Web Application Detections Published in August 2024
In August, Qualys released QIDs targeting vulnerabilities in several widely used software products, including JetBrains TeamCity, WordPress, LiteLLM, phpMyBackupPro, Apache OFBiz, Apache Superset, Automation Anywhere Automation 360, Microsoft IIS, Zabbix, nuxt/icon, Laravel, Jenkins, Nginx, SolarWinds Web Help Desk and OpenSSL. Customers can find more details about the following QIDs in our knowledge base and should review their reports for these detections. If any of the following are reported against their scanned applications, customers should follow the steps described in the solution to ensure their systems are protected against the identified vulnerabilities.
| QID | Title |
|---|---|
| 150929 | WordPress Form Vibes Plugin: SQL Injection Vulnerability (CVE-2024-5325) |
| 150951 | WordPress ERP Plugin: SQL Injection Vulnerability (CVE-2024-6666) |
| 152002 | WordPress Popup Builder Plugin: Unauthorized Modification and Loss of Data Vulnerability (CVE-2024-2544) |
| 152028 | WordPress UsersWP Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-6265) |
| 152031 | WordPress InstaWP Connect Plugin: Authentication Bypass Vulnerability (CVE-2024-6397) |
| 152032 | WordPress Quiz Maker Plugin: Time-Based SQL Injection Vulnerability (CVE-2024-6028) |
| 152039 | WordPress Profile-Builder Plugin: Privilege Escalation Vulnerability (CVE-2024-6695) |
| 152053 | WordPress IQ Testimonials Plugin: Unauthenticated Arbitrary File Upload Vulnerability (CVE-2024-6314) |
| 152054 | WordPress SEOPress Plugin: Unauthenticated Object Injection Vulnerability (CVE-2024-5488) |
| 152058 | WordPress Brizy Page Builder Plugin: Arbitrary File Upload Vulnerability (CVE-2024-3242) |
| 152059 | WordPress Nested Pages Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-5943) |
| 152063 | WordPress ContentLock Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-6024) |
| 152065 | WordPress Flipbox Builder Plugin: PHP Object Injection Vulnerability (CVE-2024-6152) |
| 152066 | WordPress Media.net Ads Manager Plugin: Arbitrary File Upload Vulnerability (CVE-2024-6431) |
| 152067 | WordPress IMGspider Plugin: Arbitrary File Upload Vulnerability (CVE-2024-6319) |
| 152068 | WordPress Unlimited Elements For Elementor Plugin: Time-Based SQL Injection Vulnerability (CVE-2024-6166) |
| 152069 | WordPress Squirrly SEO Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-6497) |
| 152070 | LiteLLM Server-Side Request Forgery Vulnerability (CVE-2024-38514) |
| 152071 | phpMyBackupPro v2.3 Multiple Cross-Site Scripting Vulnerabilities |
| 152072 | Apache OFBiz Incorrect Authorization Vulnerability (CVE-2024-38856) |
| 152073 | Apache Superset Arbitrary File Read Vulnerability (CVE-2024-34693) |
| 152074 | Automation Anywhere Automation 360 Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-6922) |
| 152075 | WordPress Advanced File Manager Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-5598) |
| 152076 | WordPress Cookie Consent Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-4869) |
| 152077 | WordPress Tournamatch Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-5644) |
| 152078 | WordPress WooCommerce Social Login Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-6636) |
| 152079 | WordPress Laposta Plugin: Unauthenticated Full Path Disclosure Vulnerability (CVE-2024-6574) |
| 152080 | WordPress WooCommerce Social Login Plugin: Authentication Bypass Vulnerability (CVE-2024-6635) |
| 152081 | WordPress WooCommerce Social Login Plugin: Unauthenticated Privilege Escalation Vulnerability (CVE-2024-6637) |
| 152082 | Apache Superset SQL Injection Vulnerability (CVE-2024-39887) |
| 152083 | WordPress Gutenberg Forms Plugin: Arbitrary File Upload Vulnerability (CVE-2024-6313) |
| 152084 | WordPress aThemes Starter Sites Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-6897) |
| 152085 | WordPress Happy Addons for Elementor Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-6627) |
| 152086 | WordPress WooCommerce Product Table Lite Plugin: Unauthorized Post Title Modification Vulnerability (CVE-2024-6458) |
| 152087 | WordPress WPBakery Visual Composer Plugin: Local File Inclusion Vulnerability (CVE-2024-5709) |
| 152089 | WordPress Master Currency Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-6634) |
| 152090 | WordPress CRM Perks Forms Plugin: Arbitrary File Upload Vulnerability (CVE-2024-7484) |
| 152091 | WordPress Ebook Store Plugin: Full Path Disclosure Vulnerability (CVE-2024-6567) |
| 152092 | WordPress Sync Post With Other Site Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-6709) |
| 152093 | WordPress Email Subscribers Plugin: SQL Injection Vulnerability (CVE-2024-5756) |
| 152094 | WordPress wpDiscuz Plugin: HTML Injection Vulnerability (CVE-2024-6704) |
| 152095 | WordPress Forminator Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-7389) |
| 152096 | WordPress UsersWP Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-6477) |
| 152097 | WordPress JetFormBuilder Plugin: Privilege Escalation Vulnerability (CVE-2024-7291) |
| 152098 | Microsoft IIS Tilde Character Information Disclosure Vulnerability |
| 152099 | WordPress Filester Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-7031) |
| 152101 | WordPress Business Directory Plugin: CSV Injection Vulnerability (CVE-2023-5527) |
| 152106 | WordPress Chatbot by Collect.chat Plugin: Cross-Site Scripting Vulnerability (CVE-2024-6498) |
| 152107 | WordPress Traffic Manager Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-7485) |
| 152108 | WordPress YayExtra Plugin: Arbitrary File Upload Vulnerability (CVE-2024-7257) |
| 152109 | WordPress Slider By 10Web Plugin: Time-Based SQL Injection Vulnerability (CVE-2024-7150) |
| 152110 | WordPress WooCommerce Social Login Plugin: Authentication Bypass Vulnerability (CVE-2024-7503) |
| 152111 | WordPress LearnPress Plugin: Time-Based SQL Injection Vulnerability (CVE-2024-7548) |
| 152112 | WordPress JS Help Desk Plugin: PHP Code Injection Vulnerability (CVE-2024-7094) |
| 152113 | WordPress Christmasify! Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-7574) |
| 152114 | WordPress InPost for WooCommerce Plugin: Unauthorized Access Vulnerability (CVE-2024-6500) |
| 152115 | WordPress PDF Builder for WPForms Plugin: Full Path Disclosure Vulnerability (CVE-2024-7414) |
| 152116 | Zabbix Improper Authorization Vulnerability (CVE-2024-22114) |
| 152117 | Zabbix Remote Code Execution Vulnerability (CVE-2024-22116) |
| 152118 | Zabbix Improper Authorization Vulnerability (CVE-2024-22121) |
| 152119 | Zabbix Untrusted Pointer Dereference Vulnerability (CVE-2024-36461) |
| 152120 | WordPress LiteSpeed Cache Plugin: Incorrect Privilege Assignment Vulnerability (CVE-2024-28000) |
| 152121 | nuxt/icon Server-Side Request Forgery Vulnerability (CVE-2024-42352) |
| 152122 | Laravel Environment Configuration File Detected |
| 152123 | WordPress Horizontal Scrolling Announcements Plugin: SQL Injection Vulnerability (CVE-2023-5000) |
| 152124 | Jenkins Arbitrary File Read Vulnerability (CVE-2024-43044) |
| 152125 | Jenkins Improper Authorization Vulnerability (CVE-2024-43045) |
| 152126 | WordPress Reveal Template Plugin: Full Path Disclosure Vulnerability (CVE-2024-7416) |
| 152127 | WordPress affiliate-toolkit Plugin: Full Path Disclosure Vulnerability (CVE-2024-6562) |
| 152128 | WordPress Zephyr Project Manager Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-7356) |
| 152131 | JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-43807, CVE-2024-43808, CVE-2024-43809, CVE-2024-43810) |
| 152132 | JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-43807, CVE-2024-43808, CVE-2024-43809, CVE-2024-43810) |
| 152133 | WordPress Cost Calculator Builder Plugin: SQL Injection Vulnerability (CVE-2024-43144) |
| 152135 | WordPress Opti Marketing Plugin: SQL Injection Vulnerability (CVE-2024-6928) |
| 152136 | WordPress Viral Signup Plugin: SQL Injection Vulnerability (CVE-2024-6926) |
| 152137 | WordPress GeoDirectory Plugin: SQL Injection Vulnerability (CVE-2024-43145) |
| 152138 | WordPress BerqWP Plugin: Arbitrary File Upload Vulnerability (CVE-2024-43160) |
| 152160 | SolarWinds Web Help Desk Java Deserialization Remote Code Execution (RCE) Vulnerability (CVE-2024-28986) |
| 152161 | SolarWinds Web Help Desk Hardcoded Credential Vulnerability (CVE-2024-28987) |
| 520027 | Nginx HTTP/3 QUIC Multiple Vulnerabilities |
| 520028 | Open Secure Sockets Layer (OpenSSL) Buffer Overread Vulnerability (CVE-2024-5535) |