Publish Advisories

GHSA-244g-mc48-hxgx
GHSA-2w64-q994-w6rw
GHSA-48qf-jjwf-7c3j
GHSA-5mw4-48mm-4hwr
GHSA-5xf6-7w2g-9f4w
GHSA-62c8-7p5q-m59c
GHSA-67xq-pgrv-jjfv
GHSA-7rxr-hv3w-h99r
GHSA-c8wh-grp4-2gjm
GHSA-cx2v-ghwh-m3w7
GHSA-f66r-7mc6-x4rf
GHSA-fqq3-cpcq-8fhc
GHSA-gphg-348r-v598
GHSA-hg2c-f5rw-v45v
GHSA-jcfw-r7j2-hvv7
GHSA-prwf-p7rw-xrr2
GHSA-qj6m-6wr4-jg9x
GHSA-qpxm-8xgh-55mq
GHSA-qwf8-w2rv-v3j4
GHSA-rpr9-6rwm-4w63
GHSA-v9hf-gmhj-865f

Author: advisory-database[bot]

advisories/unreviewed/2024/02/GHSA-244g-mc48-hxgx/GHSA-244g-mc48-hxgx.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-244g-mc48-hxgx",
+  "modified": "2024-02-10T09:30:21Z",
+  "published": "2024-02-10T09:30:21Z",
+  "aliases": [
+    "CVE-2024-23517"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Start Booking Scheduling Plugin – Online Booking for WordPress allows Stored XSS.This issue affects Scheduling Plugin – Online Booking for WordPress: from n/a through 3.5.10.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23517"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/calendar-booking/wordpress-scheduling-plugin-online-booking-for-wordpress-plugin-3-5-10-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T09:15:09Z"
+  }
+}

advisories/unreviewed/2024/02/GHSA-2w64-q994-w6rw/GHSA-2w64-q994-w6rw.json

@@ -0,0 +1,46 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2w64-q994-w6rw",
+  "modified": "2024-02-10T09:30:20Z",
+  "published": "2024-02-10T09:30:20Z",
+  "aliases": [
+    "CVE-2024-1406"
+  ],
+  "details": "A vulnerability was found in Linksys WRT54GL 4.30.18. It has been declared as problematic. This vulnerability affects unknown code of the file /SysInfo1.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. VDB-253330 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1406"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.253330"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.253330"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T08:15:07Z"
+  }
+}

advisories/unreviewed/2024/02/GHSA-48qf-jjwf-7c3j/GHSA-48qf-jjwf-7c3j.json

@@ -0,0 +1,50 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-48qf-jjwf-7c3j",
+  "modified": "2024-02-10T09:30:19Z",
+  "published": "2024-02-10T09:30:19Z",
+  "aliases": [
+    "CVE-2024-0594"
+  ],
+  "details": "The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the wpas_get_users action in all versions up to, and including, 6.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0594"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L1279"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L765"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T07:15:07Z"
+  }
+}

advisories/unreviewed/2024/02/GHSA-5mw4-48mm-4hwr/GHSA-5mw4-48mm-4hwr.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5mw4-48mm-4hwr",
+  "modified": "2024-02-10T09:30:20Z",
+  "published": "2024-02-10T09:30:20Z",
+  "aliases": [
+    "CVE-2024-24717"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark Kinchin Beds24 Online Booking allows Stored XSS.This issue affects Beds24 Online Booking: from n/a through 2.0.23.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24717"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/beds24-online-booking/wordpress-beds24-online-booking-plugin-2-0-23-admin-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T08:15:08Z"
+  }
+}

advisories/unreviewed/2024/02/GHSA-5xf6-7w2g-9f4w/GHSA-5xf6-7w2g-9f4w.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5xf6-7w2g-9f4w",
+  "modified": "2024-02-10T09:30:21Z",
+  "published": "2024-02-10T09:30:21Z",
+  "aliases": [
+    "CVE-2024-23516"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Calculators World CC BMI Calculator allows Stored XSS.This issue affects CC BMI Calculator: from n/a through 2.0.1.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23516"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/cc-bmi-calculator/wordpress-cc-bmi-calculator-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T09:15:09Z"
+  }
+}

advisories/unreviewed/2024/02/GHSA-62c8-7p5q-m59c/GHSA-62c8-7p5q-m59c.json

@@ -0,0 +1,42 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-62c8-7p5q-m59c",
+  "modified": "2024-02-10T09:30:19Z",
+  "published": "2024-02-10T09:30:19Z",
+  "aliases": [
+    "CVE-2024-0596"
+  ],
+  "details": "The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the editor_html() function in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to view password protected and draft posts.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0596"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail="
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4358e2a-b7f6-44b6-a38a-5b27cb15e1cd?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T07:15:08Z"
+  }
+}

advisories/unreviewed/2024/02/GHSA-67xq-pgrv-jjfv/GHSA-67xq-pgrv-jjfv.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-67xq-pgrv-jjfv",
+  "modified": "2024-02-10T09:30:20Z",
+  "published": "2024-02-10T09:30:20Z",
+  "aliases": [
+    "CVE-2024-24801"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LogicHunt OWL Carousel – WordPress Owl Carousel Slider allows Stored XSS.This issue affects OWL Carousel – WordPress Owl Carousel Slider: from n/a through 1.4.0.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24801"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/lgx-owl-carousel/wordpress-owl-carousel-plugin-1-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T08:15:08Z"
+  }
+}

advisories/unreviewed/2024/02/GHSA-7rxr-hv3w-h99r/GHSA-7rxr-hv3w-h99r.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7rxr-hv3w-h99r",
+  "modified": "2024-02-10T09:30:21Z",
+  "published": "2024-02-10T09:30:21Z",
+  "aliases": [
+    "CVE-2023-51492"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in If So Plugin If-So Dynamic Content Personalization allows Stored XSS.This issue affects If-So Dynamic Content Personalization: from n/a through 1.6.3.1.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51492"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/if-so/wordpress-if-so-dynamic-content-personalization-plugin-1-6-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T09:15:08Z"
+  }
+}

advisories/unreviewed/2024/02/GHSA-c8wh-grp4-2gjm/GHSA-c8wh-grp4-2gjm.json

@@ -0,0 +1,38 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c8wh-grp4-2gjm",
+  "modified": "2024-02-10T09:30:20Z",
+  "published": "2024-02-10T09:30:20Z",
+  "aliases": [
+    "CVE-2024-24803"
+  ],
+  "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPoperation Ultra Companion – Companion plugin for WPoperation Themes allows Stored XSS.This issue affects Ultra Companion – Companion plugin for WPoperation Themes: from n/a through 1.1.9.\n\n",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24803"
+    },
+    {
+      "type": "WEB",
+      "url": "https://patchstack.com/database/vulnerability/ultra-companion/wordpress-ultra-companion-plugin-1-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2024-02-10T08:15:08Z"
+  }
+}