Total: 4747 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-49273 | Metagauss | Profilegrid | 2024-10-29 | 4.3 Medium | Missing Authorization vulnerability in ProfileGrid User Profiles ProfileGrid. This issue affects ProfileGrid: from n/a through 5.9.3.
CVE-2024-50476 | Grun Software Group | Spendino Spendenformular | 2024-10-29 | 9.8 Critical | Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular allows Privilege Escalation. This issue affects GRÜN spendino Spendenformular: from n/a through 1.0.1.
CVE-2024-50475 | Scott Gamon | Signup Page | 2024-10-29 | 9.8 Critical | Missing Authorization vulnerability in Scott Gamon Signup Page allows Privilege Escalation. This issue affects Signup Page: from n/a through 1.0.
CVE-2024-49321 | Colorlib | Simple Custom Post Order | 2024-10-29 | 4.3 Medium | Missing Authorization vulnerability in Colorlib Simple Custom Post Order allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Custom Post Order: from n/a through 2.5.7.
CVE-2024-50490 | Szabolcs Szecsenyi | Pegapoll | 2024-10-29 | 9.8 Critical | Missing Authorization vulnerability in Szabolcs Szecsenyi PegaPoll allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects PegaPoll: from n/a through 1.0.2.
CVE-2024-49293 | Rextheme | Wp Vr | 2024-10-29 | 4.3 Medium | Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP VR: from n/a through 8.5.4.
CVE-2024-10437 | | | 2024-10-29 | 4.3 Medium | The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smart Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages.
CVE-2024-9629 | | | 2024-10-29 | 5.4 Medium | The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve, pause and refuse subscriptions.
CVE-2024-50052 | | | 2024-10-29 | 4.3 Medium | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches the original post metadata, which allows an authenticated user to delete an arbitrary post.
CVE-2024-9626 | | | 2024-10-28 | 4.3 Medium | The Editorial Assistant by Sovrn plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_zemanta_set_featured_image' function in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload attachment files (such as jpg, png, txt, zip) and set the post featured image.
CVE-2024-10092 | | | 2024-10-28 | 4.3 Medium | The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.
CVE-2024-10003 | Roveridx | Rover Idx | 2024-10-25 | 6.3 Medium | The Rover IDX plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 3.0.0.2903. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add, modify, or delete plugin options.
CVE-2024-9829 | Metagauss | Download Plugin | 2024-10-25 | 6.5 Medium | The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and to download metadata for any user, including user PII and sensitive information such as username, email, hashed passwords and application passwords, session token information and more, depending on setup and additional plugins installed.
CVE-2024-9583 | Rebelcode | Rss Aggregator | 2024-10-25 | 4.3 Medium | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support, allowing them to impersonate the site owner. License information may also be leaked.
CVE-2024-49657 | | | 2024-10-25 | 7.7 High | Missing Authorization vulnerability in ReneeCussack 3D Work In Progress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 3D Work In Progress: from n/a through 1.0.3.
CVE-2024-48538 | Netdvr | Neye3c | 2024-10-25 | 9.8 Critical | Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVE-2024-8667 | | | 2024-10-25 | 4.3 Medium | The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized post publication due to a missing capability check on the activateCampaign() function in all versions up to, and including, 2.10.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to publish arbitrary posts, such as ones they have submitted for review or ones a site administrator has in draft.
CVE-2024-49683 | | | 2024-10-25 | 5.3 Medium | Missing Authorization vulnerability in Schema & Structured Data for WP & AMP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.3.5.
CVE-2024-48645 | Arm32x | Command Block Ide | 2024-10-23 | 7.5 High | In the Minecraft mod "Command Block IDE" up to and including version 0.4.9, a missing authorization check (CWE-862) allows any user to modify "function" files used by the game when the mod is installed on a dedicated server.
CVE-2024-49325 | Wpdiscover | Photo Gallery Builder | 2024-10-22 | 4.3 Medium | Broken access control exploitable by Subscriber-level users in Photo Gallery Builder versions <= 3.0.
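Most of the WordPress entries above share one root cause: an `admin-ajax.php` handler registered on a `wp_ajax_*` hook that never asks whether the calling user is allowed to perform the action. Being logged in is the only thing the hook guarantees, so a Subscriber reaches the handler exactly as an Administrator does. The example below is added here to illustrate that pattern; it is not code from any plugin in the table. The option name `example_plugin_enabled_messages`, the action names and the function names are hypothetical; the WordPress APIs used (`add_action`, `current_user_can`, `check_ajax_referer`, `wp_send_json_*`, `get_option`, `update_option`, `absint`) are real.

```php
<?php
/**
 * Added example, not from any plugin listed in the table above.
 *
 * Assumptions (hypothetical): the plugin keeps a list of enabled "message"
 * IDs in the option 'example_plugin_enabled_messages' and exposes an AJAX
 * action that toggles one ID. Any logged-in account, Subscriber included,
 * can POST action=<name> to /wp-admin/admin-ajax.php and reach a wp_ajax_*
 * callback; the hook itself performs no authorization.
 */

// --- Vulnerable form (the CVE-2024-10437 / CVE-2024-9629 pattern) -----------
// Using wp_ajax_ rather than wp_ajax_nopriv_ only requires a login; it is not
// a capability check. is_admin() is also not one: it is true for every
// admin-ajax.php request regardless of the caller's role.
add_action( 'wp_ajax_example_toggle_message_vuln', 'example_toggle_message_vulnerable' );

function example_toggle_message_vulnerable() {
	$id      = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	$enabled = get_option( 'example_plugin_enabled_messages', array() );

	// No current_user_can() and no nonce: any authenticated user can flip
	// the state of any message, and the request can also be forged cross-site.
	if ( in_array( $id, $enabled, true ) ) {
		$enabled = array_values( array_diff( $enabled, array( $id ) ) );
	} else {
		$enabled[] = $id;
	}
	update_option( 'example_plugin_enabled_messages', $enabled );
	wp_send_json_success( array( 'enabled' => $enabled ) );
}

// --- Hardened form ----------------------------------------------------------
// Same action, gated on (1) a capability the intended role holds and a
// Subscriber does not, and (2) a nonce so the request cannot be forged.
// Both checks run before any state is read or written.
add_action( 'wp_ajax_example_toggle_message', 'example_toggle_message_hardened' );

function example_toggle_message_hardened() {
	// manage_options is held by Administrators (and Super Admins on multisite).
	// Prefer a narrower plugin-specific capability if the plugin registers one.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
	}

	// The client obtains the token via wp_create_nonce( 'example_toggle_message' )
	// and posts it as 'nonce'; check_ajax_referer() dies on a bad or missing value.
	check_ajax_referer( 'example_toggle_message', 'nonce' );

	$id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	if ( 0 === $id ) {
		wp_send_json_error( array( 'message' => 'bad id' ), 400 );
	}

	$enabled = get_option( 'example_plugin_enabled_messages', array() );
	if ( in_array( $id, $enabled, true ) ) {
		$enabled = array_values( array_diff( $enabled, array( $id ) ) );
	} else {
		$enabled[] = $id;
	}
	update_option( 'example_plugin_enabled_messages', $enabled );
	wp_send_json_success( array( 'enabled' => $enabled ) );
}
```

When auditing a plugin for this class of bug, list every `add_action( 'wp_ajax_` registration and read each callback for a `current_user_can()` (or `user_can()`) call that precedes the first read or write of state; a nonce check alone is not enough, since a Subscriber can obtain a valid nonce for any action the page hands out. The same question applies to the non-AJAX entries in the table: which capability, role or ownership relation is verified before the privileged operation, and is it verified before the operation rather than only in the UI that normally triggers it.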