Total
4661 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5654 | 1 Gsheetconnector | 1 Cf7 Google Sheets Connector | 2024-11-21 | N/A | 6.5 MEDIUM |
| The CF7 Google Sheets Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'execute_post_data_cg7_free' function in all versions up to, and including, 5.0.9. This makes it possible for unauthenticated attackers to toggle site configuration settings, including WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG, and SAVEQUERIES. | |||||
| CVE-2024-5607 | 1 Ninjateam | 1 Gdpr Ccpa Compliance \& Cookie Consent Banner | 2024-11-21 | N/A | 5.4 MEDIUM |
| The GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions named ajaxUpdateSettings() in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings, update page content, send arbitrary emails and inject malicious web scripts. | |||||
| CVE-2024-5545 | 1 Stylemixthemes | 1 Motors - Car Dealer\, Classifieds \& Listing | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stm_edit_delete_user_car function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to unpublish arbitrary posts and pages. | |||||
| CVE-2024-5489 | 1 Wbcomdesigns | 1 Custom Font Uploader | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete any custom font. | |||||
| CVE-2024-5459 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages. | |||||
| CVE-2024-5453 | 1 Metagauss | 1 Profilegrid | 2024-11-21 | N/A | 4.3 MEDIUM |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_dismissible_notice and pm_wizard_update_group_icon functions in all versions up to, and including, 5.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options to the value '1' or change group icons. | |||||
| CVE-2024-5382 | 1 Master-addons | 1 Master Addons | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ma-template' REST API route in all versions up to, and including, 2.0.6.1. This makes it possible for unauthenticated attackers to create or modify existing Master Addons templates or make settings modifications related to these templates. | |||||
| CVE-2024-5248 | 1 Lunary | 1 Lunary | 2024-11-21 | N/A | 6.5 MEDIUM |
| In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This vulnerability allows unauthorized access to sensitive user information, violating the intended access controls. | |||||
| CVE-2024-5129 | 1 Lunary | 1 Lunary | 2024-11-21 | N/A | 8.2 HIGH |
| A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file. | |||||
| CVE-2024-5127 | 1 Lunary | 1 Lunary | 2024-11-21 | N/A | 5.4 MEDIUM |
| In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not intended for their use. The vulnerability specifically affects the Team feature, where the backend fails to validate whether a user has paid for a plan before allowing them to send invite links with any role assigned. This could lead to unauthorized access and manipulation of project settings or data. | |||||
| CVE-2024-5087 | 1 Webfactoryltd | 1 Minimal Coming Soon \& Maintenance Mode | 2024-11-21 | N/A | 6.3 MEDIUM |
| The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin. | |||||
| CVE-2024-4898 | 1 Instawp | 1 Instawp Connect | 2024-11-21 | N/A | 9.8 CRITICAL |
| The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts. | |||||
| CVE-2024-4888 | 1 Litellm | 1 Litellm | 2024-11-21 | N/A | 8.1 HIGH |
| BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this vulnerability by sending a specially crafted request that includes a file path to the server, which then deletes the specified file without proper authorization or validation. This vulnerability is present in the code where `os.remove(file.filename)` is used to delete a file, allowing any user to delete critical files on the server such as SSH keys, SQLite databases, or configuration files. | |||||
| CVE-2024-4788 | 1 Woostify | 1 Boostify Header Footer Builder For Elementor | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages or posts with arbitrary content. | |||||
| CVE-2024-4746 | 1 Netgsm | 1 Netgsm | 2024-11-21 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Netgsm.This issue affects Netgsm: from n/a through 2.9.16. | |||||
| CVE-2024-4745 | 1 Seedprod | 1 Rafflepress | 2024-11-21 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in RafflePress Giveaways and Contests by RafflePress.This issue affects Giveaways and Contests by RafflePress: from n/a through 1.12.4. | |||||
| CVE-2024-4744 | 1 Ipages Flipbook Project | 1 Ipages Flipbook | 2024-11-21 | N/A | 5.3 MEDIUM |
| Missing Authorization vulnerability in Avirtum iPages Flipbook.This issue affects iPages Flipbook: from n/a through 1.5.1. | |||||
| CVE-2024-4661 | 1 Webfactoryltd | 1 Wp Reset | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting. | |||||
| CVE-2024-4660 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates. | |||||
| CVE-2024-4468 | 1 Salonbookingsystem | 1 Salon Booking System | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users. | |||||