Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In December 2019
CVE-2019-19541
The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Best Day/Night field on the new listing submit page.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-12-26
CVE-2019-19542
The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS via the Good For field on the new listing submit page.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-12-26
CVE-2019-20000
The malware scan function in BullGuard Premium Protection 20.0.371.8 has a TOCTOU issue that enables a symbolic link attack, allowing privileged files to be deleted.
CVSS Score
5.9
EPSS Score
0.002
Published
2019-12-26
CVE-2019-19998
Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-12-26
CVE-2019-19999
Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.
CVSS Score
7.2
EPSS Score
0.004
Published
2019-12-26
CVE-2019-19979
A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed attackers to enable a vulnerable site's maintenance mode and inject malicious code affecting site visitors. There was CSRF with resultant XSS.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-12-26
CVE-2019-19980
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a privilege bypass flaw that allowed authenticated users (Subscriber or greater access) to send test emails from the administrative dashboard on behalf of an administrator. This occurs because the plugin registers a wp_ajax function to send_test_email.
CVSS Score
4.3
EPSS Score
0.002
Published
2019-12-26
CVE-2019-19981
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for CSRF to be exploited on all plugin settings.
CVSS Score
5.4
EPSS Score
0.001
Published
2019-12-26
CVE-2019-19982
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for unauthenticated option creation. In order to exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request.
CVSS Score
6.5
EPSS Score
0.004
Published
2019-12-26
CVE-2019-19983
In the WordPress plugin, Fast Velocity Minify before 2.7.7, the full web root path to the running WordPress application can be discovered. In order to exploit this vulnerability, FVM Debug Mode needs to be enabled and an admin-ajax request needs to call the fastvelocity_min_files action.
CVSS Score
4.3
EPSS Score
0.003
Published
2019-12-26


Products
Pricing
Contact Us

Shodan ® - All rights reserved