-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Auto-Update: 2024-12-13T11:00:38.571853+00:00
- Loading branch information
1 parent
399db80
commit deab373
Showing
18 changed files
with
1,070 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| { | ||
| "id": "CVE-2024-10783", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2024-12-13T10:15:06.400", | ||
| "lastModified": "2024-12-13T10:15:06.400", | ||
| "vulnStatus": "Received", | ||
| "cveTags": [], | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "The MainWP Child \u2013 Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization checks on the register_site function in all versions up to, and including, 5.2 when a site is left in an unconfigured state. This makes it possible for unauthenticated attackers to log in as an administrator on instances where MainWP Child is not yet connected to the MainWP Dashboard. IMPORTANT: this only affects sites who have MainWP Child installed and have not yet connected to the MainWP Dashboard, and do not have the unique security ID feature enabled. Sites already connected to the MainWP Dashboard plugin and do not have the unique security ID feature enabled, are NOT affected and not required to upgrade. Please note 5.2.1 contains a partial patch, though we consider 5.3 to be the complete patch." | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", | ||
| "baseScore": 8.1, | ||
| "baseSeverity": "HIGH", | ||
| "attackVector": "NETWORK", | ||
| "attackComplexity": "HIGH", | ||
| "privilegesRequired": "NONE", | ||
| "userInteraction": "NONE", | ||
| "scope": "UNCHANGED", | ||
| "confidentialityImpact": "HIGH", | ||
| "integrityImpact": "HIGH", | ||
| "availabilityImpact": "HIGH" | ||
| }, | ||
| "exploitabilityScore": 2.2, | ||
| "impactScore": 5.9 | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-862" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/browser/mainwp-child/tags/5.2/class/class-mainwp-child.php#L76", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/browser/mainwp-child/tags/5.2/class/class-mainwp-connect.php#L69", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/browser/mainwp-child/tags/5.2/class/class-mainwp-connect.php#L788", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3197586%40mainwp-child&new=3197586%40mainwp-child&sfp_email=&sfph_mail=", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://wordpress.org/plugins/mainwp-child/", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9156e536-a58e-4d78-b136-af8a9613ee23?source=cve", | ||
| "source": "[email protected]" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| { | ||
| "id": "CVE-2024-11012", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2024-12-13T10:15:07.127", | ||
| "lastModified": "2024-12-13T10:15:07.127", | ||
| "vulnStatus": "Received", | ||
| "cveTags": [], | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "The The Notibar \u2013 Notification Bar for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via njt_nofi_text AJAX action in all versions up to, and including, 2.1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes." | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", | ||
| "baseScore": 6.3, | ||
| "baseSeverity": "MEDIUM", | ||
| "attackVector": "NETWORK", | ||
| "attackComplexity": "LOW", | ||
| "privilegesRequired": "LOW", | ||
| "userInteraction": "NONE", | ||
| "scope": "UNCHANGED", | ||
| "confidentialityImpact": "LOW", | ||
| "integrityImpact": "LOW", | ||
| "availabilityImpact": "LOW" | ||
| }, | ||
| "exploitabilityScore": 2.8, | ||
| "impactScore": 3.4 | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-94" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/browser/notibar/trunk/includes/NotificationBar/WpCustomNotification.php#L90", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/changeset/3205224/", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://wordpress.org/plugins/notibar/#developers", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1766727d-ba54-4b46-b362-415c14be027d?source=cve", | ||
| "source": "[email protected]" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| { | ||
| "id": "CVE-2024-11275", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2024-12-13T09:15:04.887", | ||
| "lastModified": "2024-12-13T09:15:04.887", | ||
| "vulnStatus": "Received", | ||
| "cveTags": [], | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users." | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", | ||
| "baseScore": 4.3, | ||
| "baseSeverity": "MEDIUM", | ||
| "attackVector": "NETWORK", | ||
| "attackComplexity": "LOW", | ||
| "privilegesRequired": "LOW", | ||
| "userInteraction": "NONE", | ||
| "scope": "UNCHANGED", | ||
| "confidentialityImpact": "NONE", | ||
| "integrityImpact": "LOW", | ||
| "availabilityImpact": "NONE" | ||
| }, | ||
| "exploitabilityScore": 2.8, | ||
| "impactScore": 1.4 | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-639" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/browser/timetics/trunk/core/customers/api-customer.php#L308", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3206505%40timetics&new=3206505%40timetics&sfp_email=&sfph_mail=#file199", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d68e250e-d850-4100-81db-3e3c48a3a4a1?source=cve", | ||
| "source": "[email protected]" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| { | ||
| "id": "CVE-2024-11754", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2024-12-13T09:15:05.630", | ||
| "lastModified": "2024-12-13T09:15:05.630", | ||
| "vulnStatus": "Received", | ||
| "cveTags": [], | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "The Booking System Trafft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trafftbooking' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", | ||
| "baseScore": 6.4, | ||
| "baseSeverity": "MEDIUM", | ||
| "attackVector": "NETWORK", | ||
| "attackComplexity": "LOW", | ||
| "privilegesRequired": "LOW", | ||
| "userInteraction": "NONE", | ||
| "scope": "CHANGED", | ||
| "confidentialityImpact": "LOW", | ||
| "integrityImpact": "LOW", | ||
| "availabilityImpact": "NONE" | ||
| }, | ||
| "exploitabilityScore": 3.1, | ||
| "impactScore": 2.7 | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-79" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3207016%40booking-system-trafft&new=3207016%40booking-system-trafft&sfp_email=&sfph_mail=", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84adbde0-9a9b-4a76-9333-56880fcc139d?source=cve", | ||
| "source": "[email protected]" | ||
| } | ||
| ] | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| { | ||
| "id": "CVE-2024-11832", | ||
| "sourceIdentifier": "[email protected]", | ||
| "published": "2024-12-13T09:15:06.113", | ||
| "lastModified": "2024-12-13T09:15:06.113", | ||
| "vulnStatus": "Received", | ||
| "cveTags": [], | ||
| "descriptions": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "The Beaver Builder \u2013 WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JavaScript row settings in all versions up to, and including, 2.8.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." | ||
| } | ||
| ], | ||
| "metrics": { | ||
| "cvssMetricV31": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "cvssData": { | ||
| "version": "3.1", | ||
| "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", | ||
| "baseScore": 6.4, | ||
| "baseSeverity": "MEDIUM", | ||
| "attackVector": "NETWORK", | ||
| "attackComplexity": "LOW", | ||
| "privilegesRequired": "LOW", | ||
| "userInteraction": "NONE", | ||
| "scope": "CHANGED", | ||
| "confidentialityImpact": "LOW", | ||
| "integrityImpact": "LOW", | ||
| "availabilityImpact": "NONE" | ||
| }, | ||
| "exploitabilityScore": 3.1, | ||
| "impactScore": 2.7 | ||
| } | ||
| ] | ||
| }, | ||
| "weaknesses": [ | ||
| { | ||
| "source": "[email protected]", | ||
| "type": "Primary", | ||
| "description": [ | ||
| { | ||
| "lang": "en", | ||
| "value": "CWE-79" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3206556%40beaver-builder-lite-version&new=3206556%40beaver-builder-lite-version&sfp_email=&sfph_mail=", | ||
| "source": "[email protected]" | ||
| }, | ||
| { | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1988ff5e-2d3f-4901-8bcc-eb0a7da7566c?source=cve", | ||
| "source": "[email protected]" | ||
| } | ||
| ] | ||
| } |
Oops, something went wrong.