CVE-2024-9106 – Wechat Social login <= 1.3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-9106
30 Sep 2024 — The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. ... • https://github.com/RandomRobbieBF/CVE-2024-9106 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVE-2024-9108 – Wechat Social login <= 1.3.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9108
30 Sep 2024 — The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. ... • https://plugins.trac.wordpress.org/browser/wechat-social-login/trunk/includes/social/class-xh-social-wp-api.php?rev=2111074#L39 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-9265 – Echo RSS Feed Post Generator <= 5.4.6 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-9265
30 Sep 2024 — The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. ... • https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974 • CWE-269: Improper Privilege Management •
CVE-2024-9289 – WordPress & WooCommerce Affiliate Program <= 8.4.1 - Authentication Bypass to Account Takeover and Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-9289
30 Sep 2024 — The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. ... • https://codecanyon.net/item/wordpress-woocommerce-affiliate-program/23580333 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVE-2024-8353 – GiveWP – Donation Plugin and Fundraising Platform <= 3.16.1 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-8353
27 Sep 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. ... Proof of concept exploit for WordPress GiveWP plugin versions up to and including 3.16.1. • https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932 • CWE-502: Deserialization of Untrusted Data •
CVE-2024-7781 – Jupiter X Core <= 4.7.5 - Limited Unauthenticated Authentication Bypass to Account Takeover
https://notcve.org/view.php?id=CVE-2024-7781
25 Sep 2024 — The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. • https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/social-login-handler/facebook.php • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVE-2024-47305 – WordPress Use Any Font plugin <= 6.3.08 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-47305
25 Sep 2024 — The Use Any Font plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.08. • https://patchstack.com/database/vulnerability/use-any-font/wordpress-use-any-font-plugin-6-3-08-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-47315 – WordPress GiveWP – Donation Plugin and Fundraising Platform plugin <= 3.15.1 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-47315
25 Sep 2024 — The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.15.1. • https://patchstack.com/database/vulnerability/give/wordpress-givewp-donation-plugin-and-fundraising-platform-plugin-3-15-1-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-8485 – REST API TO MiniProgram <= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2024-8485
24 Sep 2024 — The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7.1 via the updateUserInfo() function, due to missing validation on the user-controlled 'openid' key that determines which user will be updated. • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2024-44014 – WordPress Vmax Project Manager plugin <= 1.0 - Local File Inclusion to RCE vulnerability
https://notcve.org/view.php?id=CVE-2024-44014
24 Sep 2024 — The Vmax Project Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. • https://patchstack.com/database/vulnerability/vmax-project-manager/wordpress-vmax-project-manager-plugin-1-0-local-file-inclusion-to-rce-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •