8 vulnerabilities found for Visual Website Collaboration, Feedback & Project Management – Atarim by wpfeedback
CVE-2024-12104 (GCVE-0-2024-12104)
Vulnerability from cvelistv5 – Published: 2025-01-21 09:21 – Updated: 2025-01-21 15:19
Title
Visual Website Collaboration, Feedback & Project Management – Atarim <= 4.0.9 - Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion
Summary
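The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpf_delete_file and wpf_delete_file functions in all versions up to, and including, 4.0.9. This makes it possible for unauthenticated attackers to delete project pages and files. (Note: the record names wpf_delete_file twice, so the second affected function is not identified here. The title says "Authenticated (Subscriber+)", while this summary and the CVSS vector (PR:N) describe unauthenticated access; when triaging, assume the less restrictive case and confirm against the linked Wordfence advisory.)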
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpfeedback | Visual Website Collaboration, Feedback & Project Management – Atarim | Affected: * , ≤ 4.0.9 (semver) |
Credits
Tieu Pham Trong Nhan
BrokenAC ignore
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T15:19:29.570056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T15:19:39.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "4.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
},
{
"lang": "en",
"type": "finder",
"value": "BrokenAC ignore"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpf_delete_file and wpf_delete_file functions in all versions up to, and including, 4.0.9. This makes it possible for unauthenticated attackers to delete project pages and files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T09:21:10.182Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d40c658-a156-470e-bf93-a1f2ccec9c61?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3225314%40atarim-visual-collaboration\u0026new=3225314%40atarim-visual-collaboration\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-20T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 4.0.9 - Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12104",
"datePublished": "2025-01-21T09:21:10.182Z",
"dateReserved": "2024-12-03T15:45:59.027Z",
"dateUpdated": "2025-01-21T15:19:39.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7621 (GCVE-0-2024-7621)
Vulnerability from cvelistv5 – Published: 2024-08-10 02:01 – Updated: 2024-08-12 16:40
Title
Visual Website Collaboration, Feedback & Project Management – Atarim <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Summary
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings, which can also be leveraged to gain access to the plugin's settings.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpfeedback | Visual Website Collaboration, Feedback & Project Management – Atarim | Affected: * , ≤ 4.0.2 (semver) |
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfeedback:visual_website_collaboration:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "visual_website_collaboration",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T16:38:21.568028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T16:40:37.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings which can also be leveraged to gain access to the plugin\u0027s settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-10T02:01:21.796Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f17e055-ad49-4115-89c5-dd76b6c531f7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_function.php?rev=3116009#L235"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3133163/atarim-visual-collaboration/trunk/inc/wpf_function.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-09T13:41:33.000+00:00",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7621",
"datePublished": "2024-08-10T02:01:21.796Z",
"dateReserved": "2024-08-08T17:27:46.997Z",
"dateUpdated": "2024-08-12T16:40:37.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2793 (GCVE-0-2024-2793)
Vulnerability from cvelistv5 – Published: 2024-05-31 04:31 – Updated: 2024-08-01 19:25
Title
Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.30 - Unauthenticated Stored Cross-Site Scripting
Summary
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to Stored Cross-Site Scripting via comments in all versions up to, and including, 3.30 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpfeedback | Visual Website Collaboration, Feedback & Project Management – Atarim | Affected: * , ≤ 3.30 (semver) |
Credits
Robert DeVore
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atarim:visual_collaboration:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "visual_collaboration",
"vendor": "atarim",
"versions": [
{
"lessThanOrEqual": "3.30",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-31T16:16:18.574464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:33.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd63003-d1d6-480a-8df7-878bcc89f1ee?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L505"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L666"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L1923"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3094999/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3094260/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "3.30",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert DeVore"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to Stored Cross-Site Scripting via comments in all versions up to, and including, 3.30 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-31T04:31:43.112Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd63003-d1d6-480a-8df7-878bcc89f1ee?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L505"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L666"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L1923"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3094999/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3094260/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 3.30 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2793",
"datePublished": "2024-05-31T04:31:43.112Z",
"dateReserved": "2024-03-21T17:43:34.529Z",
"dateUpdated": "2024-08-01T19:25:41.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2038 (GCVE-0-2024-2038)
Vulnerability from cvelistv5 – Published: 2024-05-23 06:46 – Updated: 2024-08-01 18:56
Title
Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.22.6 - Hardcoded Credentials
Summary
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.22.6. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to modify plugin settings, delete posts, modify post titles, and upload images.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpfeedback | Visual Website Collaboration, Feedback & Project Management – Atarim | Affected: * , ≤ 3.22.6 (semver) |
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atarim:visual_collaboration:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "visual_collaboration",
"vendor": "atarim",
"versions": [
{
"lessThanOrEqual": "3.22.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T15:48:03.433005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:19.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29532f4d-e830-4c99-ad77-076eebbbe98d?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/tags/3.18/inc/wpf_api.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old=3076514\u0026old_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php\u0026new=3090249\u0026new_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "3.22.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.22.6. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to modify plugin settings, delete posts, modify post titles, and upload images."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-23T06:46:02.833Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29532f4d-e830-4c99-ad77-076eebbbe98d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/tags/3.18/inc/wpf_api.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old=3076514\u0026old_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php\u0026new=3090249\u0026new_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-22T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 3.22.6 - Hardcoded Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2038",
"datePublished": "2024-05-23T06:46:02.833Z",
"dateReserved": "2024-02-29T20:32:44.783Z",
"dateUpdated": "2024-08-01T18:56:22.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12104 (GCVE-0-2024-12104)
Vulnerability from nvd – Published: 2025-01-21 09:21 – Updated: 2025-01-21 15:19
Title
Visual Website Collaboration, Feedback & Project Management – Atarim <= 4.0.9 - Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion
Summary
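The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpf_delete_file and wpf_delete_file functions in all versions up to, and including, 4.0.9. This makes it possible for unauthenticated attackers to delete project pages and files. (Note: the record names wpf_delete_file twice, so the second affected function is not identified here. The title says "Authenticated (Subscriber+)", while this summary and the CVSS vector (PR:N) describe unauthenticated access; when triaging, assume the less restrictive case and confirm against the linked Wordfence advisory.)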
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpfeedback | Visual Website Collaboration, Feedback & Project Management – Atarim | Affected: * , ≤ 4.0.9 (semver) |
Credits
Tieu Pham Trong Nhan
BrokenAC ignore
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T15:19:29.570056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T15:19:39.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "4.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
},
{
"lang": "en",
"type": "finder",
"value": "BrokenAC ignore"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpf_delete_file and wpf_delete_file functions in all versions up to, and including, 4.0.9. This makes it possible for unauthenticated attackers to delete project pages and files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T09:21:10.182Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d40c658-a156-470e-bf93-a1f2ccec9c61?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3225314%40atarim-visual-collaboration\u0026new=3225314%40atarim-visual-collaboration\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-20T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 4.0.9 - Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12104",
"datePublished": "2025-01-21T09:21:10.182Z",
"dateReserved": "2024-12-03T15:45:59.027Z",
"dateUpdated": "2025-01-21T15:19:39.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7621 (GCVE-0-2024-7621)
Vulnerability from nvd – Published: 2024-08-10 02:01 – Updated: 2024-08-12 16:40
Title
Visual Website Collaboration, Feedback & Project Management – Atarim <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Summary
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings, which can also be leveraged to gain access to the plugin's settings.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpfeedback | Visual Website Collaboration, Feedback & Project Management – Atarim | Affected: * , ≤ 4.0.2 (semver) |
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpfeedback:visual_website_collaboration:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "visual_website_collaboration",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T16:38:21.568028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T16:40:37.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "4.0.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings which can also be leveraged to gain access to the plugin\u0027s settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-10T02:01:21.796Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f17e055-ad49-4115-89c5-dd76b6c531f7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_function.php?rev=3116009#L235"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3133163/atarim-visual-collaboration/trunk/inc/wpf_function.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-09T13:41:33.000+00:00",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7621",
"datePublished": "2024-08-10T02:01:21.796Z",
"dateReserved": "2024-08-08T17:27:46.997Z",
"dateUpdated": "2024-08-12T16:40:37.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2793 (GCVE-0-2024-2793)
Vulnerability from nvd – Published: 2024-05-31 04:31 – Updated: 2024-08-01 19:25
Title
Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.30 - Unauthenticated Stored Cross-Site Scripting
Summary
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to Stored Cross-Site Scripting via comments in all versions up to, and including, 3.30 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpfeedback | Visual Website Collaboration, Feedback & Project Management – Atarim | Affected: * , ≤ 3.30 (semver) |
Credits
Robert DeVore
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atarim:visual_collaboration:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "visual_collaboration",
"vendor": "atarim",
"versions": [
{
"lessThanOrEqual": "3.30",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2793",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-31T16:16:18.574464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:33.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.756Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd63003-d1d6-480a-8df7-878bcc89f1ee?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L505"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L666"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L1923"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3094999/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3094260/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "3.30",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert DeVore"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to Stored Cross-Site Scripting via comments in all versions up to, and including, 3.30 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-31T04:31:43.112Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bd63003-d1d6-480a-8df7-878bcc89f1ee?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L505"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L666"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_ajax_functions.php#L1923"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3094999/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3094260/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 3.30 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2793",
"datePublished": "2024-05-31T04:31:43.112Z",
"dateReserved": "2024-03-21T17:43:34.529Z",
"dateUpdated": "2024-08-01T19:25:41.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2038 (GCVE-0-2024-2038)
Vulnerability from nvd – Published: 2024-05-23 06:46 – Updated: 2024-08-01 18:56
Title
Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.22.6 - Hardcoded Credentials
Summary
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.22.6. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to modify plugin settings, delete posts, modify post titles, and upload images.
Severity
7.5 (High) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpfeedback | Visual Website Collaboration, Feedback & Project Management – Atarim | Affected: * , ≤ 3.22.6 (semver) |
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atarim:visual_collaboration:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "visual_collaboration",
"vendor": "atarim",
"versions": [
{
"lessThanOrEqual": "3.22.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T15:48:03.433005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:19.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29532f4d-e830-4c99-ad77-076eebbbe98d?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/tags/3.18/inc/wpf_api.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old=3076514\u0026old_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php\u0026new=3090249\u0026new_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim",
"vendor": "wpfeedback",
"versions": [
{
"lessThanOrEqual": "3.22.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.22.6. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to modify plugin settings, delete posts, modify post titles, and upload images."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-259 Use of Hard-coded Password",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-23T06:46:02.833Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29532f4d-e830-4c99-ad77-076eebbbe98d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/tags/3.18/inc/wpf_api.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old=3076514\u0026old_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php\u0026new=3090249\u0026new_path=atarim-visual-collaboration%2Ftrunk%2Fatarim-visual-collaboration.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-22T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Visual Website Collaboration, Feedback \u0026 Project Management \u2013 Atarim \u003c= 3.22.6 - Hardcoded Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2038",
"datePublished": "2024-05-23T06:46:02.833Z",
"dateReserved": "2024-02-29T20:32:44.783Z",
"dateUpdated": "2024-08-01T18:56:22.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}