In the Calculated Fields Form plugin for WordPress versions 5.2.63 and prior a medium severity vulnerability CVE-2024-12601 was detected. This vulnerability allows attackers to overload server resources by sending multiple requests with excessively large CAPTCHA image dimensions, leading to potential denial of service. To fix this issue, users should upgrade Calculated Fields Form plugin for WordPress to version 5.2.64 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-12601.
In Liferay Portal versions starting from 7.0.0 through 7.4.3.87 and Liferay DXP versions starting from 7.4 GA through update 87, 7.3 GA through update 29 a medium severity vulnerability CVE-2024-37940 was detected. This vulnerability allows attackers to inject arbitrary web scripts or HTML into the Service Class text field in Liferay Portal and Liferay DXP, potentially leading to cross-site scripting attacks. To fix this issue, users should upgrade Liferay Portal to version 7.4.3.88 and Liferay DXP to versions 2023.Q3.1, 7.4 update 88, 7.3 update 30. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-37940.
In Download Manager plugin for WordPress versions 3.3.03 and prior a medium severity vulnerability CVE-2024-11768 was detected. This vulnerability allows attackers to download password-protected files due to improper password validation. To address this issue, users should upgrade to version 3.3.04 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11768.
In WPForms WordPress plugin versions prior to 1.9.2.3 a medium severity vulnerability CVE-2024-11223 was detected. This vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disabled (e.g., in multisite setups). To address this issue, users should upgrade to version 1.9.2.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11223.
In Broken Link Checker WordPress plugin versions prior to 2.4.2 a high severity vulnerability CVE-2024-10903 was detected. This vulnerability allows admin users to perform Server-Side Request Forgery (SSRF) attacks by exploiting unvalidated link URLs, potentially compromising multisite installations. To address this issue, users should upgrade to version 2.4.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10903.
In the Avada (Fusion) Builder plugin for WordPress versions up to 3.11.12 a medium severity vulnerability CVE-2024-12335 was detected. This vulnerability allows attackers with contributor-level access or higher to access sensitive information from protected, private, or draft posts in WordPress. To fix this issue, users should upgrade Avada (Fusion) Builder plugin for WordPress to version 3.11.13. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-12335.
In WooCommerce Point of Sale plugin for WordPress versions up to 6.1.0 a critical severity vulnerability CVE-2024-11281 was detected. This vulnerability allows attackers to change the email and reset the password of any user, including administrators, due to insufficient validation of the ‘logged_in_user_id’ value. To address this issue, users should upgrade to version 6.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11281.
In WordPress Simple Shopping Cart plugin versions 5.0.7 and prior a medium severity vulnerability CVE-2024-12622 was detected. This vulnerability lets users with contributor-level access or higher add harmful scripts through the ‘wp_cart_button’ and ‘wp_cart_display_product’ shortcodes. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12622.
In Tracking Code Manager plugin versions 2.3.0 and prior a medium severity vulnerability CVE-2024-8721 was detected. This vulnerability allows users with Contributor-level access or higher to add harmful scripts through the tracking code field, which will execute whenever a user accesses an injected page. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8721.