Our news and updates

In AHAthat WordPress plugin version 1.6 and prior a medium severity vulnerability CVE-2024-12595 was detected. This vulnerability allows attackers to perform Reflected Cross-Site Scripting (XSS) attacks by exploiting the unsanitized `$_SERVER[‘REQUEST_URI’]` parameter, which is outputted in an attribute. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12595.

In WebToffee WordPress Backup & Migration plugin versions up to 1.4.1 a medium severity vulnerability CVE-2023-45636 was detected. This vulnerability allows attackers to exploit improperly configured access control security levels due to missing authorization. To address this issue, users should upgrade to version 1.4.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-45636.

In Hunk Companion WordPress plugin before version 1.9.0 a critical severity vulnerability CVE-2024-11972 was detected. This vulnerability allows unauthenticated attackers to install and activate arbitrary plugins, including vulnerable versions of the Hunk Companion plugin, from the WordPress.org repository via improperly authorized REST API endpoints. To address this issue, users should upgrade to version 1.9.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11972.

In The Ninja Forms – The Contact Form Builder That Grows With You WordPress plugin versions up to and including 3.8.22 a medium severity vulnerability CVE-2024-12238 was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes due to improper validation of values before running the `do_shortcode` function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12238.

In DN Shipping by Weight for WooCommerce WordPress plugin before version 1.2 a medium severity vulnerability CVE-2024-11842 was detected. This vulnerability allows attackers to change plugin settings via a Cross-Site Request Forgery (CSRF) attack, exploiting the lack of a CSRF check. To address this issue, users should upgrade to version 1.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11842.

In Jetpack WordPress plugin versions 13.x before 14.1 a medium severity vulnerability CVE-2024-10858 was detected. This vulnerability allows attackers to exploit improper origin checks in the `postMessage` function, leading to DOM-based Cross-Site Scripting (XSS) attacks. To address this issue, users should upgrade to version 14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10858.

In OpenShift versions 4 and JBoss Fuse version 7 a high severity vulnerability CVE-2024-45497 was detected. This vulnerability allows attackers to overwrite a configuration file containing sensitive credentials. By modifying this file, attackers can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-45497.

In Spring Framework versions 5.3.0 to 5.3.40, 6.0.0 to 6.0.24, and 6.1.0 to 6.1.13 a high severity vulnerability CVE-2024-38816 was detected. This vulnerability allows attackers to perform path traversal attacks, enabling them to access any file on the system that the Spring application has access to. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38816.

In wp-publications WordPress plugin versions 1.2 and prior a low severity vulnerability CVE-2024-11605 was detected. This vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks by exploiting unescaped filenames, even when the unfiltered_html capability is disallowed (e.g., in a multisite setup). No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11605.