CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10910 – Grid Plus – Unlimited grid layout <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via grid_plus_load_by_category
https://notcve.org/view.php?id=CVE-2024-10910
The The Grid Plus – Unlimited grid layout plugin for WordPress is vulnerable to arbitrary shortcode execution via grid_plus_load_by_category AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/grid-plus/tags/1.3.5/core/ajax_fe.php#L19 https://wordpress.org/plugins/grid-plus/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/266032a8-a139-4a14-8eda-8be7a66357df?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12329 – Essential Real Estate <= 5.1.6 - Missing Authorization to Authenticated (Contributor+) Information Exposure
https://notcve.org/view.php?id=CVE-2024-12329
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3204549%40essential-real-estate&new=3204549%40essential-real-estate&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/fa5b1bf3-344e-4ae6-87b9-2dcaafd417a5?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10329 – Ultimate Bootstrap Elements for Elementor <= 1.4.6 - Authenticated (Contributor+) Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-10329
The Ultimate Bootstrap Elements for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.6 via the 'ube_get_page_templates' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the contents of templates that are private. • https://plugins.trac.wordpress.org/browser/ultimate-bootstrap-elements-for-elementor/trunk/inc/functions/core.php#L239 https://plugins.trac.wordpress.org/changeset/3176562 https://www.wordfence.com/threat-intel/vulnerabilities/id/3af83ec2-9ebb-4cca-8523-8fe9b1517825?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4274 – Essential Real Estate <= 4.4.2 - Insecure Direct Object Reference to Arbitrary Attachment Deletion
https://notcve.org/view.php?id=CVE-2024-4274
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments. El complemento Essential Real Estate para WordPress es vulnerable a la pérdida no autorizada de datos debido a una validación insuficiente de la función remove_property_attachment_ajax() en todas las versiones hasta la 4.4.2 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen archivos adjuntos arbitrarios. • https://plugins.trac.wordpress.org/browser/essential-real-estate/trunk/public/partials/property/class-ere-property.php#L28 https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc41eb7-5c9a-4a67-902d-9a855840668b?source=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4273 – Essential Real Estate <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2024-4273
The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Essential Real Estate para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del código corto 'ere_property_map' del complemento en todas las versiones hasta la 4.4.2 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://wordpress.org/plugins/essential-real-estate https://www.wordfence.com/threat-intel/vulnerabilities/id/c62ec31a-55e9-4404-b860-fa9a51ba3d3f?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •