CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9416 – Modula Image Gallery <= 2.10.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox 5 JavaScript Library
https://notcve.org/view.php?id=CVE-2024-9416
02 Apr 2025 — The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions <= 5.0.36) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset/3160235/modula-best-grid-gallery • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6261 – Image Photo Gallery Final Tiles Grid <= 3.6.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-6261
26 Feb 2025 — The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'FinalTilesGallery' shortcode in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/trunk/lightbox/lightbox2/js/script.js • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12853 – Modula Image Gallery <= 2.11.10 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-12853
07 Jan 2025 — The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3218127%40modula-best-grid-gallery&new=3218127%40modula-best-grid-gallery&sfp_email=&sfph_mail= • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12711 – RSVP and Event Management <= 2.7.13 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-12711
06 Jan 2025 — The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questions() in all versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to delete questions and attendees and for authenticated users to update question menu orders. El complemento RSVP y Event Management para WordPress es vulnerable al acceso no autorizado debido a una verificac... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3216473%40rsvp&new=3216473%40rsvp&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11282 – Passster – Password Protect Pages and Content <= 4.2.10 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-11282
06 Jan 2025 — The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. El complemento Passster – Password Protect Pages y Content para WordPress es vulnerable a la exposición de información confidencial en todas las ver... • https://plugins.trac.wordpress.org/changeset/3211004/content-protector • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11106 – Simple Restrict <= 1.2.7 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-11106
09 Dec 2024 — The Simple Restrict plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.7 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. • https://plugins.trac.wordpress.org/changeset/3198971/simple-restrict • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10399 – Download Monitor <= 5.0.13 - Missing Authorization to Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-10399
29 Oct 2024 — The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users. El complemento Download Monitor para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función aja... • https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.13/src/KeyGeneration/class-dlm-key-generation.php#L266 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10092 – Download Monitor <= 5.0.12 - Missing Authorization to API Key Manipulation
https://notcve.org/view.php?id=CVE-2024-10092
25 Oct 2024 — The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones. • https://www.wordfence.com/threat-intel/vulnerabilities/id/f1e50d8c-e61c-4e94-b5e8-b24832dc24b6?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8552 – Download Monitor <= 5.0.9 - Missing Authorization to Authenticated (Subscriber+) Shop Enable
https://notcve.org/view.php?id=CVE-2024-8552
25 Sep 2024 — The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality. • https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.8/src/AjaxHandler.php#L317 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6571 – Optimize Images ALT Text (alt tag) & names for SEO using AI <= 3.1.1 - Unauthenticated Full Path Disclosure
https://notcve.org/view.php?id=CVE-2024-6571
23 Jul 2024 — The Optimize Images ALT Text (alt tag) & names for SEO using AI plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.1.1. This is due the plugin utilizing cocur and not preventing direct access to the generate-default.php file. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be pr... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3122915%40imageseo&new=3122915%40imageseo&sfp_email=&sfph_mail= • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •