CVE-2024-10578 – Pubnews <= 1.0.7 - Unauthenticated Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2024-10578
05 Dec 2024 — The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnews_importer_plugin_action_for_notice() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins that can be leveraged to exploit other vulnerabilities. • https://themes.trac.wordpress.org/browser/pubnews/1.0.7/inc/admin/admin.php#L1017 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-9541 – News Kit Elementor Addons <= 1.2.1 - Authenticated (Contributor+) Sensitive Information Exposure via Canvas Menu Elementor Template
https://notcve.org/view.php?id=CVE-2024-9541
21 Oct 2024 — The News Kit Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the render function in includes/widgets/canvas-menu/canvas-menu.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data. • https://plugins.trac.wordpress.org/changeset/3169975/news-kit-elementor-addons • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-37198 – WordPress Digital Newspaper theme <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37198
20 Jun 2024 — Cross-Site Request Forgery (CSRF) vulnerability in blazethemes Digital Newspaper. This issue affects Digital Newspaper: from n/a through 1.1.5. The Digital Newspaper theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on a function. • https://patchstack.com/database/vulnerability/digital-newspaper/wordpress-digital-newspaper-theme-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-1587 – Newsmatic <= 1.3.4 - Unauthenticated Information Exposure via newsmatic_filter_posts_load_tab_content
https://notcve.org/view.php?id=CVE-2024-1587
25 Mar 2024 — The Newsmatic theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.0 via the 'newsmatic_filter_posts_load_tab_content'. This makes it possible for unauthenticated attackers to view draft posts and post content. • https://themes.trac.wordpress.org/browser/newsmatic/1.3.0/inc/template-functions.php#L634 • CWE-862: Missing Authorization