
[CVE] All the CVEs I own

Welcome to my CVE (Common Vulnerabilities and Exposures) repository! Below is a list of vulnerabilities that I have discovered and reported, along with their respective CVE identifiers.

Blog posts that cover my CVEs:

Wordfence

  1. https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpress-vulnerability-report-september-4-2023-to-september-10-2023/
  2. https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-september-25-2023-to-october-1-2023/
  3. https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-30-2023-to-november-5-2023/
  4. https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpress-vulnerability-report-november-13-2023-to-november-19-2023/
  5. https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpress-vulnerability-report-november-20-2023-to-november-26-2023/
  6. https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpress-vulnerability-report-november-27-2023-to-december-3-2023/
  7. https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpress-vulnerability-report-december-4-2023-to-december-10-2023/
  8. https://www.wordfence.com/blog/2024/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-december-18-2023-to-december-31-2023/
  9. https://www.wordfence.com/blog/2024/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-1-2024-to-january-7-2024/
  10. https://www.wordfence.com/blog/2024/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-8-2024-to-january-14-2024/
  11. https://www.wordfence.com/blog/2024/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-15-2024-to-january-21-2024/
  12. https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-29-2024-to-february-4-2024/

Patchstack

  1. https://patchstack.com/articles/patchstack-alliance-bounty-program-events-for-december/

List of CVEs

All CVEs listed here were assigned to products with a minimum of 1,000 users.

CVE-2024-24842

Description: The Knowledge Base for Documentation, FAQs with AI Assistance plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 11.30.2 via deserialization of untrusted input in the is_article_recently_viewed function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

POC: https://hackmd.io/@ancorn/CVE-2024-24842

Affected Software/Platform: WordPress plugin

CVSS: 9.8


CVE-2024-3018

Description: The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the 'error_resetpassword' attribute of the "Login | Register Form" widget (disabled by default). This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affected Software/Platform: WordPress plugin

CVSS: 8.8
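The two PHP Object Injection entries above (CVE-2024-24842 and CVE-2024-3018) come down to the same pattern: a value the attacker controls reaches unserialize(), and some other class loaded in the same request has a magic method that does something dangerous with attacker-chosen properties. The PHP below is an added example written for this page, not code from either plugin. TempFileCleanup is a hypothetical gadget class standing in for whatever a third-party plugin or theme happens to load, the recently_viewed_* functions are illustrative rather than the plugins' real code, and the cookie payload is constructed inline so the file runs with plain php from the command line.

```php
<?php
// Added example for this page; it is not code from any plugin listed here.
// TempFileCleanup is a hypothetical gadget class. The recently_viewed_*
// functions are illustrative, not the vulnerable plugins' real code.
declare(strict_types=1);

final class TempFileCleanup
{
    public string $path = '';

    // Runs automatically when the object is destroyed, i.e. as soon as the
    // unserialized object goes out of scope. This is the POP chain sink:
    // the attacker chooses $path through the serialized bytes.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: an untrusted cookie/parameter value goes straight into
// unserialize(), so any class known to the process can be instantiated with
// attacker-controlled properties.
function recently_viewed_vulnerable(string $cookieValue): array
{
    $data = unserialize($cookieValue);
    return is_array($data) ? $data : [];
}

// HARDENED (a): keep the serialized format but forbid object instantiation.
// Objects in the input become __PHP_Incomplete_Class, whose destructor is inert.
function recently_viewed_no_classes(string $cookieValue): array
{
    $data = unserialize($cookieValue, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED (b): preferred for new code. JSON cannot describe PHP objects at
// all, and the expected shape (a list of integer post IDs) is enforced.
function recently_viewed_json(string $cookieValue): array
{
    $data = json_decode($cookieValue, true);
    if (!is_array($data)) {
        return [];
    }
    return array_values(array_filter($data, 'is_int'));
}

// Builds the exact string an attacker would place in the cookie: a serialized
// TempFileCleanup whose path points at a file of the attacker's choosing.
function poi_payload(string $path): string
{
    return 'O:15:"TempFileCleanup":1:{s:4:"path";s:' . strlen($path) . ':"' . $path . '";}';
}

// --- Demo with constructed input (temp files we create ourselves) ----------
$victim = tempnam(sys_get_temp_dir(), 'poi');
recently_viewed_vulnerable(poi_payload($victim));
printf("vulnerable: file still exists? %s\n", var_export(file_exists($victim), true));

$victim2 = tempnam(sys_get_temp_dir(), 'poi');
recently_viewed_no_classes(poi_payload($victim2));
printf("allowed_classes=false: file still exists? %s\n", var_export(file_exists($victim2), true));
unlink($victim2);

var_dump(recently_viewed_json('[12, 7, "x", 3]'));
```

Run it with `php poi.php`. The vulnerable call deletes the temp file purely as a side effect of the object going out of scope, while the same bytes fed through `allowed_classes => false` yield a `__PHP_Incomplete_Class` and the file survives. The point for a reviewer is that the plugin's own code base need not contain any dangerous class: the advisory wording "if a POP chain is present via an additional plugin or theme" describes exactly this situation, and the only robust fix is to stop calling unserialize() on data that crossed a trust boundary (cookies, request parameters, widget settings editable by low-privilege roles).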


CVE-2023-50841

Description: WordPress BookingPress Plugin <= 1.0.72 is vulnerable to SQL Injection

Affected Software/Platform: WordPress plugin

CVSS: 8.8


CVE-2023-52204

Description: Randomize <= 1.4.3 - Authenticated (Contributor+) SQL Injection

Affected Software/Platform: WordPress plugin

CVSS: 8.8


CVE-2023-50840

Description: WordPress Booking Manager Plugin <= 2.1.5 is vulnerable to SQL Injection

Affected Software/Platform: WordPress plugin

CVSS: 8.8


CVE-2024-24796

Description: WordPress Event Manager for WooCommerce Plugin <= 4.1.1 is vulnerable to PHP Object Injection

Affected Software/Platform: WordPress plugin

CVSS: 8.8


CVE-2023-4308

Description: The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-content’ parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected Software/Platform: WordPress plugin

CVSS: 8.3
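CVE-2023-4308 above names the root cause that recurs through most of this list: insufficient input sanitization and output escaping. The Contributor+ "via shortcode" entries further down are the same bug in a slightly different place, since shortcode attributes are handed to the handler as plain strings and, when they contain no `<`, WordPress's kses filtering on save does not touch them. The PHP below is an added example written for this page, not code from any of the plugins listed; `[author_badge]` is a hypothetical shortcode, and the function_exists() shims approximate WordPress core's esc_attr(), esc_html(), esc_url() and shortcode_atts() so the file runs with plain php outside WordPress (core's esc_url is more permissive than the shim, e.g. it also accepts mailto: and other registered protocols).

```php
<?php
// Added example for this page; not code from any plugin listed here.
// [author_badge] is a hypothetical shortcode. The shims below are skipped
// inside WordPress, where core provides the real functions.
declare(strict_types=1);

if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Narrower than core: allows fragment/relative URLs and http(s) only.
    function esc_url(string $s): string
    {
        if ($s === '') {
            return '';
        }
        if ($s[0] === '#' || $s[0] === '/') {
            return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        $scheme = strtolower((string) parse_url($s, PHP_URL_SCHEME));
        return in_array($scheme, ['http', 'https'], true)
            ? htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            : '';
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array
    {
        return array_merge($pairs, array_intersect_key($atts, $pairs));
    }
}

// VULNERABLE handler: attribute values are concatenated into the markup as-is.
// A Contributor cannot save a raw <script> tag (no unfiltered_html capability,
// so kses strips it on save), but the attribute values used below contain no
// '<' and therefore reach this handler verbatim. The rendered post then runs
// the injected handler for every reader, administrators included.
function author_badge_vulnerable(array $atts): string
{
    $a = shortcode_atts(['name' => 'Author', 'link' => '#'], $atts);
    return '<a class="badge" href="' . $a['link'] . '" title="' . $a['name'] . '">'
        . $a['name'] . '</a>';
}

// HARDENED handler: escape each value for the context it lands in (URL
// attribute, plain attribute, element text). The fix lives at the output sink;
// relying on save-time filtering alone is what makes these shortcodes exploitable.
function author_badge_safe(array $atts): string
{
    $a = shortcode_atts(['name' => 'Author', 'link' => '#'], $atts);
    return '<a class="badge" href="' . esc_url($a['link']) . '" title="' . esc_attr($a['name']) . '">'
        . esc_html($a['name']) . '</a>';
}

// --- Demo with constructed input -------------------------------------------
// Roughly what WordPress hands the handler for a post containing
//   [author_badge name='x" onmouseover="alert(document.cookie)' link="javascript:alert(1)"]
// (single quotes around name so the embedded double quote survives parsing).
$atts = [
    'name' => 'x" onmouseover="alert(document.cookie)',
    'link' => 'javascript:alert(1)',
];

// Vulnerable output carries a live onmouseover attribute and a javascript: href.
echo author_badge_vulnerable($atts), PHP_EOL;

// Hardened output encodes the quote (no new attribute is created), renders the
// name as inert text, and drops the javascript: link entirely.
echo author_badge_safe($atts), PHP_EOL;
```

Run it with `php badge.php` and compare the two lines. When triaging a shortcode handler, grep for every `$atts[...]` that reaches an echo or return and check it passes through the escaping function for its context: esc_attr() inside attributes, esc_html() in element text, esc_url() in href/src, and wp_kses_post() only where limited HTML is genuinely intended.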


CVE-2023-51513

Description: WordPress Geo Controller Plugin <= 8.5.2 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-51506

Description: WordPress WPCS Plugin <= 1.2.0 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-51504

Description: WordPress Dan's Embedder for Google Calendar Plugin <= 1.2 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-51493

Description: WordPress Custom Post Carousels with Owl Plugin <= 1.4.6 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-51399

Description: WordPress Back Button Widget Plugin <= 1.6.3 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-50881

Description: WordPress Advanced Access Manager Plugin <= 6.9.15 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-50874

Description: WordPress Ajax Load More Plugin <= 6.1.0.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-50860

Description: WordPress Amelia Plugin <= 1.0.85 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-6995

Description: Popup Builder – Create highly converting, mobile friendly marketing popups. (<= 4.2.5) - XSS

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-6994

Description: List category posts <= 0.89.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-6808

Description: Booking for Appointments and Events Calendar – Amelia <= 1.0.93 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-6986

Description: EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor <= 3.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-50823

Description: WordPress CSS & JavaScript Toolbox Plugin <= 11.8 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-50822

Description: WordPress Currency Converter Widget Plugin <= 3.0.2 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-6782

Description: AMP for WP – Accelerated Mobile Pages <= 1.0.92 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-50369

Description: WordPress Alma – Pay in installments or later for WooCommerce Plugin <= 5.1.3 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-50368

Description: WordPress Shortcodes and extra features for Phlox theme Plugin <= 2.15.4 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-49846

Description: WordPress Author Avatars List/Block Plugin <= 2.1.16 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-49823

Description: WordPress Bold Page Builder Plugin <= 4.6.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-49173

Description: WordPress 10to8 Online Appointment Booking System Plugin <= 1.0.9 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-49169

Description: WordPress Ads by datafeedr.com Plugin <= 1.2.0 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-49152

Description: WordPress Credit Tracker Plugin <= 1.1.17 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-49150

Description: WordPress Crypto Converter Widget Plugin <= 1.8.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-49149

Description: WordPress Currency Converter Calculator Plugin <= 1.3.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-48336

Description: WordPress Easy Social Icons Plugin <= 3.2.4 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-48321

Description: WordPress Accelerated Mobile Pages Plugin <= 1.0.88.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47851

Description: Cross Site Scripting (XSS) in Bootstrap Shortcodes Ultimate 4.3.1

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47821

Description: WordPress Email Encoder Bundle Plugin <= 2.1.8 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47808

Description: Cross Site Scripting (XSS) in Add Widgets to Page 1.3.2

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47809

Description: WordPress Accordion Plugin <= 2.6 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47810

Description: WordPress Ajax Domain Checker Plugin <= 1.3.0 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47811

Description: Cross Site Scripting (XSS) in Anywhere Flash Embed 1.0.5

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47812

Description: WordPress Bamboo Columns Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47813

Description: WordPress Better RSS Widget Plugin <= 2.8.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47814

Description: WordPress BMI Calculator Plugin <= 1.0.3 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47815

Description: WordPress BP Profile Shortcodes Extra Plugin <= 2.5.2 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47816

Description: WordPress Charitable Plugin <= 1.7.0.13 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47817

Description: WordPress Daily Prayer Time Plugin <= 2023.10.13 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-44143

Description: WordPress Bamboo Columns Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-44145

Description: WordPress Anchor Episodes Index (Spotify for Podcasters) Plugin <= 2.1.7 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-44984

Description: WordPress BuddyMeet Plugin <= 2.2.0 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-44985

Description: WordPress BuddyMeet Plugin <= 2.2.0 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-46069

Description: WordPress Ajax Archive Calendar Plugin <= 2.6.7 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-46613

Description: WordPress Add to Calendar Button Plugin < 1.5.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-46782

Description: WordPress MomentoPress for Momento360 Plugin <= 1.0.1 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47190

Description: WordPress Apollo13 Framework Extensions Plugin <= 1.9.0 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-47239

Description: WordPress Easy PayPal Shopping Cart Plugin <= 1.1.10 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-44242

Description: WordPress Images Slideshow by 2J Plugin <= 1.3.54 is vulnerable to Cross Site Scripting (XSS)

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-41696

Description: Cross Site Scripting (XSS) vulnerability in WordPress User Submitted Posts Plugin

Affected Software/Platform: WordPress plugin

CVSS: 6.5


CVE-2023-4838

Description: The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes

Affected Software/Platform: WordPress plugin

CVSS: 6.4


CVE-2023-4779

Description: The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [usp_gallery] shortcode

Affected Software/Platform: WordPress plugin

CVSS: 6.4


Conclusion

Maintaining a list of CVEs helps in tracking discovered vulnerabilities and contributes to improving cybersecurity. I'm committed to continuing my efforts in identifying and reporting vulnerabilities to enhance the security of digital systems.

Feel free to reach out for further details or collaboration opportunities related to these CVEs.