Web Application Detections Published in January 2025

Mayank Deshmukh

In January, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including AngularJS, Apache Airflow, Apache APISIX, Apache Hive, Apache NiFi, Apache OpenMeetings, Apache Spark, Atlassian Crowd, Aviatrix Controller, ClipBucket, Craft CMS, CyberPanel, Dify, Drupal, FortiClient EMS, FortiOS, GitLab, Gradio, IBM Aspera Faspex, Ivanti Avalanche, Ivanti EPM, Ivanti ICS, Ivanti IPS, Jenkins, JetBrains TeamCity, Kerio Control, MarkUs, NodeJS, Oracle WebLogic Server, Python, SeaCMS, ServiceNow, SimpleHelp, Socket.IO, Software AG webMethods, Splunk App for SOAR, WordPress, and XWiki.

The QIDs released to detect these vulnerabilities are listed below; details of each QID are in the Qualys knowledge base. Review the scan reports for your applications for these detections and, where any are identified, follow the remediation steps in the corresponding knowledge base entry. Treat resolution of these findings as a priority: left unaddressed, they expose applications to breaches, unauthorized access, and other malicious activity. Note that a single CVE can appear under more than one QID when the same flaw is detected in different products (for example CVE-2024-23945 in both Apache Hive and Apache Spark, or CVE-2025-0282 in both Ivanti Connect Secure and Ivanti Policy Secure), and that a few QIDs carry no CVE in their title, so the knowledge base entry is the authoritative source for the affected versions and fix.

QID     Title
151041  Socket.IO Improper Input Validation Vulnerability (CVE-2024-38355)
151042  AngularJS ReDoS Vulnerability (CVE-2024-21490)
152140  Python Code Injection Vulnerability
152141  Python Blind Code Injection Vulnerability
152142  NodeJS Code Injection Vulnerability
152143  NodeJS Blind Code Injection Vulnerability
152400  CyberPanel Remote Code Execution (RCE) Vulnerability (CVE-2024-51378)
152562  WordPress Tabs Maker Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11865)
152563  WordPress Connatix Video Embed Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11883)
152564  Pandas Arbitrary Command Execution Vulnerability (CVE-2024-9880)
152565  Dify Sandbox Escape Vulnerability (CVE-2024-10252)
152566  Gradio Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-2206)
152567  WordPress Bukza Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11759)
152568  WordPress Companion Portfolio – Responsive Portfolio Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11867)
152569  WordPress Cricket Live Score Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-11877)
152570  Apache NiFi Information Disclosure Vulnerability (CVE-2024-56512)
152571  IBM Aspera Faspex Code Execution Vulnerability (CVE-2022-47986)
152572  JetBrains TeamCity Insufficient Session Expiration Vulnerability (CVE-2024-56351)
152573  JetBrains TeamCity XML External Entity (XXE) Vulnerability (CVE-2024-56356)
152574  JetBrains TeamCity Sensitive Credential Exposure Vulnerabilities (CVE-2024-56353, CVE-2024-56354)
152575  JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-56352, CVE-2024-56355)
152576  JetBrains TeamCity Improper Access Control Vulnerabilities (CVE-2024-56348, CVE-2024-56349, CVE-2024-56350)
152577  WordPress UpdraftPlus Backup and Migration Plugin: PHP Object Injection Vulnerability (CVE-2024-10957)
152578  WordPress Backup Migration Plugin: PHP Object Injection Vulnerability (CVE-2024-10932)
152579  Jenkins Simple Queue Plugin Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2024-54003)
152580  WordPress Tourfic Plugin: SQL Injection Vulnerability (CVE-2024-12032)
152581  WordPress WP Data Access Plugin: SQL Injection Vulnerability (CVE-2024-12428)
152582  WordPress WP Travel Engine Plugin: Local File Inclusion Vulnerability (CVE-2024-12272)
152583  Software AG webMethods Improper Access Control Vulnerability (CVE-2023-6578)
152584  WordPress WP Master ToolKit Plugin: Unrestricted File Upload Vulnerability (CVE-2024-56249)
152585  WordPress WP Courses LMS Plugin: Missing Authorization Vulnerability (CVE-2024-12172)
152586  WordPress Product Carousel Slider and Grid Ultimate Plugin: Local File Inclusion Vulnerability (CVE-2024-12040)
152587  WordPress OAuth Single Sign On Plugin: Authentication Bypass Vulnerability (CVE-2024-10111)
152588  Apache Hive CookieSigner Signature Exposure Vulnerability (CVE-2024-23945)
152589  WordPress WP Post Author Plugin: SQL Injection Vulnerability (CVE-2024-56247)
152590  Apache Spark CookieSigner Signature Exposure Vulnerability (CVE-2024-23945)
152591  Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2024-56145)
152592  Aviatrix Network Controller Command Injection Vulnerability (CVE-2024-50603)
152593  Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-0282)
152594  Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-0283)
152595  Ivanti Policy Secure (IPS) Stack-based Buffer Overflow Vulnerability (CVE-2025-0282)
152596  Ivanti Policy Secure (IPS) Stack-based Buffer Overflow Vulnerability (CVE-2025-0283)
152597  Kerio Control CRLF Injection Vulnerability (CVE-2024-52875)
152598  WordPress JobBoard Job Listing Plugin: Unrestricted File Upload Vulnerability (CVE-2024-43243)
152599  WordPress Dynamics 365 Integration Plugin: Remote Code Execution Vulnerability (CVE-2024-12583)
152600  WordPress SakolaWP Plugin: Privilege Escalation Vulnerability (CVE-2024-12470)
152601  WordPress Themes Coder Plugin: Privilege Escalation Vulnerability (CVE-2024-12402)
152602  WordPress PayU CommercePro Plugin: Privilege Escalation Vulnerability (CVE-2024-12264)
152603  WordPress WP Travel Plugin: Missing Authorization Vulnerability (CVE-2023-47224)
152604  WordPress 4ECPS Web Forms Plugin: Arbitrary File Upload Vulnerability (CVE-2025-22504)
152605  WordPress User Extra Fields Plugin: Arbitrary File Deletion Vulnerability (CVE-2024-11150)
152606  WordPress WooCommerce Upload Files Plugin: Arbitrary File Upload Vulnerability (CVE-2024-10820)
152607  ClipBucket V5 Path Traversal Vulnerability (CVE-2024-21622)
152608  ClipBucket V5 Denial of Service Vulnerability (CVE-2024-21623)
152609  ClipBucket V5 Arbitrary File Upload Vulnerability (CVE-2024-21624)
152610  WordPress File Upload Plugin: Remote Code Execution Vulnerability (CVE-2024-11635)
152611  Gradio Path Traversal Vulnerability (CVE-2024-1561)
152612  WordPress WP File Upload Plugin: Remote Code Execution Vulnerability (CVE-2024-11613)
152613  WordPress GiveWP Plugin: PHP Object Injection Vulnerabilities (CVE-2024-12877, CVE-2025-22777)
152614  WordPress WPBookit Plugin: Arbitrary User Password Change Vulnerability (CVE-2024-10215)
152615  WordPress Post Grid Master Plugin: Local File Inclusion Vulnerability (CVE-2024-11642)
152616  MarkUs Arbitrary File Upload Vulnerability (CVE-2024-51743)
152617  Apache APISIX Dashboard IP Bypass Vulnerability (CVE-2021-33190)
152618  WordPress The Ultimate WordPress Toolkit – WP Extended Plugin: Remote Code Execution Vulnerability (CVE-2024-11816)
152619  Apache APISIX Dashboard Manager API Authentication Bypass Vulnerability (CVE-2021-45232)
152620  WordPress WebinarPress Plugin: Arbitrary File Creation Vulnerability (CVE-2024-11270)
152621  WordPress WP Ultimate Exporter Plugin: Code Injection Vulnerability (CVE-2024-56278)
152622  Apache APISIX Remote Code Execution Vulnerability (CVE-2022-24112)
152623  WordPress SEO LAT Auto Post Plugin: File Overwrite Vulnerability (CVE-2024-12252)
152624  WordPress AdForest Theme: Authentication Bypass Vulnerability (CVE-2024-11349)
152625  Fortinet FortiOS Authorization Bypass Vulnerability (CVE-2024-55591)
152626  Ivanti Endpoint Manager (EPM) Path Traversal Vulnerabilities (CVE-2024-10811, CVE-2024-13159, CVE-2024-13160, CVE-2024-13161)
152627  WordPress Post Grid and Gutenberg Blocks Plugin: Privilege Escalation Vulnerability (CVE-2024-9636)
152628  Ivanti Avalanche Path Traversal Vulnerabilities (CVE-2024-13179, CVE-2024-13180, CVE-2024-13181)
152629  FortiClient EMS Login Brute Force Vulnerability (CVE-2024-23106)
152630  WordPress Paid Membership Subscriptions Plugin: Authentication Bypass Vulnerability (CVE-2024-12919)
152631  WordPress Multiple Shipping And Billing Address For WooCommerce Plugin: Authentication Bypass Vulnerability (CVE-2024-56290)
152632  Ivanti Endpoint Manager (EPM) Multiple Vulnerabilities (CVE-2024-13158, CVE-2024-13163, CVE-2024-13164)
152633  Ivanti Endpoint Manager (EPM) Out-of-bounds Read and Write Vulnerabilities
152634  Ivanti Endpoint Manager (EPM) Insufficient Filename Validation Vulnerability (CVE-2024-13171)
152635  Ivanti Endpoint Manager (EPM) Improper Signature Verification Vulnerability (CVE-2024-13172)
152636  Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2024-13162)
152637  WordPress W3 Total Cache Plugin: Unauthorized Access of Data Vulnerability (CVE-2024-12365)
152638  WordPress Appointment Booking Calendar and Scheduling Plugin: Unauthenticated Export File Download Vulnerability (CVE-2024-12274)
152639  WordPress linkid Plugin: Unauthorized Access of Data Vulnerability (CVE-2024-12542)
152640  WordPress SKT Page Builder Plugin: Arbitrary File Upload Vulnerability (CVE-2024-12848)
152641  WordPress WP Options Editor Plugin: Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-23797)
152642  WordPress Post Saint Plugin: Arbitrary File Upload Vulnerability (CVE-2024-12471)
152643  WordPress Auction Plugin: SQL Injection Vulnerability (CVE-2024-8855)
152644  WordPress User Management Plugin: Privilege Escalation Vulnerability (CVE-2025-22736)
152645  WordPress Integrate Google Drive Plugin: Missing Authorization Vulnerability (CVE-2023-32117)
152646  WordPress SSL Wireless SMS Notification Plugin: SQL Injection Vulnerability (CVE-2024-56284)
152647  WordPress Custom Sidebar Plugin: SQL Injection Vulnerability (CVE-2025-23912)
152648  ServiceNow Blind SQL Injection Vulnerability (CVE-2024-8924)
152649  WordPress Fancy Product Designer Plugin: Arbitrary File Upload Vulnerability (CVE-2024-51919)
152650  ServiceNow Remote Code Execution (RCE) Vulnerability (CVE-2024-8923)
152651  FortiClient EMS SQL Injection Vulnerability (CVE-2023-48788)
152652  WordPress Solidres – Hotel Booking Plugin: SQL Injection Vulnerability (CVE-2025-23911)
152653  WordPress Easy Code Snippets Plugin: SQL Injection Vulnerability (CVE-2025-23780)
152654  WordPress ResAds Plugin: SQL Injection Vulnerability (CVE-2025-23779)
152655  WordPress Fancy Product Designer Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-51818)
152656  WordPress NitroPack Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11848)
152657  WordPress Just Writing Statistics Plugin: SQL Injection Vulnerability (CVE-2024-56250)
152658  Apache Airflow FAB Provider Insufficient Session Expiration Vulnerability (CVE-2024-45033)
152659  WordPress Passwords Manager Plugin: SQL Injection Vulnerability (CVE-2024-12613)
152660  SimpleHelp Remote Support Software Privilege Escalation Vulnerability (CVE-2024-57726)
152661  SimpleHelp Remote Support Software Path Traversal Vulnerability (CVE-2024-57727)
152662  SimpleHelp Remote Support Software Arbitrary File Upload Vulnerability (CVE-2024-57728)
152663  WordPress Ultimate Addons for Contact Form 7 Plugin: Missing Authorization Vulnerability (CVE-2023-47693)
152664  WordPress SMS Alert Order Notifications Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-11725)
152665  WordPress ThePerfectWedding.nl Widget Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-12322)
152666  WordPress Host PHP Info Plugin: Unauthorized Access of Data Vulnerability (CVE-2024-12535)
152667  WordPress Error Log Viewer By WP Guru Plugin: Arbitrary File Read Vulnerability (CVE-2024-12849)
152668  Apache OpenMeetings Deserialization of Untrusted Data Vulnerability (CVE-2024-54676)
152669  Oracle WebLogic Server Multiple Vulnerabilities (CPU-JAN2025)
152670  WordPress Advanced File Manager Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13333)
152671  WordPress Rank Math SEO Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-3665)
152672  WordPress AdForest Theme: Authentication Bypass Vulnerability (CVE-2024-12857)
152673  WordPress WPBot Pro WordPress Chatbot Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13091)
152674  WordPress String Locator Plugin: PHP Object Injection Vulnerability (CVE-2024-10936)
152675  WordPress WP Extended Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-13184)
152676  JetBrains TeamCity Improper Access Control Vulnerabilities (CVE-2025-24460, CVE-2025-24461)
152677  JetBrains TeamCity Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2025-24459)
152678  SeaCMS Incorrect Access Control Vulnerability (CVE-2024-54880)
152679  WordPress Passwords Manager Plugin: Broken Access Control Vulnerability (CVE-2024-12614)
152680  WordPress DynamicTags Plugin: SQL Injection Vulnerability (CVE-2025-22348)
152682  WordPress eDoc Easy Tables Plugin: SQL Injection Vulnerability (CVE-2025-22519)
152683  WordPress ElementInvader Addons for Elementor Plugin: Local File Inclusion Vulnerability (CVE-2025-22786)
152684  WordPress Logging Service Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-23510)
152685  WordPress Post Grid, Slider and Carousel Ultimate Plugin: Local File Inclusion Vulnerability (CVE-2024-13409)
152686  WordPress Ultimate Member Plugin: Time-Based SQL Injection Vulnerability (CVE-2025-0308)
152688  Splunk App for SOAR Privilege Escalation Vulnerability (CVE-2025-22621)
152689  Jenkins Bitbucket Server Integration Plugin CSRF Protection Bypass Vulnerability (CVE-2025-24398)
152690  Jenkins OpenID Connect Authentication Plugin Case Sensitivity Vulnerability (CVE-2025-24399)
152691  WordPress Bootstrap Ultimate Theme: Local File Inclusion Vulnerability (CVE-2024-13545)
152692  Atlassian Crowd Data Center and Server Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-39338)
152694  GitLab CE/EE Cross-Site Scripting (XSS) Vulnerability (CVE-2025-0314)
152695  XWiki Reflected Cross-Site Scripting Vulnerability (CVE-2023-35158)
152696  WordPress Gravity Forms Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-13377)
154170  Drupal Cross-Site Scripting Vulnerability (CVE-2024-12393)
154171  Drupal Access Bypass Vulnerability (CVE-2024-55634)
154172  Drupal Cross-Site Scripting Vulnerability (CVE-2024-55635)
154173  Drupal PHP Object Injection Vulnerability (CVE-2024-55636)
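Turning a monthly list like this into something a vulnerability-management team can act on usually means extracting the QID-to-CVE mapping and matching it against the QIDs that actually fired in a scan export. The script below is an added example, not Qualys code and not tied to any Qualys API: it parses rows in the flattened "QID<Title> (CVE-...)" shape the table arrives in, handles titles that list several CVEs, the same CVE under two QIDs, and QIDs with no CVE at all (which must be resolved through the knowledge base entry), and then triages a constructed list of detected QIDs. The sample rows and the detected-QID list are constructed for the example and copied from the table above.

```python
import re
from collections import defaultdict

# Constructed sample in the flattened "QID<Title>" shape of the table above
# (six rows copied verbatim; the real input would be the whole list).
SAMPLE_TABLE = """\
QIDTitle
151041Socket.IO Improper Input Validation Vulnerability (CVE-2024-38355)
152574JetBrains TeamCity Sensitive Credential Exposure Vulnerabilities (CVE-2024-56353,CVE-2024-56354)
152588Apache Hive CookieSigner Signature Exposure Vulnerability (CVE-2024-23945)
152590Apache Spark CookieSigner Signature Exposure Vulnerability (CVE-2024-23945)
152633Ivanti Endpoint Manager (EPM) Out-of-bounds Read and Write Vulnerabilities
152669Oracle WebLogic Server Multiple Vulnerabilities (CPU-JAN2025)
"""

# Qualys WAS QIDs in this list are six digits and the title follows immediately.
# Caveat: a title that itself began with a digit would be misread; none here do.
ROW_RE = re.compile(r"^(?P<qid>\d{6})\s*(?P<title>\S.*?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_rows(text):
    """Parse flattened rows into dicts of qid, title and the CVEs named in the title."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("QID"):      # skip blanks and the header
            continue
        m = ROW_RE.match(line)
        if not m:
            continue                                 # not a QID row; ignore
        title = m.group("title")
        rows.append({
            "qid": int(m.group("qid")),
            "title": title,
            "cves": sorted(set(CVE_RE.findall(title))),  # [] when the title names none
        })
    return rows


def cve_index(rows):
    """Invert the list: CVE -> list of QIDs that detect it (a CVE may map to several)."""
    idx = defaultdict(list)
    for r in rows:
        for cve in r["cves"]:
            idx[cve].append(r["qid"])
    return dict(idx)


def triage(rows, detected_qids):
    """Match QIDs from a scan export against the parsed list.

    Returns (matches, unknown). Each match carries the CVEs to track and a
    needs_kb_lookup flag set when the title names no CVE, so the analyst knows
    the knowledge base entry is the only source of affected versions and fix.
    QIDs not in this month's list are returned separately rather than dropped.
    """
    by_qid = {r["qid"]: r for r in rows}
    matches, unknown = [], []
    for qid in sorted(set(detected_qids)):
        r = by_qid.get(qid)
        if r is None:
            unknown.append(qid)
            continue
        matches.append({**r, "needs_kb_lookup": not r["cves"]})
    return matches, unknown


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    # Constructed detected-QID list standing in for a scan export.
    matches, unknown = triage(rows, [152633, 152590, 999999])
    for m in matches:
        cves = ", ".join(m["cves"]) or "no CVE in title: read KB entry"
        print(f"QID {m['qid']}: {m['title']}\n    {cves}")
    print("not in this month's list:", unknown)
    print("QIDs covering CVE-2024-23945:", cve_index(rows)["CVE-2024-23945"])
```

The header line and any non-QID text are skipped rather than raising, so the whole page body can be fed in as-is; the regex anchors on exactly six leading digits, which matches the QID ranges used in this list but should be rechecked if the format changes.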