marzo 2025 - Página 185 de 185

1 Mar 2025

CVE-2024-13568

Título es
CVE-2024-13568

Sáb, 01/03/2025 – 05:15

Tipo
CWE-200

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-13568

Descripción en
The Fluent Support – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the 'fluent-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/fluent-support directory which can contain file attachments included in support tickets.

01/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
7.50

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias

https://plugins.trac.wordpress.org/browser/fluent-support/trunk/app/Services/Includes/FileSystem.php

https://www.wordfence.com/threat-intel/vulnerabilities/id/17f40832-8ae5-443a-aa98-f0e61d1152cc?source=cve

Enviar en el boletín
Off

1 Mar 2025

CVE-2024-13559

Título es
CVE-2024-13559

Sáb, 01/03/2025 – 05:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-13559

Descripción en
The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tx_woo_wishlist_table' shortcode in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

01/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://plugins.trac.wordpress.org/browser/templatesnext-toolkit/trunk/inc/woo-compare-wishlist/includes/wishlist/shortcode.php#L13

https://www.wordfence.com/threat-intel/vulnerabilities/id/775b6034-617a-4d84-a8fe-773ffbd9742a?source=cve

Enviar en el boletín
Off

1 Mar 2025

CVE-2025-0820

Título es
CVE-2025-0820

Sáb, 01/03/2025 – 05:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-0820

Descripción en
The Clicface Trombi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nom’ parameter in all versions up to, and including, 2.08 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

01/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://plugins.trac.wordpress.org/browser/clicface-trombi/trunk/clicface-trombi.php#L80

https://wordpress.org/plugins/clicface-trombi/#developers

https://www.wordfence.com/threat-intel/vulnerabilities/id/1d9ff834-8a11-4ec7-9371-15d56bc84106?source=cve

Enviar en el boletín
Off

1 Mar 2025

CVE-2024-9217

Título es
CVE-2024-9217

Sáb, 01/03/2025 – 05:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-9217

Descripción en
The Currency Switcher for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.16.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

01/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://plugins.trac.wordpress.org/browser/currency-switcher-woocommerce/trunk/includes/functions/alg-switcher-selector-functions.php#L139

https://www.wordfence.com/threat-intel/vulnerabilities/id/3357892e-c047-406b-8914-018ea966e799?source=cve

Enviar en el boletín
Off

1 Mar 2025

CVE-2024-9212

Título es
CVE-2024-9212

Sáb, 01/03/2025 – 05:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-9212

Descripción en
The SKU Generator for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

01/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://plugins.trac.wordpress.org/browser/sku-for-woocommerce/tags/1.6.2/includes/settings/class-wc-sku-tools-regenerator.php#L43

https://www.wordfence.com/threat-intel/vulnerabilities/id/f59ccb78-722b-490b-874e-7026afc3511b?source=cve

Enviar en el boletín
Off

1 Mar 2025

CVE-2024-13750

Título es
CVE-2024-13750

Sáb, 01/03/2025 – 05:15

Tipo
CWE-89

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-13750

Descripción en
The Multilevel Referral Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.27 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

01/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.50

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://plugins.trac.wordpress.org/browser/multilevel-referral-plugin-for-woocommerce/tags/2.27/classes/referral-program.php#L310

https://www.wordfence.com/threat-intel/vulnerabilities/id/4389ddc9-de69-4316-9bfa-ff3bd3346c69?source=cve

Enviar en el boletín
Off

1 Mar 2025

CVE-2024-13746

Título es
CVE-2024-13746

Sáb, 01/03/2025 – 05:15

Tipo
CWE-862

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-13746

Descripción en
The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(), wpcb_update_booking_post(), and wpcb_delete_posts() functions in all versions up to, and including, 4.0.3. This makes it possible for unauthenticated attackers to extract data, create or update bookings, or delete arbitrary posts.

01/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.50

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/tags/4.0.3/lib/includes/function.php

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L134

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L188

https://plugins.trac.wordpress.org/browser/booking-calendar-and-notification/trunk/lib/classes/api.php#L270

https://www.wordfence.com/threat-intel/vulnerabilities/id/422bb9a5-c848-4492-add7-bc65b1111565?source=cve

Enviar en el boletín
Off

1 Mar 2025

CVE-2025-27416

Título es
CVE-2025-27416

Sáb, 01/03/2025 – 01:15

Tipo
CWE-287

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-27416

Descripción en
Scratch-Coding-Hut.github.io is the website for Coding Hut. The website as of 28 February 2025 contained a sign in with scratch username and password form. Any user who used the sign in page would be susceptible to any other user signing into their account. As of time of publication, a fix is not available but work on a fix is underway. As a workaround, users should avoid signing in.

01/03/2025

Vector CVSS:4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Gravedad 4.0
5.90

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/issues/3

https://github.com/Scratch-Coding-Hut/Scratch-Coding-Hut.github.io/security/advisories/GHSA-xx32-r9wr-whff

Enviar en el boletín
Off

1 Mar 2025

CVE-2025-1803

Título es
CVE-2025-1803

Sáb, 01/03/2025 – 01:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-1803

Descripción en
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

01/03/2025

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Enviar en el boletín
Off

Archivos mensuales: marzo 2025