Updates for 2024-12-23
Signed-off-by: Josh Bressers <[email protected]>
joshbressers committed Dec 23, 2024
1 parent cd3ee13 commit b2bf061
Showing 33 changed files with 1,465 additions and 0 deletions.
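--- a/data/anchore/2024/CVE-2024-10453.json
+++ b/data/anchore/2024/CVE-2024-10453.json
@@ -0,0 +1,46 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-10453",
+"description": "The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typography Settings in all versions up to, and including, 3.25.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/browser/elementor/tags/3.25.9/assets/js/editor.js",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/f23604b7-5a7f-4be7-bc73-cb4facdd1e73?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-21T09:23:56.216Z",
+"dateReserved": "2024-10-28T10:34:23.548Z",
+"dateUpdated": "2024-12-21T09:23:56.216Z",
+"digest": "fbf3cc022cc8e0782c5f89fafb98c9e92152b9e6237ed02587fd9f7a51b4ebf5"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:elementor:elementor_page_builder:*:*:*:*:*:wordpress:*:*",
+"cpe:2.3:a:elementor:elementor_page_builder:*:*:*:*:pro:wordpress:*:*",
+"cpe:2.3:a:elementor:page_builder:*:*:*:*:*:wordpress:*:*",
+"cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "elementor",
+"product": "Elementor Website Builder – More Than Just a Page Builder",
+"vendor": "elemntor",
+"versions": [
+{
+"lessThanOrEqual": "3.25.10",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}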
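Review bot: The affected range in `versions` ends at `"lessThanOrEqual": "3.25.10"`, while the upstream text copied into `additionalMetadata.description` says the issue affects all versions up to and including 3.25.9, and the first reference points at the 3.25.9 tag. If the wider bound is deliberate (for example because the fix shipped later than the CNA text states), the `reason` field should record that, since it currently only says that CPE configurations were added. Otherwise the bound should read `"lessThanOrEqual": "3.25.9"`, so that a release the CNA does not list is not reported as vulnerable and the record can be audited against its upstream entry.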
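--- a/data/anchore/2024/CVE-2024-10555.json
+++ b/data/anchore/2024/CVE-2024-10555.json
@@ -0,0 +1,41 @@
+{
+"additionalMetadata": {
+"cna": "wpscan",
+"cveId": "CVE-2024-10555",
+"description": "The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://wpscan.com/vulnerability/fcc97635-e939-4cb4-9851-6f6ac4f6ad47/"
+],
+"upstream": {
+"datePublished": "2024-12-20T06:00:02.298Z",
+"dateReserved": "2024-10-30T19:24:51.511Z",
+"dateUpdated": "2024-12-20T16:18:14.404Z",
+"digest": "b6b1616ceb145c19179dbdfeeddcb08075334a35e7c2d3b93a2682957e32e163"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:maxfoundry:maxbuttons:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "maxbuttons",
+"product": "WordPress Button Plugin MaxButtons",
+"versions": [
+{
+"lessThan": "9.8.1",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}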
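--- a/data/anchore/2024/CVE-2024-10706.json
+++ b/data/anchore/2024/CVE-2024-10706.json
@@ -0,0 +1,42 @@
+{
+"additionalMetadata": {
+"cna": "wpscan",
+"cveId": "CVE-2024-10706",
+"description": "The Download Manager WordPress plugin before 3.3.03 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://wpscan.com/vulnerability/01193420-9a4c-4961-93b6-aa2e37e36be1/"
+],
+"upstream": {
+"datePublished": "2024-12-20T06:00:03.975Z",
+"dateReserved": "2024-11-01T18:06:01.715Z",
+"dateUpdated": "2024-12-20T16:13:51.124Z",
+"digest": "83e6634fc4f124ccfbae940d84ad21e579006f6bc7b69d7978dfe2c8b04a01e6"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:wpdownloadmanager:download_manager:*:*:*:*:*:wordpress:*:*",
+"cpe:2.3:a:wpdownloadmanager:wordpress_download_manager:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "download-manager",
+"product": "Download Manager",
+"versions": [
+{
+"lessThan": "3.3.03",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}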
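Review bot: The bound `"lessThan": "3.3.03"` is declared with `"versionType": "semver"`, but a numeric identifier with a leading zero is not valid semantic versioning, so a strict semver comparator may reject the bound or order it differently from the plugin's own numbering. The same applies to `"lessThanOrEqual": "5.8001"` in data/anchore/2024/CVE-2024-11287.json, which has only two components. If the consuming matcher is strict, `"versionType": "custom"` would describe these bounds more accurately. Whether downstream tooling normalises such versions is not visible from this commit, so it is worth confirming that both records still match the intended range.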
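--- a/data/anchore/2024/CVE-2024-11108.json
+++ b/data/anchore/2024/CVE-2024-11108.json
@@ -0,0 +1,41 @@
+{
+"additionalMetadata": {
+"cna": "wpscan",
+"cveId": "CVE-2024-11108",
+"description": "The Serious Slider WordPress plugin before 1.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://wpscan.com/vulnerability/7790af9d-621b-474c-b28c-c774e2a292bb/"
+],
+"upstream": {
+"datePublished": "2024-12-20T06:00:04.403Z",
+"dateReserved": "2024-11-11T21:55:01.923Z",
+"dateUpdated": "2024-12-20T16:11:45.944Z",
+"digest": "c43535e60ea4760163ea0699bb06e111bea972a2e7c23b3ad57357d2093de112"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:cryoutcreations:serious_slider:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "cryout-serious-slider",
+"product": "Serious Slider",
+"versions": [
+{
+"lessThan": "1.2.7",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}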
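--- a/data/anchore/2024/CVE-2024-11196.json
+++ b/data/anchore/2024/CVE-2024-11196.json
@@ -0,0 +1,46 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-11196",
+"description": "The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mctagmap shortcode in all versions up to, and including, 17.0.33 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.33/mctagmap_functions.php#L1176",
+"https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.33/mctagmap_functions.php#L1179",
+"https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.33/mctagmap_functions.php#L135",
+"https://wordpress.org/plugins/multi-column-tag-map/#developers",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/bb41862a-0cde-46f0-bd86-5a04e76f7345?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-21T07:03:02.065Z",
+"dateReserved": "2024-11-13T20:26:57.801Z",
+"dateUpdated": "2024-12-21T07:03:02.065Z",
+"digest": "340256d29854785ad52e8415101d103777f4a05e3a6e29ea64a9c48280a07f98"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:multi-column_tag_map_project:multi-column_tag_map:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "multi-column-tag-map",
+"product": "Multi-column Tag Map",
+"vendor": "tugbucket",
+"versions": [
+{
+"lessThanOrEqual": "17.0.33",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}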
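--- a/data/anchore/2024/CVE-2024-11287.json
+++ b/data/anchore/2024/CVE-2024-11287.json
@@ -0,0 +1,43 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-11287",
+"description": "The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8001. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/browser/ebook-store/trunk/functions.php#L827",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/001289a3-a1a9-441f-b399-e9b699094e1a?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-21T07:02:58.343Z",
+"dateReserved": "2024-11-15T20:21:08.450Z",
+"dateUpdated": "2024-12-21T07:02:58.343Z",
+"digest": "a18f3545e03420657df8599be365d91c5dcf8102caae465c016eb2d7093d743f"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:shopfiles:ebook_store:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "ebook-store",
+"product": "Ebook Store",
+"vendor": "motovnet",
+"versions": [
+{
+"lessThanOrEqual": "5.8001",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}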
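--- a/data/anchore/2024/CVE-2024-11297.json
+++ b/data/anchore/2024/CVE-2024-11297.json
@@ -0,0 +1,43 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-11297",
+"description": "The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://wordpress.org/plugins/page-and-post-restriction/",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/6d12ab8c-d5d0-4e02-986e-e894fae073e5?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-20T06:59:07.444Z",
+"dateReserved": "2024-11-16T00:54:57.625Z",
+"dateUpdated": "2024-12-20T15:57:37.358Z",
+"digest": "8f2404fcbcf7d2e0380e931a4876244081ba62f1fdbf930b499c9d41e8046c99"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:miniorange:page_restriction:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "page-and-post-restriction",
+"product": "Page Restriction WordPress (WP) – Protect WP Pages/Post",
+"vendor": "cyberlord92",
+"versions": [
+{
+"lessThanOrEqual": "1.3.6",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}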
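--- a/data/anchore/2024/CVE-2024-11688.json
+++ b/data/anchore/2024/CVE-2024-11688.json
@@ -0,0 +1,43 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-11688",
+"description": "The LaTeX2HTML plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ver' or 'date' parameter in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/browser/latex2html/trunk/inc/html/manual.php",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/b3d9af8b-1168-462d-a767-d16ee660f646?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-21T09:23:55.806Z",
+"dateReserved": "2024-11-25T16:19:08.508Z",
+"dateUpdated": "2024-12-21T09:23:55.806Z",
+"digest": "46fa9889fd134c3ec136e1955e60f5afa31337a38a8fa89a03dccad379dc8f61"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:latex2html:latex2html:*:*:*:*:*:*:*:*"
+],
+"packageName": "latex2html",
+"product": "LaTeX2HTML",
+"vendor": "van-abel",
+"versions": [
+{
+"lessThanOrEqual": "2.5.5",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}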
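Review bot: The CPE `cpe:2.3:a:latex2html:latex2html:*:*:*:*:*:*:*:*` leaves the target_sw field as a wildcard, whereas every other record shown in this commit pins it to `wordpress`. A CPE-based matcher could therefore attribute this WordPress-plugin XSS to any other software inventoried under the same vendor and product name, such as a standalone LaTeX-to-HTML converter, and raise false positives against it. Scoping the entry the way the sibling records do, `"cpe:2.3:a:latex2html:latex2html:*:*:*:*:*:wordpress:*:*"`, keeps the match tied to the plugin named by `collectionURL` and `packageName`.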