Security Vulnerabilities - CVEs Published In January 2024
The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attributes in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for contributors and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.002
Published
2024-01-03
The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.13. This is due to missing or incorrect nonce validation in the powerpack-lite-for-elementor/classes/class-pp-admin-settings.php file. This makes it possible for unauthenticated attackers to modify and reset plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-01-03
The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on theprint_packinglist action in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to export orders which can contain sensitive information.
CVSS Score
4.3
EPSS Score
0.003
Published
2024-01-03
FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-01-03
Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.
CVSS Score
8.2
EPSS Score
0.001
Published
2024-01-03
PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.
CVSS Score
9.6
EPSS Score
0.003
Published
2024-01-03
PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system.
CVSS Score
9.6
EPSS Score
0.003
Published
2024-01-03
Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-01-03
An issue was discovered on GL.iNet devices through 4.5.0. Attackers can invoke the add_user interface in the system module to gain root privileges. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-01-03
Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-01-03