Skip to main content
CVE-2024-2439 MEDIUM POC This Month

The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Salon Booking System
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-2159 MEDIUM POC This Month

The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Sassy Social Share
NVD WPScan
CVSS 3.1
4.7
EPSS
0.5%
CVE-2024-33666 HIGH This Week

An issue was discovered in Zammad before 6.3.0. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Zammad
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2024-3060 MEDIUM POC This Month

The ENL Newsletter WordPress plugin through 1.0.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin+ to perform SQL injection attacks. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Enl Newsletter
NVD WPScan
CVSS 3.1
4.5
EPSS
0.5%
CVE-2024-28327 HIGH This Week

Asus RT-N12+ B1 router stores user passwords in plaintext, which could allow local attackers to obtain unauthorized access and modify router settings. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2024-2908 MEDIUM POC This Month

The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Call Now Button
NVD WPScan
CVSS 3.1
4.3
EPSS
0.7%
CVE-2024-2429 MEDIUM POC This Month

The Salon booking system WordPress plugin through 9.6.5 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Salon Booking System
NVD WPScan
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-21905 HIGH This Week

An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Qnap Qts Quts Hero +1
NVD
CVSS 3.1
8.2
EPSS
0.5%
CVE-2024-31502 HIGH This Week

An issue in Insurance Management System v.1.0.0 and before allows a remote attacker to escalate privileges via a crafted POST request to /admin/core/new_staff. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-32868 HIGH PATCH This Week

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zitadel
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-4163 HIGH This Week

The Skylab IGX IIoT Gateway allowed users to connect to it via a limited shell terminal (IGX). Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
8.0
EPSS
0.4%
CVE-2024-3076 LOW POC Monitor

The MM-email2image WordPress plugin through 0.2.5 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF Mm Email2Image
NVD WPScan
CVSS 3.1
3.8
EPSS
0.2%
CVE-2024-33673 HIGH This Week

An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Backup Exec
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-32883 HIGH This Week

MCUboot is a secure bootloader for 32-bits microcontrollers. Rated high severity (CVSS 7.7). No vendor patch available.

Code Injection
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2024-3052 HIGH This Week

Malformed S2 Nonce Get command classes can be sent to crash the gateway. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-3051 HIGH This Week

Malformed Device Reset Locally command classes can be sent to temporarily deny service to an end device. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-31551 HIGH This Week

Directory Traversal vulnerability in lib/admin/image.admin.php in cmseasy v7.7.7.9 20240105 allows attackers to delete arbitrary files via crafted GET request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Path Traversal Cmseasy
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-27124 HIGH This Week

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Command Injection Qnap Qts Quts Hero Qutscloud
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2024-4056 HIGH This Week

Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service M Files Server
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-1789 HIGH This Week

The WP SMTP plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in versions 1.2 to 1.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2024-33672 HIGH This Week

An issue was discovered in Veritas NetBackup before 10.4. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Netbackup
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-33671 HIGH This Week

An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Backup Exec
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-28326 MEDIUM This Month

Incorrect Access Control in ASUS RT-N12+ B1 and RT-N12 D1 routers allows local attackers to obtain root terminal access via the the UART interface. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.3%
CVE-2024-4183 MEDIUM PATCH This Month

Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mattermost Denial Of Service Mattermost Server
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-22091 MEDIUM PATCH This Month

Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mattermost Denial Of Service Mattermost Server
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-33667 MEDIUM This Month

An issue was discovered in Zammad before 6.3.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Denial Of Service Zammad
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-3890 MEDIUM PATCH This Month

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Calendly widget in all versions up to, and including, 3.10.5 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Happy Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-32884 MEDIUM PATCH This Month

gitoxide is a pure Rust implementation of Git. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. No vendor patch available.

RCE Command Injection
NVD GitHub
CVSS 3.1
6.4
EPSS
0.5%
CVE-2024-28325 MEDIUM This Month

Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-33665 MEDIUM This Month

angular-translate through 2.19.1 allows XSS via a crafted key that is used by the translate directive. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD HeroDevs GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-32404 MEDIUM This Month

Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1, allows remote attackers to execute arbitrary code via a crafted payload to the Markup Sandbox feature. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Relate
NVD
CVSS 3.1
6.0
EPSS
0.8%
CVE-2024-33642 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EkoJR Advanced Post List allows Stored XSS.5.6.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-33598 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Twinpictures Annual Archive allows Stored XSS.6.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-33639 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AccessAlly PopupAlly allows Stored XSS.1.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Popupally
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-33697 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rimes Gold CF7 File Download - File Download for CF7 allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-33696 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Broadstreet XPRESS WordPress Ad Widget allows Stored XSS.20.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-33695 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode Fan Page Widget by ThemeNcode allows Stored XSS.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-33693 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meks Meks Smart Social Widget allows Stored XSS.6.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-33692 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Satrya Smart Recent Posts Widget allows Stored XSS.0.3. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-4234 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sayful Islam Filterable Portfolio allows Stored XSS.6.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-33694 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meks Meks ThemeForest Smart Widget allows Stored XSS.5. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.3%
CVE-2024-33682 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Cookie Information A/S WP GDPR Compliance.0.23. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2024-32887 MEDIUM PATCH This Month

Sidekiq is simple, efficient background processing for Ruby. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.6%
CVE-2024-28328 MEDIUM This Month

CSV Injection vulnerability in the Asus RT-N12+ router allows administrator users to inject arbitrary commands or formulas in the client name parameter which can be triggered and executed in a. Rated medium severity (CVSS 5.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-33651 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Matthew Fries MF Gig Calendar.2.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mf Gig Calendar
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-33680 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in MainWP MainWP Child Reports.1.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Mainwp Child Reports
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-33638 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Brijesh Kothari Smart Maintenance Mode.4.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2022-40975 MEDIUM This Month

Missing Authorization vulnerability in Aazztech Post Slider.6.7. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-3678 MEDIUM PATCH This Month

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.4.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Information Disclosure Blog2Social
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-3682 MEDIUM This Month

The WP STAGING and WP STAGING Pro plugins for WordPress are vulnerable to Sensitive Information Exposure in versions up to, and including, 3.4.3, and versions up to, and including, 5.4.3,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress
NVD
CVSS 3.1
5.3
EPSS
0.4%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy