Business and Enterprise Solutions

In Homey Login Register plugin for WordPress versions 2.4.0 and prior a critical severity vulnerability CVE-2024-11951 was detected. This vulnerability allows unauthenticated attackers to escalate privileges by registering an account with an administrator role due to improper role assignment controls. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11951.

In the Admin and Site Enhancements (ASE) plugin for WordPress versions before 7.6.10 a medium severity vulnerability CVE-2024-13685 was detected. This vulnerability allows attackers to manipulate client IP addresses via untrusted headers, potentially bypassing the login limit feature. To address this issue, users should upgrade Admin and Site Enhancements (ASE) plugin to version 7.6.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13685.

In WP Posts Carousel plugin for WordPress versions 1.3.7 and prior a medium severity vulnerability CVE-2025-1491 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses the injected page, due to insufficient input sanitization and output escaping in the ‘auto_play_timeout’ parameter. To address this issue, users should upgrade WP Posts Carousel plugin to versions 1.3.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1491.

In GenerateBlocks plugin for WordPress versions 1.9.1 and prior a medium severity vulnerability CVE-2024-13546 was detected. This vulnerability allows attackers with Contributor-level access and above to extract sensitive information, including the content of private, draft, and scheduled posts and pages, via the ‘get_image_description’ function. To address this issue, users should upgrade GenerateBlocks plugin to versions 2.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13546.

In Academist Membership plugin for WordPress versions 1.1.6 and prior a critical severity vulnerability CVE-2025-1671 was detected. This vulnerability allows unauthenticated attackers to escalate their privileges and log in as any user, including site administrators, due to improper identity verification in the academist_membership_check_facebook_user() function. To address this issue, users should upgrade Academist Membership plugin to versions 1.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1671.

In Odoo Community version 15.0 and Odoo Enterprise version 15.0 a high severity vulnerability CVE-2024-12368 was detected. This vulnerability allows an internal user to export the OAuth tokens of other users. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12368.

In Odoo Community version 17.0 and Odoo Enterprise version 17.0 a high severity vulnerability CVE-2024-36259 was detected. This vulnerability allows remote authenticated attackers to extract sensitive information via an oracle-based (yes/no response) crafted attack. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-36259.

In Mautic versions before 5.2.3 two critical security vulnerabilities CVE-2024-47051 were detected. These vulnerabilities allow authenticated users to execute remote code via asset upload by bypassing file extension restrictions and to delete arbitrary files through a path traversal flaw. To address this issues, users should upgrade Mautic to versions 5.2.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47051.

In WooCommerce Support Ticket System plugin for WordPress, versions 17.8 and prior a medium severity vulnerability CVE-2024-13775 was detected. This allows attackers with Subscriber-level access or higher to delete posts and access user data. To address this issue, users should upgrade WooCommerce Support Ticket System plugin to version 17.9 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-13775.