diff --git a/2024/11xxx/CVE-2024-11297.json b/2024/11xxx/CVE-2024-11297.json
index 786d4877d40..9b071cdcc0d 100644
--- a/2024/11xxx/CVE-2024-11297.json
+++ b/2024/11xxx/CVE-2024-11297.json
@@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11297", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", + "cweId": "CWE-200" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "cyberlord92", + "product": { + "product_data": [ + { + "product_name": "Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.3.6" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d12ab8c-d5d0-4e02-986e-e894fae073e5?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d12ab8c-d5d0-4e02-986e-e894fae073e5?source=cve" + }, + { + "url": "https://wordpress.org/plugins/page-and-post-restriction/", + "refsource": "MISC", + "name": 
"https://wordpress.org/plugins/page-and-post-restriction/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Francesco Carlucci" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "baseScore": 5.3, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11331.json b/2024/11xxx/CVE-2024-11331.json index 21deb665b27..badc6c6033d 100644 --- a/2024/11xxx/CVE-2024-11331.json +++ b/2024/11xxx/CVE-2024-11331.json 
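Review bot: The affects block records only `"version_affected": "<="` with `"version_value": "1.3.6"` and no entry marking a fixed release, so a consumer of this record cannot tell whether a patched version exists without following the Wordfence reference. If the advisory names a fixed release, a second `version_data` entry using the format's `!`-style `version_affected` marker, or the fixed version stated in the description, would make the record self-contained. The same gap is present in the other twelve records in this diff. Separately, `description` and `problemtype` tag their text with `"lang": "eng"` while the new `credits` entry uses `"lang": "en"`; two language-tag conventions in one record complicate validation, although this may simply be what the exporter emits for every Wordfence-assigned record.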
@@ -1,17 +1,95 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11331", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0645\u062d\u0635\u0648\u0644\u0627\u062a \u0648\u0648\u06a9\u0627\u0645\u0631\u0633 \u0628\u0631\u0627\u06cc \u0622\u06cc\u0633\u06cc plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "sisoog", + "product": { + "product_data": [ + { + "product_name": "\u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0645\u062d\u0635\u0648\u0644\u0627\u062a \u0648\u0648\u06a9\u0627\u0645\u0631\u0633 \u0628\u0631\u0627\u06cc \u0622\u06cc\u0633\u06cc", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.1.3" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af0cc02a-b6dd-4058-b686-9c9a3a4a5962?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af0cc02a-b6dd-4058-b686-9c9a3a4a5962?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/isee-products-extractor/tags/2.1.2/admin/pages/products_list.php#L92", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/isee-products-extractor/tags/2.1.2/admin/pages/products_list.php#L92" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/isee-products-extractor/tags/2.1.2/admin/pages/products_list.php#L99", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/isee-products-extractor/tags/2.1.2/admin/pages/products_list.php#L99" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/isee-products-extractor/tags/2.1.2/admin/pages/products_list.php#L105", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/isee-products-extractor/tags/2.1.2/admin/pages/products_list.php#L105" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Dale Mavers" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", 
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11411.json b/2024/11xxx/CVE-2024-11411.json index 24e69ce11de..7f812f65510 100644 --- a/2024/11xxx/CVE-2024-11411.json +++ b/2024/11xxx/CVE-2024-11411.json 
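Review bot: The three trac references point at `tags/2.1.2/admin/pages/products_list.php`, while the affects block states that all versions up to and including 2.1.3 are vulnerable, so the cited source lines are not taken from the last affected release. Unless the 2.1.3 tag lacks that file, the links should reference `tags/2.1.3/admin/pages/products_list.php`, and the `#L92`/`#L99`/`#L105` anchors should be re-checked against that tag since line numbers may differ between releases.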
@@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11411", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Spotlightr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotlightr-v' shortcode in all versions up to, and including, 0.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "socratous139", + "product": { + "product_data": [ + { + "product_name": "Spotlightr", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "0.1.9" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/475f2758-27a5-4a36-8085-576ee341938b?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/475f2758-27a5-4a36-8085-576ee341938b?source=cve" + }, + { + "url": "https://wordpress.org/plugins/spotlightr/", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/spotlightr/" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/spotlightr/trunk/spotlightr.php", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/spotlightr/trunk/spotlightr.php" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "SOPROBRO" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11774.json b/2024/11xxx/CVE-2024-11774.json index 9e83b89cca0..31d68e0c399 100644 --- a/2024/11xxx/CVE-2024-11774.json +++ b/2024/11xxx/CVE-2024-11774.json 
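Review bot: The source reference points at `trunk/spotlightr.php`, which is a moving target: once the maintainer commits a fix, the trunk file no longer shows the code the advisory describes, and the record's evidence silently goes stale. Pinning the reference to the affected release (presumably `tags/0.1.9/spotlightr.php`, if the plugin's SVN carries that tag) keeps it stable. The same trunk-pinned links, several with `#L…` line anchors that shift on the next commit, appear in the records for CVE-2024-11774, CVE-2024-11775, CVE-2024-11784, CVE-2024-11806, CVE-2024-11812 and CVE-2024-11893, whereas CVE-2024-11783, CVE-2024-11878 and CVE-2024-12506 already cite a tagged path.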
@@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11774", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Outdooractive Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list2go' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "outdooractive", + "product": { + "product_data": [ + { + "product_name": "Outdooractive Embed", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.5" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d152271f-af5c-4faf-9945-483b69b716f2?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d152271f-af5c-4faf-9945-483b69b716f2?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/outdooractive-embed/trunk/shortcodes.php#L49", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/outdooractive-embed/trunk/shortcodes.php#L49" + }, + { + "url": "https://wordpress.org/plugins/outdooractive-embed/", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/outdooractive-embed/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Djaidja Moundjid" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11775.json b/2024/11xxx/CVE-2024-11775.json index cd11d3a7240..400f769fbfe 100644 --- a/2024/11xxx/CVE-2024-11775.json +++ b/2024/11xxx/CVE-2024-11775.json 
@@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11775", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Particle Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'particleground' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "aasthasolutions", + "product": { + "product_data": [ + { + "product_name": "Particle Background", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.0.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42cf84d1-37f5-41c1-838d-67244f17c55d?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42cf84d1-37f5-41c1-838d-67244f17c55d?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/particle-background/trunk/particleground.php#L59", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/particle-background/trunk/particleground.php#L59" + }, + { + "url": "https://wordpress.org/plugins/particle-background/", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/particle-background/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Djaidja Moundjid" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11783.json b/2024/11xxx/CVE-2024-11783.json index a41ee9a9ce0..ab2feacfc5d 100644 --- a/2024/11xxx/CVE-2024-11783.json +++ b/2024/11xxx/CVE-2024-11783.json 
@@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11783", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Financial Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'finance_calculator' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "financecalculatorwp", + "product": { + "product_data": [ + { + "product_name": "Financial Calculator", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.2.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9314970-1030-4488-8147-05ba1453182c?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9314970-1030-4488-8147-05ba1453182c?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/finance-calculator-with-application-form/tags/2.2.1/finance-calculator-with-aplication-form.php#L604", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/finance-calculator-with-application-form/tags/2.2.1/finance-calculator-with-aplication-form.php#L604" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Peter Thaleikis" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11784.json b/2024/11xxx/CVE-2024-11784.json index 40ac8872a3d..df46ac01988 100644 --- a/2024/11xxx/CVE-2024-11784.json +++ b/2024/11xxx/CVE-2024-11784.json 
@@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11784", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Sell Tickets Online \u2013 TicketSource Ticket Shop for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticketshop' shortcode in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "ticketsource", + "product": { + "product_data": [ + { + "product_name": "Sell Tickets Online \u2013 TicketSource Ticket Shop", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "3.0.2" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/970826cf-316d-4fce-ac90-bf338c5ef3e4?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/970826cf-316d-4fce-ac90-bf338c5ef3e4?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/ticketsource-events/trunk/includes/ticketsource-events-build.php#L37", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/ticketsource-events/trunk/includes/ticketsource-events-build.php#L37" + }, + { + "url": "https://wordpress.org/plugins/ticketsource-events/", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/ticketsource-events/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Youcef Hamdani" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11806.json b/2024/11xxx/CVE-2024-11806.json index 307575df94c..8c58b6c3946 100644 --- a/2024/11xxx/CVE-2024-11806.json +++ b/2024/11xxx/CVE-2024-11806.json 
@@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11806", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The PKT1 Centro de envios plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'success' and 'error' parameters in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "carlosfrancopkt1", + "product": { + "product_data": [ + { + "product_name": "PKT1 Centro de envios", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.2.1" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c924b317-97ec-43b8-9bf3-ed7618743de7?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c924b317-97ec-43b8-9bf3-ed7618743de7?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/pkt1-centro-de-envios/trunk/views/admin/settings_page.php#L8", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/pkt1-centro-de-envios/trunk/views/admin/settings_page.php#L8" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Dale Mavers" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11812.json b/2024/11xxx/CVE-2024-11812.json index 4ff028eaf9a..fdd80ac5939 100644 --- a/2024/11xxx/CVE-2024-11812.json +++ b/2024/11xxx/CVE-2024-11812.json 
@@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11812", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Wtyczka SeoPilot dla WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.091. This is due to missing or incorrect nonce validation on the SeoPilot_Admin_Options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-352 Cross-Site Request Forgery (CSRF)", + "cweId": "CWE-352" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "seopilot", + "product": { + "product_data": [ + { + "product_name": "Wtyczka SeoPilot dla WP", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "3.3.091" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5efb2fbe-d839-4fb1-80bb-91adf0d39a2b?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5efb2fbe-d839-4fb1-80bb-91adf0d39a2b?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/wtyczka-seopilot-dla-wp/trunk/seopilot.php#L88", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/wtyczka-seopilot-dla-wp/trunk/seopilot.php#L88" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "SOPROBRO" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "baseScore": 6.1, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11878.json b/2024/11xxx/CVE-2024-11878.json index 4bc5e8e9cf3..4c8d40a1441 100644 --- a/2024/11xxx/CVE-2024-11878.json +++ b/2024/11xxx/CVE-2024-11878.json 
@@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11878", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Category Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'category-post-slider' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "gbsdeveloper", + "product": { + "product_data": [ + { + "product_name": "Category Post Slider", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "1.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e312e3eb-0da9-4ecf-aec6-86bfe08417f5?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e312e3eb-0da9-4ecf-aec6-86bfe08417f5?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/category-post-slider/tags/1.4/category-post-slider.php#L189", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/category-post-slider/tags/1.4/category-post-slider.php#L189" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Peter Thaleikis" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/11xxx/CVE-2024-11893.json b/2024/11xxx/CVE-2024-11893.json index 4c2536545e5..60b8b00192d 100644 --- a/2024/11xxx/CVE-2024-11893.json +++ b/2024/11xxx/CVE-2024-11893.json 
@@ -1,17 +1,90 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-11893", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Spoki \u2013 Chat Buttons and WooCommerce Notifications plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spoki_button' shortcode in all versions up to, and including, 2.15.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "spoki", + "product": { + "product_data": [ + { + "product_name": "Spoki \u2013 Chat Buttons and WooCommerce Notifications", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "2.15.14" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba965a6a-68ed-4383-93a7-593418df34a5?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ba965a6a-68ed-4383-93a7-593418df34a5?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/spoki/trunk/spoki.php#L1256", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/spoki/trunk/spoki.php#L1256" + }, + { + "url": "https://wordpress.org/plugins/spoki/", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/spoki/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Youcef Hamdani" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12506.json b/2024/12xxx/CVE-2024-12506.json index 890c725bafb..cb74aac7cb7 100644 --- a/2024/12xxx/CVE-2024-12506.json +++ b/2024/12xxx/CVE-2024-12506.json 
@@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12506", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The NACC WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nacc' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "magblogapi", + "product": { + "product_data": [ + { + "product_name": "NACC WordPress Plugin", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "4.1.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d992b9dd-dfd1-497c-b09f-cca02dc87e34?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d992b9dd-dfd1-497c-b09f-cca02dc87e34?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L68", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L68" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L85", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L85" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L98", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L98" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L135", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/nacc-wordpress-plugin/tags/4.1.0/nacc-wordpress-plugin.php#L135" + } + ] + }, + "credits": [ + { + "lang": "en", + 
"value": "muhammad yudha" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12509.json b/2024/12xxx/CVE-2024-12509.json index d5cf9a833a5..d65226d946c 100644 --- a/2024/12xxx/CVE-2024-12509.json +++ b/2024/12xxx/CVE-2024-12509.json 
@@ -1,17 +1,85 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12509", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Embed Twine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embed_twine' shortcode in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "cweId": "CWE-79" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "rluks", + "product": { + "product_data": [ + { + "product_name": "Embed Twine", + "version": { + "version_data": [ + { + "version_affected": "<=", + "version_name": "*", + "version_value": "0.1.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/647f0b46-ac12-445b-9d41-66eba3eb2b1a?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/647f0b46-ac12-445b-9d41-66eba3eb2b1a?source=cve" + }, + { + "url": "https://wordpress.org/plugins/embed-twine/", + "refsource": "MISC", + "name": "https://wordpress.org/plugins/embed-twine/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "SOPROBRO" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", + "baseScore": 6.4, + "baseSeverity": "MEDIUM" } ] } diff --git a/2024/12xxx/CVE-2024-12571.json b/2024/12xxx/CVE-2024-12571.json index 30abd4511c4..666e88eb0cb 100644 --- a/2024/12xxx/CVE-2024-12571.json +++ b/2024/12xxx/CVE-2024-12571.json 
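Review bot: The record gives an affected range (`"version_affected": "<="`, `"version_value": "0.1.0"`) but no fixed or unaffected version, and its only non-advisory reference is the plugin listing page, so a reader cannot tell from this file whether 0.1.0 is the last vulnerable release or simply the last release. If the Wordfence advisory names a patched version, it should be recorded in `version_data`; if the plugin is unpatched, a note to that effect in the description would save readers a lookup. The NACC record earlier in this same commit cites `plugins.trac.wordpress.org/.../tags/<version>/<file>#L<n>` for the vulnerable code; a matching reference to the `embed_twine` shortcode handler in tag 0.1.0 would make this record equally verifiable. Minor: `credits` uses `"lang": "en"` while `description_data` and `problemtype` use `"eng"`; if the schema accepts both this is harmless, but a single code throughout the record is easier to validate.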
@@ -1,17 +1,84 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2024-12571", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security@wordfence.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "The Store Locator for WordPress with Google Maps \u2013 LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included." 
+ } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", + "cweId": "CWE-98" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "moaluko", + "product": { + "product_data": [ + { + "product_name": "Store Locator for WordPress with Google Maps \u2013 LotsOfLocales", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "3.98.9" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea89a6e-e089-4e8d-afd8-2a217f6910a6?source=cve", + "refsource": "MISC", + "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea89a6e-e089-4e8d-afd8-2a217f6910a6?source=cve" + }, + { + "url": "https://plugins.trac.wordpress.org/browser/store-locator/trunk/sl-functions.php#L1919", + "refsource": "MISC", + "name": "https://plugins.trac.wordpress.org/browser/store-locator/trunk/sl-functions.php#L1919" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "Jay Nguyen" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "baseScore": 9.8, + "baseSeverity": "CRITICAL" } ] }
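Review bot: The code reference points at `trunk/sl-functions.php#L1919` rather than the affected release, so the line anchor will drift or disappear as soon as trunk changes, and a patched trunk would no longer show the vulnerable `sl_engine` include at that line. A tag-pinned reference such as `https://plugins.trac.wordpress.org/browser/store-locator/tags/3.98.9/sl-functions.php#L1919` (line number to be confirmed against the tag) stays reproducible. The record also pins a single version with `"version_affected": "="` and states no fixed version, so it is unclear whether earlier releases that share the same include path are affected or whether a fix exists; if the advisory supports a `<=` range or a patched version, recording it here would make the affected set unambiguous for consumers of this data.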