The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2024-9305 - The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_password() and validate_reset_password() functions not...
  Published: October 15, 2024; 10:15:07 PM -0400
  V3.1: 9.8 CRITICAL
- CVE-2024-57776 - A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
  Published: January 16, 2025; 1:15:27 PM -0500
- CVE-2024-57774 - A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
  Published: January 16, 2025; 1:15:27 PM -0500
- CVE-2024-57773 - A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
  Published: January 16, 2025; 1:15:27 PM -0500
- CVE-2024-57771 - A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
  Published: January 16, 2025; 1:15:26 PM -0500
- CVE-2024-57772 - A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
  Published: January 16, 2025; 1:15:26 PM -0500
- CVE-2024-12587 - The Contact Form Master WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
  Published: January 11, 2025; 1:15:25 AM -0500
- CVE-2024-12715 - The Asgard Security Scanner WordPress plugin through 0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
  Published: January 09, 2025; 1:15:14 AM -0500
- CVE-2024-12714 - The Backlink Monitoring Manager WordPress plugin through 0.1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
  Published: January 09, 2025; 1:15:14 AM -0500
- CVE-2024-10568 - The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
  Published: December 12, 2024; 1:15:20 AM -0500
- CVE-2024-10518 - The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users s...
  Published: December 12, 2024; 1:15:20 AM -0500
- CVE-2024-10517 - The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users...
  Published: December 12, 2024; 1:15:20 AM -0500
- CVE-2024-10499 - The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its REST API endpoints before using it in a SQL statement, allowing admins to perform SQL injection attacks.
  Published: December 12, 2024; 1:15:20 AM -0500
- CVE-2024-11972 - The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, in...
  Published: December 31, 2024; 1:15:23 AM -0500
- CVE-2024-11842 - The DN Shipping by Weight for WooCommerce WordPress plugin before 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
  Published: December 27, 2024; 1:15:23 AM -0500
- CVE-2024-11841 - The Tithe.ly Giving Button WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and ab...
  Published: December 16, 2024; 1:15:05 AM -0500
- CVE-2024-48074 - An authorized RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4, where an attacker can place a malicious command into the table parameter of the doPPPoE function in the cgi-bin/mainfunction.cgi route, and finally the command i...
  Published: October 28, 2024; 8:15:15 AM -0400
- CVE-2024-8983 - Custom Twitter Feeds WordPress plugin before 2.2.3 is not filtering some of its settings, allowing high privilege users to inject scripts.
  Published: October 08, 2024; 2:15:02 AM -0400
- CVE-2024-7313 - The Shield Security WordPress plugin before 20.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
  Published: August 26, 2024; 2:15:04 AM -0400
- CVE-2024-6879 - The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allow contributor and above roles to perform Stored ...
  Published: August 26, 2024; 2:15:04 AM -0400