
Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-50438 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Reflected XSS.

CVE-2024-50441 CVSS:7.4

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CozyThemes Cozy Blocks allows Stored XSS.

CVE-2024-50448 CVSS:7.1

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Reflected XSS.

CVE-2024-50491 CVSS:9.3

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Micah Blu RSVP ME allows SQL Injection. This issue affects RSVP ME: from n/a through 1.9.9.

CVE-2024-50478 CVSS:9.8

Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass.

CVE-2024-50483 CVSS:9.8

Authorization Bypass Through User-Controlled Key vulnerability in Meetup allows Privilege Escalation.

CVE-2024-50488 CVSS:8.8

Authentication Bypass Using an Alternate Path or Channel vulnerability in Priyabrata Sarkar Token Login allows Authentication Bypass.

CVE-2024-50408 CVSS:8.8

Deserialization of Untrusted Data vulnerability in Kiboko Labs Namaste! LMS allows Object Injection.

CVE-2024-50416 CVSS:8.8

Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce allows Object Injection. This issue affects WPC Shop as a Customer for WooCommerce.

CVE-2024-50450 CVSS:7.3

Improper Control of Generation of Code ('Code Injection') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Injection. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.

CVE-2024-50492 CVSS:8.3

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection.

CVE-2024-50498 CVSS:10.0

Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.

CVE-2024-50477 CVSS:9.8

Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder (stacks-mobile-app-builder) allows Authentication Bypass.

CVE-2024-50486 CVSS:9.8

Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API allows Authentication Bypass. This issue affects Acnoo Flutter API.

CVE-2024-50487 CVSS:9.8

Authentication Bypass Using an Alternate Path or Channel vulnerability in MaanTheme MaanStore API allows Authentication Bypass. This issue affects MaanStore API.

Impact

  • Cross-Site Scripting
  • Data Manipulation
  • Gain Access
  • Code Execution

Indicators of Compromise

CVE

  • CVE-2024-50438
  • CVE-2024-50441
  • CVE-2024-50448
  • CVE-2024-50491
  • CVE-2024-50478
  • CVE-2024-50483
  • CVE-2024-50488
  • CVE-2024-50408
  • CVE-2024-50416
  • CVE-2024-50450
  • CVE-2024-50492
  • CVE-2024-50498
  • CVE-2024-50477
  • CVE-2024-50486
  • CVE-2024-50487

Affected Vendors

WordPress

Affected Products

  • Andy Moyle Church Admin - n/a
  • CozyThemes Cozy Blocks - n/a
  • YITH YITH WooCommerce Product Add-Ons - n/a
  • Micah Blu RSVP ME - n/a through 1.9.9
  • Swoop 1-Click Login: Passwordless Authentication - 1.4.5
  • Meetup - n/a
  • Priyabrata Sarkar Token Login - n/a
  • Kiboko Labs Namaste! LMS - n/a
  • WPClever WPC Shop as a Customer for WooCommerce - n/a
  • realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) - n/a through 1.3.3
  • Scott Paterson ScottCart - n/a
  • LUBUS WP Query Console - n/a
  • Stacks Stacks Mobile App Builder - n/a
  • Acnoo Acnoo Flutter API - n/a
  • MaanTheme MaanStore API - n/a

Remediation

Upgrade each affected plugin to the latest version available from the WordPress Plugin Directory. Where no fixed version is listed above (n/a), treat every installed version as affected until the vendor publishes a patched release, and consider deactivating the plugin in the meantime.

  • CVE-2024-50438
  • CVE-2024-50441
  • CVE-2024-50448
  • CVE-2024-50491
  • CVE-2024-50478
  • CVE-2024-50483
  • CVE-2024-50488
  • CVE-2024-50408
  • CVE-2024-50416
  • CVE-2024-50450
  • CVE-2024-50492
  • CVE-2024-50498
  • CVE-2024-50477
  • CVE-2024-50486
  • CVE-2024-50487
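The following script is an added example for triaging this advisory against a real site's plugin inventory; it is not code from Rewterz or from any of the plugins named above. It reads the JSON that WP-CLI produces with `wp plugin list --format=json --fields=name,title,version,status`, matches each row's title against the product names in this advisory, and applies the only version bounds the advisory states (RSVP ME through 1.9.9, MDTF through 1.3.3; the 1.4.5 shown for Swoop is assumed here to be the last affected release). Products listed as n/a are flagged at any version. The sample inventory embedded at the bottom is constructed; its slugs, titles and versions are illustrative only.

```python
import json
import re

# Products and version bounds as the advisory lists them. None means the advisory
# gives no bound ("n/a"), so any installed version is reported as affected.
# The "1.4.5" for Swoop is an assumption: the advisory shows that version for the
# product but does not say "through".
ADVISORY = [
    ("CVE-2024-50438", "Church Admin", None),
    ("CVE-2024-50441", "Cozy Blocks", None),
    ("CVE-2024-50448", "YITH WooCommerce Product Add-Ons", None),
    ("CVE-2024-50491", "RSVP ME", "1.9.9"),
    ("CVE-2024-50478", "1-Click Login", "1.4.5"),
    ("CVE-2024-50483", "Meetup", None),
    ("CVE-2024-50488", "Token Login", None),
    ("CVE-2024-50408", "Namaste! LMS", None),
    ("CVE-2024-50416", "WPC Shop as a Customer for WooCommerce", None),
    ("CVE-2024-50450", "WordPress Meta Data and Taxonomies Filter", "1.3.3"),
    ("CVE-2024-50492", "ScottCart", None),
    ("CVE-2024-50498", "WP Query Console", None),
    ("CVE-2024-50477", "Stacks Mobile App Builder", None),
    ("CVE-2024-50486", "Acnoo Flutter API", None),
    ("CVE-2024-50487", "MaanStore API", None),
]


def parse_version(text):
    """'1.9.9' -> (1, 9, 9); '2.0-beta1' -> (2, 0, 1). Returns None when no digits."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text or ""))
    return parts or None


def version_at_most(installed, bound):
    """True when installed <= bound, comparing numerically with zero-padding so
    that 1.3 <= 1.3.3 and 1.10 > 1.9.9. Unparseable versions fail closed."""
    a, b = parse_version(installed), parse_version(bound)
    if a is None:
        return True
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def matching_cves(title, installed_version):
    """CVEs from ADVISORY that apply to one plugin row.

    Matching is a case-insensitive substring test on the plugin title, because
    the advisory names products, not plugin slugs; review hits on short names
    such as "Meetup" by hand."""
    hits = []
    for cve, product, last_affected in ADVISORY:
        if product.lower() not in title.lower():
            continue
        if last_affected is None or version_at_most(installed_version, last_affected):
            hits.append(cve)
    return hits


def audit(wp_plugin_list_json):
    """Consume `wp plugin list --format=json --fields=name,title,version,status`
    output and return one finding per affected plugin, inactive plugins included
    (their code is still on disk and can be re-enabled)."""
    findings = []
    for row in json.loads(wp_plugin_list_json):
        cves = matching_cves(row.get("title", ""), row.get("version", ""))
        if cves:
            findings.append({
                "name": row.get("name"),
                "version": row.get("version"),
                "status": row.get("status"),
                "cves": cves,
            })
    return findings


# Constructed sample inventory (not taken from a real site); slugs, titles and
# versions are illustrative. Expected: church-admin (no bound), rsvp-me (1.9.9 is
# within the bound) and wp-query-console (no bound, even though inactive) are
# flagged; WooCommerce is unrelated and MDTF 1.3.4 is above the stated bound.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "church-admin", "title": "Church Admin", "version": "4.1.2", "status": "active"},
    {"name": "woocommerce", "title": "WooCommerce", "version": "9.3.3", "status": "active"},
    {"name": "rsvp-me", "title": "RSVP ME", "version": "1.9.9", "status": "active"},
    {"name": "mdtf", "title": "WordPress Meta Data and Taxonomies Filter (MDTF)",
     "version": "1.3.4", "status": "active"},
    {"name": "wp-query-console", "title": "WP Query Console", "version": "1.0", "status": "inactive"},
])


if __name__ == "__main__":
    # Real usage: wp plugin list --format=json --fields=name,title,version,status > plugins.json
    for f in audit(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['name']} {f['version']} ({f['status']}): {', '.join(f['cves'])}")
```

Run it against the real inventory by replacing `SAMPLE_WP_PLUGIN_LIST` with the file contents; on multisite, run `wp plugin list` once per site or with `--network`. The substring match is deliberately coarse so that renamed or forked titles still surface; confirm each hit against the plugin's slug in the WordPress Plugin Directory before acting on it.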