Latest CVEs
Updates on the latest vulnerabilities detected.
CVE-2025-0968 - Elementor ElementsKit Sensitive Information Exposure Vulnerability
CVE ID: CVE-2025-0968
Published: Feb. 19, 2025, 12:15 p.m.
Description: The ElementsKit Elementor addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.0 due to a missing capability check on the get_megamenu_content() function. This makes it possible for unauthenticated attackers to view any item created in Elementor, such as posts, pages and templates including drafts, trashed and private items.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE-2025-0916 - WordPress YaySMTP Stored Cross-Site Scripting Vulnerability
CVE ID: CVE-2025-0916
Published: Feb. 19, 2025, 12:15 p.m.
Description: The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function.
Severity: 7.2 | HIGH

CVE-2024-13534 - WordPress Small Package Quotes - Worldwide Express Edition SQL Injection
CVE ID: CVE-2024-13534
Published: Feb. 19, 2025, 12:15 p.m.
Description: The Small Package Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 5.2.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2024-13533 - USPS Small Package Quotes for WordPress SQL Injection
CVE ID: CVE-2024-13533
Published: Feb. 19, 2025, 12:15 p.m.
Description: The Small Package Quotes – USPS Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' parameter in all versions up to, and including, 1.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2024-13491 - FedEx WordPress SQL Injection
CVE ID: CVE-2024-13491
Published: Feb. 19, 2025, 12:15 p.m.
Description: The Small Package Quotes – For Customers of FedEx plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 4.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2024-13485 - ABF Freight Quotes – WordPress SQL Injection
CVE ID: CVE-2024-13485
Published: Feb. 19, 2025, 12:15 p.m.
Description: The LTL Freight Quotes – ABF Freight Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 3.3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2024-13483 - SAIA LTL Freight Quotes WordPress Plugin SQL Injection Vulnerability
CVE ID: CVE-2024-13483
Published: Feb. 19, 2025, 12:15 p.m.
Description: The LTL Freight Quotes – SAIA Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 2.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2024-13481 - R+L Carriers WordPress Plugin SQL Injection Vulnerability
CVE ID: CVE-2024-13481
Published: Feb. 19, 2025, 12:15 p.m.
Description: The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 3.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2024-13479 - LTL Freight Quotes - SEFL Edition WordPress SQL Injection
CVE ID: CVE-2024-13479
Published: Feb. 19, 2025, 12:15 p.m.
Description: The LTL Freight Quotes – SEFL Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 3.2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2024-13478 - TForce Edition WordPress LTL Freight Quotes Plugin SQL Injection Vulnerability
CVE ID: CVE-2024-13478
Published: Feb. 19, 2025, 12:15 p.m.
Description: The LTL Freight Quotes – TForce Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2025-1075 - Checkmk GmbH Checkmk Apache Log Injection Vulnerability
CVE ID: CVE-2025-1075
Published: Feb. 19, 2025, 10:15 a.m.
Description: Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions 2.3.0p27, 2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to the Apache error log file accessible to administrators.
Severity: 0.0 | NA

CVE-2024-13489 - Old Dominion WordPress LTL Freight Quotes Plugin SQL Injection Vulnerability
CVE ID: CVE-2024-13489
Published: Feb. 19, 2025, 10:15 a.m.
Description: The LTL Freight Quotes – Old Dominion Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 4.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH

CVE-2025-1135 - ChurchCRM SQL Injection Vulnerability
CVE ID: CVE-2025-1135
Published: Feb. 19, 2025, 9:15 a.m.
Description: A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. Please note the vulnerability requires Administrator privileges.
Severity: 0.0 | NA

CVE-2025-1134 - ChurchCRM SQL Injection Vulnerability
CVE ID: CVE-2025-1134
Published: Feb. 19, 2025, 9:15 a.m.
Description: A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. Please note that this vulnerability requires Administrator privileges.
Severity: 0.0 | NA

CVE-2025-1133 - ChurchCRM SQL Injection Vulnerability
CVE ID: CVE-2025-1133
Published: Feb. 19, 2025, 9:15 a.m.
Description: A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion. Please note that this vulnerability requires Administrator privileges.
Severity: 0.0 | NA

CVE-2025-1132 - ChurchCRM SQL Injection
CVE ID: CVE-2025-1132
Published: Feb. 19, 2025, 9:15 a.m.
Description: A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the vulnerability requires Administrator permissions. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved.
Severity: 0.0 | NA

CVE-2025-1024 - ChurchCRM Reflected Cross-Site Scripting Vulnerability
CVE ID: CVE-2025-1024
Published: Feb. 19, 2025, 9:15 a.m.
Description: A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application.
Severity: 0.0 | NA

CVE-2025-1007 - OpenVSX Unauthenticated Namespace Details and Logo Manipulation Vulnerability
CVE ID: CVE-2025-1007
Published: Feb. 19, 2025, 9:15 a.m.
Description: In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo.
Severity: 0.0 | NA

CVE-2024-13364 - Raptive Ads Plugin WordPress Unauthorized Access Vulnerability
CVE ID: CVE-2024-13364
Published: Feb. 19, 2025, 9:15 a.m.
Description: The Raptive Ads plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the site_ads_files_reset() and cls_file_reset() functions in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to reset the ad and cls files.
Severity: 5.3 | MEDIUM

CVE-2024-13363 - WordPress Raptive Ads Reflected Cross-Site Scripting Vulnerability
CVE ID: CVE-2024-13363
Published: Feb. 19, 2025, 9:15 a.m.
Description: The Raptive Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'poc' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM