
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Nov 2024 — Missing Authorization vulnerability in QuantumCloud Floating Buttons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Floating Buttons for WooCommerce: from n/a through 2.8.8. The Floating Buttons for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.8.8. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/vulnerability/shop-assistant-for-woocommerce-jarvis/wordpress-floating-buttons-for-woocommerce-plugin-2-8-8-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

01 Nov 2024 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in David Lingren Media Library Assistant allows Command Injection. This issue affects Media Library Assistant: from n/a through 3.19. The Media Library Assistant plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.19. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/media-library-assistant/wordpress-media-library-assistant-plugin-3-19-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 May 2024 — A vulnerability has been discovered in Diño Physics School Assistant version 2.3. The vulnerability affects unidentified code in the file /classes/Master.php?f=view_item. Manipulating the argument id can result in SQL injection. A vulnerability has been discovered in version 2.3 of Diño Physics School Assistant. • https://vuln.pentester.stream/pentester-vulnerability-research/post/2298737/vuln15-blind-sql-injection-time-based • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 May 2024 — A vulnerability has been discovered in Diño Physics School Assistant version 2.3. The vulnerability affects unidentified code in the file /admin/category/view_category.php. Manipulating the argument id can result in SQL injection. A vulnerability has been discovered in version 2.3 of Diño Physics School Assistant. The vulnerability affects unidentified code in the file /admin/category/view_category.php. • https://vuln.pentester.stream/pentester-vulnerability-research/post/2298565/vuln4-blind-sql-injection-time-based • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Apr 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Fastline Media LLC Assistant – Every Day Productivity Apps. This issue affects Assistant – Every Day Productivity Apps: from n/a through 1.4.9.1. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Fastline Media LLC Assistant – Every Day Productivity Apps. This issue affects Assistant – Every Day Productivity Apps: from n/a through 1.4.9.1. The Assistant – Every Day Producti... • https://patchstack.com/database/vulnerability/assistant/wordpress-assistant-every-day-productivity-apps-plugin-1-4-9-1-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Apr 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodeIsAwesome AIKit. This issue affects AIKit: from n/a through 4.14.1. The AIKit plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.14.1 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional ... • https://patchstack.com/database/vulnerability/aikit-wordpress-ai-writing-assistant-using-gpt3/wordpress-codeisawesome-aikit-plugin-4-14-1-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Dec 2023 — Home Assistant is open source home automation software. Prior to version 2023.12.3, the login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Version 2023.12.3 contains a patch for this issue. When starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network. Tests showed that this occurs when the request is not authenticated and the request origin... • https://github.com/home-assistant/core/commit/dbfc5ea8f96bde6cd165892f5a6a6f9a65731c76 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Oct 2023 — Home Assistant is open source home automation software. The audit team’s analyses confirmed that the `redirect_uri` and `client_id` parameters are alterable when logging in. Consequently, the code parameter used to fetch the `access_token` after authentication will be sent to the URL specified in those parameters. Since an arbitrary URL is permitted and `homeassistant.local` is the preferred, default domain likely used and trusted by many users, an attacker could leverage this weakness to manipulate ... • https://github.com/home-assistant/core/security/advisories/GHSA-qhhj-7hrc-gqj5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Oct 2023 — Home Assistant is open source home automation software. The assessment verified that webhooks available in the webhook component can be triggered via the `*.ui.nabu.casa` URL without authentication, even when the webhook is marked as "Only accessible from the local network". This issue is facilitated by the SniTun proxy, which sets the source address to 127.0.0.1 on all requests sent to the public URL and forwarded to the local Home Assistant instance. This issue has been addressed in version 2023.9.0 and all users are advis... • https://github.com/home-assistant/core/security/advisories/GHSA-wx3j-3v2j-rf45 • CWE-669: Incorrect Resource Transfer Between Spheres •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Oct 2023 — Home Assistant is open source home automation software. The Home Assistant login page allows users to use their local Home Assistant credentials to log in to another website that specifies the `redirect_uri` and `client_id` parameters. Although the `redirect_uri` validation typically ensures that it matches the `client_id` and that the scheme is either `http` or `https`, Home Assistant will fetch the `client_id` and check for `` HTML tags on the page. These URLs are not sub... • https://github.com/home-assistant/core/security/advisories/GHSA-jvxq-x42r-f7mv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •