Business and Enterprise Solutions

In WP Datepicker plugin versions 2.1.4 and prior a medium severity vulnerability CVE-2024-12468 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘wpdp_get_selected_datepicker’ parameter, which execute if they successfully trick a user into performing an action such as clicking on a link. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12468.

In Elementor Header & Footer Builder plugin versions 1.6.46 and prior a medium severity vulnerability CVE-2024-11230 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the ‘size’ parameter, which will execute whenever a user accesses an injected page. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11230.

In the LaTeX2HTML plugin for WordPress all versions up to 2.5.5 a medium severity vulnerability CVE-2024-11688 was detected. This vulnerability allows attackers to execute arbitrary scripts in the context of the user’s browser, potentially leading to session hijacking, defacement, or other malicious activities. This vulnerability remains unresolved at this time. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-11688.

In the real.Kit plugin for WordPress all versions up to 5.1.1 a medium severity vulnerability CVE-2024-12697 was detected. This vulnerability allows attackers with certain access to add harmful scripts to a website. This vulnerability remains unresolved at this time. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-12697.

In Download Manager WordPress plugin versions before 3.3.03 a medium severity vulnerability CVE-2024-10706 was detected. This vulnerability allows attackers to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed (for example in multisite setups). To address this issue, users should upgrade Download Manager plugin to version 3.3.03 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10706.

In Ebook Store plugin versions 5.8001 and prior a medium severity vulnerability CVE-2024-12262 was detected. This vulnerability allows attackers to inject arbitrary web scripts via the ‘step’ parameter due to insufficient input sanitization and output escaping. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12262.

In WP SHAPES plugin for WordPress versions up to and including 1.0.0 a medium severity vulnerability CVE-2024-9619 was detected. This vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts through SVG file uploads, which execute when users access the SVG file. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9619.

In Liferay Portal versions 7.1.0 through 7.4.3.38 and Liferay DXP versions 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20, 7.1 GA through fix pack 28 a medium severity vulnerability CVE-2024-11993 was detected. This vulnerability allows attackers to inject malicious code into a web page, which can then steal sensitive information or trick users into performing unwanted actions. To fix this issue, users should upgrade Liferay Portal to versions 7.4.3.39 and later and Liferay DXP to versions, 7.4 update 39 and later, 7.3 update 37 and later, 7.2 fix pack 21 and later, 7.1 fix pack 29 and later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-11993.

In Opt-In Downloads plugin for WordPress versions up to 4.07 a high severity vulnerability CVE-2024-10590 was detected. This vulnerability allows authenticated users with Subscriber-level access or higher to upload arbitrary files, potentially leading to remote code execution (RCE) on NGINX servers. To address this issue, users must upgrade to a version later than 4.07. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10590.