Security Vulnerabilities - CVEs Published In June 2024
An issue has been identified in both XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR which may allow a malicious administrator of a guest VM to cause the host to become slow and/or unresponsive.
CVSS Score: 6.0 | EPSS Score: 0.001 | Published: 2024-06-13
The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url attribute within the plugin's Site Title widget in all versions up to, and including, 1.6.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score: 6.4 | EPSS Score: 0.004 | Published: 2024-06-13
The FooGallery WordPress plugin before 2.4.15 and the foogallery-premium WordPress plugin before 2.4.15 do not validate and escape some of their Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks that could be used against high-privilege users such as admins.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2024-06-13
The Themify Builder WordPress plugin before 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.
CVSS Score: 6.1 | EPSS Score: 0.025 | Published: 2024-06-13
The Web Directory Free WordPress plugin before 1.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based.
CVSS Score: 9.8 | EPSS Score: 0.936 | Published: 2024-06-13
The Search & Replace WordPress plugin before 3.2.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks (such as within a multi-site network).
CVSS Score: 7.2 | EPSS Score: 0.005 | Published: 2024-06-13
The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.
CVSS Score: 7.5 | EPSS Score: 0.017 | Published: 2024-06-13
ALCASAR before 3.6.1 allows CSRF and remote code execution in activity.php.
CVSS Score: 9.6 | EPSS Score: 0.029 | Published: 2024-06-13
ALCASAR before 3.6.1 allows email_registration_back.php remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.071 | Published: 2024-06-13
ALCASAR before 3.6.1 allows still_connected.php remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.068 | Published: 2024-06-13
Shodan ® - All rights reserved