Blog – iPRESIDIUM

Skip to content

Security Without Compromise

Home
Cyber Security Services
Cyber Security Solutions
Managed Security Services
Resources
Contact Us

Menu

Home
Cyber Security Services
Cyber Security Solutions
Managed Security Services
Resources
Contact Us

VUNERABILITIES

CVE-2020-27184 May 14, 2021
The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.
CVE-2020-27185 May 14, 2021
Cleartext transmission of sensitive information via Moxa Service in NPort IA5000A series serial devices. Successfully exploiting the vulnerability could enable attackers to read authentication data, device configuration, and other sensitive data transmitted over Moxa Service.
CVE-2021-32613 May 14, 2021
In radare2 through 5.3.0 there is a double free vulnerability in the pyc parse via a crafted file which can lead to DoS.
CVE-2021-24280 May 14, 2021
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
CVE-2021-24279 May 14, 2021
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.
CVE-2021-24284 May 14, 2021
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
CVE-2021-24287 May 14, 2021
The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
CVE-2021-24192 May 14, 2021
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Tree Sitemap WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
CVE-2021-24194 May 14, 2021
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical […]
CVE-2021-24291 May 14, 2021
The Photo Gallery by 10Web Ã¢â‚¬â€œ Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)
CVE-2021-24278 May 14, 2021
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.
CVE-2021-24193 May 14, 2021
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like […]
CVE-2021-24286 May 14, 2021
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
CVE-2021-24285 May 14, 2021
The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue.
CVE-2021-24277 May 14, 2021
The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its Ã�Â¡Ã‘â€¡Ã�ÂµÃ‘â€šÃ‘â€¡Ã�Â¸Ã�ÂºÃ�Â¸ settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues
CVE-2021-24195 May 14, 2021
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login as User or Customer (User Switching) WordPress plugin before 1.8, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical […]
CVE-2021-24283 May 14, 2021
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
CVE-2021-24282 May 14, 2021
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the pluginâ€™s settings, wpcf7r_add_action to add actions to a form, and more.
CVE-2021-24281 May 14, 2021
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.
CVE-2021-24188 May 14, 2021
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Content Copy Protection & No Right Click WordPress plugin before 3.1.5, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more […]

LATEST POSTS

EVENTS

CONTACT US

info@ipresidium.com
Office: (949) 721-6612
Fax: (866) 205-2904
620 Newport Center Dr. STE 1100
Newport Beach, CA 92660
Career Opportunities

Envelope

Facebook

Twitter