CVE-2024-6720 – Light Poll <= 1.0.0 - Poll Answers Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-6720
15 Jul 2024 — The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. The Light Poll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. • https://wpscan.com/vulnerability/d1449be1-ae85-46f4-b5ba-390d25b87723 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-6457 – HUSKY - Products Filter Professional for WooCommerce <= 1.3.6 - Unauthenticated Time-Based SQL Injection
https://notcve.org/view.php?id=CVE-2024-6457
15 Jul 2024 — The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'woof_author' parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://www.wordfence.com/threat-intel/vulnerabilities/id/ecfdf7b1-9bb8-4c1d-a00a-ca1e44440cab?source=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-1845 – VikRentCar Car Rental Management System < 1.3.2 - Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-1845
11 Jul 2024 — The VikRentCar Car Rental Management System WordPress plugin before 1.3.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. The VikRentCar Car Rental Man... • https://wpscan.com/vulnerability/a8d7b564-36e0-4f05-9b49-1b441f453d0a • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-38759 – WordPress Search & Replace plugin <= 3.2.2 - Deserialization of untrusted data vulnerability
https://notcve.org/view.php?id=CVE-2024-38759
11 Jul 2024 — The Search & Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.2 via deserialization of untrusted input. • https://patchstack.com/database/vulnerability/search-and-replace/wordpress-search-replace-plugin-3-2-2-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data
CVE-2024-6328 – MStore API – Create Native Android & iOS Apps On The Cloud <= 4.14.7 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-6328
11 Jul 2024 — The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. ... • https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L699 • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2024-6397 – InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.44 - Authentication Bypass to Admin
https://notcve.org/view.php?id=CVE-2024-6397
10 Jul 2024 — The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. ... • https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256 • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2024-6624 – JSON API User <= 3.9.3 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-6624
10 Jul 2024 — The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. ... • https://github.com/RandomRobbieBF/CVE-2024-6624 • CWE-269: Improper Privilege Management
CVE-2024-37555 – WordPress Generate PDF using Contact Form 7 plugin <= 4.0.6 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-37555
09 Jul 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7. This issue affects Generate PDF using Contact Form 7: from n/a through 4.0.6. • https://patchstack.com/database/vulnerability/generate-pdf-using-contact-form-7/wordpress-generate-pdf-using-contact-form-7-plugin-4-0-6-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-37933 – WordPress Woocommerce OpenPos plugin <= 6.4.4 - Unauthenticated SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-37933
09 Jul 2024 — The Woocommerce OpenPos plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 6.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/woocommerce-openpos/wordpress-woocommerce-openpos-plugin-6-4-4-unauthenticated-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-5765 – WpStickyBar <= 2.1.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2024-5765
09 Jul 2024 — The WpStickyBar WordPress plugin through 2.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The WpStickyBar – Sticky Bar, Sticky Header plugin for WordPress is vulnerable to SQL Injection via the 'banner_id' parameter of the 'stickybar_display' AJAX action in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of suf... • https://wpscan.com/vulnerability/0b73f84c-611e-4681-b362-35e721478ba4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')