{"vulnerability": "cve-2024-1385", "sightings": [{"uuid": "d1ca111b-aef2-4445-bf0e-9947d32d1e3d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13851", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/5854", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13851\n\ud83d\udd25 CVSS Score: 5.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)\n\ud83d\udd39 Description: The Modal Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.\n\ud83d\udccf Published: 2025-02-28T08:23:18.930Z\n\ud83d\udccf Modified: 2025-02-28T08:23:18.930Z\n\ud83d\udd17 References:\n1. https://www.wordfence.com/threat-intel/vulnerabilities/id/dc049cab-6793-4656-9b17-8ca64c566c4c?source=cve\n2. https://wordpress.org/plugins/modal-portfolio/#developers", "creation_timestamp": "2025-02-28T09:27:26.000000Z"}, {"uuid": "3c779033-04d2-4405-b3f3-42df5e12c87d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13857", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/6837", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13857\n\ud83d\udd25 CVSS Score: 5.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)\n\ud83d\udd39 Description: The WPGet API \u2013 Connect to any external REST API plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.\n\ud83d\udccf Published: 2025-03-07T09:21:14.921Z\n\ud83d\udccf Modified: 2025-03-07T13:36:06.585Z\n\ud83d\udd17 References:\n1. https://www.wordfence.com/threat-intel/vulnerabilities/id/cd2a8e7b-6fca-49f3-ba6d-bdaa418f611a?source=cve\n2. https://wordpress.org/plugins/wpgetapi/#developers\n3. https://plugins.trac.wordpress.org/changeset/3251647/", "creation_timestamp": "2025-03-07T14:38:27.000000Z"}, {"uuid": "c3f0c42a-746c-4e92-9851-6957f4da9619", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13853", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/7138", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13853\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin\n\ud83d\udccf Published: 2025-03-11T06:00:11.237Z\n\ud83d\udccf Modified: 2025-03-11T13:15:20.635Z\n\ud83d\udd17 References:\n1. https://wpscan.com/vulnerability/52991dd9-41f7-4cf8-b8c9-56dd4e62bf0c/", "creation_timestamp": "2025-03-11T13:39:57.000000Z"}, {"uuid": "9e01d60b-2151-4536-9f88-5170aae5d314", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13856", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lkx7uyu6322k", "content": "", "creation_timestamp": "2025-03-22T07:38:48.667719Z"}, {"uuid": "db0ebad3-66b9-40eb-92f0-2834209c69f7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13853", "type": "seen", "source": "https://t.me/cvedetector/20045", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13853 - \"WordPress SEO Tools Reflected Cross-Site Scripting Vulnerability\"\", \n  \"Content\": \"CVE ID : CVE-2024-13853 \nPublished : March 11, 2025, 6:15 a.m. | 1\u00a0hour, 47\u00a0minutes ago \nDescription : The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Mar 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-03-11T09:15:54.000000Z"}, {"uuid": "7af08d6f-c372-4556-a16b-e73ed59b0197", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13857", "type": "seen", "source": "https://t.me/cvedetector/19801", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13857 - WordPress WPGet API Server-Side Request Forgery Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-13857 \nPublished : March 7, 2025, 10:15 a.m. | 46\u00a0minutes ago \nDescription : The WPGet API \u2013 Connect to any external REST API plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. \nSeverity: 5.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"07 Mar 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-03-07T12:25:39.000000Z"}, {"uuid": "f147e834-a74f-449e-837d-e20d2e9073c6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13854", "type": "seen", "source": "https://t.me/cvedetector/18426", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13854 - Elementor Education Addon WordPress Insecure Direct Object Reference\", \n  \"Content\": \"CVE ID : CVE-2024-13854 \nPublished : Feb. 19, 2025, 8:15 a.m. | 2\u00a0hours, 7\u00a0minutes ago \nDescription : The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.1 via the naedu_elementor_template shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, password protected, and restricted posts. This applies to posts created with Elementor only. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"19 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-19T12:03:12.000000Z"}, {"uuid": "1c77fece-e18a-490e-8753-416834f415bf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13852", "type": "seen", "source": "https://t.me/cvedetector/18281", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13852 - WordPress Option Editor CSRF\", \n  \"Content\": \"CVE ID : CVE-2024-13852 \nPublished : Feb. 18, 2025, 5:15 a.m. | 2\u00a0hours, 15\u00a0minutes ago \nDescription : The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the plugin_page() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. \nSeverity: 8.8 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-18T09:16:51.000000Z"}, {"uuid": "b259c047-f18f-44c0-865b-3a5b204e7b6c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13851", "type": "seen", "source": "https://t.me/cvedetector/19142", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13851 - \"WordPress Modal Portfolio Stored Cross-Site Scripting\"\", \n  \"Content\": \"CVE ID : CVE-2024-13851 \nPublished : Feb. 28, 2025, 9:15 a.m. | 51\u00a0minutes ago \nDescription : The Modal Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. \nSeverity: 5.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"28 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-28T11:10:33.000000Z"}, {"uuid": "4d7d571f-e637-4afe-ba01-4709aceee126", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13854", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/4794", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13854\n\ud83d\udd25 CVSS Score: 4.3 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\ud83d\udd39 Description: The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.1 via the naedu_elementor_template shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, password protected, and restricted posts. This applies to posts created with Elementor only.\n\ud83d\udccf Published: 2025-02-19T07:32:08.945Z\n\ud83d\udccf Modified: 2025-02-19T07:32:08.945Z\n\ud83d\udd17 References:\n1. https://www.wordfence.com/threat-intel/vulnerabilities/id/50e8811c-07b1-4325-92a4-dc1c91afbe9e?source=cve\n2. https://wordpress.org/plugins/education-addon/#developers", "creation_timestamp": "2025-02-19T08:41:16.000000Z"}, {"uuid": "2216db95-278a-49bb-a6a9-f4e13ca3d5ca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13856", "type": "seen", "source": "https://t.me/cvedetector/20857", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13856 - WordPress Make Builder SSRF\", \n  \"Content\": \"CVE ID : CVE-2024-13856 \nPublished : March 22, 2025, 7:15 a.m. | 1\u00a0hour, 56\u00a0minutes ago \nDescription : The Your Friendly Drag and Drop Page Builder \u2014 Make Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.10 via the make_builder_ajax_subscribe() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. \nSeverity: 6.4 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"22 Mar 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-03-22T10:22:26.000000Z"}, {"uuid": "6cc6a22d-8584-4fcb-8da6-7530f83a1fb3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13858", "type": "seen", "source": "https://t.me/cvedetector/24339", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13858 - Buddyboss Platform Stored Cross-Site Scripting Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-13858 \nPublished : May 2, 2025, 7:15 a.m. | 1\u00a0hour, 41\u00a0minutes ago \nDescription : The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018invitee_name\u2019 parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41. \nSeverity: 6.4 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"02 May 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-05-02T11:45:46.000000Z"}, {"uuid": "6220a83e-8c01-44f1-96a5-515a42be0f06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13850", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113968257327109943", "content": "", "creation_timestamp": "2025-02-08T12:26:39.205363Z"}, {"uuid": "b16dd79c-993b-4480-b319-39f820487901", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13850", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lho74czs4a22", "content": "", "creation_timestamp": "2025-02-08T13:15:24.599745Z"}, {"uuid": "8b9c05f0-ea47-4e58-8be7-9b5b3ea7ba6c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13850", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lhoayphci62p", "content": "", "creation_timestamp": "2025-02-08T13:49:10.893440Z"}, {"uuid": "7932a197-3b52-48dc-89c4-4251ae7795cc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13852", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3ligj2dh4de2y", "content": "", "creation_timestamp": "2025-02-18T05:17:08.845803Z"}, {"uuid": "efcd1252-4021-4096-8e55-9328f8974210", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13852", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3ligm2xauad2m", "content": "", "creation_timestamp": "2025-02-18T06:11:11.044593Z"}, {"uuid": "31cea397-a017-421c-8240-3cdbcafa88df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13852", "type": "seen", "source": "https://mastodon.social/users/CyberSignaler/statuses/114023552710702386", "content": "", "creation_timestamp": "2025-02-18T06:48:59.640089Z"}, {"uuid": "20dadc8d-8623-4a7f-8f15-5da260cbe929", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13854", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lijq3wnvex2v", "content": "", "creation_timestamp": "2025-02-19T12:01:19.852023Z"}, {"uuid": "ae8ec767-faa6-4d1a-aa88-090988ad4eaa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13858", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lo6e7pqa6g22", "content": "", "creation_timestamp": "2025-05-02T08:00:37.325936Z"}, {"uuid": "902c645f-1d6c-4c15-900e-9fb0881ab451", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13859", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lo6e7q3axo2l", "content": "", "creation_timestamp": "2025-05-02T08:00:39.044504Z"}, {"uuid": "6c11b7cc-e8e2-4c28-9c80-5cb63bdf3a57", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13859", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/14448", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13859\n\ud83d\udd25 CVSS Score: 6.4 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)\n\ud83d\udd39 Description: The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018bp_nouveau_ajax_media_save\u2019 function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.\n\ud83d\udccf Published: 2025-05-02T06:41:51.037Z\n\ud83d\udccf Modified: 2025-05-02T06:41:51.037Z\n\ud83d\udd17 References:\n1. https://www.wordfence.com/threat-intel/vulnerabilities/id/d77c8096-40b1-4ac7-881f-6aed98da6752?source=cve\n2. https://www.buddyboss.com/platform/", "creation_timestamp": "2025-05-02T07:16:17.000000Z"}, {"uuid": "399fb246-6211-4881-b37c-acca57f48b90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13855", "type": "seen", "source": "https://t.me/cvedetector/18524", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13855 - Elementor Prime Addons for WordPress Insecure Direct Object Reference\", \n  \"Content\": \"CVE ID : CVE-2024-13855 \nPublished : Feb. 20, 2025, 10:15 a.m. | 1\u00a0hour, 3\u00a0minutes ago \nDescription : The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, private, password protected, and restricted posts. This applies to posts created with Elementor only. \nSeverity: 4.3 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"20 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-20T13:08:55.000000Z"}, {"uuid": "c15081da-4fdd-42bd-bf94-8dc897ec51c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13857", "type": "seen", "source": "Telegram/nBki0DXBUKl37j3HGBXr4i9WlIHFlSXArqngbavIgCQbwHrH", "content": "", "creation_timestamp": "2025-03-08T04:34:56.000000Z"}, {"uuid": "d31e21c2-b4e6-482f-8f94-f7a09a715d17", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13850", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/3876", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13850\n\ud83d\udd25 CVSS Score: 4.5 (CVSS_V3)\n\ud83d\udd39 Description: The Simple add pages or posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.\n\ud83d\udccf Published: 2025-02-08T15:30:31Z\n\ud83d\udccf Modified: 2025-02-08T15:30:31Z\n\ud83d\udd17 References:\n1. https://nvd.nist.gov/vuln/detail/CVE-2024-13850\n2. https://plugins.trac.wordpress.org/browser/simple-add-pages-or-posts/tags/2.0.0/form.php\n3. https://wordpress.org/plugins/simple-add-pages-or-posts/#developers\n4. https://www.wordfence.com/threat-intel/vulnerabilities/id/65a3604d-eb6b-484f-834a-b3d75fe3bda7?source=cve", "creation_timestamp": "2025-02-08T16:03:52.000000Z"}, {"uuid": "1f0134b9-736a-4509-809d-a0bab06a084d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13850", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/3878", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13850\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: No description available\n\ud83d\udccf Published: 2025-02-08T13:15:06.840\n\ud83d\udccf Modified: N/A\n\ud83d\udd17 References:\n1. https://plugins.trac.wordpress.org/browser/simple-add-pages-or-posts/tags/2.0.0/form.php\n2. https://wordpress.org/plugins/simple-add-pages-or-posts/#developers\n3. https://www.wordfence.com/threat-intel/vulnerabilities/id/65a3604d-eb6b-484f-834a-b3d75fe3bda7?source=cve", "creation_timestamp": "2025-02-08T16:03:53.000000Z"}, {"uuid": "efaa30ce-d2d6-4814-9afd-9d6f387697cf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13851", "type": "seen", "source": "Telegram/DmM-npVJveckzw7r2AdRVe2S9OoIeoEyXwhSSUg-QQJcggUd", "content": "", "creation_timestamp": "2025-03-02T11:44:22.000000Z"}, {"uuid": "f8e7255a-9e9f-4b9c-b706-293591b10bb9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13859", "type": "seen", "source": "https://t.me/cvedetector/24338", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13859 - Buddyboss WordPress Stored Cross-Site Scripting\", \n  \"Content\": \"CVE ID : CVE-2024-13859 \nPublished : May 2, 2025, 7:15 a.m. | 1\u00a0hour, 41\u00a0minutes ago \nDescription : The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018bp_nouveau_ajax_media_save\u2019 function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41. \nSeverity: 6.4 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"02 May 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-05-02T11:45:46.000000Z"}, {"uuid": "3a791200-f333-465b-93e5-466246b0fa3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13854", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lijdks3ngk2t", "content": "", "creation_timestamp": "2025-02-19T08:16:57.720232Z"}, {"uuid": "74725b2c-d6e1-4793-89d7-db178717d130", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13855", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3limctgtfot2c", "content": "", "creation_timestamp": "2025-02-20T12:41:57.533039Z"}, {"uuid": "4b7aa74b-ee4e-4a88-9ee3-fae32fcedade", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13853", "type": "confirmed", "source": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2024/CVE-2024-13853.yaml", "content": "", "creation_timestamp": "2025-03-12T06:44:39.000000Z"}, {"uuid": "f2fe3b5c-1b5c-48af-b148-23bf939e663a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13859", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lo6g65d2k5f2", "content": "", "creation_timestamp": "2025-05-02T13:21:01.296834Z"}, {"uuid": "e5ef8202-9f5f-4f86-aceb-5627b145cd67", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13858", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lo6g65osqkk2", "content": "", "creation_timestamp": "2025-05-02T13:21:01.884941Z"}, {"uuid": "22ba42e1-63aa-49b9-888c-72a33ffe3300", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13858", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/14450", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13858\n\ud83d\udd25 CVSS Score: 6.4 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)\n\ud83d\udd39 Description: The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018invitee_name\u2019 parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.\n\ud83d\udccf Published: 2025-05-02T06:41:50.012Z\n\ud83d\udccf Modified: 2025-05-02T06:41:50.012Z\n\ud83d\udd17 References:\n1. https://www.wordfence.com/threat-intel/vulnerabilities/id/5f50e293-aebd-44dd-a692-64dea8f6622f?source=cve\n2. https://www.buddyboss.com/platform/", "creation_timestamp": "2025-05-02T07:16:19.000000Z"}, {"uuid": "02b57414-2276-4749-8627-0dc676e09358", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13850", "type": "seen", "source": "https://t.me/cvedetector/17536", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-13850 - \"WordPress Simple Add Pages/Posts Stored XSS Vulnerability\"\", \n  \"Content\": \"CVE ID : CVE-2024-13850 \nPublished : Feb. 8, 2025, 1:15 p.m. | 48\u00a0minutes ago \nDescription : The Simple add pages or posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. \nSeverity: 5.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-08T15:44:48.000000Z"}, {"uuid": "c5a4bcb9-39f5-4872-941f-a0ae47b7d8a3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-13852", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/4747", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-13852\n\ud83d\udd25 CVSS Score: 8.8 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\ud83d\udd39 Description: The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the plugin_page() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.\n\ud83d\udccf Published: 2025-02-18T04:21:15.377Z\n\ud83d\udccf Modified: 2025-02-18T04:21:15.377Z\n\ud83d\udd17 References:\n1. https://www.wordfence.com/threat-intel/vulnerabilities/id/50adbe1d-9d79-4015-9e09-2166f97efc47?source=cve\n2. https://plugins.trac.wordpress.org/browser/option-editor/trunk/option-editor.php#L70\n3. https://wordpress.org/plugins/option-editor/#developers", "creation_timestamp": "2025-02-18T07:57:00.000000Z"}]}