
108 vulnerabilities by automattic

CVE-2023-7320 (GCVE-0-2023-7320)

Vulnerability from cvelistv5 – Published: 2025-10-29 06:45 – Updated: 2025-10-29 14:19
Summary
The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information, including PII (Personally Identifiable Information).
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
automattic WooCommerce Affected: * , ≤ 7.8.2 (semver)
Credits
osama-hamad

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7320",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-29T13:57:52.747432Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-29T14:19:46.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WooCommerce",
          "vendor": "automattic",
          "versions": [
            {
              "lessThanOrEqual": "7.8.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "osama-hamad"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API\u0027s REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII(Personal Identifiable Information)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T06:45:48.702Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b2d1879-c337-41c9-9f47-f9c2fe8e5928?source=cve"
        },
        {
          "url": "https://wpscan.com/vulnerability/d1cec296-b5df-4cea-8c0d-d03a975cb6af"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2939652@woocommerce/trunk\u0026old=2933569@woocommerce/trunk\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-11T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "WooCommerce \u003c= 7.8.2 - Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-7320",
    "datePublished": "2025-10-29T06:45:48.702Z",
    "dateReserved": "2025-10-28T18:04:16.931Z",
    "dateUpdated": "2025-10-29T14:19:46.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49042 (GCVE-0-2025-49042)

Vulnerability from cvelistv5 – Published: 2025-10-29 04:50 – Updated: 2025-10-29 13:31
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 10.0.2.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Automattic WooCommerce Affected: n/a , ≤ 10.0.2 (custom)
Credits
savphill | Patchstack Bug Bounty Program

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49042",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-29T13:31:11.476667Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-29T13:31:19.805Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "woocommerce",
          "product": "WooCommerce",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "10.0.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "10.0.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:automattic:woocommerce:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "10.0.2",
                  "versionStartIncluding": "n/a",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "savphill | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.\u003cp\u003eThis issue affects WooCommerce: from n/a through 10.0.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through 10.0.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T04:50:12.507Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vdp.patchstack.com/database/wordpress/plugin/woocommerce/security-policy/vdp/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress WooCommerce plugin to the latest available version (at least 10.0.3)."
            }
          ],
          "value": "Update the WordPress WooCommerce plugin to the latest available version (at least 10.0.3)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress WooCommerce plugin \u003c= 10.0.2 - Cross Site Scripting (XSS) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-49042",
    "datePublished": "2025-10-29T04:50:12.507Z",
    "dateReserved": "2025-05-30T14:04:26.750Z",
    "dateUpdated": "2025-10-29T13:31:19.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-58674 (GCVE-0-2025-58674)

Vulnerability from cvelistv5 – Published: 2025-09-23 18:47 – Updated: 2025-10-01 08:35
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is a low-severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. [Note: the "working on a fix" wording predates the release; the record's solutions field lists patched versions, from 6.8.3 for the 6.8 branch down to 4.7.31 for the 4.7 branch.]
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
WordPress WordPress Affected: 6.8 , ≤ 6.8.2 (custom)
Affected: 6.7 , ≤ 6.7.3 (custom)
Affected: 6.6 , ≤ 6.6.3 (custom)
Affected: 6.5 , ≤ 6.5.6 (custom)
Affected: 6.4 , ≤ 6.4.6 (custom)
Affected: 6.3 , ≤ 6.3.6 (custom)
Affected: 6.2 , ≤ 6.2.7 (custom)
Affected: 6.1 , ≤ 6.1.8 (custom)
Affected: 6.0 , ≤ 6.0.10 (custom)
Affected: 5.9 , ≤ 5.9.11 (custom)
Affected: 5.8 , ≤ 5.8.11 (custom)
Affected: 5.7 , ≤ 5.7.13 (custom)
Affected: 5.6 , ≤ 5.6.15 (custom)
Affected: 5.5 , ≤ 5.5.16 (custom)
Affected: 5.4 , ≤ 5.4.17 (custom)
Affected: 5.3 , ≤ 5.3.19 (custom)
Affected: 5.2 , ≤ 5.2.22 (custom)
Affected: 5.1 , ≤ 5.1.20 (custom)
Affected: 5.0 , ≤ 5.0.23 (custom)
Affected: 4.9 , ≤ 4.9.27 (custom)
Affected: 4.8 , ≤ 4.8.26 (custom)
Affected: 4.7 , ≤ 4.7.30 (custom)
Credits
savphill (Patchstack Bug Bounty Program) John Blackbourn (WordPress core security team lead)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58674",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-23T19:15:09.886956Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-23T19:17:35.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WordPress",
          "repo": "https://github.com/WordPress/WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.8.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.8.2",
              "status": "affected",
              "version": "6.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.7.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.7.3",
              "status": "affected",
              "version": "6.7",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.6.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.6.3",
              "status": "affected",
              "version": "6.6",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.5.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.5.6",
              "status": "affected",
              "version": "6.5",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.4.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.4.6",
              "status": "affected",
              "version": "6.4",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.3.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.3.6",
              "status": "affected",
              "version": "6.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.2.8",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.2.7",
              "status": "affected",
              "version": "6.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.1.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.1.8",
              "status": "affected",
              "version": "6.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.0.11",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.0.10",
              "status": "affected",
              "version": "6.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.9.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.9.11",
              "status": "affected",
              "version": "5.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.8.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.8.11",
              "status": "affected",
              "version": "5.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.7.14",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.7.13",
              "status": "affected",
              "version": "5.7",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.6.16",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.6.15",
              "status": "affected",
              "version": "5.6",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.5.17",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.5.16",
              "status": "affected",
              "version": "5.5",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.4.18",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.4.17",
              "status": "affected",
              "version": "5.4",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.3.20",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.3.19",
              "status": "affected",
              "version": "5.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.2.23",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.2.22",
              "status": "affected",
              "version": "5.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.1.21",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.1.20",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.0.24",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.0.23",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.9.28",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.9.27",
              "status": "affected",
              "version": "4.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.8.27",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.8.26",
              "status": "affected",
              "version": "4.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.7.31",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.7.30",
              "status": "affected",
              "version": "4.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "savphill (Patchstack Bug Bounty Program)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "John Blackbourn (WordPress core security team lead)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.\u003c/span\u003e\u003cp\u003eThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T08:35:39.048Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
            }
          ],
          "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress \u003c= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-58674",
    "datePublished": "2025-09-23T18:47:02.628Z",
    "dateReserved": "2025-09-03T09:03:46.831Z",
    "dateUpdated": "2025-10-01T08:35:39.048Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-58246 (GCVE-0-2025-58246)

Vulnerability from cvelistv5 – Published: 2025-09-23 17:17 – Updated: 2025-10-01 08:37
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges are required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. [Note: the record's version data marks 6.8.3 as unaffected, so a fixed release exists for the 6.8 branch despite the "working on a fix" wording.]
CWE
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
Impacted products
Vendor Product Version
WordPress WordPress Affected: 6.8 , ≤ 6.8.2 (custom)
Affected: 6.7 , ≤ 6.7.3 (custom)
Affected: 6.6 , ≤ 6.6.3 (custom)
Affected: 6.5 , ≤ 6.5.6 (custom)
Affected: 6.4 , ≤ 6.4.6 (custom)
Affected: 6.3 , ≤ 6.3.6 (custom)
Affected: 6.2 , ≤ 6.2.7 (custom)
Affected: 6.1 , ≤ 6.1.8 (custom)
Affected: 6.0 , ≤ 6.0.10 (custom)
Affected: 5.9 , ≤ 5.9.11 (custom)
Affected: 5.8 , ≤ 5.8.11 (custom)
Affected: 5.7 , ≤ 5.7.13 (custom)
Affected: 5.6 , ≤ 5.6.15 (custom)
Affected: 5.5 , ≤ 5.5.16 (custom)
Affected: 5.4 , ≤ 5.4.17 (custom)
Affected: 5.3 , ≤ 5.3.19 (custom)
Affected: 5.2 , ≤ 5.2.22 (custom)
Affected: 5.1 , ≤ 5.1.20 (custom)
Affected: 5.0 , ≤ 5.0.23 (custom)
Affected: 4.9 , ≤ 4.9.27 (custom)
Affected: 4.8 , ≤ 4.8.26 (custom)
Affected: 4.7 , ≤ 4.7.30 (custom)
Credits
Abu Hurayra (Patchstack Bug Bounty Program) John Blackbourn (WordPress core security team lead) Timothy Jacobs Peter Wilson Mike Nelson

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58246",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-23T18:30:39.501670Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-23T18:37:38.153Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WordPress",
          "repo": "https://github.com/WordPress/WordPress",
          "vendor": "WordPress",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.8.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.8.2",
              "status": "affected",
              "version": "6.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.7.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.7.3",
              "status": "affected",
              "version": "6.7",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.6.4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.6.3",
              "status": "affected",
              "version": "6.6",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.5.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.5.6",
              "status": "affected",
              "version": "6.5",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.4.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.4.6",
              "status": "affected",
              "version": "6.4",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.3.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.3.6",
              "status": "affected",
              "version": "6.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.2.8",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.2.7",
              "status": "affected",
              "version": "6.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.1.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.1.8",
              "status": "affected",
              "version": "6.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "6.0.11",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "6.0.10",
              "status": "affected",
              "version": "6.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.9.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.9.11",
              "status": "affected",
              "version": "5.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.8.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.8.11",
              "status": "affected",
              "version": "5.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.7.14",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.7.13",
              "status": "affected",
              "version": "5.7",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.6.16",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.6.15",
              "status": "affected",
              "version": "5.6",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.5.17",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.5.16",
              "status": "affected",
              "version": "5.5",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.4.18",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.4.17",
              "status": "affected",
              "version": "5.4",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.3.20",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.3.19",
              "status": "affected",
              "version": "5.3",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.2.23",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.2.22",
              "status": "affected",
              "version": "5.2",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.1.21",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.1.20",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.0.24",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "5.0.23",
              "status": "affected",
              "version": "5.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.9.28",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.9.27",
              "status": "affected",
              "version": "4.9",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.8.27",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.8.26",
              "status": "affected",
              "version": "4.8",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "4.7.31",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.7.30",
              "status": "affected",
              "version": "4.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Abu Hurayra (Patchstack Bug Bounty Program)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "John Blackbourn (WordPress core security team lead)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Timothy Jacobs"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Peter Wilson"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Mike Nelson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInsertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.\u003c/p\u003e"
            }
          ],
          "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it.\nThis issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-01T08:37:01.207Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability?_s_id=cve"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
            }
          ],
          "value": "Update WordPress to one of the following patched or higher versions: 6.8.3, 6.7.4, 6.6.4, 6.5.7, 6.4.7, 6.3.7, 6.2.8, 6.1.9, 6.0.11, 5.9.12, 5.8.12, 5.7.14, 5.6.16, 5.5.17, 5.4.18, 5.3.20, 5.2.23, 5.1.21, 5.0.24, 4.9.28, 4.8.27, or 4.7.31."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress \u003c= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-58246",
    "datePublished": "2025-09-23T17:17:12.399Z",
    "dateReserved": "2025-08-27T16:19:44.959Z",
    "dateUpdated": "2025-10-01T08:37:01.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-57924 (GCVE-0-2025-57924)

Vulnerability from cvelistv5 – Published: 2025-09-22 18:25 – Updated: 2025-09-24 13:08
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Automattic Developer allows Cross Site Request Forgery. This issue affects Developer: from n/a through 1.2.6.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
Automattic Developer Affected: n/a , ≤ 1.2.6 (custom)
Credits
Nabil Irawan (Patchstack Alliance)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-57924",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-24T13:08:05.749878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-24T13:08:14.957Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "developer",
          "product": "Developer",
          "vendor": "Automattic",
          "versions": [
            {
              "lessThanOrEqual": "1.2.6",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Nabil Irawan (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCross-Site Request Forgery (CSRF) vulnerability in Automattic Developer allows Cross Site Request Forgery.\u003c/p\u003e\u003cp\u003eThis issue affects Developer: from n/a through 1.2.6.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in Automattic Developer allows Cross Site Request Forgery. This issue affects Developer: from n/a through 1.2.6."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-22T18:25:10.085Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/developer/vulnerability/wordpress-developer-plugin-1-2-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Developer Plugin \u003c= 1.2.6 - Cross Site Request Forgery (CSRF) Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-57924",
    "datePublished": "2025-09-22T18:25:10.085Z",
    "dateReserved": "2025-08-22T11:36:24.369Z",
    "dateUpdated": "2025-09-24T13:08:14.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49325 (GCVE-0-2025-49325)

Vulnerability from cvelistv5 – Published: 2025-06-06 12:53 – Updated: 2025-06-06 19:22
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Automattic Newspack Newsletters allows Phishing. This issue affects Newspack Newsletters: from n/a through 3.13.0.
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
Impacted products
Vendor Product Version
Automattic Newspack Newsletters Affected: n/a , ≤ 3.13.0 (custom)
Credits
Hiro (Code016Hiro) (Patchstack Alliance)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49325",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-06T18:58:44.624168Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-06T19:22:20.518Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "newspack-newsletters",
          "product": "Newspack Newsletters",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.14.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.13.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Hiro (Code016Hiro) (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eURL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Automattic Newspack Newsletters allows Phishing.\u003c/p\u003e\u003cp\u003eThis issue affects Newspack Newsletters: from n/a through 3.13.0.\u003c/p\u003e"
            }
          ],
          "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Automattic Newspack Newsletters allows Phishing. This issue affects Newspack Newsletters: from n/a through 3.13.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-98",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-98 Phishing"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-06T12:53:55.675Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/newspack-newsletters/vulnerability/wordpress-newspack-newsletters-3-13-0-open-redirection-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Newspack Newsletters plugin to the latest available version (at least 3.14.0)."
            }
          ],
          "value": "Update the WordPress Newspack Newsletters plugin to the latest available version (at least 3.14.0)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Newspack Newsletters \u003c= 3.13.0 - Open Redirection Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-49325",
    "datePublished": "2025-06-06T12:53:55.675Z",
    "dateReserved": "2025-06-04T09:42:17.746Z",
    "dateUpdated": "2025-06-06T19:22:20.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5062 (GCVE-0-2025-5062)

Vulnerability from cvelistv5 – Published: 2025-05-22 03:42 – Updated: 2025-05-22 13:31
Summary
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The record's references include the release announcement for WooCommerce 9.4.3 and 9.3.4.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
automattic WooCommerce Affected: * , ≤ 9.3.2 (semver)
Affected: 9.4 , ≤ 9.4.2 (semver)
Credits
Antonio Rocco Spataro

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5062",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-22T13:31:32.634850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-22T13:31:43.045Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WooCommerce",
          "vendor": "automattic",
          "versions": [
            {
              "lessThanOrEqual": "9.3.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.4.2",
              "status": "affected",
              "version": "9.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Antonio Rocco Spataro"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the \u0027customize-store\u0027 page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T03:42:08.044Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc2ee5bb-eeb8-4134-8f3f-b411e56457f0?source=cve"
        },
        {
          "url": "https://github.com/woocommerce/woocommerce/blob/08dbc3b7dea140dd5dc19ee9c9ecd47dac0605b6/plugins/woocommerce/client/admin/client/customize-store/utils.js#L39C1-L56C2"
        },
        {
          "url": "https://developer.woocommerce.com/2024/12/03/woocommerce-9-4-3-and-woocommerce-9-3-4-available-now/"
        },
        {
          "url": "https://github.com/woocommerce/woocommerce/pull/53405/files"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-21T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "WooCommerce \u003c= 9.4.2 - PostMessage-Based Cross-Site Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-5062",
    "datePublished": "2025-05-22T03:42:08.044Z",
    "dateReserved": "2025-05-21T15:37:31.623Z",
    "dateUpdated": "2025-05-22T13:31:43.045Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-8009 (GCVE-0-2024-8009)

Vulnerability from cvelistv5 – Published: 2025-05-15 20:09 – Updated: 2025-11-13 20:58
Summary
The Sensei LMS WordPress plugin before 4.20.0 discloses all users of the blog, including their email addresses, to teachers on the students page.
Assigner
References
https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/ (exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Sensei LMS Affected: 0 , < 4.20.0 (semver)
Credits
Li Xuhang WPScan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-8009",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-16T15:16:44.567248Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-13T20:58:53.467Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sensei LMS",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.20.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Li Xuhang"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Sensei LMS  WordPress plugin before 4.20.0 disclose all users of the blog including their email address to teachers on the students page"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T20:09:47.142Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Sensei LMS \u003c 4.20.0 - Teacher+ Users Email Address Disclosure",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-8009",
    "datePublished": "2025-05-15T20:09:47.142Z",
    "dateReserved": "2024-08-20T12:29:53.471Z",
    "dateUpdated": "2025-11-13T20:58:53.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-6584 (GCVE-0-2024-6584)

Vulnerability from cvelistv5 – Published: 2025-05-15 20:07 – Updated: 2025-05-17 03:44
Summary
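The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs. Note for triage: the CNA title in the record below classes this as "Admin+ SSRF", whereas the CISA-ADP CVSS vector (9.1, Critical) is scored with PR:N, i.e. no privileges required. The two disagree on the privilege needed, so confirm it against the advisory before prioritising on the score alone.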
Assigner
References
https://wpscan.com/vulnerability/eaa57c8c-1cac-4903-9763-79f7f84469fa/ (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Jetpack Boost Affected: 0 , < 3.4.7 (semver)
Credits
Miguel Xavier Penha Neto (finder), WPScan (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-6584",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-17T03:44:25.083808Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-17T03:44:48.193Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack Boost",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.4.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Miguel Xavier Penha Neto"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The \u0027wp_ajax_boost_proxy_ig\u0027 action allows administrators to make GET requests to arbitrary URLs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T20:07:07.826Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/eaa57c8c-1cac-4903-9763-79f7f84469fa/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Jetpack Boost \u003c 3.4.7 - Admin+ SSRF",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-6584",
    "datePublished": "2025-05-15T20:07:07.826Z",
    "dateReserved": "2024-07-08T21:14:53.732Z",
    "dateUpdated": "2025-05-17T03:44:48.193Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-12743 (GCVE-0-2024-12743)

Vulnerability from cvelistv5 – Published: 2025-05-15 20:06 – Updated: 2025-05-20 19:30
Summary
The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Assigner
References
https://wpscan.com/vulnerability/7945f52d-364d-438c-84f2-cf19b4250056/ (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown MailPoet Affected: 0 , < 5.5.2 (semver)
Credits
Dmitrii Ingatyev (finder), WPScan (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.8,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-12743",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-20T18:52:33.758361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-20T19:30:43.953Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://wpscan.com/vulnerability/7945f52d-364d-438c-84f2-cf19b4250056/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MailPoet",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.5.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ingatyev"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MailPoet  WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T20:06:55.990Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/7945f52d-364d-438c-84f2-cf19b4250056/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "MailPoet \u003c 5.5.2 - Admin+ Stored XSS",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-12743",
    "datePublished": "2025-05-15T20:06:55.990Z",
    "dateReserved": "2024-12-17T21:04:13.572Z",
    "dateUpdated": "2025-05-20T19:30:43.953Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-10076 (GCVE-0-2024-10076)

Vulnerability from cvelistv5 – Published: 2025-05-15 20:06 – Updated: 2025-05-20 16:03
Summary
The Jetpack WordPress plugin before 13.8 and the Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterparts. Some of these regexes may match patterns they shouldn’t, ultimately making it possible for users with the contributor role and above to perform Stored XSS attacks.
Assigner
References
https://wpscan.com/vulnerability/15f278f6-0418-4c83-b925-b1a2d8c53e2f/ (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Jetpack Affected: 0 , < 13.8 (semver)
Unknown Jetpack Boost Affected: 0 , < 3.4.8 (semver)
Credits
Marc Montpas (finder), WPScan (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.9,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-10076",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-20T15:47:11.845919Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-20T16:03:22.267Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://wpscan.com/vulnerability/15f278f6-0418-4c83-b925-b1a2d8c53e2f/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack Boost",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.4.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marc Montpas"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Jetpack  WordPress plugin before 13.8, Jetpack Boost  WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns it shouldn\u2019t, ultimately making it possible for contributor and above users to perform Stored XSS attacks"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T20:06:40.424Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/15f278f6-0418-4c83-b925-b1a2d8c53e2f/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Jetpack \u003c 13.8, Boost \u003c 3.4.8 - Contributor+ Stored XSS",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-10076",
    "datePublished": "2025-05-15T20:06:40.424Z",
    "dateReserved": "2024-10-17T09:02:05.021Z",
    "dateUpdated": "2025-05-20T16:03:22.267Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-10075 (GCVE-0-2024-10075)

Vulnerability from cvelistv5 – Published: 2025-05-15 20:06 – Updated: 2025-05-20 16:10
Summary
The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and blocks.
Assigner
References
https://wpscan.com/vulnerability/a984976c-291a-4f68-90d4-e452605ea7d1/ (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Jetpack Affected: 0 , < 13.8 (semver)
Credits
Marc Montpas (finder), WPScan (coordinator)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.6,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-10075",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-20T16:08:22.976995Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-20T16:10:57.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://wpscan.com/vulnerability/a984976c-291a-4f68-90d4-e452605ea7d1/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marc Montpas"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Jetpack  WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and block."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T20:06:40.225Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/a984976c-291a-4f68-90d4-e452605ea7d1/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Jetpack \u003c 13.8 - Unauthenticated Arbitrary Block \u0026 Shortcode Execution",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-10075",
    "datePublished": "2025-05-15T20:06:40.225Z",
    "dateReserved": "2024-10-17T08:50:53.381Z",
    "dateUpdated": "2025-05-20T16:10:57.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-51666 (GCVE-0-2024-51666)

Vulnerability from cvelistv5 – Published: 2025-05-15 18:27 – Updated: 2025-05-15 19:02
Summary
Missing Authorization vulnerability in Automattic Tours. This issue affects Tours: from n/a through 1.0.0. The record below marks 1.0.1 as unaffected and advises updating to at least that version.
CWE
Assigner
Impacted products
Vendor Product Version
Automattic Tours Affected: n/a , ≤ 1.0.0 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51666",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-15T19:02:02.225961Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-15T19:02:09.720Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Tours",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.0.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.0.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Automattic Tours.\u003cp\u003eThis issue affects Tours: from n/a through 1.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Automattic Tours.This issue affects Tours: from n/a through 1.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T18:27:23.440Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/tours/vulnerability/wordpress-tours-plugin-1-0-0-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Tours plugin to the latest available version (at least 1.0.1)."
            }
          ],
          "value": "Update the WordPress Tours plugin to the latest available version (at least 1.0.1)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress Tours plugin \u003c= 1.0.0 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-51666",
    "datePublished": "2025-05-15T18:27:23.440Z",
    "dateReserved": "2024-10-30T15:05:26.590Z",
    "dateUpdated": "2025-05-15T19:02:09.720Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56006 (GCVE-0-2024-56006)

Vulnerability from cvelistv5 – Published: 2025-05-15 18:24 – Updated: 2025-05-15 19:04
Summary
Missing Authorization vulnerability in Automattic Jetpack Debug Tools. This issue affects Jetpack Debug Tools: from n/a before 2.0.1. The record below marks 2.0.1 as unaffected and advises updating to at least that version.
CWE
Assigner
Impacted products
Vendor Product Version
Automattic Jetpack Debug Tools Affected: n/a , < 2.0.1 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56006",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-15T19:04:28.528111Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-15T19:04:34.964Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack Debug Tools",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.0.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.0.1",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Automattic Jetpack Debug Tools.\u003cp\u003eThis issue affects Jetpack Debug Tools: from n/a before 2.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Automattic Jetpack Debug Tools.This issue affects Jetpack Debug Tools: from n/a before 2.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T18:24:37.638Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/jetpack-debug-helper/vulnerability/wordpress-jetpack-debug-tools-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Jetpack Debug Tools plugin to the latest available version (at least 2.0.1)."
            }
          ],
          "value": "Update the WordPress Jetpack Debug Tools plugin to the latest available version (at least 2.0.1)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress Jetpack Debug Tools plugin \u003c 2.0.1 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-56006",
    "datePublished": "2025-05-15T18:24:37.638Z",
    "dateReserved": "2024-12-14T19:42:27.168Z",
    "dateUpdated": "2025-05-15T19:04:34.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22740 (GCVE-0-2025-22740)

Vulnerability from cvelistv5 – Published: 2025-03-27 21:20 – Updated: 2025-03-28 16:11
Summary
Missing Authorization vulnerability in Automattic Sensei LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sensei LMS: from n/a through 4.24.4. The record below marks 4.24.5 as unaffected.
CWE
Assigner
Impacted products
Vendor Product Version
Automattic Sensei LMS Affected: n/a , ≤ 4.24.4 (custom)
Credits
David Ojeda Guijarro (Patchstack Alliance)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-22740",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T15:59:34.989702Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T16:11:37.274Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "sensei-lms",
          "product": "Sensei LMS",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "4.24.5",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.24.4",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "David Ojeda Guijarro (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Automattic Sensei LMS allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Sensei LMS: from n/a through 4.24.4.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Automattic Sensei LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sensei LMS: from n/a through 4.24.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-27T21:20:58.897Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/sensei-lms/vulnerability/wordpress-sensei-lms-plugin-4-24-4-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Sensei LMS plugin to the latest available version (at least 4.24.5)."
            }
          ],
          "value": "Update the WordPress Sensei LMS plugin to the latest available version (at least 4.24.5)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress Sensei LMS plugin \u003c= 4.24.4 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-22740",
    "datePublished": "2025-03-27T21:20:58.897Z",
    "dateReserved": "2025-01-07T21:04:23.273Z",
    "dateUpdated": "2025-03-28T16:11:37.274Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-26762 (GCVE-0-2025-26762)

Vulnerability from cvelistv5 – Published: 2025-03-27 15:52 – Updated: 2025-03-27 16:17
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 9.7.0.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Automattic WooCommerce Affected: n/a , ≤ 9.7.0 (custom)
Credits
Savphill (Patchstack Alliance)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-26762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T16:16:44.444642Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T16:17:11.478Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "woocommerce",
          "product": "WooCommerce",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "9.7.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "9.7.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Savphill (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce allows Stored XSS.\u003cp\u003eThis issue affects WooCommerce: from n/a through 9.7.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce allows Stored XSS.This issue affects WooCommerce: from n/a through 9.7.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-27T15:52:22.683Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/woocommerce/vulnerability/wordpress-woocommerce-plugin-9-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress WooCommerce plugin to the latest available version (at least 9.7.1)."
            }
          ],
          "value": "Update the WordPress WooCommerce plugin to the latest available version (at least 9.7.1)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress WooCommerce plugin \u003c= 9.7.0 - Cross Site Scripting (XSS) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-26762",
    "datePublished": "2025-03-27T15:52:22.683Z",
    "dateReserved": "2025-02-14T06:53:32.111Z",
    "dateUpdated": "2025-03-27T16:17:11.478Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0466 (GCVE-0-2025-0466)

Vulnerability from cvelistv5 – Published: 2025-02-04 06:00 – Updated: 2025-08-27 12:00
Summary
The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message information.
Assigner
References
https://wpscan.com/vulnerability/53ab86dc-1195-4ba0-8eda-6a0d7b45c45f/ (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Sensei LMS Affected: 0 , < 4.24.4 (semver)
Credits
Li Xuhang WPScan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-0466",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T18:18:36.946930Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T18:20:35.288Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sensei LMS",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.24.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Li Xuhang"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-27T12:00:27.039Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/53ab86dc-1195-4ba0-8eda-6a0d7b45c45f/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Sensei LMS \u003c 4.24.4 - Unauthenticated sensei_email/sensei_message Disclosure",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2025-0466",
    "datePublished": "2025-02-04T06:00:11.861Z",
    "dateReserved": "2025-01-14T08:58:47.855Z",
    "dateUpdated": "2025-08-27T12:00:27.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37241 (GCVE-0-2024-37241)

Vulnerability from cvelistv5 – Published: 2025-01-02 13:33 – Updated: 2025-01-02 14:18
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager - Resume Manager allows Cross Site Request Forgery. This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
Automattic WP Job Manager - Resume Manager Affected: n/a , ≤ 2.1.0 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37241",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-02T14:18:34.829782Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-02T14:18:46.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Job Manager - Resume Manager",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.2.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.1.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager - Resume Manager allows Cross Site Request Forgery.\u003cp\u003eThis issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager - Resume Manager allows Cross Site Request Forgery.This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-02T13:33:46.801Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/wp-job-manager-resumes/vulnerability/wordpress-wp-job-manager-resume-manager-plugin-2-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress WP Job Manager - Resume Manager plugin to the latest available version (at least 2.2.0)."
            }
          ],
          "value": "Update the WordPress WP Job Manager - Resume Manager plugin to the latest available version (at least 2.2.0)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress WP Job Manager Resume Manager plugin \u003c= 2.1.0 - Cross Site Request Forgery (CSRF) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37241",
    "datePublished": "2025-01-02T13:33:46.801Z",
    "dateReserved": "2024-06-04T16:46:33.482Z",
    "dateUpdated": "2025-01-02T14:18:46.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37242 (GCVE-0-2024-37242)

Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2025-01-02 14:52
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Automattic Newspack Newsletters allows Cross Site Request Forgery. This issue affects Newspack Newsletters: from n/a through 2.13.2.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
Automattic Newspack Newsletters Affected: n/a , ≤ 2.13.2 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37242",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-02T14:46:29.304085Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-02T14:52:06.895Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "newspack-newsletters",
          "product": "Newspack Newsletters",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.13.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.13.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCross-Site Request Forgery (CSRF) vulnerability in Automattic Newspack Newsletters allows Cross Site Request Forgery.\u003c/p\u003e\u003cp\u003eThis issue affects Newspack Newsletters: from n/a through 2.13.2.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in Automattic Newspack Newsletters allows Cross Site Request Forgery.This issue affects Newspack Newsletters: from n/a through 2.13.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-02T12:00:44.450Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/newspack-newsletters/vulnerability/wordpress-newspack-newsletters-plugin-2-13-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Newspack Newsletters plugin to the latest available version (at least 2.13.3)."
            }
          ],
          "value": "Update the WordPress Newspack Newsletters plugin to the latest available version (at least 2.13.3)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Newspack Newsletters plugin \u003c= 2.13.2 - Cross Site Request Forgery (CSRF) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37242",
    "datePublished": "2025-01-02T12:00:44.450Z",
    "dateReserved": "2024-06-04T16:46:33.482Z",
    "dateUpdated": "2025-01-02T14:52:06.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-10858 (GCVE-0-2024-10858)

Vulnerability from cvelistv5 – Published: 2024-12-25 06:00 – Updated: 2024-12-26 19:53
Summary
The Jetpack WordPress plugin before 14.1 does not properly check the postMessage origin in its 13.x versions, allowing the check to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com.
Assigner
References
https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-285fb36a4165/ (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Jetpack Affected: 13.0 , < 14.1 (semver)
Credits
Eldar (hakupiku) WPScan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-10858",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-26T19:52:57.866186Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-26T19:53:41.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-285fb36a4165/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "14.1",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Eldar (hakupiku)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Jetpack  WordPress plugin before 14.1 does not properly checks the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-25T06:00:02.663Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/7fecba37-d718-4dd4-89f3-285fb36a4165/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Jetpack 13.0-14.0 - Unauthenticated DOM-XSS",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-10858",
    "datePublished": "2024-12-25T06:00:02.663Z",
    "dateReserved": "2024-11-05T13:26:58.545Z",
    "dateUpdated": "2024-12-26T19:53:41.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-10103 (GCVE-0-2024-10103)

Vulnerability from cvelistv5 – Published: 2024-11-19 06:00 – Updated: 2024-11-19 14:19
Summary
During testing of the MailPoet WordPress plugin before 5.3.2, a vulnerability was found that allows Stored XSS on behalf of the editor by embedding a malicious script, which entails an account-takeover backdoor.
Assigner
References
https://wpscan.com/vulnerability/89660883-5f34-42… (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown MailPoet Affected: 0 , < 5.3.2 (semver)
Credits
Dmitrii Ignatyev WPScan

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mailpoet:mailpoet:*:*:*:*:*:wordpress:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mailpoet",
            "vendor": "mailpoet",
            "versions": [
              {
                "lessThan": "5.3.2",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-10103",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-19T14:16:35.078556Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-19T14:19:15.314Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MailPoet",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.3.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ignatyev"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the process of testing the MailPoet  WordPress plugin before 5.3.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-19T06:00:02.348Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/89660883-5f34-426a-ad06-741c0c213ecc/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "MailPoet \u003c 5.3.2 - Admin+ Stored XSS",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-10103",
    "datePublished": "2024-11-19T06:00:02.348Z",
    "dateReserved": "2024-10-17T18:11:32.210Z",
    "dateUpdated": "2024-11-19T14:19:15.314Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-10486 (GCVE-0-2024-10486)

Vulnerability from cvelistv5 – Published: 2024-11-18 21:31 – Updated: 2024-11-19 15:22
Summary
The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to a publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about the web server and PHP configuration, which can be used to aid other attacks.
CWE
Assigner
Impacted products
Vendor Product Version
automattic Google for WooCommerce Affected: * , ≤ 2.8.6 (semver)
Credits
Francesco Carlucci

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:automattic:woocommerce:*:*:*:*:*:wordpress:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "woocommerce",
            "vendor": "automattic",
            "versions": [
              {
                "lessThanOrEqual": "2.8.6",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10486",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-19T15:21:10.404350Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-19T15:22:14.000Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Google for WooCommerce",
          "vendor": "automattic",
          "versions": [
            {
              "lessThanOrEqual": "2.8.6",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Francesco Carlucci"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PHP configuration, which can be used to aid other attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-18T21:31:09.032Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/64bc7d47-6b63-4fd9-85d4-82126f86308a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-listings-and-ads/tags/2.8.6/vendor/googleads/google-ads-php/scripts/print_php_information.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-11T00:00:00.000+00:00",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2024-11-18T09:24:48.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Google for WooCommerce \u003c= 2.8.6 - Information Disclosure via Publicly Accessible PHP Info File"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-10486",
    "datePublished": "2024-11-18T21:31:09.032Z",
    "dateReserved": "2024-10-28T22:56:03.530Z",
    "dateUpdated": "2024-11-19T15:22:14.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-9926 (GCVE-0-2024-9926)

Vulnerability from cvelistv5 – Published: 2024-11-07 15:02 – Updated: 2024-11-07 19:53
Summary
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoints, allowing any authenticated user, such as a subscriber, to read arbitrary feedback data sent via the Jetpack Contact Form.
Assigner
References
https://wpscan.com/vulnerability/669382af-f836-48… (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Jetpack Affected: 13.9 , < 13.9.1 (semver)
    Unknown Jetpack Affected: 13.8 , < 13.8.2 (semver)
    Unknown Jetpack Affected: 13.7 , < 13.7.1 (semver)
    Unknown Jetpack Affected: 13.6 , < 13.6.1 (semver)
    Unknown Jetpack Affected: 13.5 , < 13.5.1 (semver)
    Unknown Jetpack Affected: 13.4 , < 13.4.4 (semver)
    Unknown Jetpack Affected: 13.3 , < 13.3.2 (semver)
    Unknown Jetpack Affected: 13.2 , < 13.2.3 (semver)
    Unknown Jetpack Affected: 13.1 , < 13.1.4 (semver)
    Unknown Jetpack Affected: 13.0 , < 13.0.1 (semver)
    Unknown Jetpack Affected: 12.9 , < 12.9.4 (semver)
    Unknown Jetpack Affected: 12.8 , < 12.8.2 (semver)
    Unknown Jetpack Affected: 12.7 , < 12.7.2 (semver)
    Unknown Jetpack Affected: 12.6 , < 12.6.3 (semver)
    Unknown Jetpack Affected: 12.5 , < 12.5.1 (semver)
    Unknown Jetpack Affected: 12.4 , < 12.4.1 (semver)
    Unknown Jetpack Affected: 12.3 , < 12.3.1 (semver)
    Unknown Jetpack Affected: 12.2 , < 12.2.2 (semver)
    Unknown Jetpack Affected: 12.1 , < 12.1.2 (semver)
    Unknown Jetpack Affected: 12.0 , < 12.0.2 (semver)
    Unknown Jetpack Affected: 11.9 , < 11.9.3 (semver)
    Unknown Jetpack Affected: 11.8 , < 11.8.6 (semver)
    Unknown Jetpack Affected: 11.7 , < 11.7.3 (semver)
    Unknown Jetpack Affected: 11.6 , < 11.6.2 (semver)
    Unknown Jetpack Affected: 11.5 , < 11.5.3 (semver)
    Unknown Jetpack Affected: 11.4 , < 11.4.2 (semver)
    Unknown Jetpack Affected: 11.3 , < 11.3.4 (semver)
    Unknown Jetpack Affected: 11.2 , < 11.2.2 (semver)
    Unknown Jetpack Affected: 11.1 , < 11.1.4 (semver)
    Unknown Jetpack Affected: 11.0 , < 11.0.2 (semver)
    Unknown Jetpack Affected: 10.9 , < 10.9.3 (semver)
    Unknown Jetpack Affected: 10.8 , < 10.8.2 (semver)
    Unknown Jetpack Affected: 10.7 , < 10.7.2 (semver)
    Unknown Jetpack Affected: 10.6 , < 10.6.2 (semver)
    Unknown Jetpack Affected: 10.5 , < 10.5.3 (semver)
    Unknown Jetpack Affected: 10.4 , < 10.4.2 (semver)
    Unknown Jetpack Affected: 10.3 , < 10.3.2 (semver)
    Unknown Jetpack Affected: 10.2 , < 10.2.3 (semver)
    Unknown Jetpack Affected: 10.1 , < 10.1.2 (semver)
    Unknown Jetpack Affected: 10.0 , < 10.0.2 (semver)
    Unknown Jetpack Affected: 9.9 , < 9.9.3 (semver)
    Unknown Jetpack Affected: 9.8 , < 9.8.3 (semver)
    Unknown Jetpack Affected: 9.7 , < 9.7.3 (semver)
    Unknown Jetpack Affected: 9.6 , < 9.6.4 (semver)
    Unknown Jetpack Affected: 9.5 , < 9.5.5 (semver)
    Unknown Jetpack Affected: 9.4 , < 9.4.4 (semver)
    Unknown Jetpack Affected: 9.3 , < 9.3.5 (semver)
    Unknown Jetpack Affected: 9.2 , < 9.2.4 (semver)
    Unknown Jetpack Affected: 9.1 , < 9.1.3 (semver)
    Unknown Jetpack Affected: 9.0 , < 9.0.5 (semver)
    Unknown Jetpack Affected: 8.9 , < 8.9.4 (semver)
    Unknown Jetpack Affected: 8.8 , < 8.8.5 (semver)
    Unknown Jetpack Affected: 8.7 , < 8.7.4 (semver)
    Unknown Jetpack Affected: 8.6 , < 8.6.4 (semver)
    Unknown Jetpack Affected: 8.5 , < 8.5.3 (semver)
    Unknown Jetpack Affected: 8.4 , < 8.4.5 (semver)
    Unknown Jetpack Affected: 8.3 , < 8.3.3 (semver)
    Unknown Jetpack Affected: 8.2 , < 8.2.6 (semver)
    Unknown Jetpack Affected: 8.1 , < 8.1.4 (semver)
    Unknown Jetpack Affected: 8.0 , < 8.0.3 (semver)
    Unknown Jetpack Affected: 7.9 , < 7.9.4 (semver)
    Unknown Jetpack Affected: 7.8 , < 7.8.4 (semver)
    Unknown Jetpack Affected: 7.7 , < 7.7.6 (semver)
    Unknown Jetpack Affected: 7.6 , < 7.6.4 (semver)
    Unknown Jetpack Affected: 7.5 , < 7.5.7 (semver)
    Unknown Jetpack Affected: 7.4 , < 7.4.5 (semver)
    Unknown Jetpack Affected: 7.3 , < 7.3.5 (semver)
    Unknown Jetpack Affected: 7.2 , < 7.2.5 (semver)
    Unknown Jetpack Affected: 7.1 , < 7.1.5 (semver)
    Unknown Jetpack Affected: 7.0 , < 7.0.5 (semver)
    Unknown Jetpack Affected: 6.9 , < 6.9.4 (semver)
    Unknown Jetpack Affected: 6.8 , < 6.8.5 (semver)
    Unknown Jetpack Affected: 6.7 , < 6.7.4 (semver)
    Unknown Jetpack Affected: 6.6 , < 6.6.5 (semver)
    Unknown Jetpack Affected: 6.5 , < 6.5.4 (semver)
    Unknown Jetpack Affected: 6.4 , < 6.4.6 (semver)
    Unknown Jetpack Affected: 6.3 , < 6.3.7 (semver)
    Unknown Jetpack Affected: 6.2 , < 6.2.5 (semver)
    Unknown Jetpack Affected: 6.1 , < 6.1.5 (semver)
    Unknown Jetpack Affected: 6.0 , < 6.0.4 (semver)
    Unknown Jetpack Affected: 5.9 , < 5.9.4 (semver)
    Unknown Jetpack Affected: 5.8 , < 5.8.4 (semver)
    Unknown Jetpack Affected: 5.7 , < 5.7.5 (semver)
    Unknown Jetpack Affected: 5.6 , < 5.6.5 (semver)
    Unknown Jetpack Affected: 5.5 , < 5.5.5 (semver)
    Unknown Jetpack Affected: 5.4 , < 5.4.4 (semver)
    Unknown Jetpack Affected: 5.3 , < 5.3.4 (semver)
    Unknown Jetpack Affected: 5.2 , < 5.2.5 (semver)
    Unknown Jetpack Affected: 5.1 , < 5.1.4 (semver)
    Unknown Jetpack Affected: 5.0 , < 5.0.3 (semver)
    Unknown Jetpack Affected: 4.9 , < 4.9.3 (semver)
    Unknown Jetpack Affected: 4.8 , < 4.8.5 (semver)
    Unknown Jetpack Affected: 4.7 , < 4.7.4 (semver)
    Unknown Jetpack Affected: 4.6 , < 4.6.3 (semver)
    Unknown Jetpack Affected: 4.5 , < 4.5.3 (semver)
    Unknown Jetpack Affected: 4.4 , < 4.4.5 (semver)
    Unknown Jetpack Affected: 4.3 , < 4.3.5 (semver)
    Unknown Jetpack Affected: 4.2 , < 4.2.5 (semver)
    Unknown Jetpack Affected: 4.1.0 , < 4.1.4 (semver)
    Unknown Jetpack Affected: 4.0.0 , < 4.0.7 (semver)
    Unknown Jetpack Affected: 3.9.2 , < 3.9.10 (semver)
Credits
Marc Montpas, WPScan

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:automattic:jetpack:*:*:*:*:*:wordpress:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "jetpack",
            "vendor": "automattic",
            "versions": [
              {
                "lessThan": "13.9.1",
                "status": "affected",
                "version": "13.9",
                "versionType": "semver"
              },
              {
                "lessThan": "13.8.2",
                "status": "affected",
                "version": "13.8",
                "versionType": "semver"
              },
              {
                "lessThan": "13.7.1",
                "status": "affected",
                "version": "13.7",
                "versionType": "semver"
              },
              {
                "lessThan": "13.6.1",
                "status": "affected",
                "version": "13.6",
                "versionType": "semver"
              },
              {
                "lessThan": "13.5.1",
                "status": "affected",
                "version": "13.5",
                "versionType": "semver"
              },
              {
                "lessThan": "13.4.4",
                "status": "affected",
                "version": "13.4",
                "versionType": "semver"
              },
              {
                "lessThan": "13.3.2",
                "status": "affected",
                "version": "13.3",
                "versionType": "semver"
              },
              {
                "lessThan": "13.2.3",
                "status": "affected",
                "version": "13.2",
                "versionType": "semver"
              },
              {
                "lessThan": "13.1.4",
                "status": "affected",
                "version": "13.1",
                "versionType": "semver"
              },
              {
                "lessThan": "13.0.1",
                "status": "affected",
                "version": "13.0",
                "versionType": "semver"
              },
              {
                "lessThan": "12.9.4",
                "status": "affected",
                "version": "12.9",
                "versionType": "semver"
              },
              {
                "lessThan": "12.8.2",
                "status": "affected",
                "version": "12.8",
                "versionType": "semver"
              },
              {
                "lessThan": "12.7.2",
                "status": "affected",
                "version": "12.7",
                "versionType": "semver"
              },
              {
                "lessThan": "12.6.3",
                "status": "affected",
                "version": "12.6",
                "versionType": "semver"
              },
              {
                "lessThan": "12.5.1",
                "status": "affected",
                "version": "12.5",
                "versionType": "semver"
              },
              {
                "lessThan": "12.4.1",
                "status": "affected",
                "version": "12.4",
                "versionType": "semver"
              },
              {
                "lessThan": "12.3.1",
                "status": "affected",
                "version": "12.3",
                "versionType": "semver"
              },
              {
                "lessThan": "12.2.2",
                "status": "affected",
                "version": "12.2",
                "versionType": "semver"
              },
              {
                "lessThan": "12.1.2",
                "status": "affected",
                "version": "12.1",
                "versionType": "semver"
              },
              {
                "lessThan": "12.0.2",
                "status": "affected",
                "version": "12.0",
                "versionType": "semver"
              },
              {
                "lessThan": "11.9.3",
                "status": "affected",
                "version": "11.9",
                "versionType": "semver"
              },
              {
                "lessThan": "11.8.6",
                "status": "affected",
                "version": "11.8",
                "versionType": "semver"
              },
              {
                "lessThan": "11.7.3",
                "status": "affected",
                "version": "11.7",
                "versionType": "semver"
              },
              {
                "lessThan": "11.6.2",
                "status": "affected",
                "version": "11.6",
                "versionType": "semver"
              },
              {
                "lessThan": "11.5.3",
                "status": "affected",
                "version": "11.5",
                "versionType": "semver"
              },
              {
                "lessThan": "11.4.2",
                "status": "affected",
                "version": "11.4",
                "versionType": "semver"
              },
              {
                "lessThan": "11.3.4",
                "status": "affected",
                "version": "11.3",
                "versionType": "semver"
              },
              {
                "lessThan": "11.2.2",
                "status": "affected",
                "version": "11.2",
                "versionType": "semver"
              },
              {
                "lessThan": "11.1.4",
                "status": "affected",
                "version": "11.1",
                "versionType": "semver"
              },
              {
                "lessThan": "11.0.2",
                "status": "affected",
                "version": "11.0",
                "versionType": "semver"
              },
              {
                "lessThan": "10.9.3",
                "status": "affected",
                "version": "10.9",
                "versionType": "semver"
              },
              {
                "lessThan": "10.8.2",
                "status": "affected",
                "version": "10.8",
                "versionType": "semver"
              },
              {
                "lessThan": "10.7.2",
                "status": "affected",
                "version": "10.7",
                "versionType": "semver"
              },
              {
                "lessThan": "10.6.2",
                "status": "affected",
                "version": "10.6",
                "versionType": "semver"
              },
              {
                "lessThan": "10.5.3",
                "status": "affected",
                "version": "10.5",
                "versionType": "semver"
              },
              {
                "lessThan": "10.4.2",
                "status": "affected",
                "version": "10.4",
                "versionType": "semver"
              },
              {
                "lessThan": "10.3.2",
                "status": "affected",
                "version": "10.3",
                "versionType": "semver"
              },
              {
                "lessThan": "10.2.3",
                "status": "affected",
                "version": "10.2",
                "versionType": "semver"
              },
              {
                "lessThan": "10.1.2",
                "status": "affected",
                "version": "10.1",
                "versionType": "semver"
              },
              {
                "lessThan": "10.0.2",
                "status": "affected",
                "version": "10.0",
                "versionType": "semver"
              },
              {
                "lessThan": "9.9.3",
                "status": "affected",
                "version": "9.9",
                "versionType": "semver"
              },
              {
                "lessThan": "9.8.3",
                "status": "affected",
                "version": "9.8",
                "versionType": "semver"
              },
              {
                "lessThan": "9.7.3",
                "status": "affected",
                "version": "9.7",
                "versionType": "semver"
              },
              {
                "lessThan": "9.6.4",
                "status": "affected",
                "version": "9.6",
                "versionType": "semver"
              },
              {
                "lessThan": "9.5.5",
                "status": "affected",
                "version": "9.5",
                "versionType": "semver"
              },
              {
                "lessThanOrEqual": "9.4.4",
                "status": "affected",
                "version": "9.4",
                "versionType": "semver"
              },
              {
                "lessThan": "9.3.5",
                "status": "affected",
                "version": "9.3",
                "versionType": "semver"
              },
              {
                "lessThan": "9.2.4",
                "status": "affected",
                "version": "9.2",
                "versionType": "semver"
              },
              {
                "lessThan": "9.1.3",
                "status": "affected",
                "version": "9.1",
                "versionType": "semver"
              },
              {
                "lessThan": "9.0.5",
                "status": "affected",
                "version": "9.0",
                "versionType": "semver"
              },
              {
                "lessThan": "8.9.4",
                "status": "affected",
                "version": "8.9",
                "versionType": "semver"
              },
              {
                "lessThan": "8.8.5",
                "status": "affected",
                "version": "8.8",
                "versionType": "semver"
              },
              {
                "lessThan": "8.7.4",
                "status": "affected",
                "version": "8.7",
                "versionType": "semver"
              },
              {
                "lessThan": "8.6.4",
                "status": "affected",
                "version": "8.6",
                "versionType": "semver"
              },
              {
                "lessThan": "8.5.3",
                "status": "affected",
                "version": "8.5",
                "versionType": "semver"
              },
              {
                "lessThan": "8.4.5",
                "status": "affected",
                "version": "8.4",
                "versionType": "semver"
              },
              {
                "lessThan": "8.3.3",
                "status": "affected",
                "version": "8.3",
                "versionType": "semver"
              },
              {
                "lessThan": "8.2.6",
                "status": "affected",
                "version": "8.2",
                "versionType": "semver"
              },
              {
                "lessThan": "8.1.4",
                "status": "affected",
                "version": "8.1",
                "versionType": "semver"
              },
              {
                "lessThan": "8.0.3",
                "status": "affected",
                "version": "8.0",
                "versionType": "semver"
              },
              {
                "lessThan": "7.9.4",
                "status": "affected",
                "version": "7.9",
                "versionType": "semver"
              },
              {
                "lessThan": "7.8.4",
                "status": "affected",
                "version": "7.8",
                "versionType": "semver"
              },
              {
                "lessThan": "7.7.6",
                "status": "affected",
                "version": "7.7",
                "versionType": "semver"
              },
              {
                "lessThan": "7.6.4",
                "status": "affected",
                "version": "7.6",
                "versionType": "semver"
              },
              {
                "lessThan": "7.5.7",
                "status": "affected",
                "version": "7.5",
                "versionType": "semver"
              },
              {
                "lessThan": "7.4.5",
                "status": "affected",
                "version": "7.4",
                "versionType": "semver"
              },
              {
                "lessThan": "7.3.5",
                "status": "affected",
                "version": "7.3",
                "versionType": "semver"
              },
              {
                "lessThan": "7.2.5",
                "status": "affected",
                "version": "7.2",
                "versionType": "semver"
              },
              {
                "lessThan": "7.1.5",
                "status": "affected",
                "version": "7.1",
                "versionType": "semver"
              },
              {
                "lessThan": "7.0.5",
                "status": "affected",
                "version": "7.0",
                "versionType": "semver"
              },
              {
                "lessThan": "6.9.4",
                "status": "affected",
                "version": "6.9",
                "versionType": "semver"
              },
              {
                "lessThan": "6.8.5",
                "status": "affected",
                "version": "6.8",
                "versionType": "semver"
              },
              {
                "lessThan": "6.7.4",
                "status": "affected",
                "version": "6.7",
                "versionType": "semver"
              },
              {
                "lessThan": "6.6.5",
                "status": "affected",
                "version": "6.6",
                "versionType": "semver"
              },
              {
                "lessThan": "6.5.4",
                "status": "affected",
                "version": "6.5",
                "versionType": "semver"
              },
              {
                "lessThan": "6.4.6",
                "status": "affected",
                "version": "6.4",
                "versionType": "semver"
              },
              {
                "lessThan": "6.3.7",
                "status": "affected",
                "version": "6.3",
                "versionType": "semver"
              },
              {
                "lessThan": "6.2.5",
                "status": "affected",
                "version": "6.2",
                "versionType": "semver"
              },
              {
                "lessThan": "6.1.5",
                "status": "affected",
                "version": "6.1",
                "versionType": "semver"
              },
              {
                "lessThan": "6.0.4",
                "status": "affected",
                "version": "6.0",
                "versionType": "semver"
              },
              {
                "lessThan": "5.9.4",
                "status": "affected",
                "version": "5.9",
                "versionType": "semver"
              },
              {
                "lessThan": "5.8.4",
                "status": "affected",
                "version": "5.8",
                "versionType": "semver"
              },
              {
                "lessThan": "5.7.5",
                "status": "affected",
                "version": "5.7",
                "versionType": "semver"
              },
              {
                "lessThan": "5.6.5",
                "status": "affected",
                "version": "5.6",
                "versionType": "semver"
              },
              {
                "lessThan": "5.5.5",
                "status": "affected",
                "version": "5.5",
                "versionType": "semver"
              },
              {
                "lessThan": "5.4.4",
                "status": "affected",
                "version": "5.4",
                "versionType": "semver"
              },
              {
                "lessThan": "5.3.4",
                "status": "affected",
                "version": "5.3",
                "versionType": "semver"
              },
              {
                "lessThan": "5.2.5",
                "status": "affected",
                "version": "5.2",
                "versionType": "semver"
              },
              {
                "lessThan": "5.1.4",
                "status": "affected",
                "version": "5.1",
                "versionType": "semver"
              },
              {
                "lessThan": "5.0.3",
                "status": "affected",
                "version": "5.0",
                "versionType": "semver"
              },
              {
                "lessThan": "4.9.3",
                "status": "affected",
                "version": "4.9",
                "versionType": "semver"
              },
              {
                "lessThan": "4.8.5",
                "status": "affected",
                "version": "4.8",
                "versionType": "semver"
              },
              {
                "lessThan": "4.7.4",
                "status": "affected",
                "version": "4.7",
                "versionType": "semver"
              },
              {
                "lessThan": "4.6.3",
                "status": "affected",
                "version": "4.6",
                "versionType": "semver"
              },
              {
                "lessThan": "4.5.3",
                "status": "affected",
                "version": "4.5",
                "versionType": "semver"
              },
              {
                "lessThan": "4.4.5",
                "status": "affected",
                "version": "4.4",
                "versionType": "semver"
              },
              {
                "lessThan": "4.3.5",
                "status": "affected",
                "version": "4.3",
                "versionType": "semver"
              },
              {
                "lessThan": "4.2.5",
                "status": "affected",
                "version": "4.2",
                "versionType": "semver"
              },
              {
                "lessThan": "4.1.4",
                "status": "affected",
                "version": "4.1.0",
                "versionType": "semver"
              },
              {
                "lessThan": "4.0.7",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "semver"
              },
              {
                "lessThan": "3.9.10",
                "status": "affected",
                "version": "3.9.2",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-9926",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-07T18:35:48.550122Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-07T19:53:07.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.9.1",
              "status": "affected",
              "version": "13.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.8.2",
              "status": "affected",
              "version": "13.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.7.1",
              "status": "affected",
              "version": "13.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.6.1",
              "status": "affected",
              "version": "13.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.5.1",
              "status": "affected",
              "version": "13.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.4.4",
              "status": "affected",
              "version": "13.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.3.2",
              "status": "affected",
              "version": "13.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.2.3",
              "status": "affected",
              "version": "13.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.1.4",
              "status": "affected",
              "version": "13.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "13.0.1",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.9.4",
              "status": "affected",
              "version": "12.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.8.2",
              "status": "affected",
              "version": "12.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.7.2",
              "status": "affected",
              "version": "12.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.6.3",
              "status": "affected",
              "version": "12.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.5.1",
              "status": "affected",
              "version": "12.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.4.1",
              "status": "affected",
              "version": "12.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.3.1",
              "status": "affected",
              "version": "12.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.2.2",
              "status": "affected",
              "version": "12.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.1.2",
              "status": "affected",
              "version": "12.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "12.0.2",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.9.3",
              "status": "affected",
              "version": "11.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.8.6",
              "status": "affected",
              "version": "11.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.7.3",
              "status": "affected",
              "version": "11.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.6.2",
              "status": "affected",
              "version": "11.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.5.3",
              "status": "affected",
              "version": "11.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.4.2",
              "status": "affected",
              "version": "11.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.3.4",
              "status": "affected",
              "version": "11.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.2.2",
              "status": "affected",
              "version": "11.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.1.4",
              "status": "affected",
              "version": "11.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.0.2",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.9.3",
              "status": "affected",
              "version": "10.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.8.2",
              "status": "affected",
              "version": "10.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.7.2",
              "status": "affected",
              "version": "10.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.6.2",
              "status": "affected",
              "version": "10.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.5.3",
              "status": "affected",
              "version": "10.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.4.2",
              "status": "affected",
              "version": "10.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.3.2",
              "status": "affected",
              "version": "10.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.2.3",
              "status": "affected",
              "version": "10.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.1.2",
              "status": "affected",
              "version": "10.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "10.0.2",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.9.3",
              "status": "affected",
              "version": "9.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.8.3",
              "status": "affected",
              "version": "9.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.7.3",
              "status": "affected",
              "version": "9.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.6.4",
              "status": "affected",
              "version": "9.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.5.5",
              "status": "affected",
              "version": "9.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.4.4",
              "status": "affected",
              "version": "9.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.3.5",
              "status": "affected",
              "version": "9.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.2.4",
              "status": "affected",
              "version": "9.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.1.3",
              "status": "affected",
              "version": "9.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.0.5",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.9.4",
              "status": "affected",
              "version": "8.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.8.5",
              "status": "affected",
              "version": "8.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.7.4",
              "status": "affected",
              "version": "8.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.6.4",
              "status": "affected",
              "version": "8.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.5.3",
              "status": "affected",
              "version": "8.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.4.5",
              "status": "affected",
              "version": "8.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.3.3",
              "status": "affected",
              "version": "8.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.2.6",
              "status": "affected",
              "version": "8.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.1.4",
              "status": "affected",
              "version": "8.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "8.0.3",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.9.4",
              "status": "affected",
              "version": "7.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.8.4",
              "status": "affected",
              "version": "7.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.7.6",
              "status": "affected",
              "version": "7.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.6.4",
              "status": "affected",
              "version": "7.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.5.7",
              "status": "affected",
              "version": "7.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.4.5",
              "status": "affected",
              "version": "7.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.3.5",
              "status": "affected",
              "version": "7.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.2.5",
              "status": "affected",
              "version": "7.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.1.5",
              "status": "affected",
              "version": "7.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "7.0.5",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.9.4",
              "status": "affected",
              "version": "6.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.8.5",
              "status": "affected",
              "version": "6.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.7.4",
              "status": "affected",
              "version": "6.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.6.5",
              "status": "affected",
              "version": "6.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.5.4",
              "status": "affected",
              "version": "6.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.4.6",
              "status": "affected",
              "version": "6.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.3.7",
              "status": "affected",
              "version": "6.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.2.5",
              "status": "affected",
              "version": "6.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.1.5",
              "status": "affected",
              "version": "6.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "6.0.4",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.9.4",
              "status": "affected",
              "version": "5.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.8.4",
              "status": "affected",
              "version": "5.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.7.5",
              "status": "affected",
              "version": "5.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.6.5",
              "status": "affected",
              "version": "5.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.5.5",
              "status": "affected",
              "version": "5.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.4.4",
              "status": "affected",
              "version": "5.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.3.4",
              "status": "affected",
              "version": "5.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.2.5",
              "status": "affected",
              "version": "5.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.1.4",
              "status": "affected",
              "version": "5.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "5.0.3",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.9.3",
              "status": "affected",
              "version": "4.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.8.5",
              "status": "affected",
              "version": "4.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.7.4",
              "status": "affected",
              "version": "4.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.6.3",
              "status": "affected",
              "version": "4.6",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.5.3",
              "status": "affected",
              "version": "4.5",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.4.5",
              "status": "affected",
              "version": "4.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.3.5",
              "status": "affected",
              "version": "4.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.2.5",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.1.4",
              "status": "affected",
              "version": "4.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.0.7",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Jetpack",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "3.9.10",
              "status": "affected",
              "version": "3.9.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marc Montpas"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-07T15:02:38.050Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/669382af-f836-4896-bdcb-5c6a57c99bd9/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Jetpack \u003c 13.9.1 - Subscriber+ Arbitrary Feedback Access",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-9926",
    "datePublished": "2024-11-07T15:02:38.050Z",
    "dateReserved": "2024-10-14T09:27:37.145Z",
    "dateUpdated": "2024-11-07T19:53:07.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37425 (GCVE-0-2024-37425)

Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2024-11-01 17:45
Summary
Missing Authorization vulnerability in Automattic Newspack Blocks newspack-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newspack Blocks: from n/a through 3.0.8.
CWE
Assigner
Impacted products
Vendor Product Version
Automattic Newspack Blocks Affected: n/a , ≤ 3.0.8 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37425",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-01T17:44:50.882869Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T17:45:01.095Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "newspack-blocks",
          "product": "Newspack Blocks",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.0.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.0.8",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Automattic Newspack Blocks newspack-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Newspack Blocks: from n/a through 3.0.8.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Automattic Newspack Blocks newspack-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newspack Blocks: from n/a through 3.0.8."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-01T14:18:24.252Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/newspack-blocks/wordpress-newspack-blocks-plugin-3-0-8-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 3.0.9 or a higher version."
            }
          ],
          "value": "Update to 3.0.9 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Newspack Blocks plugin \u003c= 3.0.8 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37425",
    "datePublished": "2024-11-01T14:18:24.252Z",
    "dateReserved": "2024-06-09T08:51:33.590Z",
    "dateUpdated": "2024-11-01T17:45:01.095Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37423 (GCVE-0-2024-37423)

Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2024-11-01 17:09
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic Newspack Blocks allows Path Traversal. This issue affects Newspack Blocks: from n/a through 3.0.8.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor Product Version
Automattic Newspack Blocks Affected: n/a , ≤ 3.0.8 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37423",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-01T17:09:02.638962Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T17:09:22.990Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "newspack-blocks",
          "product": "Newspack Blocks",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.0.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.0.8",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Automattic Newspack Blocks allows Path Traversal.\u003cp\u003eThis issue affects Newspack Blocks: from n/a through 3.0.8.\u003c/p\u003e"
            }
          ],
          "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in Automattic Newspack Blocks allows Path Traversal.This issue affects Newspack Blocks: from n/a through 3.0.8."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-01T14:18:24.871Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/newspack-blocks/wordpress-newspack-blocks-plugin-3-0-8-contributor-arbitrary-directory-deletion-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 3.0.9 or a higher version."
            }
          ],
          "value": "Update to 3.0.9 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Newspack Blocks plugin \u003c= 3.0.8 - Contributor+ Arbitrary Directory Deletion vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37423",
    "datePublished": "2024-11-01T14:18:24.871Z",
    "dateReserved": "2024-06-09T08:51:33.590Z",
    "dateUpdated": "2024-11-01T17:09:22.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37443 (GCVE-0-2024-37443)

Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2024-11-01 17:38
Summary
Missing Authorization vulnerability in Automattic WP Job Manager - Resume Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0.
CWE
Assigner
Impacted products
Vendor Product Version
Automattic WP Job Manager - Resume Manager Affected: n/a , ≤ 2.1.0 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37443",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-01T17:38:06.985909Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T17:38:13.260Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "wp-job-manager-resumes",
          "product": "WP Job Manager - Resume Manager",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.2.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.1.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Automattic WP Job Manager - Resume Manager allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Automattic WP Job Manager - Resume Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager - Resume Manager: from n/a through 2.1.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-01T14:18:21.771Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/wp-job-manager-resumes/wordpress-wp-job-manager-resume-manager-plugin-2-1-0-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 2.2.0 or a higher version."
            }
          ],
          "value": "Update to 2.2.0 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress WP Job Manager plugin \u003c= 2.1.0 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37443",
    "datePublished": "2024-11-01T14:18:21.771Z",
    "dateReserved": "2024-06-09T08:52:00.673Z",
    "dateUpdated": "2024-11-01T17:38:13.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37475 (GCVE-0-2024-37475)

Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2024-11-01 18:05
Summary
Missing Authorization vulnerability in Automattic Newspack Newsletters allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Newspack Newsletters: from n/a through 2.13.2.
CWE
Assigner
Impacted products
Vendor Product Version
Automattic Newspack Newsletters Affected: n/a , ≤ 2.13.2 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:automattic:newspack_newsletters:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "newspack_newsletters",
            "vendor": "automattic",
            "versions": [
              {
                "lessThanOrEqual": "2.13.2",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-01T18:04:58.291407Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T18:05:03.250Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "newspack-newsletters",
          "product": "Newspack Newsletters",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.13.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.13.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Automattic Newspack Newsletters allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Newspack Newsletters: from n/a through 2.13.2.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Automattic Newspack Newsletters allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Newspack Newsletters: from n/a through 2.13.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-01T14:18:17.439Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/newspack-newsletters/wordpress-newspack-newsletters-plugin-2-13-2-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 2.13.3 or a higher version."
            }
          ],
          "value": "Update to 2.13.3 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Newspack Newsletters plugin \u003c= 2.13.2 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37475",
    "datePublished": "2024-11-01T14:18:17.439Z",
    "dateReserved": "2024-06-09T11:43:13.095Z",
    "dateUpdated": "2024-11-01T18:05:03.250Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-37477 (GCVE-0-2024-37477)

Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2024-11-01 17:21
Summary
Missing Authorization vulnerability in Automattic Newspack Content Converter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newspack Content Converter: from n/a through 0.1.5.
CWE
Assigner
Impacted products
Vendor Product Version
Automattic Newspack Content Converter Affected: n/a , ≤ 0.1.5 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37477",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-01T17:21:00.595371Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T17:21:12.185Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "newspack-content-converter",
          "product": "Newspack Content Converter",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.0.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "0.1.5",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Automattic Newspack Content Converter allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Newspack Content Converter: from n/a through 0.1.5.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Automattic Newspack Content Converter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newspack Content Converter: from n/a through 0.1.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-01T14:18:16.833Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/newspack-content-converter/wordpress-newspack-content-converter-plugin-0-1-5-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 1.0.0 or a higher version."
            }
          ],
          "value": "Update to 1.0.0 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Newspack Content Converter plugin \u003c= 0.1.5 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37477",
    "datePublished": "2024-11-01T14:18:16.833Z",
    "dateReserved": "2024-06-09T11:43:13.096Z",
    "dateUpdated": "2024-11-01T17:21:12.185Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43968 (GCVE-0-2024-43968)

Vulnerability from cvelistv5 – Published: 2024-11-01 14:17 – Updated: 2024-11-01 17:52
Summary
Broken Access Control vulnerability in Automattic Newspack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newspack: from n/a through 3.8.6.
CWE
Assigner
Impacted products
Vendor Product Version
Automattic Newspack Affected: n/a , ≤ 3.8.6 (custom)
Credits
Rafie Muhammad (Patchstack)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43968",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-01T17:51:50.550728Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T17:52:10.834Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "newspack-plugin",
          "product": "Newspack",
          "vendor": "Automattic",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.8.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.8.6",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafie Muhammad (Patchstack)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Broken Access Control vulnerability in Automattic Newspack allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Newspack: from n/a through 3.8.6.\u003c/p\u003e"
            }
          ],
          "value": "Broken Access Control vulnerability in Automattic Newspack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newspack: from n/a through 3.8.6."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-01T14:17:15.589Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/newspack-plugin/wordpress-newspack-plugin-3-8-7-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 3.8.7 or a higher version."
            }
          ],
          "value": "Update to 3.8.7 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Newspack plugin \u003c 3.8.7 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-43968",
    "datePublished": "2024-11-01T14:17:15.589Z",
    "dateReserved": "2024-08-18T21:57:00.730Z",
    "dateUpdated": "2024-11-01T17:52:10.834Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7786 (GCVE-0-2024-7786)

Vulnerability from cvelistv5 – Published: 2024-09-04 06:00 – Updated: 2025-08-27 12:00
Summary
The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak email templates.
Assigner
References
https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/ (tags: exploit, vdb-entry, technical-description)
Impacted products
Vendor Product Version
Unknown Sensei LMS Affected: 0 , < 4.24.2 (semver)
Credits
Sushmita Poudel WPScan

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:automattic:sensei_lms:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "sensei_lms",
            "vendor": "automattic",
            "versions": [
              {
                "lessThan": "4.24.2",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-7786",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-04T14:16:06.300640Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-04T14:17:10.670Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sensei LMS",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "4.24.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sushmita Poudel"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Sensei LMS  WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-27T12:00:45.823Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Sensei LMS \u003c 4.24.2 - Unauthenticated Email Template Leak",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2024-7786",
    "datePublished": "2024-09-04T06:00:04.429Z",
    "dateReserved": "2024-08-14T08:29:31.987Z",
    "dateUpdated": "2025-08-27T12:00:45.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}