Web Application Detections Published in January 2025
In January, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including AngularJS, Apache Airflow, Apache APISIX, Apache Hive, Apache NiFi, Apache OpenMeetings, Apache Spark, Atlassian Crowd, Aviatrix Controller, ClipBucket, Craft CMS, CyberPanel, Dify, Drupal, FortiClient EMS, FortiOS, GitLab, Gradio, IBM Aspera Faspex, Ivanti Avalanche, Ivanti EPM, Ivanti ICS, Ivanti IPS, Jenkins, JetBrains TeamCity, Kerio Control, MarkUs, NodeJS, Oracle WebLogic Server, Python, SeaCMS, ServiceNow, SimpleHelp, Socket.IO, Software AG WebMethods, Splunk App for SOAR, WordPress, and XWiki.
The QIDs released to detect the vulnerabilities in the products and frameworks above are listed below. Details about each QID can be found in our knowledge base. Please review the scan reports of your applications for these detections and, where any are identified, follow the remediation steps provided in the knowledge base to ensure the applications are protected against the reported vulnerabilities. Remediating these vulnerabilities as soon as they are detected should be a priority for all organizations, since unaddressed vulnerabilities can lead to breaches, unauthorized access, and other malicious activity.
QID | Title |
--- | --- |
151041 | Socket.IO Improper Input Validation Vulnerability (CVE-2024-38355) |
151042 | AngularJS ReDoS Vulnerability (CVE-2024-21490) |
152140 | Python Code Injection Vulnerability |
152141 | Python Blind Code Injection Vulnerability |
152142 | NodeJS Code Injection Vulnerability |
152143 | NodeJS Blind Code Injection Vulnerability |
152400 | CyberPanel Remote Code Execution (RCE) Vulnerability (CVE-2024-51378) |
152562 | WordPress Tabs Maker Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11865) |
152563 | WordPress Connatix Video Embed Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11883) |
152564 | Pandas Arbitrary Command Execution Vulnerability (CVE-2024-9880) |
152565 | Dify Sandbox Escape Vulnerability (CVE-2024-10252) |
152566 | Gradio Server Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-2206) |
152567 | WordPress Bukza Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11759) |
152568 | WordPress Companion Portfolio – Responsive Portfolio Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11867) |
152569 | WordPress Cricket Live Score Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11877) |
152570 | Apache NiFi Information Disclosure Vulnerability (CVE-2024-56512) |
152571 | IBM Aspera Faspex Code Execution Vulnerability (CVE-2022-47986) |
152572 | JetBrains TeamCity Insufficient Session Expiration Vulnerability (CVE-2024-56351) |
152573 | JetBrains TeamCity XML External Entity (XXE) Vulnerability (CVE-2024-56356) |
152574 | JetBrains TeamCity Sensitive Credential Exposure Vulnerabilities (CVE-2024-56353,CVE-2024-56354) |
152575 | JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-56352,CVE-2024-56355) |
152576 | JetBrains TeamCity Improper Access Control Vulnerabilities (CVE-2024-56348,CVE-2024-56349,CVE-2024-56350) |
152577 | WordPress UpdraftPlus Backup and Migration Plugin: PHP Object Injection Vulnerability (CVE-2024-10957) |
152578 | WordPress Backup Migration Plugin: PHP Object Injection Vulnerability (CVE-2024-10932) |
152579 | Jenkins Simple Queue Plugin Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-54003) |
152580 | WordPress Tourfic Plugin: SQL Injection Vulnerability (CVE-2024-12032) |
152581 | WordPress WP Data Access Plugin: SQL Injection Vulnerability (CVE-2024-12428) |
152582 | WordPress WP Travel Engine Plugin: Local File Inclusion Vulnerability (CVE-2024-12272) |
152583 | Software AG WebMethods Improper Access Control Vulnerability (CVE-2023-6578) |
152584 | WordPress WP Master ToolKit Plugin: Unrestricted File Upload Vulnerability (CVE-2024-56249) |
152585 | WordPress WP Courses LMS Plugin: Missing Authorization Vulnerability (CVE-2024-12172) |
152586 | WordPress Product Carousel Slider and Grid Ultimate Plugin: Local File Inclusion Vulnerability (CVE-2024-12040) |
152587 | WordPress OAuth Single Sign On Plugin: Authentication Bypass Vulnerability (CVE-2024-10111) |
152588 | Apache Hive CookieSigner Signature Exposure Vulnerability (CVE-2024-23945) |
152589 | WordPress WP Post Author Plugin: SQL Injection Vulnerability (CVE-2024-56247) |
152590 | Apache Spark CookieSigner Signature Exposure Vulnerability (CVE-2024-23945) |
152591 | Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2024-56145) |
152592 | Aviatrix Network Controller Command Injection Vulnerability (CVE-2024-50603) |
152593 | Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-0282) |
152594 | Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-0283) |
152595 | Ivanti Policy Secure (IPS) Stack-based Buffer Overflow Vulnerability (CVE-2025-0282) |
152596 | Ivanti Policy Secure (IPS) Stack-based Buffer Overflow Vulnerability (CVE-2025-0283) |
152597 | Kerio Control CRLF Injection Vulnerability (CVE-2024-52875) |
152598 | WordPress JobBoard Job listing Plugin: Unrestricted File Upload Vulnerability (CVE-2024-43243) |
152599 | WordPress Dynamics 365 Integration Plugin: Remote Code Execution Vulnerability (CVE-2024-12583) |
152600 | WordPress SakolaWP Plugin: Privilege Escalation Vulnerability (CVE-2024-12470) |
152601 | WordPress Themes Coder Plugin: Privilege Escalation Vulnerability (CVE-2024-12402) |
152602 | WordPress PayU CommercePro Plugin: Privilege Escalation Vulnerability (CVE-2024-12264) |
152603 | WordPress WP Travel Plugin: Missing Authorization Vulnerability (CVE-2023-47224) |
152604 | WordPress 4ECPS Web Forms Plugin: Arbitrary File Upload Vulnerability (CVE-2025-22504) |
152605 | WordPress User Extra Fields Plugin: Arbitrary File Deletion Vulnerability (CVE-2024-11150) |
152606 | WordPress WooCommerce Upload Files Plugin: Arbitrary File Upload Vulnerability (CVE-2024-10820) |
152607 | ClipBucket V5 Path Traversal Vulnerability (CVE-2024-21622) |
152608 | ClipBucket V5 Denial of Service Vulnerability (CVE-2024-21623) |
152609 | ClipBucket V5 Arbitrary File Upload Vulnerability (CVE-2024-21624) |
152610 | WordPress File Upload Plugin: Remote Code Execution Vulnerability (CVE-2024-11635) |
152611 | Gradio Path Traversal Vulnerability (CVE-2024-1561) |
152612 | WordPress WP File Upload Plugin: Remote Code Execution Vulnerability (CVE-2024-11613) |
152613 | WordPress GiveWP Plugin: PHP Object Injection Vulnerabilities (CVE-2024-12877,CVE-2025-22777) |
152614 | WordPress WPBookit Plugin: Arbitrary User Password Change Vulnerability (CVE-2024-10215) |
152615 | WordPress Post Grid Master Plugin: Local File Inclusion Vulnerability (CVE-2024-11642) |
152616 | MarkUs Arbitrary File Upload Vulnerability (CVE-2024-51743) |
152617 | Apache APISIX Dashboard IP Bypass Vulnerability (CVE-2021-33190) |
152618 | WordPress The Ultimate WordPress Toolkit – WP Extended Plugin: Remote Code Execution Vulnerability (CVE-2024-11816) |
152619 | Apache APISIX Dashboard Manager API Authentication Bypass Vulnerability (CVE-2021-45232) |
152620 | WordPress WebinarPress Plugin: Arbitrary File Creation Vulnerability (CVE-2024-11270) |
152621 | WordPress WP Ultimate Exporter Plugin: Code Injection Vulnerability (CVE-2024-56278) |
152622 | Apache APISIX Remote Code Execution Vulnerability (CVE-2022-24112) |
152623 | WordPress SEO LAT Auto Post Plugin: File Overwrite Vulnerability (CVE-2024-12252) |
152624 | WordPress AdForest Theme: Authentication Bypass Vulnerability (CVE-2024-11349) |
152625 | Fortinet FortiOS Authorization Bypass Vulnerability (CVE-2024-55591) |
152626 | Ivanti Endpoint Manager (EPM) Path Traversal Vulnerabilities (CVE-2024-10811,CVE-2024-13159,CVE-2024-13160,CVE-2024-13161) |
152627 | WordPress Post Grid and Gutenberg Blocks Plugin: Privilege Escalation Vulnerability (CVE-2024-9636) |
152628 | Ivanti Avalanche Path Traversal Vulnerabilities (CVE-2024-13179,CVE-2024-13180,CVE-2024-13181) |
152629 | FortiClientEMS Login Brute Force Vulnerability (CVE-2024-23106) |
152630 | WordPress Paid Membership Subscriptions Plugin: Authentication Bypass Vulnerability (CVE-2024-12919) |
152631 | WordPress Multiple Shipping And Billing Address For Woocommerce Plugin: Authentication Bypass Vulnerability (CVE-2024-56290) |
152632 | Ivanti Endpoint Manager (EPM) Multiple Vulnerabilities (CVE-2024-13158,CVE-2024-13163,CVE-2024-13164) |
152633 | Ivanti Endpoint Manager (EPM) Out-of-bounds Read and Write Vulnerabilities |
152634 | Ivanti Endpoint Manager (EPM) Insufficient Filename Validation Vulnerability (CVE-2024-13171) |
152635 | Ivanti Endpoint Manager (EPM) Improper Signature Verification Vulnerability (CVE-2024-13172) |
152636 | Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2024-13162) |
152637 | WordPress W3 Total Cache Plugin: Unauthorized Access of Data Vulnerability (CVE-2024-12365) |
152638 | WordPress Appointment Booking Calendar and Scheduling Plugin: Unauthenticated Export File Download Vulnerability (CVE-2024-12274) |
152639 | WordPress linkid Plugin: Unauthorized Access of Data Vulnerability (CVE-2024-12542) |
152640 | WordPress SKT Page Builder Plugin: Arbitrary File Upload Vulnerability (CVE-2024-12848) |
152641 | WordPress WP Options Editor Plugin: Cross Site Request Forgery (CSRF) Vulnerability (CVE-2025-23797) |
152642 | WordPress Post Saint Plugin: Arbitrary File Upload Vulnerability (CVE-2024-12471) |
152643 | WordPress Auction Plugin: SQL Injection Vulnerability (CVE-2024-8855) |
152644 | WordPress User Management Plugin: Privilege Escalation Vulnerability (CVE-2025-22736) |
152645 | WordPress Integrate Google Drive Plugin: Missing Authorization Vulnerability (CVE-2023-32117) |
152646 | WordPress SSL Wireless SMS Notification Plugin: SQL Injection Vulnerability (CVE-2024-56284) |
152647 | WordPress Custom Sidebar Plugin: SQL Injection Vulnerability (CVE-2025-23912) |
152648 | ServiceNow Blind SQL Injection Vulnerability (CVE-2024-8924) |
152649 | WordPress Fancy Product Designer Plugin: Arbitrary File Upload Vulnerability (CVE-2024-51919) |
152650 | ServiceNow Remote Code Execution (RCE) Vulnerability (CVE-2024-8923) |
152651 | FortiClientEMS SQL Injection Vulnerability (CVE-2023-48788) |
152652 | WordPress Solidres – Hotel Booking Plugin: SQL Injection Vulnerability (CVE-2025-23911) |
152653 | WordPress Easy Code Snippets Plugin: SQL Injection Vulnerability (CVE-2025-23780) |
152654 | WordPress ResAds Plugin: SQL Injection Vulnerability (CVE-2025-23779) |
152655 | WordPress Fancy Product Designer Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-51818) |
152656 | WordPress NitroPack Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11848) |
152657 | WordPress Just Writing Statistics Plugin: SQL Injection Vulnerability (CVE-2024-56250) |
152658 | Apache Airflow Fab Provider Insufficient Session Expiration Vulnerability (CVE-2024-45033) |
152659 | WordPress Passwords Manager Plugin: SQL Injection Vulnerability (CVE-2024-12613) |
152660 | SimpleHelp Remote Support Software Privilege Escalation Vulnerability (CVE-2024-57726) |
152661 | SimpleHelp Remote Support Software Path Traversal Vulnerability (CVE-2024-57727) |
152662 | SimpleHelp Remote Support Software Arbitrary File Upload Vulnerability (CVE-2024-57728) |
152663 | WordPress Ultimate Addons for Contact Form 7 Plugin: Missing Authorization Vulnerability (CVE-2023-47693) |
152664 | WordPress SMS Alert Order Notifications Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11725) |
152665 | WordPress ThePerfectWedding.nl Widget Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-12322) |
152666 | WordPress Host PHP Info Plugin: Unauthorized Access of Data Vulnerability (CVE-2024-12535) |
152667 | WordPress Error Log Viewer By WP Guru Plugin: Arbitrary File Read Vulnerability (CVE-2024-12849) |
152668 | Apache OpenMeetings Deserialization of Untrusted Data Vulnerability (CVE-2024-54676) |
152669 | Oracle WebLogic Server Multiple Vulnerabilities (CPU-JAN2025) |
152670 | WordPress Advanced File Manager Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13333) |
152671 | WordPress Rank Math SEO Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-3665) |
152672 | WordPress AdForest Theme: Authentication Bypass Vulnerability (CVE-2024-12857) |
152673 | WordPress WPBot Pro WordPress Chatbot Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13091) |
152674 | WordPress String Locator Plugin: PHP Object Injection Vulnerability (CVE-2024-10936) |
152675 | WordPress WP Extended Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-13184) |
152676 | JetBrains TeamCity Improper Access Control Vulnerabilities (CVE-2025-24460,CVE-2025-24461) |
152677 | JetBrains TeamCity Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2025-24459) |
152678 | SeaCMS Incorrect Access Control Vulnerability (CVE-2024-54880) |
152679 | WordPress Passwords Manager Plugin: Broken Access Control Vulnerability (CVE-2024-12614) |
152680 | WordPress DynamicTags Plugin: SQL Injection Vulnerability (CVE-2025-22348) |
152682 | WordPress eDoc Easy Tables Plugin: SQL Injection Vulnerability (CVE-2025-22519) |
152683 | WordPress ElementInvader Addons for Elementor Plugin: Local File Inclusion Vulnerability (CVE-2025-22786) |
152684 | WordPress Logging Service Plugin: Cross Site Request Forgery Vulnerability (CVE-2025-23510) |
152685 | WordPress Post Grid, Slider and Carousel Ultimate Plugin: Local File Inclusion Vulnerability (CVE-2024-13409) |
152686 | WordPress Ultimate Member Plugin: Time-Based SQL Injection Vulnerability (CVE-2025-0308) |
152688 | Splunk App for SOAR Privilege Escalation Vulnerability (CVE-2025-22621) |
152689 | Jenkins Bitbucket Server Integration Plugin CSRF Protection Bypass Vulnerability (CVE-2025-24398) |
152690 | Jenkins OpenId Connect Authentication Plugin Case Sensitivity Vulnerability (CVE-2025-24399) |
152691 | WordPress Bootstrap Ultimate Theme: Local File Inclusion Vulnerability (CVE-2024-13545) |
152692 | Atlassian Crowd Data Center and Server SSRF (Server-Side Request Forgery) Vulnerability (CVE-2024-39338) |
152694 | GitLab CE/EE Cross-Site Scripting (XSS) Vulnerability (CVE-2025-0314) |
152695 | XWiki Reflected Cross-Site Scripting Vulnerability (CVE-2023-35158) |
152696 | WordPress Gravity Forms Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-13377) |
154170 | Drupal Cross-Site Scripting Vulnerability (CVE-2024-12393) |
154171 | Drupal Access Bypass Vulnerability (CVE-2024-55634) |
154172 | Drupal Cross-Site Scripting Vulnerability (CVE-2024-55635) |
154173 | Drupal PHP Object Injection Vulnerability (CVE-2024-55636) |