Auto-Update: 2025-01-22T13:00:43.090446+00:00

CVE-2024/CVE-2024-134xx/CVE-2024-13447.json

@@ -0,0 +1,68 @@
+{
+  "id": "CVE-2024-13447",
+  "sourceIdentifier": "security@wordfence.com",
+  "published": "2025-01-22T11:15:07.777",
+  "lastModified": "2025-01-22T11:15:07.777",
+  "vulnStatus": "Received",
+  "cveTags": [],
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a list of registered user emails."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security@wordfence.com",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+          "baseScore": 4.3,
+          "baseSeverity": "MEDIUM",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "LOW",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "NONE"
+        },
+        "exploitabilityScore": 2.8,
+        "impactScore": 1.4
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security@wordfence.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-862"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/assets/js/admin/admin.hotel-booking.js#L621",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://plugins.trac.wordpress.org/changeset/3225879/",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://wordpress.org/plugins/wp-hotel-booking/#developers",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc883e7e-af82-47e1-a0c0-122e6abd6b52?source=cve",
+      "source": "security@wordfence.com"
+    }
+  ]
+}

CVE-2024/CVE-2024-134xx/CVE-2024-13495.json

@@ -0,0 +1,68 @@
+{
+  "id": "CVE-2024-13495",
+  "sourceIdentifier": "security@wordfence.com",
+  "published": "2025-01-22T11:15:08.193",
+  "lastModified": "2025-01-22T11:15:08.193",
+  "vulnStatus": "Received",
+  "cveTags": [],
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "The The GamiPress \u2013 Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_ajax_get_logs() function in all versions up to, and including, 7.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security@wordfence.com",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+          "baseScore": 7.3,
+          "baseSeverity": "HIGH",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "LOW"
+        },
+        "exploitabilityScore": 3.9,
+        "impactScore": 3.4
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security@wordfence.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-94"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://plugins.trac.wordpress.org/browser/gamipress/trunk/includes/ajax-functions.php#L39",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://plugins.trac.wordpress.org/changeset/3226227/",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://wordpress.org/plugins/gamipress/#developers",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55fa8423-9a41-4afe-9401-03d232caa656?source=cve",
+      "source": "security@wordfence.com"
+    }
+  ]
+}

CVE-2024/CVE-2024-134xx/CVE-2024-13496.json

@@ -0,0 +1,72 @@
+{
+  "id": "CVE-2024-13496",
+  "sourceIdentifier": "security@wordfence.com",
+  "published": "2025-01-22T11:15:08.373",
+  "lastModified": "2025-01-22T11:15:08.373",
+  "vulnStatus": "Received",
+  "cveTags": [],
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "The GamiPress \u2013 Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018orderby\u2019 parameter in all versions up to, and including, 7.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security@wordfence.com",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+          "baseScore": 7.5,
+          "baseSeverity": "HIGH",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "HIGH",
+          "integrityImpact": "NONE",
+          "availabilityImpact": "NONE"
+        },
+        "exploitabilityScore": 3.9,
+        "impactScore": 3.6
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security@wordfence.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-89"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://plugins.trac.wordpress.org/browser/gamipress/trunk/includes/ajax-functions.php#L39",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://plugins.trac.wordpress.org/browser/gamipress/trunk/libraries/ct/includes/class-ct-query.php#L160",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://plugins.trac.wordpress.org/changeset/3226227/",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://wordpress.org/plugins/gamipress/#developers",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea54436c-b623-4049-af19-9995c312476e?source=cve",
+      "source": "security@wordfence.com"
+    }
+  ]
+}

CVE-2024/CVE-2024-134xx/CVE-2024-13499.json

@@ -0,0 +1,72 @@
+{
+  "id": "CVE-2024-13499",
+  "sourceIdentifier": "security@wordfence.com",
+  "published": "2025-01-22T11:15:08.533",
+  "lastModified": "2025-01-22T11:15:08.533",
+  "vulnStatus": "Received",
+  "cveTags": [],
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "The The GamiPress \u2013 Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipress_do_shortcode() function in all versions up to, and including, 7.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security@wordfence.com",
+        "type": "Primary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+          "baseScore": 7.3,
+          "baseSeverity": "HIGH",
+          "attackVector": "NETWORK",
+          "attackComplexity": "LOW",
+          "privilegesRequired": "NONE",
+          "userInteraction": "NONE",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "LOW",
+          "integrityImpact": "LOW",
+          "availabilityImpact": "LOW"
+        },
+        "exploitabilityScore": 3.9,
+        "impactScore": 3.4
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security@wordfence.com",
+      "type": "Primary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-94"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://plugins.trac.wordpress.org/browser/gamipress/trunk/includes/functions.php",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://plugins.trac.wordpress.org/browser/gamipress/trunk/includes/functions.php#L645",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://plugins.trac.wordpress.org/changeset/3226227/",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://wordpress.org/plugins/gamipress/#developers",
+      "source": "security@wordfence.com"
+    },
+    {
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b30ab159-ff3c-4d46-b182-f8938097b837?source=cve",
+      "source": "security@wordfence.com"
+    }
+  ]
+}

README.md

@@ -13,13 +13,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update
 
 ```plain
-2025-01-22T11:00:28.055375+00:00
+2025-01-22T13:00:43.090446+00:00
 ```
 
 ### Most recent CVE Modification Timestamp synchronized with NVD
 
 ```plain
-2025-01-22T10:15:07.737000+00:00
+2025-01-22T11:15:08.533000+00:00
 ```
 
 ### Last Data Feed Release
@@ -33,14 +33,17 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs
 
 ```plain
-278466
+278470
 ```
 
 ### CVEs added in the last Commit
 
-Recently added CVEs: `1`
+Recently added CVEs: `4`
 
-- [CVE-2022-23439](CVE-2022/CVE-2022-234xx/CVE-2022-23439.json) (`2025-01-22T10:15:07.737`)
+- [CVE-2024-13447](CVE-2024/CVE-2024-134xx/CVE-2024-13447.json) (`2025-01-22T11:15:07.777`)
+- [CVE-2024-13495](CVE-2024/CVE-2024-134xx/CVE-2024-13495.json) (`2025-01-22T11:15:08.193`)
+- [CVE-2024-13496](CVE-2024/CVE-2024-134xx/CVE-2024-13496.json) (`2025-01-22T11:15:08.373`)
+- [CVE-2024-13499](CVE-2024/CVE-2024-134xx/CVE-2024-13499.json) (`2025-01-22T11:15:08.533`)
 
 
 ### CVEs modified in the last Commit

_state.csv

@@ -192977,7 +192977,7 @@ CVE-2022-23434,0,0,3dc3dcfab060966d4ee5730ecc3968c62af77fd3914b7b88f24d05aeb1c52
 CVE-2022-23435,0,0,bbc2fa491afdf27dcea833104c1712ef1a9af57671ef24fe139f90482bfe982f,2024-11-21T06:48:33.113000
 CVE-2022-23437,0,0,46a7eb8a60ec3c48463c4980ec56bd032a751d98dc658c7d9a2007c5b118554e,2024-11-21T06:48:33.283000
 CVE-2022-23438,0,0,27feabfcd8a11bb61133f497f37b040b226fa91f757689bbcefe4c666d27dfd0,2024-11-21T06:48:33.510000
-CVE-2022-23439,1,1,043e5b50152a9f70ba3a6338c0f154ccf015389be185bf33b8674d711c5220be,2025-01-22T10:15:07.737000
+CVE-2022-23439,0,0,043e5b50152a9f70ba3a6338c0f154ccf015389be185bf33b8674d711c5220be,2025-01-22T10:15:07.737000
 CVE-2022-2344,0,0,6c243d20bbc7d779a6affd8aab92c8686492301e0bdb51c94b7832d826811099,2024-11-21T07:00:48.653000
 CVE-2022-23440,0,0,c3f782ea02c313f0bbf86b9e35066960c1ca64ab9241240514e4d62cafdaa1c6,2024-11-21T06:48:33.670000
 CVE-2022-23441,0,0,80ac54c9035b8a7c3e8a34006708493401d3cfc3100af1e79056564ef5f7095d,2024-11-21T06:48:33.810000
@@ -246067,12 +246067,16 @@ CVE-2024-13433,0,0,b744d44080e2e33c41984f231e71d8cc1252181c511f568444c5c86671c3e
 CVE-2024-13434,0,0,292fbae0324c9bc0e0a4304860c64d8e4dabea0f0444b12419bd12eebd083320,2025-01-17T05:15:09.290000
 CVE-2024-1344,0,0,3c7e3680ada5d2af6c947ff7713f6316fa39154980892782020553f5d0042cd7,2024-11-21T08:50:22.543000
 CVE-2024-13444,0,0,2a82e7dc36beac803abf8c10509e1ae610559c76a3585d9c1850f27a1808797c,2025-01-21T11:15:09.450000
+CVE-2024-13447,1,1,a103ae61959293a726fdc47498052185ef8168ea4410b87b04821193eaac3ef9,2025-01-22T11:15:07.777000
 CVE-2024-1345,0,0,7c212e7b361746cfecf33f6e4ed924489ff6a3a938083dd73fe4da2b7b4649da,2024-11-21T08:50:22.667000
 CVE-2024-13454,0,0,64bcb798150e96f58a909578ab30d46cff0e023968dc2b1dcc5267d8fae6c946,2025-01-21T20:15:30.793000
 CVE-2024-1346,0,0,67674c75c08ebc67974102102d05a3921f8c61d1fe386fe7de33f2c37b3bc24d,2024-11-21T08:50:22.793000
 CVE-2024-1347,0,0,b12a4cbf8e4f285872bf9a248874204d9208208e515ae74de2299237bb6626ad,2024-12-11T19:24:26.643000
 CVE-2024-1348,0,0,1859f4ea1d00e7386fbff1ae86e38e3076d8135556fc20b2256d2f026d728722,2024-11-21T08:50:23.040000
 CVE-2024-1349,0,0,8b85fafe827f099aa626e71779ca220a8bf1ec034e9ea4e44b28a687cd219e20,2024-12-31T17:15:36.763000
+CVE-2024-13495,1,1,7ba82927e3930c2cb6a7d1f568fd7c246464ed5b3f7c9c4431055a5bec2ad448,2025-01-22T11:15:08.193000
+CVE-2024-13496,1,1,936618627f845ba9cc9798cf205c2bbd4e19d9aa7fe11bf69036c2a8cbae283c,2025-01-22T11:15:08.373000
+CVE-2024-13499,1,1,fdec2fa425d6a94422e0b6dd68749531fdda49fd494a43529909b244ec9a2cf7,2025-01-22T11:15:08.533000
 CVE-2024-1350,0,0,ce11ba75737d3c0dc14aea45038ee6ef39f1db647d13879ee3f248d09a81697f,2024-11-21T08:50:23.313000
 CVE-2024-13502,0,0,ac2a41b6cd26a4157041ef83a41fb1ca5fe4741530d1e5a7cb1a80b922fa6ce0,2025-01-17T14:15:31.147000
 CVE-2024-13503,0,0,9a18f887782bddd42cf8f60b9b9da1ba6181ce424bb49fdf69f585a65e64cdd7,2025-01-17T14:15:31.317000