher

zakaria

More Details >

Bukza <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11759

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Bukza

Researcher

SOPROBRO

More Details >

Catch Popup <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11427

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Catch Popup

Researcher

zakaria

More Details >

Cognito Forms <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10182

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Cognito Forms

Researcher

Peter Thaleikis

More Details >

Companion Portfolio – Responsive Portfolio Plugin <= 2.4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11867

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Companion Portfolio – Responsive Portfolio Plugin

Researcher

Peter Thaleikis

More Details >

Connatix Video Embed <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11883

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Connatix Video Embed

Researcher

Peter Thaleikis

More Details >

Cricket Live Score <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11877

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Cricket Live Score

Researcher

yudha

More Details >

Currency Converter Widget ⚡ PRO <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11760

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Currency Converter Widget ⚡ PRO

Researcher

SOPROBRO

More Details >

Email Reminders <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11945

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
Email Reminders

Researcher

Peter Thaleikis

More Details >

Eveeno <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11752

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Eveeno

Researcher

yudha

More Details >

Events Addon for Elementor <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54315

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Events Addon for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

FAQ And Answers – Create Frequently Asked Questions Area on WP Sites <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11882

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
FAQ And Answers – Create Frequently Asked Questions Area on WP Sites

Researcher

Peter Thaleikis

More Details >

Ganohrs Toggle Shortcode <= 0.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12459

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Ganohrs Toggle Shortcode

Researcher

yudha

More Details >

GeoDataSource Country Region DropDown <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12474

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
GeoDataSource Country Region DropDown

Researcher

zakaria

More Details >

glomex oEmbed <= 0.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11873

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
glomex oEmbed

Researcher

Peter Thaleikis

More Details >

Gutenberg Blocks and Page Layouts – Attire Blocks <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11914

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Gutenberg Blocks and Page Layouts – Attire Blocks

Researcher

zaim

More Details >

Gutensee <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54360

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Gutensee

Researcher

Gab

More Details >

Hello Event Widgets For Elementor <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54338

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Hello Event Widgets For Elementor

Researcher

Gab

More Details >

Horizontal scroll image slideshow <= 10.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11442

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Horizontal scroll image slideshow

Researcher

zakaria

More Details >

HostFact bestelformulier integratie <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11413

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
HostFact bestelformulier integratie

Researcher

SOPROBRO

More Details >

iChart – Easy Charts and Graphs <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11928

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
iChart – Easy Charts and Graphs

Researcher

Peter Thaleikis

More Details >

IDer Login for WordPress <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11888

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
IDer Login for WordPress

Researcher

zaim

More Details >

IMS Countdown <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11755

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
IMS Countdown

Researcher

SOPROBRO

More Details >

Integrate Firebase <= 0.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11785

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Integrate Firebase

Researcher

theviper17y

More Details >

Koalendar – Events & Appointments Booking Calendar <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11855

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Koalendar – Events & Appointments Booking Calendar

Researcher

Peter Thaleikis

More Details >

Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site <= 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11876

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site

Researcher

Peter Thaleikis

More Details >

My IDX Home Search <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11889

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
My IDX Home Search

Researcher

zaim

More Details >

My IDX Home Search <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12502

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
My IDX Home Search

Researcher

Peter Thaleikis

More Details >

NewsmanApp <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11767

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
NewsmanApp

Researcher

yudha

More Details >

Nias course <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54277

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Nias course | دوره ساز نیاس

Researcher

Gab

More Details >

NiceJob <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54318

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
NiceJob

Researcher

SOPROBRO

More Details >

ONLYOFFICE DocSpace <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11750

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
ONLYOFFICE DocSpace

Researcher

zakaria

More Details >

Out of the Block: OpenStreetMap <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via ootb_query Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11827

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Out of the Block: OpenStreetMap

Researcher

Peter Thaleikis

More Details >

Perfect Font Awesome Integration <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11891

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Perfect Font Awesome Integration

Researcher

zaim

More Details >

Plain Post <= 1.0.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54349

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Plain Post

Researcher

stealthcopter

More Details >

Plezi <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11763

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Plezi

Researcher

SOPROBRO

More Details >

Poll Builder <= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54276

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Poll, Poll Forms – WordPress Poll plugin by Poll Builder

Researcher

SOPROBRO

More Details >

Post Carousel & Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11770

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Post Carousel & Slider

Researcher

zaim

More Details >

Post to Pdf <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12446

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Post to Pdf

Researcher

zaim

More Details >

Posts and Products Views for WooCommerce <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12448

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Posts and Products Views for WooCommerce

Researcher

zaim

More Details >

PowerBI Embed Reports <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11901

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
PowerBI Embed Reports

Researcher

Peter Thaleikis

More Details >

Primary Addon for Elementor <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54314

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Primary Addon for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Property Hive Mortgage Calculator <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via price Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11940

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
Property Hive Mortgage Calculator

Researcher

Peter Thaleikis

More Details >

Property Hive Stamp Duty Calculator <= 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12465

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Property Hive Stamp Duty Calculator

Researcher

Peter Thaleikis

More Details >

Quran Phrases About Most People Shortcodes <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54334

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Quran Phrases About Most People Shortcodes

Researcher

Gab

More Details >

Radius Blocks – WordPress Gutenberg Blocks <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54272

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Radius Blocks – WordPress Gutenberg Blocks

Researcher

Gab

More Details >

Responsive Google Maps | by imbaa <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56011

Patch Status
Patched

Published
Dec 14, 2024

Affected Software
Responsive Google Maps | by imbaa

Researcher

SOPROBRO

More Details >

Restaurant & Cafe Addon for Elementor <= 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54316

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Restaurant & Cafe Addon for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Simple Locator <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12501

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Simple Locator

Researcher

yudha

More Details >

Smaily for WP <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54286

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Smaily for WP

Researcher

SOPROBRO

More Details >

Smart Agenda – Prise de rendez-vous en ligne <= 4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11781

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Smart Agenda – Prise de rendez-vous en ligne

Researcher

zaim

More Details >

Smart PopUp Blaster <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12458

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Smart PopUp Blaster

Researcher

zaim

More Details >

Social Media Shortcodes <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11871

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Social Media Shortcodes

Researcher

Peter Thaleikis

More Details >

States Map US <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12523

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
States Map US

Researcher

zakaria

More Details >

Stripe Donation <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11879

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Stripe Donation

Researcher

Peter Thaleikis

More Details >

Surbma | SalesAutopilot Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11433

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Surbma | SalesAutopilot Shortcode

Researcher

zakaria

More Details >

Tabs Maker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11865

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Tabs Maker

Researcher

Pham Van Tam

More Details >

TCBD Popover <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11751

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
TCBD Popover

Researcher

yudha

More Details >

The Permalinker <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11894

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
The Permalinker

Researcher

yudha

More Details >

Tithe.ly Giving Button <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11841

Patch Status
Unpatched

Published
Dec 9, 2024

Affected Software
Tithe.ly Giving Button

Researcher

Bob Matyas

More Details >

Top and footer bars for announcements, notifications, advertisements, promotions – YooBar <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11410

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Top and footer bars for announcements, notifications, advertisements, promotions – YooBar

Researcher

SOPROBRO

More Details >

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.126 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10784

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)

Researcher

zer0gh0st

More Details >

Utech World Time <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54441

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Utech World Time

Researcher

0xd4rk5id3

More Details >

Visualmodo Elements <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11095

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Visualmodo Elements

Researcher

Francesco Carlucci

More Details >

Web Stories <= 1.37.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54317

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Web Stories

Researcher

shinobu

More Details >

WooCommerce Cart Count Shortcode <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12517

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
WooCommerce Cart Count Shortcode

Researcher

Peter Thaleikis

More Details >

WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11766

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more

Researcher

Peter Thaleikis

More Details >

WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11765

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more

Researcher

Peter Thaleikis

More Details >

WP Crowdfunding <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11910

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
WP Crowdfunding

Researcher

theviper17y

More Details >

WP GeoNames <= 1.9.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11757

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WP GeoNames

Researcher

SOPROBRO

More Details >

Wp photo text slider 50 <= 8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11884

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Wp photo text slider 50

Researcher

theviper17y

More Details >

WP-Revive Adserver <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12461

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
WP-Revive Adserver

Researcher

zaim

More Details >

Notibar – Notification Bar for WordPress <= 2.1.4 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via njt_nofi_text

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-11012

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Notibar – Notification Bar for WordPress

Researcher

Arkadiusz Hydzik

More Details >

3D Avatar User Profile <= 1.0.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54358

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
3D Avatar User Profile

Researcher

Zlrqh

More Details >

addWeather <= 2.5.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54389

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
addWeather

Researcher

ardias

More Details >

Admin Customization <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54431

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Admin Customization

Researcher

SOPROBRO

More Details >

Advanced Fancybox <= 1.1.1 - Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54401

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Advanced Fancybox

Researcher

SOPROBRO

More Details >

AI Content Writer, RSS Feed to Post, Autoblogging SEO Help <= 6.1.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12156

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
AI Content Writer, RSS Feed to Post, Autoblogging SEO Help

Researcher

Colin Xu

More Details >

Amazon Product Price <= 1.1 - Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54439

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Amazon Product Price

Researcher

SOPROBRO

More Details >

Analytics Cat – Google Analytics Made Easy <= 1.1.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12072

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Analytics Cat – Google Analytics Made Easy

Researcher

0xd4rk5id3

More Details >

Aphorismus <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54429

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Aphorismus

Researcher

SOPROBRO

More Details >

AppMaps <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54400

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
AppMaps

Researcher

SOPROBRO

More Details >

Barcode Scanner with Inventory & Order Manager <= 1.6.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54265

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader.

Researcher

Jingle Bells

More Details >

Bootstrap Buttons <= 1.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-49677

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Bootstrap Buttons

Researcher

ardias

More Details >

BP Email Assign Templates <= 1.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12441

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
BP Email Assign Templates

Researcher

vgo0

More Details >

CarDealerPress <= 6.6.2410.02 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54325

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
CarDealerPress

Researcher

Mika

More Details >

Category of Posts <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54427

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Category of Posts

Researcher

SOPROBRO

More Details >

Check Pincode For Woocommerce <= 1.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54333

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Check Pincode For Woocommerce

Researcher

Le Ngoc Anh

More Details >

CK and SyntaxHighlighter <= 3.4.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54407

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
CK and SyntaxHighlighter

Researcher

SOPROBRO

More Details >

CleverNode Related Content <= 1.1.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54329

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
CleverNode Related Content

Researcher

Le Ngoc Anh

More Details >

Comments On Feed <= 1.2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54406

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Comments On Feed

Researcher

SOPROBRO

More Details >

Country Blocker <= 3.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11459

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Country Blocker

Researcher

vgo0

More Details >

CRUDLab Google Plus Button <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54399

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
CRUDLab Google Plus Button

Researcher

SOPROBRO

More Details >

CSV to html <= 3.04 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54275

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
CSV to html

Researcher

Le Ngoc Anh

More Details >

dejure.org Vernetzungsfunktion <= 1.97.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11417

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
dejure.org Vernetzungsfunktion

Researcher

SOPROBRO

More Details >

Device Detector <= 4.2.0 - Reflected Cross-Site Scripting via id

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56010

Patch Status
Patched

Published
Dec 14, 2024

Affected Software
Device Detector

Researcher

0xHarambeHacks

More Details >

Display Future Posts <= 0.2.3 - Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54413

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Display Future Posts

Researcher

SOPROBRO

More Details >

DTC Documents <= 1.1.05 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54418

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
DTC Documents

Researcher

thiennv

More Details >

DX Dark Site <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54337

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
DX Dark Site

Researcher

SOPROBRO

More Details >

ECT Product Carousel <= 1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54412

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
ECT Product Carousel

Researcher

SOPROBRO

More Details >

ECT Social Share <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54405

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
ECT Social Share

Researcher

SOPROBRO

More Details >

EELV Newsletter <= 4.8.2 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54430

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
EELV Newsletter

Researcher

thiennv

More Details >

Evernote Sync <= 3.0.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54422

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Evernote Sync

Researcher

ardias

More Details >

Fancy Roller Scroller <= 1.4.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54351

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Fancy Roller Scroller

Researcher

SOPROBRO

More Details >

Feedpress Generator <= 1.2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54364

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Feedpress Generator – External RSS Frontend Customizer

Researcher

thiennv

More Details >

Filestack Official <= 2.0.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11462

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Filestack Official

Researcher

vgo0

More Details >

Flaming Forms <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54398

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Flaming Forms

Researcher

SOPROBRO

More Details >

Floating Video Player <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54421

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Floating Video Player

Researcher(s): Unknown

More Details >

FloristPress <= 7.2.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54347

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
FloristPress – Customize your Woo store for your Florist

Researcher(s): Unknown

More Details >

FormFacade <= 1.3.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54301

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
FormFacade – WordPress plugin for Google Forms

Researcher

thiennv

More Details >

GeoFlickr <= 1.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54339

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
GeoFlickr

Researcher

João Pedro Soares de Alcântara

More Details >

Geoportail Shortcode <= 2.4.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54414

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Geoportail Shortcode

Researcher

SOPROBRO

More Details >

Go Animate <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54397

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Go Animate

Researcher

SOPROBRO

More Details >

Hack-Info <= 3.17 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54353

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Hack-Info

Researcher

SOPROBRO

More Details >

Hello in All Languages <= 1.0.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12572

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Hello In All Languages

Researcher

Rei Kobayashi

More Details >

hmd <= 2.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54350

Patch Status
Patched

Published
Dec 14, 2024

Affected Software
hmd

Researcher

stealthcopter

More Details >

I Plant A Tree <= 1.7.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54331

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
I Plant A Tree

Researcher

SOPROBRO

More Details >

ICDSoft Reseller Store <= 2.4.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54320

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
ICDSoft Reseller Store

Researcher

hunter85

More Details >

ImageRecycle pdf & image compression <= 3.1.16 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54266

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
ImageRecycle pdf & image compression

Researcher

thiennv

More Details >

ImmoToolBox Connect <= 1.3.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54335

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
ImmoToolBox Connect

Researcher

SOPROBRO

More Details >

Import Eventbrite Events <= 1.7.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12422

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Import Eventbrite Events

Researcher

vgo0

More Details >

Increase Sociability <= 1.3.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54395

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Increase Sociability

Researcher

SOPROBRO

More Details >

Invoice Payment for WooCommerce <= 1.7.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54328

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Invoice Payment for WooCommerce

Researcher

thiennv

More Details >

J&T Express Malaysia <= 2.0.13 - Reflected Cross-Site Scripting via [placeholder]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54305

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
J&T Express Malaysia

Researcher

João Pedro Soares de Alcântara

More Details >

jCarousel <= 1.0 - Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54437

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
jCarousel for WordPress

Researcher(s): Unknown

More Details >

Jet Footer Code <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54436

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Jet Footer Code

Researcher

SOPROBRO

More Details >

Kundgenerator <= 1.0.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54319

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Kundgenerator

Researcher

João Pedro Soares de Alcântara

More Details >

kvCORE IDX <= 2.3.35 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11723

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
kvCORE IDX

Researcher

vgo0

More Details >

LabelGrid Tools <= 1.3.58 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54341

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
LabelGrid Tools

Researcher

thiennv

More Details >

LDD Directory Lite <= 3.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54288

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
LDD Directory Lite

Researcher

Mika

More Details >

LeaderBoard Plugin <= 1.2.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54426

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
LeaderBoard Plugin

Researcher

SOPROBRO

More Details >

Library Bookshelves <= 5.8 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11359

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Library Bookshelves

Researcher

vgo0

More Details >

Like in Vk.com <= 0.5.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54424

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Like in Vk.com

Researcher

SOPROBRO

More Details >

LionScripts: Site Maintenance & Noindex Nofollow Plugin <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54425

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
LionScripts: Site Maintenance & Noindex Nofollow Plugin

Researcher

SOPROBRO

More Details >

Mandrill WP <= 1.0.5 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54394

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Mandrill WP – Email Form Under Post

Researcher

SOPROBRO

More Details >

MDC Comment Toolbar <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54404

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
MDC Comment Toolbar

Researcher

SOPROBRO

More Details >

Media Downloader <= 0.4.7.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54322

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Media Downloader

Researcher

Mika

More Details >

Multiple Admin Emails <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54388

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Multiple Admin Emails

Researcher

ardias

More Details >

MyParcel <= 4.24.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-9608

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
MyParcel

Researcher

vgo0

More Details >

Newsletter Subscriptions <= 2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11683

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Newsletter Subscriptions

Researcher

vgo0

More Details >

Onlywire Multi Autosubmitter <= 1.2.4 - Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54435

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Onlywire Multi Autosubmitter

Researcher

SOPROBRO

More Details >

Password for WP <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11419

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Password for WP

Researcher

SOPROBRO

More Details >

Persian Woocommerce SMS <= 7.0.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54312

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
افزونه پیامک ووکامرس Persian WooCommerce SMS

Researcher

minhtuanact

More Details >

phZoom <= 1.2.92 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54434

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
phZoom Plugin for WordPress

Researcher

SOPROBRO

More Details >

Planaday API <= 11.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11804

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Planaday API

Researcher

vgo0

More Details >

Posts Date Ranges <= 2.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54387

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Posts Date Ranges

Researcher

ardias

More Details >

Primer MyData for Woocommerce <= 4.2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11809

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Primer MyData for Woocommerce

Researcher

vgo0

More Details >

Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart <= 3.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54386

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart

Researcher

ardias

More Details >

Quran multilanguage Text & Audio <= 2.3.21 - Reflected Cross-Site Scripting via sourate and lang Parameters

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11973

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
Quran multilanguage Text & Audio

Researcher

vgo0

More Details >

Revi.io <= 5.7.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54299

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Revi.io – Customer & Products Reviews

Researcher

SOPROBRO

More Details >

Role Includer <= 1.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54290

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Role Includer

Researcher

thiennv

More Details >

Schema App Structured Data <= 2.2.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11279

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Schema App Structured Data

Researcher

Peter Thaleikis

More Details >

Seraphinite Bulk Discounts for WooCommerce <= 2.4.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12160

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Seraphinite Bulk Discounts for WooCommerce

Researcher

Colin Xu

More Details >

Simple Booking Widget <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54433

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Simple Booking – Widget

Researcher

SOPROBRO

More Details >

Simple Payment <= 2.3.7 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54303

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Simple Payment

Researcher

SOPROBRO

More Details >

Simple Presenter <= 1.5.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54340

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Simple Presenter

Researcher

João Pedro Soares de Alcântara

More Details >

SIP Calculator <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12555

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
SIP Calculator

Researcher

SOPROBRO

More Details >

SMSify <= 6.0.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54324

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
SMSify

Researcher

Mika

More Details >

Social Media Sharing <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54423

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Social Media Sharing

Researcher

SOPROBRO

More Details >

SOPA Blackout <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54410

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
SOPA Blackout

Researcher

SOPROBRO

More Details >

Staggs Product Configurator for WooCommerce <= 2.0.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54342

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Staggs – Product Configurator Toolkit

Researcher

João Pedro Soares de Alcântara

More Details >

TagGator <= 1.54 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54390

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
TagGator

Researcher

ardias

More Details >

Travel Tour < 5.2.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11846

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
TravelTour

Researcher

Amine SAJID

More Details >

turboSMTP <= 4.6 - Reflected Cross-Site Scripting via 'page'

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12323

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
turboSMTP

Researcher

vgo0

More Details >

Ui Slider Filter By Price <= 1.1 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54419

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Ui Slider Filter By Price

Researcher

thiennv

More Details >

Ultimate Endpoints With Rest Api <= 2.2.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12260

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Ultimate Endpoints With Rest Api

Researcher

Colin Xu

More Details >

UNIVERSAM < 8.59 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54327

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
UNIVERSAM

Researcher

Zlrqh

More Details >

VForm <= 3.0.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54302

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Lifetime free Drag & Drop Contact Form Builder for WordPress VForm

Researcher

ardias

More Details >

Video & Photo Gallery for Ultimate Member <= 1.1.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12162

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Video & Photo Gallery for Ultimate Member

Researcher

Colin Xu

More Details >

Visual Recent Posts <= 1.2.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54403

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Visual Recent Posts

Researcher

SOPROBRO

More Details >

Waymark <= 1.4.1 - Reflected Cross-Site Scripting via 'content'

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12325

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
Waymark

Researcher

vgo0

More Details >

Website Toolbox Community <= 2.0.1 - Reflected Cross-Site Scripting via websitetoolbox_username

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12338

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Website Toolbox Community

Researcher

vgo0

More Details >

WordPress Filter <= 1.4.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54391

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
WordPress Filter

Researcher

ardias

More Details >

WordPress HelpDesk & Support Ticket System Plugin – Octrace Support <= 1.2.7 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54274

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
WordPress HelpDesk & Support Ticket System Plugin – Octrace Support

Researcher

hunter85

More Details >

WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More <= 2.5.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12411

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More

Researcher

vgo0

More Details >

WP Controller <= 3.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54411

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
WP Controller

Researcher

SOPROBRO

More Details >

WP Currency Exchange Rates <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54332

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WP Currency Exchange Rates

Researcher

SOPROBRO

More Details >

WP Fiddle <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54393

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
WP Fiddle

Researcher

SOPROBRO

More Details >

WP Flipkart Importer <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54432

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
WP Flipkart Importer

Researcher

SOPROBRO

More Details >

WP Log Action <= 0.51 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
Unknown

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
WP Log Action

Researcher(s): Unknown

More Details >

Wp Login with Ajax <= 0.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54416

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Wp Login with Ajax

Researcher

SOPROBRO

More Details >

WP Pipes <= 1.4.1 - Reflected Cross-Site Scripting via x1 Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12283

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
WP Pipes

Researcher

vgo0

More Details >

WP Quick Shop <= 1.3.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54344

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WP Quick Shop

Researcher

thiennv

More Details >

WP Service Payment Form With Authorize.net <= 2.6.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12258

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
WP Service Payment Form With Authorize.net

Researcher

Colin Xu

More Details >

WP-Ban-User <= 1.0 - Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54440

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
WP-Ban-User

Researcher

SOPROBRO

More Details >

WP-HideThat <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54415

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
WP-HideThat

Researcher

SOPROBRO

More Details >

WPC Order Notes for WooCommerce <= 1.5.2 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12004

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
WPC Order Notes for WooCommerce

Researcher

vgo0

More Details >

WP微信机器人 <= 5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54392

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
WP微信机器人

Researcher

SOPROBRO

More Details >

XPD Reduce Image Filesize <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-54409

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
XPD Reduce Image Filesize

Researcher

SOPROBRO

More Details >

Car Dealer <= 4.46 - Missing Authorization

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-54298

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Car Dealer (Dealership) and Vehicle sales

Researcher

Jingle Bells

More Details >

GEO my WordPress <= 4.5.0.4 - Missing Authorization via get_field_options_ajax

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-54326

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
GEO my WP

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Metrika <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-54420

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Metrika

Researcher

SOPROBRO

More Details >

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.16.4 - Authenticated (Subscriber+) HTML File Upload (Stored Cross-Site Scripting)

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12042

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
MStore API – Create Native Android & iOS Apps On The Cloud

Researcher

shaman0x01

More Details >

Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder <= 1.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-10583

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Researcher

zer0gh0st

More Details >

SVG Shortcode <= 1.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12574

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
SVG Shortcode

Researcher

Pierre Rudloff

More Details >

Accept Stripe Payments Using Contact Form 7 <= 2.5 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12255

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Accept Stripe Payments Using Contact Form 7

Researcher

Joshua Chan

More Details >

Banner System <= 1.0.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-54359

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Banner System

Researcher

ghsinfosec

More Details >

Dreamfox Media Payment gateway per Product for Woocommerce <= 3.5.6 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-55996

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Payment Gateway Per Product for WooCommerce

Researcher

Mika

More Details >

Gou Manage My Account Menu <= 1.0.1.8 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-54310

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Gou Manage My Account Menu – User Roles

Researcher

Mika

More Details >

Job Board Manager <= 2.1.60 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-55993

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Job Board Manager

Researcher

Mika

More Details >

Ksher <= 1.1.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-56001

Patch Status
Patched

Published
Dec 14, 2024

Affected Software
Ksher

Researcher

Mika

More Details >

Last Viewed Posts by WPBeginner <= 1.0.1 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12294

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
Last Viewed Posts by WPBeginner

Researcher

Francesco Carlucci

More Details >

LearnPress – WordPress LMS Plugin <= 4.2.7.3 - Course Material Sensitive Information Exposure via REST API

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11868

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
LearnPress – WordPress LMS Plugin

Researcher

abrahack

More Details >

Members <= 3.2.10 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11008

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
Members – Membership & User Role Editor Plugin

Researcher

Francesco Carlucci

More Details >

Minify HTML <= 2.1.10 - - Regular Expressions Denial of Service

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12579

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Minify HTML

Researcher

Pierre Rudloff

More Details >

Order Delivery & Pickup Location Date Time ( Free Version ) <= 1.1.0 - Missing Authorization to Unauthenticated Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-55997

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Order Delivery & Pickup Location Date Time ( Free Version )

Researcher

Mika

More Details >

PixProof <= 2.0.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-54417

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
PixProof – Easy Photo Proofing for Photographers

Researcher

Marek Mikita

More Details >

Rate My Post – Star Rating Plugin by FeedbackWP <= 4.2.4 - Unauthenticated Voting On Scheduled Posts

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12309

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Rate My Post – Star Rating Plugin by FeedbackWP

Researcher

HayMiz

More Details >

Restrict – membership, site, content and user access restrictions for WordPress <= 2.2.8 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11351

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
Restrict – membership, site, content and user access restrictions for WordPress

Researcher

Francesco Carlucci

More Details >

Simple Restrict <= 1.2.7 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11106

Patch Status
Patched

Published
Dec 9, 2024

Affected Software
Simple Restrict

Researcher

Francesco Carlucci

More Details >

Tickera – WordPress Event Ticketing <= 3.5.4.8 - Unauthenticated Customer Data Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12578

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Tickera – WordPress Event Ticketing

Researcher

Aaron Schlitt

More Details >

Vimeography <= 2.4.4 - Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-54366

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Vimeography: Vimeo Video Gallery WordPress Plugin

Researcher(s): Unknown

More Details >

Web3 Cryptocurrency Payments by DePay for WooCommerce <= 2.12.17 - Missing Authorization to Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12265

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Web3 Crypto Payments by DePay for WooCommerce

Researcher

Tieu Pham Trong Nhan

More Details >

WP Job Portal <= 2.2.2 - Missing Authorization to Unauthenticated Arbitrary Resume Download

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11712

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

thevietronin

More Details >

WP-NERD Toolkit <= 1.1 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-54279

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
WP-NERD Toolkit

Researcher

Joshua Chan

More Details >

XML Multilanguage Sitemap Generator <= 2.0.6 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-55999

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
XML Multilanguage Sitemap Generator

Researcher

Mika

More Details >

SeedProd Pro <= 6.18.10 - Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-54284

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
SeedProd Pro

Researcher

Jingle Bells

More Details >

SeedProd Pro <= 6.18.10 - Authenticated (Editor+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-54283

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
SeedProd Pro

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-11710

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

thevietronin

More Details >

WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection via getFieldsForVisibleCombobox()

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-11714

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

thevietronin

More Details >

WP Job Portal <= 2.2.2 - Authenticated (Admin+) SQL Injection via wpjobportal_deactivate()

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-11713

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researchers

Nhien Pham (nhienit)

thevietronin

More Details >

WP Job Portal <= 2.2.2 - Missing Authorization to Limited Privilege Escalation

4.8

CVSS Rating
Medium (4.8)

CVE-ID
CVE-2024-11715

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

thevietronin

More Details >

360 Javascript Viewer <= 1.7.29 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-12271

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
360 Javascript Viewer

Researcher

Yamil

More Details >

Better WP Login Page <= 1.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-54442

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Better WP Login Page

Researcher

I8BL

More Details >

bodi0’s Easy Cache <= 0.8 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-12628

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
bodi0`s Easy cache

Researcher

Lokesh Dachepalli

More Details >

Cryptocurrency Price Widget <= 1.2.3 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-54308

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Cryptocurrency Price Widget

Researcher

Jingle Bells

More Details >

NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar <= 2.9.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-11727

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar

Researcher

Nguyen Khanh Hao

More Details >

Add image to Post <= 0.6 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54428

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Add image to Post

Researcher

SOPROBRO

More Details >

Advance Menu Manager <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Change

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54381

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Advance Menu Manager

Researcher

stealthcopter

More Details >

AI Post Generator | AutoWriter <= 3.5 - Missing Authorization to Authenticated (Contributor+) Post/Page Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11709

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
AI Post Generator | AutoWriter

Researcher

Brian Sans-Souci (liardom)

More Details >

AIcomments <= 1.4.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54307

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
AIcomments – комментарии и отзывы ChatGPT

Researcher

Dhabaleshwar Das

More Details >

AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot <= 1.6.2 - Cross-Site Request Forgery via update_integration_option

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54306

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot

Researcher

Dhabaleshwar Das

More Details >

Arabic Webfonts <= 1.4.6 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54402

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Arabic Webfonts

Researcher

Marek Mikita

More Details >

Arena.IM – Live Blogging for real-time events <= 0.3.0 - Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12526

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Arena.IM – Live Blogging for real-time events

Researcher

Peter Thaleikis

More Details >

AutoWP <= 2.0.8 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54300

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
AutoWP – AI Content Writer & Rewriter

Researcher

Dhabaleshwar Das

More Details >

Avada <= 7.11.10 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54357

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Avada | Website Builder For WordPress & WooCommerce

Researcher

Ananda Dhakal

More Details >

Awesome Support <= 6.3.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54289

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Awesome Support – WordPress HelpDesk & Support Plugin

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Bet sport Free <= 1.0.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54396

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Bet sport Free

Researcher

thiennv

More Details >

Caldera SMTP Mailer <= 1.0.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56003

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Caldera SMTP Mailer

Researcher

Mika

More Details >

Child Theme Creator by Orbisius <= 1.5.5 - Missing Authorization to Authenticated (Subscriber+) Cloud Snippet Update/Delete

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12263

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Child Theme Creator by Orbisius

Researcher

Tieu Pham Trong Nhan

More Details >

CM Answers <= 3.2.6 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54267

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
CM Answers – Powerful WordPress Forum Plugin

Researcher

Muhammad Zidan Ali Mansur

More Details >

Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Whitelist Script

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11724

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent

Researcher

Tieu Pham Trong Nhan

More Details >

Custom Skins Contact Form 7 <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update and Skin Creation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12341

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
Custom Skins Contact Form 7

Researcher

Lucio Sá

More Details >

Easy Site Importer <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Settings Change

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56004

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Easy Site Importer

Researcher

Mika

More Details >

ElementInvader Addons for Elementor <= 1.3.1 - Missing Authorization to Arbitrary Options Read

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12059

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
ElementInvader Addons for Elementor

Researcher

Francesco Carlucci

More Details >

Essential Real Estate <= 5.1.6 - Missing Authorization to Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12329

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Essential Real Estate

Researcher

Noah Stead (TurtleBurg)

More Details >

Falcon – WordPress Optimizations & Tweaks <= 2.8.3 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54384

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Falcon – WordPress Optimizations & Tweaks

Researcher

Abdi Pranata

More Details >

Get Post Content Shortcode <= 0.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_content Shortcode

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12447

Patch Status
Unpatched

Published
Dec 13, 2024

Affected Software
Get Post Content Shortcode

Researcher

Francesco Carlucci

More Details >

Greenshift – animation and page builder blocks <= 9.9.9.3 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11181

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Greenshift – animation and page builder blocks

Researcher

Brian Sans-Souci (liardom)

More Details >

Hash Form <= 1.2.1 - Missing Authorization to Authenticated (Contributor+) Form Style Creation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12201

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Hash Form – Drag & Drop Form Builder

Researcher

Noah Stead (TurtleBurg)

More Details >

Hive Support – WordPress Help Desk <= 1.1.2 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54321

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Researcher

hunter85

More Details >

Leader <= 2.6.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56007

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
Leader

Researcher

Mika

More Details >

Mark New Posts <= 7.5.1 - Missing Authorization via save_options

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54311

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Mark New Posts

Researcher

Jingle Bells

More Details >

New User Approve <= 2.6.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54323

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
New User Approve

Researcher

SavPhill (Savphill)

More Details >

News Ticker for Elementor <= 2.1.3 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54278

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
News Ticker for Elementor

Researcher

Marek Mikita

More Details >

Notibar <= 2.1.4 - Missing Authorization via ajax_install_plugin

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54269

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Notibar – Notification Bar for WordPress

Researcher

Jingle Bells

More Details >

Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54356

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Online Booking & Scheduling Calendar for WordPress by vcita

Researcher

Marek Mikita

More Details >

PostBox <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Log Export

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54309

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WP Email Log – PostBox

Researcher

Mika

More Details >

Posti Shipping <= 3.10.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56005

Patch Status
Patched

Published
Dec 14, 2024

Affected Software
Posti Shipping

Researcher

thiennv

More Details >

Shortcodes for Elementor <= 1.0.4 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10690

Patch Status
Patched

Published
Dec 13, 2024

Affected Software
Shortcodes for Elementor

Researcher

Francesco Carlucci

More Details >

SiteOrigin Widgets Bundle <= 1.64.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54268

Patch Status
Patched

Published
Dec 10, 2024

Affected Software
SiteOrigin Widgets Bundle

Researcher

Rafie Muhammad

More Details >

Snippet Shortcodes <= 4.1.6 - Authenticated (Subscriber+) Shortcode Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12018

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Snippet Shortcodes

Researcher

theviper17y

More Details >

Termin-Kalender <= 0.99.47 - Missing Authorization to Authenticated (Subscriber+)

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54354

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Termin-Kalender

Researcher

SOPROBRO

More Details >

Themify Store Locator <= 1.1.9 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12414

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
Themify Store Locator

Researcher

Peter Thaleikis

More Details >

WooCommerce Basic Ordernumbers <= 1.4.4 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-55992

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
WooCommerce Basic Ordernumbers

Researcher

Mika

More Details >

WP Crowdfunding <= 2.1.12 - Missing Authorization to Authenticated (Subscriber+) WooCommerce Installation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11911

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
WP Crowdfunding

Researcher

Tieu Pham Trong Nhan

More Details >

WP Mailster <= 1.8.17.0 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54355

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
WP Mailster

Researcher

Dhabaleshwar Das

More Details >

WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11275

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin

Researcher

Thanh Nam Tran

More Details >

WPCargo Track & Trace <= 7.0.6 - Missing authorization to Authenticated (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54271

Patch Status
Unpatched

Published
Dec 11, 2024

Affected Software
WPCargo Track & Trace

Researcher

Mika

More Details >

Youtube Video Grid <= 1.9 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54408

Patch Status
Unpatched

Published
Dec 12, 2024

Affected Software
Youtube Video Grid | Youmax

Researcher

thiennv

More Details >

畅言评论系统 <= 2.0.5 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-55994

Patch Status
Unpatched

Published
Dec 14, 2024

Affected Software
畅言评论系统

Researcher

Mika

More Details >

AR for WordPress <= 7.3 - Missing Authorization to Unauthenticated Limited File Upload

3.7

CVSS Rating
Low (3.7)

CVE-ID
CVE-2024-12300

Patch Status
Patched

Published
Dec 12, 2024

Affected Software
AR for WordPress

Researcher

cc

More Details >

Bold Page Builder <= 5.1.5 - Authenticated (Editor+) Path Traversal

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2024-54382

Patch Status
Patched

Published
Dec 11, 2024

Affected Software
Bold Page Builder

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >