Vulnerabilities

To inform, warn and help professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-12620

Publication date: 01/02/2025
The AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'agl_json' AJAX action in all versions up to, and including, 1.4.23. This makes it possible for unauthenticated attackers to update the plugin's settings.
Severity CVSS v4.0: Pending analysis
Last modification: 24/02/2025

CVE-2024-13343

Publication date: 01/02/2025
The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Severity CVSS v4.0: Pending analysis
Last modification: 24/02/2025

CVE-2024-13547

Publication date: 01/02/2025
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Accordion widget in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification: 24/02/2025

CVE-2024-13651

Publication date: 01/02/2025
The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_deactivate() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset some of the plugin's settings.
Severity CVSS v4.0: Pending analysis
Last modification: 21/02/2025

CVE-2024-11780

Publication date: 01/02/2025
The Site Search 360 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ss360-resultblock' shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification: 24/02/2025

CVE-2025-24891

Publication date: 31/01/2025
Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it's possible to inject malicious payloads into files run on schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may permit wholly unprivileged users root access. Otherwise, anybody with a PIN.
Severity CVSS v4.0: Pending analysis
Last modification: 31/01/2025

CVE-2024-57435

Publication date: 31/01/2025
In macrozheng mall-tiny 1.0.1, an attacker can send null data through the resource creation interface resulting in a null pointer dereference occurring in all subsequent operations that require authentication, which triggers a denial-of-service attack and service restart failure.
Severity CVSS v4.0: Pending analysis
Last modification: 22/04/2025

CVE-2024-57587

Publication date: 31/01/2025
Multiple SQL injection vulnerabilities in EasyVirt DCScope
Severity CVSS v4.0: Pending analysis
Last modification: 24/05/2025

CVE-2024-57433

Publication date: 31/01/2025
macrozheng mall-tiny 1.0.1 is vulnerable to Incorrect Access Control via the logout function. After a user logs out, their token is still available and fetches information in the logged-in state.
Severity CVSS v4.0: Pending analysis
Last modification: 22/04/2025

CVE-2024-57434

Publication date: 31/01/2025
macrozheng mall-tiny 1.0.1 is vulnerable to Incorrect Access Control. The project imports users by default, and the test user is made a super administrator.
Severity CVSS v4.0: Pending analysis
Last modification: 22/04/2025

CVE-2024-55062

Publication date: 31/01/2025
Code Injection vulnerability in EasyVirt DCScope
Severity CVSS v4.0: Pending analysis
Last modification: 24/05/2025

CVE-2024-53354

Publication date: 31/01/2025
Multiple SQL injection vulnerabilities in EasyVirt DCScope
Severity CVSS v4.0: Pending analysis
Last modification: 23/05/2025