updates 2024-12-19
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel committed Dec 19, 2024
1 parent 9d32bcb commit c8af256
Showing 48 changed files with 1,921 additions and 15 deletions.
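--- a/data/anchore/2024/CVE-2024-10892.json
+++ b/data/anchore/2024/CVE-2024-10892.json
@@ -0,0 +1,44 @@
+{
+"additionalMetadata": {
+"cna": "wpscan",
+"cveId": "CVE-2024-10892",
+"description": "The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://wpscan.com/vulnerability/ff1f5b84-a8cf-4574-a713-53d35739c6cb/"
+],
+"upstream": {
+"datePublished": "2024-12-18T06:00:16.137Z",
+"dateReserved": "2024-11-05T18:26:45.843Z",
+"dateUpdated": "2024-12-18T15:10:31.241Z",
+"digest": "700fe76bcb6d55b03d99e6fc03f0917852942b346a69f9827a3c408f48140b48"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:stylemixthemes:cost_calculator_builder:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "cost-calculator-builder",
+"packageType": "wordpress-plugin",
+"product": "Cost Calculator Builder",
+"repo": "https://plugins.svn.wordpress.org/cost-calculator-builder",
+"vendor": "stylemixthemes",
+"versions": [
+{
+"lessThan": "3.2.43",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}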
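--- a/data/anchore/2024/CVE-2024-11254.json
+++ b/data/anchore/2024/CVE-2024-11254.json
@@ -0,0 +1,46 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-11254",
+"description": "The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the disqus_name parameter in all versions up to, and including, 1.1.1 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.0.93/includes/disqus.html?rev=3024147#L34",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/5da82149-c827-4574-8269-b2b798edca59?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-18T03:22:05.525Z",
+"dateReserved": "2024-11-15T10:03:40.779Z",
+"dateUpdated": "2024-12-18T16:35:04.395Z",
+"digest": "beb572e898580c52c899b149f913c269b1bf8fe885ee055e13688927b8136f56"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:ampforwp:accelerated_mobile_pages:*:*:*:*:*:wordpress:*:*",
+"cpe:2.3:a:magazine3:amp_for_wp:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "accelerated-mobile-pages",
+"packageType": "wordpress-plugin",
+"product": "AMP for WP – Accelerated Mobile Pages",
+"repo": "https://plugins.svn.wordpress.org/accelerated-mobile-pages",
+"vendor": "mohammed_kaludi",
+"versions": [
+{
+"lessThan": "1.1.2",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}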
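--- a/data/anchore/2024/CVE-2024-11291.json
+++ b/data/anchore/2024/CVE-2024-11291.json
@@ -0,0 +1,45 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-11291",
+"description": "The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/changeset/3206206/paid-member-subscriptions",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/e207f1a3-2ca5-46d1-91a9-89652451266c?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-18T11:09:31.646Z",
+"dateReserved": "2024-11-15T21:37:54.832Z",
+"dateUpdated": "2024-12-18T16:29:54.185Z",
+"digest": "80d42db5428bd90c7210fc77c735642e09f9101659e8566d2fb9bea37c6221b8"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:cozmoslabs:membership_\\&_content_restriction_-_paid_member_subscriptions:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "paid-member-subscriptions",
+"packageType": "wordpress-plugin",
+"product": "Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction",
+"repo": "https://plugins.svn.wordpress.org/paid-member-subscriptions",
+"vendor": "madalinungureanu",
+"versions": [
+{
+"lessThan": "2.13.5",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}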
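--- a/data/anchore/2024/CVE-2024-11295.json
+++ b/data/anchore/2024/CVE-2024-11295.json
@@ -0,0 +1,45 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-11295",
+"description": "The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.29 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/changeset/3205648/simple-page-access-restriction",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/ed92806e-5d75-4a23-a588-821e9ada1b32?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-18T07:02:46.168Z",
+"dateReserved": "2024-11-15T23:54:25.258Z",
+"dateUpdated": "2024-12-18T16:33:27.786Z",
+"digest": "b2dbbc3642edb147de02aa0790a9b92c951ed47a6f373f6c38e0827f333abe6c"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:pluginsandsnippets:simple_page_access_restriction:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "simple-page-access-restriction",
+"packageType": "wordpress-plugin",
+"product": "Simple Page Access Restriction",
+"repo": "https://plugins.svn.wordpress.org/simple-page-access-restriction",
+"vendor": "pluginsandsnippets",
+"versions": [
+{
+"lessThan": "1.0.30",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}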
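--- a/data/anchore/2024/CVE-2024-12061.json
+++ b/data/anchore/2024/CVE-2024-12061.json
@@ -0,0 +1,45 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-12061",
+"description": "The Events Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.3 via the naevents_elementor_template shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3208546%40events-addon-for-elementor&new=3208546%40events-addon-for-elementor&sfp_email=&sfph_mail=",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/f59d9d8a-467a-4920-963a-da45f1f4462f?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-18T03:22:07.346Z",
+"dateReserved": "2024-12-02T20:40:21.531Z",
+"dateUpdated": "2024-12-18T16:33:59.336Z",
+"digest": "d6d2201b0a475b98bec6bc22ce4766d82dea737618099ca04f29d44d654f62c6"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:nicheaddons:events_addon_for_elementor:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "events-addon-for-elementor",
+"packageType": "wordpress-plugin",
+"product": "Events Addon for Elementor",
+"repo": "https://plugins.svn.wordpress.org/events-addon-for-elementor",
+"vendor": "nicheaddons",
+"versions": [
+{
+"lessThan": "2.2.4",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}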
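--- a/data/anchore/2024/CVE-2024-12259.json
+++ b/data/anchore/2024/CVE-2024-12259.json
@@ -0,0 +1,47 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-12259",
+"description": "The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3204501%40computer-repair-shop&new=3204501%40computer-repair-shop&sfp_email=&sfph_mail=",
+"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3206568%40computer-repair-shop&new=3206568%40computer-repair-shop&sfp_email=&sfph_mail=#file548",
+"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3208270%40computer-repair-shop&new=3208270%40computer-repair-shop&sfp_email=&sfph_mail=",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/80997d2f-3e16-48f6-969b-58844cb83d53?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-18T03:22:05.906Z",
+"dateReserved": "2024-12-05T16:30:27.926Z",
+"dateUpdated": "2024-12-18T16:34:53.057Z",
+"digest": "f91e0fa51e7614fe2a4b1ea446545a2f0430fead300e1f15946bd867e0a86eff"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:webfulcreations:computer_repair_shop:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "computer-repair-shop",
+"packageType": "wordpress-plugin",
+"product": "CRM WordPress Plugin – RepairBuddy",
+"repo": "https://plugins.svn.wordpress.org/computer-repair-shop",
+"vendor": "sweetdaisy86",
+"versions": [
+{
+"lessThan": "3.8122",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}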
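Review bot: The `versions` bound in this record, `"lessThan": "3.8122"`, does not line up with the description, which puts the last affected release at 3.8120; the other records visible in this commit all use the release immediately after the last affected one, so here 3.8121 will also be reported as affected. That may be deliberate, since the references list three separate changesets, but nothing in the record says so. If 3.8121 is the first fixed release the bound should be `"lessThan": "3.8121"`; if the fix only completed in 3.8122, the `reason` string is the place to record that, because the file cannot carry a comment. Separately, `3.8120` is a two-part version under `"versionType": "semver"`, so it is worth confirming that the consumer's comparison orders it as intended.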
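--- a/data/anchore/2024/CVE-2024-12432.json
+++ b/data/anchore/2024/CVE-2024-12432.json
@@ -0,0 +1,45 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-12432",
+"description": "The WPC Shop as a Customer for WooCommerce plugin for WordPress is vulnerable to account takeover and privilege escalation in all versions up to, and including, 1.2.8. This is due to the 'generate_key' function not producing a sufficiently random value. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as site administrators, granted they have triggered the ajax_login() function which generates a unique key that can be used to log in.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3208130%40wpc-shop-as-customer&new=3208130%40wpc-shop-as-customer&sfp_email=&sfph_mail=",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/048625e8-10b7-418d-a13b-329f1d7e0171?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-18T03:22:00.850Z",
+"dateReserved": "2024-12-10T17:11:11.238Z",
+"dateUpdated": "2024-12-18T16:35:53.912Z",
+"digest": "b98d5c7bd9e5c0609f97ec1cfc0dbedd5de4308ea3403df8d7467987c04defd2"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:wpclever:wpc_shop_as_a_customer_for_woocommerce:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "wpc-shop-as-customer",
+"packageType": "wordpress-plugin",
+"product": "WPC Shop as a Customer for WooCommerce",
+"repo": "https://plugins.svn.wordpress.org/wpc-shop-as-customer",
+"vendor": "wpclever",
+"versions": [
+{
+"lessThan": "1.2.9",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}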
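--- a/data/anchore/2024/CVE-2024-12596.json
+++ b/data/anchore/2024/CVE-2024-12596.json
@@ -0,0 +1,46 @@
+{
+"additionalMetadata": {
+"cna": "wordfence",
+"cveId": "CVE-2024-12596",
+"description": "The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post deletion due to a missing capability check on the 'llms_delete_cert' action in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.",
+"reason": "Added CPE configurations because not yet analyzed by NVD.",
+"references": [
+"https://plugins.trac.wordpress.org/changeset/3208662/lifterlms/trunk/includes/abstracts/llms-abstract-controller-user-engagements.php",
+"https://plugins.trac.wordpress.org/changeset/3208662/lifterlms/trunk/includes/controllers/class.llms.controller.certificates.php",
+"https://www.wordfence.com/threat-intel/vulnerabilities/id/8e75a03b-7552-4228-a4d0-13c78d20f6d5?source=cve"
+],
+"upstream": {
+"datePublished": "2024-12-18T03:22:06.256Z",
+"dateReserved": "2024-12-12T22:14:08.110Z",
+"dateUpdated": "2024-12-18T16:34:43.867Z",
+"digest": "9cb9f3bc8b21efdda84c1a41d383e0125061f2051d407e49bf20c0c13499de24"
+}
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://wordpress.org/plugins",
+"cpes": [
+"cpe:2.3:a:lifterlms:lifterlms:*:*:*:*:*:wordpress:*:*"
+],
+"packageName": "lifterlms",
+"packageType": "wordpress-plugin",
+"product": "LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes",
+"repo": "https://plugins.svn.wordpress.org/lifterlms",
+"vendor": "chrisbadgett",
+"versions": [
+{
+"lessThan": "7.8.6",
+"status": "affected",
+"version": "0",
+"versionType": "semver"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}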