
NOTICE UPDATED - May, 29th 2024

The NVD has a new announcement page with status updates, news, and how to stay connected!


The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2023-6966 - The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and in... read CVE-2023-6966
    Published: June 05, 2024; 10:15:52 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2024-38433 - Nuvoton - CWE-305: Authentication Bypass by Primary Weakness An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock reference code can modify the u-boot image header on flash parsed by the Boot... read CVE-2024-38433
    Published: July 11, 2024; 4:15:10 AM -0400

    V3.1: 6.7 MEDIUM

  • CVE-2024-30299 - Adobe Framemaker Publishing Server versions 2020.3, 2022.2 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or ... read CVE-2024-30299
    Published: June 13, 2024; 8:15:09 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-30300 - Adobe Framemaker Publishing Server versions 2020.3, 2022.2 and earlier are affected by an Information Exposure vulnerability (CWE-200) that could lead to privilege escalation. An attacker could exploit this vulnerability to gain access to sensitiv... read CVE-2024-30300
    Published: June 13, 2024; 8:15:10 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-3073 - The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to plugin providing the SMTP password in the SMTP Password fiel... read CVE-2024-3073
    Published: June 13, 2024; 5:15:13 AM -0400

    V3.1: 2.7 LOW

  • CVE-2024-3605 - The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user suppli... read CVE-2024-3605
    Published: June 19, 2024; 10:15:10 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-3627 - The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up... read CVE-2024-3627
    Published: June 19, 2024; 10:15:11 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-4626 - The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_type’ and 'id' parameters in all versions up to, and including, 1.0.17 due to insufficient input sanitization and output escaping. This ... read CVE-2024-4626
    Published: June 19, 2024; 10:15:11 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-4742 - The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the order_by shortcode attribute in all versions up to, and including, 1.2.5 due to insuffic... read CVE-2024-4742
    Published: June 19, 2024; 10:15:11 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-5432 - The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during the checkout through the plugin. This makes it po... read CVE-2024-5432
    Published: June 19, 2024; 10:15:11 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-3597 - The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.2.2. This is due to insufficient validation on the redirect url supplied via the rc_exported_zip_file parameter. This... read CVE-2024-3597
    Published: June 19, 2024; 10:15:10 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-3602 - The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function... read CVE-2024-3602
    Published: June 19, 2024; 10:15:10 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2024-3562 - The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. This is due to insufficient sanitization of input prior to being used in a call to the eval() fu... read CVE-2024-3562
    Published: June 19, 2024; 10:15:10 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-37803 - Multiple stored cross-site scripting (XSS) vulnerabilities in CodeProjects Health Care hospital Management System v1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname and lname parameters und... read CVE-2024-37803
    Published: June 18, 2024; 1:15:52 PM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2023-3204 - The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This m... read CVE-2023-3204
    Published: June 19, 2024; 10:15:09 PM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2024-3561 - The Custom Field Suite plugin for WordPress is vulnerable to SQL Injection via the 'Term' custom field in all versions up to, and including, 2.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o... read CVE-2024-3561
    Published: June 19, 2024; 10:15:09 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2024-4176 - A cross-site scripting vulnerability in the EDR XConsole before this release allowed an attacker to potentially leverage an XSS/HTML-Injection using command line variables. A malicious threat actor could execute commands on the victim's browser f... read CVE-2024-4176
    Published: June 13, 2024; 5:15:14 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-4371 - The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from ... read CVE-2024-4371
    Published: June 13, 2024; 5:15:14 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-30278 - Media Encoder versions 23.6.5, 24.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploi... read CVE-2024-30278
    Published: June 13, 2024; 6:15:09 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2024-5444 - The Bible Text WordPress plugin through 0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perfo... read CVE-2024-5444
    Published: July 11, 2024; 2:15:02 AM -0400

    V3.1: 5.4 MEDIUM

Created September 20, 2022, Updated June 27, 2024