CVE Catalog

Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.

Jan 2, 2025

Acronis Cyber Protect 16 DLL Hijacking Vulnerability Leading to Local Privilege Escalation

A local privilege escalation vulnerability has been identified in Acronis Cyber Protect 16 for Windows, prior to build 39169. This issue arises from a DLL hijacking vulnerability, which can be exploited to gain elevated privileges on the system.

2.4
Jan 2, 2025

Acronis Cyber Protect and Cyber Protect Cloud Agent Tray Monitor Service Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in the Tray Monitor service of Acronis Cyber Protect 16 and Acronis Cyber Protect Cloud Agent. This issue arises from excessive permissions assigned to the service, allowing unauthorized users to gain elevated privileges. The vulnerability affects Acronis Cyber Protect 16 (Linux, macOS, Windows) prior to build 39169, and Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) prior to build 35895.

2.9
Jan 2, 2025

Acronis Cyber Protect 16 Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Acronis Cyber Protect 16 for both Linux and Windows platforms, prior to build 39169. This vulnerability arises from inadequate origin validation in the postMessage function, allowing for the injection of malicious scripts that are stored and executed in the context of the user.

2.9
Jan 2, 2025

Acronis Cyber Protect 16 DLL Hijacking Vulnerability Leading to Local Privilege Escalation

A local privilege escalation vulnerability has been identified in Acronis Cyber Protect 16 for Windows, prior to build 39169. This issue arises from a DLL hijacking vulnerability, which can be exploited to gain elevated privileges on the system.

2.1
Jan 2, 2025

Kentico CMS Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Kentico CMS version 7. This issue arises from the improper neutralization of input in the '/CMSMessages/AccessDenied.aspx' endpoint, allowing attackers to manipulate specific GET request parameters. Support for Kentico CMS version 7 ended in 2016, and version 8 does not exhibit this vulnerability.

4.1
Jan 2, 2025

Liquid Web GiveWP Plugin Missing Authorization Vulnerability Allowing Arbitrary Content Deletion

A missing authorization vulnerability has been identified in the Liquid Web / StellarWP GiveWP plugin, specifically in versions through 2.25.1. This vulnerability allows for arbitrary content deletion, meaning that a malicious actor could potentially delete various types of content from a website, such as images, posts, or pages.

4.2
Jan 2, 2025

JoomUnited WP Table Manager Missing Authorization Vulnerability Allowing Access Control Exploitation

A missing authorization vulnerability has been identified in the JoomUnited WP Table Manager plugin for WordPress, affecting versions through 3.5.2. This vulnerability arises from broken access control, which allows users with lower privileges to perform actions reserved for higher-privileged users.

1.8
Jan 2, 2025

WeyHan Post Teaser Missing Authorization Vulnerability

A broken access control vulnerability has been identified in the WeyHan Post Teaser plugin for WordPress, affecting versions through 4.1.5. This vulnerability allows an unprivileged user to perform actions that require higher privileges, due to a lack of proper authorization checks.

1.8
Jan 2, 2025

Code-Projects Chat System SQL Injection Vulnerability in Delete User Admin Function

A critical SQL injection vulnerability has been identified in Code-Projects Chat System version 1.0. The issue arises in the admin/deleteuser.php file, where the 'id' argument can be manipulated to execute unauthorized SQL commands. This vulnerability can be exploited remotely, potentially leading to unauthorized data access or modification.

3.5
Jan 2, 2025

MaxKB Remote Command Execution Vulnerability in Function Library Module

A remote command execution vulnerability has been identified in MaxKB, an open-source knowledge base question-answering system that utilizes a large language model and retrieval-augmented generation. This vulnerability, present in versions prior to 1.9.0, allows privileged users to execute operating system commands within custom scripts. The issue has been addressed in version 1.9.0.

3.1
Jan 2, 2025

Acronis True Image Sensitive Information Disclosure Vulnerability

A vulnerability allowing sensitive information disclosure has been identified in Acronis True Image for both macOS (versions prior to build 41725) and Windows (versions prior to build 41736). This issue arises from missing authentication, which could potentially be exploited to access confidential information.

3.6
Jan 2, 2025

Acronis True Image Sensitive Information Disclosure Vulnerability Due to Insecure Folder Permissions

A vulnerability allowing sensitive information disclosure exists in Acronis True Image for Windows, prior to build 41736, due to insecure folder permissions.

3.2
Jan 2, 2025

Crocoblock JetEngine Missing Authorization Vulnerability Allowing Access Control Bypass

A missing authorization vulnerability has been identified in the Crocoblock JetEngine plugin, specifically in versions through 3.2.4. This vulnerability allows users to exploit improperly configured access control levels, potentially leading to unauthorized actions or access.

1.8
Jan 2, 2025

Porto Theme Functionality Plugin Broken Access Control Vulnerability

A missing authorization vulnerability has been identified in the Porto Theme Functionality plugin for WordPress, affecting versions prior to 2.12.1. This vulnerability arises from incorrectly configured access control security levels, which can be exploited to perform actions that require higher privileges.

4.7
Jan 2, 2025

10Web 10WebAnalytics Missing Authorization Vulnerability Allowing Broken Access Control

A broken access control vulnerability has been identified in the 10WebAnalytics WordPress plugin, affecting versions through 1.2.12. This vulnerability arises from missing authorization checks, which could allow an unprivileged user to perform actions reserved for higher privileges.

2.7
Jan 2, 2025

LuckyWP Scripts Control Plugin Broken Access Control Vulnerability

A missing authorization vulnerability has been identified in the LuckyWP Scripts Control WordPress plugin, affecting versions through 1.2.1. This vulnerability arises from incorrectly configured access control security levels, allowing unprivileged users to perform actions reserved for higher privileges.

1.8
Jan 2, 2025

WordPress IMPress Listings Plugin Broken Access Control Vulnerability

A missing authorization vulnerability has been identified in the WordPress IMPress Listings plugin, specifically in versions through 2.6.2. This vulnerability allows exploitation of improperly configured access control security levels, potentially leading to unauthorized actions by users with lower privileges.

2.6
Jan 2, 2025

10Web Map Builder for Google Maps Missing Authorization Vulnerability Allowing Broken Access Control

A missing authorization vulnerability has been identified in the 10Web Map Builder for Google Maps plugin, affecting versions through 1.0.73. This vulnerability allows exploitation of incorrectly configured access control security levels, potentially leading to broken access control issues.

3.8
Jan 2, 2025

Putler WooCommerce Connector Missing Authorization Vulnerability

A broken access control vulnerability has been identified in the Putler Connector for WooCommerce, affecting versions through 2.12.0. This vulnerability allows unauthenticated users to perform actions that require higher privileges, due to a lack of proper authorization checks.

2.6
Jan 2, 2025

Repute InfoSystems ARMember Premium Broken Access Control Vulnerability

A missing authorization vulnerability has been identified in the Repute InfoSystems ARMember Premium WordPress membership plugin, affecting versions through 5.9.2. This vulnerability allows unprivileged users to exploit incorrectly configured access control security levels, potentially leading to unauthorized actions that require higher privileges.

3.1
Jan 2, 2025

Xtemos WoodMart Theme Broken Access Control Vulnerability

A missing authorization vulnerability has been identified in the Xtemos WoodMart WordPress theme, specifically in versions through 7.2.1. This vulnerability allows exploitation of improperly configured access control, potentially enabling users to perform actions reserved for higher privileges.

3.8
Jan 2, 2025

Linux Kernel CEC Message Length Limitation Vulnerability

A vulnerability in the Linux kernel's media subsystem, specifically within the S5P CEC (Consumer Electronics Control) component, allows for improper handling of message lengths. The issue arises because the message length is not correctly restricted to the maximum allowed size, potentially leading to buffer overflows or other unintended behavior. This vulnerability has been addressed by implementing a check to ensure that message lengths do not exceed the maximum permissible limit.

5.7
Jan 2, 2025

WordPress Analytify Plugin Privilege Escalation Vulnerability

A missing authorization vulnerability allowing privilege escalation has been identified in the WordPress Analytify Google Analytics Dashboard plugin, affecting versions through 4.2.3. This vulnerability could enable a low-privileged user to gain higher privileges, potentially leading to full control of the website.

4.7
Jan 2, 2025

WordPress Subscribe to Category Plugin Broken Access Control Vulnerability

A missing authorization vulnerability has been identified in the WordPress Subscribe to Category plugin, specifically in versions through 2.7.4. This vulnerability allows unprivileged users to exploit incorrectly configured access control security levels, potentially leading to unauthorized actions.

3.1
Jan 2, 2025

Gallery Images Ape WordPress Plugin Broken Access Control Vulnerability

A broken access control vulnerability has been identified in the Gallery Images Ape WordPress plugin, specifically in versions through 2.2.8. This vulnerability arises from missing authorization checks, allowing users with lower privileges to perform actions reserved for higher privileged users.

1.8
Jan 2, 2025

VolThemes Patricia Blog Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the VolThemes Patricia Blog WordPress theme, specifically in versions through 1.2. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.0
Jan 2, 2025

Marsian i-amaze WordPress Theme Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Marsian i-amaze WordPress theme, affecting versions through 1.3.7. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.1
Jan 2, 2025

Creativthemes Point WordPress Theme Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Creativthemes Point WordPress theme, specifically in versions through 1.1. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.0
Jan 2, 2025

BuddyBoss Theme Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the BuddyBoss Theme by BuddyBoss LLC, affecting versions through 2.4.61. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.1
Jan 2, 2025

MyThemeShop Schema Lite Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the MyThemeShop Schema Lite WordPress theme, specifically in versions through 1.2.2. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.0
Jan 2, 2025

Uncanny Owl Uncanny Toolkit Pro for LearnDash Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Uncanny Owl Uncanny Toolkit Pro for LearnDash plugin, affecting versions prior to 4.1.4.1. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.4
Jan 2, 2025

Automattic WP Job Manager - Resume Manager Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Automattic WP Job Manager - Resume Manager plugin, affecting versions through 2.1.0. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.1
Jan 2, 2025

FS Code FS Poster Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the FS Poster WordPress plugin, affecting versions through 6.5.8. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.0
Jan 2, 2025

Beijing Yunfan Internet Technology Yunfan Learning Examination System Improper Authentication Vulnerability via JWT Token

A critical vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue resides in the JWT Token Handler component, specifically within the SysUserControl file. The vulnerability allows for improper authentication, as the system's JWT tokens can be exploited universally across any server using this application. The flaw arises because the application does not properly validate JWT tokens during the login process. As a result, an attacker can replace the existing JWT with a crafted token that bypasses authentication and grants administrative privileges.

4.8
Jan 2, 2025

Beijing Yunfan Internet Technology Yunfan Learning Examination System Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue arises in the Exam Answer Handler component, specifically within the PaperController.java file. The vulnerability allows remote attackers to view answers during the exam process by manipulating input IDs, thereby facilitating cheating.

3.4
Jan 2, 2025

WP Hait Post Grid Elementor Addon Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP Hait Post Grid Elementor Addon, affecting versions through 2.0.18. This vulnerability arises from improper input sanitization during web page generation, allowing malicious scripts to be injected and executed when users visit the affected site.

1.7
Jan 2, 2025

CoolPlugins Coins MarketCap DOM-Based Cross-Site Scripting Vulnerability

A DOM-based cross-site scripting vulnerability has been identified in the CoolPlugins Coins MarketCap WordPress plugin, affecting versions through 5.5.8. This vulnerability arises from improper input sanitization during web page generation, allowing malicious actors to inject and execute harmful scripts on the site.

1.6
Jan 2, 2025

Markyis Cool Olivia WordPress Theme Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Markyis Cool Olivia WordPress theme, specifically in versions through 0.9.5. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.

2.0
Jan 2, 2025

CridioStudio ListingPro Cross-Site Request Forgery Vulnerability Allowing Authentication Bypass

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the CridioStudio ListingPro WordPress theme, specifically in versions through 2.9.4. This vulnerability allows for authentication bypass, enabling attackers to manipulate actions on behalf of users with higher privileges.

3.5
Jan 2, 2025

Epsiloncool WP Fast Total Search Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Epsiloncool WP Fast Total Search plugin for WordPress, affecting versions through 1.69.234. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.0
Jan 2, 2025

WordPress i-Transform Theme Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress i-Transform theme, affecting versions through 3.0.9. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.

2.0
Jan 2, 2025

Beijing Yunfan Internet Technology Yunfan Learning Examination System Improper Authorization Vulnerability

A critical vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue arises from the file 'doc.html', which lacks proper access permissions, allowing unauthorized users to view all interfaces. This vulnerability can be exploited remotely.

4.7
Jan 2, 2025

D-Link DIR-816 A2 Critical Vulnerability in form2NetSniper.cgi Allowing Improper Access Control

A critical vulnerability has been identified in the D-Link DIR-816 A2 router, specifically in version 1.10CNB05_R1B011D88210. The issue arises in the file form2NetSniper.cgi, where improper access controls allow for unauthorized actions to be performed. This vulnerability can be exploited remotely, potentially leading to unauthorized access or manipulation of the device.

6.7
Jan 2, 2025

ConvertCalculator for WordPress Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the ConvertCalculator plugin for WordPress, affecting versions through 1.1.1. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.

1.7
Jan 2, 2025

Fla-shop.com Interactive UK Map Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Fla-shop.com Interactive UK Map plugin, affecting versions through 3.4.8. This issue arises from improper input neutralization during web page generation, allowing malicious users to inject harmful scripts that are executed when the affected page is viewed.

2.0
Jan 2, 2025

Sonaar Music MP3 Audio Player Broken Access Control Vulnerability

A broken access control vulnerability has been identified in the Sonaar Music MP3 Audio Player for Music, Radio & Podcast plugin, affecting versions through 5.8. This vulnerability allows users to access functionalities that are not properly restricted by access control lists (ACLs).

2.1
Jan 2, 2025

Beee ACF City Selector Unrestricted File Upload Vulnerability Allowing Web Shell Upload

A vulnerability allowing unrestricted file upload of dangerous types has been identified in the Beee ACF City Selector WordPress plugin, affecting versions through 1.14.0. This vulnerability could be exploited to upload a web shell to the server, potentially leading to unauthorized access or control over the website.

1.7
Jan 2, 2025

GS Plugins GS Shots for Dribbble DOM-Based Cross-Site Scripting Vulnerability

A DOM-based cross-site scripting vulnerability has been identified in the GS Shots for Dribbble WordPress plugin, affecting versions through 1.2.0. This issue arises from improper input sanitization during web page generation, allowing malicious actors to inject and execute harmful scripts on the site.

1.6
Jan 2, 2025

GS Plugins GS Coaches Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the GS Coaches WordPress plugin, affecting versions through 1.1.0. This issue allows for the injection of malicious scripts that could be executed when users visit the affected site.

1.6
Jan 2, 2025

GS Plugins Project Showcase Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the GS Plugins Project Showcase WordPress plugin, affecting versions through 1.1.1. This vulnerability allows attackers to inject malicious scripts that are executed when users visit the affected site.

1.6