Search criteria
6 vulnerabilities found for ahathat by mitchelllevy
FKIE_CVE-2024-11269
Vulnerability from fkie_nvd - Published: 2025-05-15 20:15 - Updated: 2025-06-12 16:58
Severity ?
Summary
The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/3ad89687-adb0-4c45-938c-0c18fda7f36f/ | Exploit, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://wpscan.com/vulnerability/3ad89687-adb0-4c45-938c-0c18fda7f36f/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mitchelllevy | ahathat | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mitchelllevy:ahathat:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "9BC16ABB-53C5-4DEF-9F18-FEE4D1906E4B",
"versionEndIncluding": "1.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks."
},
{
"lang": "es",
"value": "El complemento AHAthat de WordPress hasta la versi\u00f3n 1.6 no depura ni escapa un par\u00e1metro antes de usarlo en una declaraci\u00f3n SQL, lo que permite al administrador realizar ataques de inyecci\u00f3n SQL."
}
],
"id": "CVE-2024-11269",
"lastModified": "2025-06-12T16:58:51.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-05-15T20:15:34.797",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/3ad89687-adb0-4c45-938c-0c18fda7f36f/"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/3ad89687-adb0-4c45-938c-0c18fda7f36f/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-12595
Vulnerability from fkie_nvd - Published: 2025-01-02 06:15 - Updated: 2025-06-12 17:04
Severity ?
Summary
The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/ | Exploit, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mitchelllevy | ahathat | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mitchelllevy:ahathat:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "9BC16ABB-53C5-4DEF-9F18-FEE4D1906E4B",
"versionEndIncluding": "1.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER[\u0027REQUEST_URI\u0027] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers"
},
{
"lang": "es",
"value": "El complemento de WordPress AHAthat Plugin hasta la versi\u00f3n 1.6 no escapa del par\u00e1metro $_SERVER[\u0027REQUEST_URI\u0027] antes de devolverlo en un atributo, lo que podr\u00eda provocar Cross-Site Scripting reflejado en navegadores web antiguos."
}
],
"id": "CVE-2024-12595",
"lastModified": "2025-06-12T17:04:11.687",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-01-02T06:15:07.983",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-11269 (GCVE-0-2024-11269)
Vulnerability from cvelistv5 – Published: 2025-05-15 20:06 – Updated: 2025-05-20 19:34
VLAI?
Title
AHAthat Plugin <= 1.6 - Admin+ SQL Injection
Summary
The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.
Severity ?
7.2 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | AHAthat Plugin |
Affected:
0 , ≤ 1.6
(semver)
|
Credits
Régis SENET
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-11269",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T18:56:37.453460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T19:34:35.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://wpscan.com/vulnerability/3ad89687-adb0-4c45-938c-0c18fda7f36f/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AHAthat Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "R\u00e9gis SENET"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T20:06:49.100Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/3ad89687-adb0-4c45-938c-0c18fda7f36f/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "AHAthat Plugin \u003c= 1.6 - Admin+ SQL Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-11269",
"datePublished": "2025-05-15T20:06:49.100Z",
"dateReserved": "2024-11-15T18:03:33.548Z",
"dateUpdated": "2025-05-20T19:34:35.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12595 (GCVE-0-2024-12595)
Vulnerability from cvelistv5 – Published: 2025-01-02 06:00 – Updated: 2025-01-06 20:26
VLAI?
Title
AHAthat Plugin <= 1.6 - Reflected XSS via REQUEST_URI
Summary
The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
Severity ?
4.7 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | AHAthat Plugin |
Affected:
0 , ≤ 1.6
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12595",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T20:25:53.804596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T20:26:50.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AHAthat Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER[\u0027REQUEST_URI\u0027] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T06:00:13.479Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "AHAthat Plugin \u003c= 1.6 - Reflected XSS via REQUEST_URI",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-12595",
"datePublished": "2025-01-02T06:00:13.479Z",
"dateReserved": "2024-12-12T22:04:10.012Z",
"dateUpdated": "2025-01-06T20:26:50.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11269 (GCVE-0-2024-11269)
Vulnerability from nvd – Published: 2025-05-15 20:06 – Updated: 2025-05-20 19:34
VLAI?
Title
AHAthat Plugin <= 1.6 - Admin+ SQL Injection
Summary
The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks.
Severity ?
7.2 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | AHAthat Plugin |
Affected:
0 , ≤ 1.6
(semver)
|
Credits
Régis SENET
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-11269",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T18:56:37.453460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T19:34:35.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://wpscan.com/vulnerability/3ad89687-adb0-4c45-938c-0c18fda7f36f/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AHAthat Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "R\u00e9gis SENET"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing Admin to perform SQL injection attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T20:06:49.100Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/3ad89687-adb0-4c45-938c-0c18fda7f36f/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "AHAthat Plugin \u003c= 1.6 - Admin+ SQL Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-11269",
"datePublished": "2025-05-15T20:06:49.100Z",
"dateReserved": "2024-11-15T18:03:33.548Z",
"dateUpdated": "2025-05-20T19:34:35.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12595 (GCVE-0-2024-12595)
Vulnerability from nvd – Published: 2025-01-02 06:00 – Updated: 2025-01-06 20:26
VLAI?
Title
AHAthat Plugin <= 1.6 - Reflected XSS via REQUEST_URI
Summary
The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
Severity ?
4.7 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | AHAthat Plugin |
Affected:
0 , ≤ 1.6
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12595",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T20:25:53.804596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T20:26:50.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "AHAthat Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER[\u0027REQUEST_URI\u0027] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T06:00:13.479Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/7a506438-3106-477f-816d-b9b116ec8555/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "AHAthat Plugin \u003c= 1.6 - Reflected XSS via REQUEST_URI",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-12595",
"datePublished": "2025-01-02T06:00:13.479Z",
"dateReserved": "2024-12-12T22:04:10.012Z",
"dateUpdated": "2025-01-06T20:26:50.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}