CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 2CVE-2024-11396 – Event monster <= 1.4.3 - Information Exposure Via Visitors List Export
https://notcve.org/view.php?id=CVE-2024-11396
13 Jan 2025 — The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.3 via the Visitors List Export file. During the export, a CSV file is created in the wp-content folder with a hardcoded filename that is publicly accessible. This makes it possible for unauthenticated attackers to extract data about event visitors, that includes first and last names, email, and phone number. WordPress Event Monster plugin ... • https://packetstorm.news/files/id/188663 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6262 – Portfolio Gallery – Image Gallery Plugin <= 1.6.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-6262
26 Jun 2024 — The Portfolio Gallery – Image Gallery Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PFG' shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Portfolio Gallery – Image ... • https://plugins.trac.wordpress.org/browser/portfolio-filter-gallery/trunk/lightbox/ld-lightbox/js/lightbox.js • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5613 – Formula <= 0.5.1 - Reflected Cross-Site Scripting via quality_customizer_notify_dismiss_action
https://notcve.org/view.php?id=CVE-2024-5613
07 Jun 2024 — The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'quality_customizer_notify_dismiss_action' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El tema Formula para WordPress es vulnerable... • https://themes.trac.wordpress.org/browser/formula/0.5.1/inc/customizer/customizer-notice/formula-customizer-notify.php?rev=229770#L143 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5638 – Formula <= 0.5.1 - Reflected Cross-Site Scripting via ti_customizer_notify_dismiss_recommended_plugins
https://notcve.org/view.php?id=CVE-2024-5638
07 Jun 2024 — The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'ti_customizer_notify_dismiss_recommended_plugins' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El tema Formula para WordPress es vu... • https://themes.trac.wordpress.org/browser/formula/0.5.1/inc/customizer/customizer-notice/formula-customizer-notify.php?rev=229770#L184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1896 – Photo Gallery <= 1.4.2 - Authenticated(Contributor+) PHP Object Injection via Shortcode
https://notcve.org/view.php?id=CVE-2024-1896
29 Apr 2024 — The Photo Gallery – Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.1 via deserialization via shortcode of untrusted input from the 'awl_lg_settings_' attribute. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional pl... • https://plugins.trac.wordpress.org/browser/new-photo-gallery/tags/1.4.0/shortcode.php • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1895 – Event Monster <= 1.3.9 - Authenticated(Contributor+) PHP Object Injection via Custom Meta
https://notcve.org/view.php?id=CVE-2024-1895
29 Apr 2024 — The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.4 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it coul... • https://plugins.trac.wordpress.org/browser/event-monster/tags/1.3.3/shortcode.php • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1897 – Grid Gallery – Photo Image Grid Gallery <= 1.4.3 - Authenticated (Contributor+) PHP Object Injection via shortcode
https://notcve.org/view.php?id=CVE-2024-1897
29 Apr 2024 — The Grid Gallery – Photo Image Grid Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization via shortcode of untrusted input from the awl_gg_settings_ meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the at... • https://plugins.trac.wordpress.org/browser/new-grid-gallery/tags/1.4.0/grid-gallery-shortcode.php • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2008 – Modal Popup Box – Popup Builder, Show Offers And News in Popup <= 1.5.2 - Authenticated (Contributor+) PHP Object Injection in awl_modal_popup_box_shortcode
https://notcve.org/view.php?id=CVE-2024-2008
03 Apr 2024 — The Modal Popup Box – Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of untrusted input in the awl_modal_popup_box_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary... • https://github.com/bigb0x/CVE-2024-6387 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1859 – Slider Responsive Slideshow – Image slider, Gallery slideshow <= 1.3.8 - Authenticated (Contributor+) PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-1859
29 Feb 2024 — The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awl_slider_responsive_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the targe... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3041884%40slider-responsive-slideshow&new=3041884%40slider-responsive-slideshow&sfp_email=&sfph_mail= • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1475 – Coming Soon Maintenance Mode <= 1.0.5 - Information Exposure
https://notcve.org/view.php?id=CVE-2024-1475
19 Feb 2024 — The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content thus bypassing the protection provided by the plugin. El complemento Coming Soon Maintenance Mode para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 1.0.5 incluida, a través de la API REST. Esto hace posible q... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3037910%40coming-soon-maintenance-mode%2Ftrunk&old=3031487%40coming-soon-maintenance-mode%2Ftrunk&sfp_email=&sfph_mail= • CWE-284: Improper Access Control •