CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24934 – WordPress Elementor plugin <= 3.19.0 - Arbitrary File Deletion and Phar Deserialization vulnerability
https://notcve.org/view.php?id=CVE-2024-24934
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Manipulating Web Input to File System Calls.This issue affects Elementor Website Builder: from n/a through 3.19.0. La limitación incorrecta de un nombre de ruta a una vulnerabilidad de directorio restringido ("Path Traversal") en Elementor Elementor Website Builder permite manipular la entrada web en llamadas al sistema de archivos. Este problema afecta a Elementor Website Builder: desde n/a hasta 3.19.0. The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to arbitrary file deletions and PHAR deserialization in version up to, and including 3.19.0. This is due to the plugin not providing sufficient path validation on the 'tmp_name' parameter . • https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-19-0-arbitrary-file-deletion-and-phar-deserialization-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0835 – Royal Elementor Kit <= 1.0.116 - Missing Authorization to Arbitrary Transient Update
https://notcve.org/view.php?id=CVE-2024-0835
The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissed_handler function in all versions up to, and including, 1.0.116. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to true and not arbitrary values. El tema Royal Elementor Kit para WordPress es vulnerable a actualizaciones transitorias arbitrarias no autorizadas debido a una falta de verificación de capacidad en la función dismissed_handler en todas las versiones hasta la 1.0.116 incluida. Esto hace posible que atacantes autenticados, con acceso de suscriptor o superior, actualicen transitorios arbitrarios. • https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=216524%40royal-elementor-kit&new=216524%40royal-elementor-kit&sfp_email=&sfph_mail= https://wordpress.org/themes/royal-elementor-kit https://www.wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2c1-77b12a2b1a2c?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24833 – WordPress Happy Addons for Elementor plugin <= 3.10.1 - Broken Access Control on Post Clone vulnerability
https://notcve.org/view.php?id=CVE-2024-24833
Missing Authorization vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.10.1. Vulnerabilidad de autorización faltante en Leevio Happy Addons para Elementor. Este problema afecta a Happy Addons para Elementor: desde n/a hasta 3.10.1. The Happy Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the add_row_actions() function in versions up to, and including, 3.10.1. This makes it possible for authenticated attackers, with contributor-level access and above, to clone arbitrary posts, including password protected posts which may allow them to access the restricted posts content. • https://patchstack.com/database/vulnerability/happy-elementor-addons/wordpress-happy-addons-for-elementor-plugin-3-10-1-broken-access-control-on-post-clone-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23511 – The Plus Addons for Elementor <= 5.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-23511
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52214 – WordPress Void Contact Form 7 Widget For Elementor Page Builder plugin <= 2.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-52214
Missing Authorization vulnerability in voidCoders Void Contact Form 7 Widget For Elementor Page Builder.This issue affects Void Contact Form 7 Widget For Elementor Page Builder: from n/a through 2.3. Vulnerabilidad de autorización faltante en el widget Void Contact Form 7 de voidCoders para Elementor Page Builder. Este problema afecta el widget Void Contact Form 7 para Elementor Page Builder: desde n/a hasta 2.3. The Void Contact Form 7 Widget For Elementor Page Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions in the /helper/helper.php file in versions up to, and including, 2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices and retrieve contact form data. • https://patchstack.com/database/vulnerability/cf7-widget-elementor/wordpress-void-contact-form-7-widget-for-elementor-page-builder-plugin-2-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •