-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Weston Steimel <[email protected]>
- Loading branch information
1 parent
ee67a9e
commit ec8c6a8
Showing
27 changed files
with
1,077 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wordfence", | ||
| "cveId": "CVE-2024-10365", | ||
| "description": "The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.3 via the render function in modules/widgets/tp_carousel_anything.php, modules/widgets/tp_page_scroll.php, and other widgets. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://plugins.trac.wordpress.org/changeset/3186482/the-plus-addons-for-elementor-page-builder", | ||
| "https://www.wordfence.com/threat-intel/vulnerabilities/id/f7ce1d19-25fa-434d-943b-d10c5cb2ec51?source=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:free:wordpress:*:*" | ||
| ], | ||
| "packageName": "the-plus-addons-for-elementor-page-builder", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce", | ||
| "repo": "https://plugins.svn.wordpress.org/the-plus-addons-for-elementor-page-builder", | ||
| "vendor": "posimyththemes", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "6.0.4", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wpscan", | ||
| "cveId": "CVE-2024-10515", | ||
| "description": "In the process of testing the SEO Plugin by Squirrly SEO WordPress plugin before 12.3.21, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://wpscan.com/vulnerability/367aad17-fbb5-48eb-8829-5d3513098d02/" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:squirrly:seo_plugin_by_squirrly_seo:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "squirrly-seo", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "SEO Plugin by Squirrly SEO", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "12.3.21", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| }, | ||
| "references": [ | ||
| { | ||
| "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f15ad88b-7dcb-4a36-877a-e7017d98d498?source=cve" | ||
| } | ||
| ] | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wordfence", | ||
| "cveId": "CVE-2024-10520", | ||
| "description": "The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://plugins.trac.wordpress.org/changeset/3191204/wedevs-project-manager", | ||
| "https://www.wordfence.com/threat-intel/vulnerabilities/id/497760a8-7d4a-45a0-91e4-a8ee27bcdb02?source=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:wedevs:wp_project_manager:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "wedevs-project-manager", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts", | ||
| "vendor": "wedevs", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "2.6.15", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wordfence", | ||
| "cveId": "CVE-2024-10855", | ||
| "description": "The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the filename parameter of the sirv_upload_file_by_chunks() function and lack of in all versions up to, and including, 7.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://plugins.trac.wordpress.org/browser/sirv/tags/7.2.8/sirv.php#L4691", | ||
| "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3186406%40sirv&new=3186406%40sirv&sfp_email=&sfph_mail=", | ||
| "https://www.wordfence.com/threat-intel/vulnerabilities/id/d6ec09e5-4994-4d23-bf8e-26b64d5303fa?source=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:sirv:sirv:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "sirv", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "Image Optimizer, Resizer and CDN – Sirv", | ||
| "vendor": "sirv", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "7.3.1", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wordfence", | ||
| "cveId": "CVE-2024-10872", | ||
| "description": "The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template-post-custom-field` block in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://plugins.trac.wordpress.org/browser/getwid/trunk/includes/templates/template-parts/post-custom-field.php#L9", | ||
| "https://plugins.trac.wordpress.org/changeset/3188812#file1", | ||
| "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ae0030f-af21-43fb-959a-8da04cab05bb?source=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:motopress:getwid_-_gutenberg_blocks:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "getwid", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "Getwid – Gutenberg Blocks", | ||
| "repo": "https://plugins.svn.wordpress.org/getwid", | ||
| "vendor": "jetmonsters", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "2.0.13", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wordfence", | ||
| "cveId": "CVE-2024-10891", | ||
| "description": "The Save as PDF Plugin by Pdfcrowd plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'save_as_pdf_pdfcrowd' shortcode in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://plugins.trac.wordpress.org/browser/save-as-pdf-by-pdfcrowd/trunk/public/class-save-as-pdf-pdfcrowd-public.php#L586", | ||
| "https://www.wordfence.com/threat-intel/vulnerabilities/id/3763d893-83a0-4b6a-9c21-34a69313d555?source=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:pdfcrowd:save_as_pdf:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "save-as-pdf-by-pdfcrowd", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "Save as PDF Plugin by Pdfcrowd", | ||
| "vendor": "pdfcrowd", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "4.2.2", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wordfence", | ||
| "cveId": "CVE-2024-10899", | ||
| "description": "The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same 'id' parameter is vulnerable to Reflected Cross-Site Scripting as well.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://plugins.trac.wordpress.org/browser/wc-product-table-lite/tags/3.8.6/main.php#L1778", | ||
| "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3190789%40wc-product-table-lite&new=3190789%40wc-product-table-lite&sfp_email=&sfph_mail=", | ||
| "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9b010ff-8a4a-4553-bb2b-d58a254d7ee4?source=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:wcproducttable:woocommerce_product_table_lite:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "wc-product-table-lite", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "WooCommerce Product Table Lite", | ||
| "vendor": "wcproducttable", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "3.8.7", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wordfence", | ||
| "cveId": "CVE-2024-10900", | ||
| "description": "The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_remove_file_attachment() function in all versions up to, and including, 5.9.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary user meta which can do things like deny an administrator's access to their site. .", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/class-profile-magic-admin.php#L1902", | ||
| "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3190069%40profilegrid-user-profiles-groups-and-communities&new=3190069%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail=", | ||
| "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0e5fcfa-ebc9-45f6-9cbc-c9e3540baa6f?source=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "profilegrid-user-profiles-groups-and-communities", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "ProfileGrid – User Profiles, Groups and Communities", | ||
| "repo": "https://plugins.svn.wordpress.org/profilegrid-user-profiles-groups-and-communities", | ||
| "vendor": "metagauss", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "5.9.3.7", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| { | ||
| "additionalMetadata": { | ||
| "cna": "wordfence", | ||
| "cveId": "CVE-2024-10913", | ||
| "description": "The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.", | ||
| "reason": "Added CPE configurations because not yet analyzed by NVD.", | ||
| "references": [ | ||
| "https://plugins.trac.wordpress.org/browser/wp-clone-by-wp-academy//tags/2.4.6/lib/icit_srdb_replacer.php#L24", | ||
| "https://plugins.trac.wordpress.org/browser/wp-clone-by-wp-academy/tags/2.4.7/lib/icit_srdb_replacer.php#L24", | ||
| "https://www.wordfence.com/threat-intel/vulnerabilities/id/16569267-ab52-4b96-86f0-d37c470a3938?source=cve" | ||
| ] | ||
| }, | ||
| "adp": { | ||
| "affected": [ | ||
| { | ||
| "collectionURL": "https://wordpress.org/plugins", | ||
| "cpes": [ | ||
| "cpe:2.3:a:backupbliss:clone:*:*:*:*:*:wordpress:*:*" | ||
| ], | ||
| "packageName": "wp-clone-by-wp-academy", | ||
| "packageType": "wordpress-plugin", | ||
| "product": "Clone", | ||
| "repo": "https://plugins.svn.wordpress.org/wp-clone-by-wp-academy", | ||
| "vendor": "migrate", | ||
| "versions": [ | ||
| { | ||
| "lessThan": "2.4.7", | ||
| "status": "affected", | ||
| "version": "0", | ||
| "versionType": "semver" | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "providerMetadata": { | ||
| "orgId": "00000000-0000-4000-8000-000000000000", | ||
| "shortName": "anchoreadp" | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.