Total
3170 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-50052 | 2024-10-29 | N/A | 4.3 MEDIUM | ||
| Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post. | |||||
| CVE-2024-50476 | 2024-10-29 | N/A | 9.8 CRITICAL | ||
| Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular allows Privilege Escalation.This issue affects GRÜN spendino Spendenformular: from n/a through 1.0.1. | |||||
| CVE-2024-10437 | 2024-10-29 | N/A | 4.3 MEDIUM | ||
| The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages. | |||||
| CVE-2024-50490 | 2024-10-29 | N/A | 9.8 CRITICAL | ||
| Missing Authorization vulnerability in Szabolcs Szecsenyi PegaPoll allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects PegaPoll: from n/a through 1.0.2. | |||||
| CVE-2024-10092 | 2024-10-28 | N/A | 4.3 MEDIUM | ||
| The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones. | |||||
| CVE-2024-10402 | 2024-10-28 | N/A | 7.5 HIGH | ||
| The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms. | |||||
| CVE-2024-9626 | 2024-10-28 | N/A | 4.3 MEDIUM | ||
| The Editorial Assistant by Sovrn plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_zemanta_set_featured_image' function in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload attachment files (such as jpg, png, txt, zip), and set the post featured image. | |||||
| CVE-2024-10003 | 1 Roveridx | 1 Rover Idx | 2024-10-25 | N/A | 6.3 MEDIUM |
| The Rover IDX plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 3.0.0.2903. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete plugin options. | |||||
| CVE-2024-9829 | 1 Metagauss | 1 Download Plugin | 2024-10-25 | N/A | 6.5 MEDIUM |
| The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and download metadata for any user including user PII and sensitive information including username, email, hashed passwords and application passwords, session token information and more depending on set up and additional plugins installed. | |||||
| CVE-2024-9583 | 1 Rebelcode | 1 Rss Aggregator | 2024-10-25 | N/A | 5.4 MEDIUM |
| The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support allowing them to impersonate the site owner. License information may also be leaked. | |||||
| CVE-2024-9628 | 2024-10-25 | N/A | 6.3 MEDIUM | ||
| The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it. | |||||
| CVE-2024-49657 | 2024-10-25 | N/A | 7.7 HIGH | ||
| Missing Authorization vulnerability in ReneeCussack 3D Work In Progress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D Work In Progress: from n/a through 1.0.3. | |||||
| CVE-2024-48538 | 2024-10-25 | N/A | 9.8 CRITICAL | ||
| Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
| CVE-2024-9630 | 2024-10-25 | N/A | 5.4 MEDIUM | ||
| The WPS Telegram Chat plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when accessing messages in versions up to, and including, 4.5.4. This makes it possible for unauthenticated attackers to view the messages that are sent through the Telegram Bot API. | |||||
| CVE-2024-8667 | 2024-10-25 | N/A | 4.3 MEDIUM | ||
| The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized post publication due to a missing capability check on the activateCampaign() function in all versions up to, and including, 2.10.0. This makes it possible for authenticated attackers, with contributor-level access and above, to publish arbitrary posts like ones they have submitted for review, or a site administrator has in draft. | |||||
| CVE-2024-49683 | 2024-10-25 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Schema & Structured Data for WP & AMP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.3.5. | |||||
| CVE-2024-48645 | 2024-10-23 | N/A | 7.5 HIGH | ||
| In Minecraft mod "Command Block IDE" up to and including version 0.4.9, a missing authorization (CWE-862) allows any user to modify "function" files used by the game when installed on a dedicated server. | |||||
| CVE-2024-49325 | 1 Wpdiscover | 1 Photo Gallery Builder | 2024-10-22 | N/A | 8.8 HIGH |
| Subscriber Broken Access Control in Photo Gallery Builder <= 3.0 versions. | |||||
| CVE-2024-10078 | 1 Newsignature | 1 Wp Easy Post Types | 2024-10-22 | N/A | 5.4 MEDIUM |
| The WP Easy Post Types plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 1.4.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete plugin options and posts. | |||||
| CVE-2024-9364 | 1 Smackcoders | 1 Sendgrid | 2024-10-22 | N/A | 4.3 MEDIUM |
| The SendGrid for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_mailplus_clear_logs' function in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's log files. | |||||