In the Planaday API plugin for WordPress versions up to and including 11.4 a medium severity vulnerability CVE-2024-11804 was detected. This vulnerability allows attackers to inject harmful web scripts into pages by exploiting the ‘tab’ parameter. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11804.
Read more CMS
In the kvCORE IDX plugin for WordPress version 2.3.35 a medium severity vulnerability CVE-2024-11723 was detected. This vulnerability allows attackers to trick users into clicking malicious links, which can steal personal data or perform harmful actions on their behalf. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-11723.
Read more CMS
In the Essential Real Estate plugin for WordPress version 5.1.6 a medium severity vulnerability CVE-2024-12329 was detected. This vulnerability allows authenticated users with Contributor-level access and above to view sensitive data, such as invoices and transaction logs, without proper authorization. To fix this issue, users should upgrade the Essential Real Estate plugin for WordPress to version 5.1.7. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-12329.
Read more CMS
In the Country Blocker plugin for WordPress versions up to and including 3.2 a medium severity vulnerability CVE-2024-11459 was detected. This vulnerability allows attackers to inject harmful web scripts into pages via the ‘ip’ parameter. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11459.
Read more CMS
In miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) Plugin versions 7.5.14 and prior a medium severity vulnerability CVE-2023-24375 was detected. This vulnerability allows attackers to exploit incorrectly configured access control security levels. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-24375.
Read more CMS
In ONLYOFFICE Docs Plugin for WordPress versions up to and including 2.0.0 a medium severity vulnerability CVE-2024-11450 was detected. This vulnerability allows attackers with contributor-level access or higher to inject arbitrary web scripts into pages via the ‘onlyoffice’ shortcode. These scripts execute whenever a user accesses an injected page. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11450.
Read more Productivity
In Directus versions prior to 11.2.9 and 11.0.0 a high severity vulnerability CVE-2024-54151 was detected. This vulnerability allows unauthenticated users to perform any operations (CRUD, subscriptions) with full admin privileges if `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` is set to `public`. To address this issue, users should upgrade Directus to version 11.3.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54151.
Read more CMS
In Drupal Core versions from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9 a medium severity vulnerability CVE-2024-55638 was detected. This vulnerability allows attackers to exploit deserialization of untrusted data, leading to object injection. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55638.
Read more CMS
In Drupal Core versions from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8 a medium severity vulnerability CVE-2024-12393 was detected. This vulnerability allows attackers to exploit improper neutralization of input during web page generation, leading to Cross-Site Scripting (XSS). Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12393.
Read more CMS