Web Application Detections—August 2024
In August, Qualys released QIDs targeting vulnerabilities in several widely-used software products, including JetBrains TeamCity, WordPress, LiteLLM, phpMyBackupPro, Apache OFBiz, Apache Superset, Automation Anywhere Automation 360, Microsoft IIS, Zabbix, nuxt/icon, Laravel, Jenkins, Nginx, SolarWinds Web Help Desk and OpenSSL.
The following table lists the new QIDs.
QID | Title |
150929 | WordPress Form Vibes Plugin: SQL Injection Vulnerability (CVE-2024-5325) |
150951 | WordPress ERP Plugin: SQL Injection Vulnerability (CVE-2024-6666) |
152002 | WordPress Popup Builder Plugin: Unauthorized Modification and Loss of Data Vulnerability (CVE-2024-2544) |
152028 | WordPress UsersWP Plugin: Unauthenticated SQL Injection Vulnerability (CVE-2024-6265) |
152031 | WordPress InstaWP Connect Plugin: Authentication Bypass Vulnerability (CVE-2024-6397) |
152032 | WordPress Quiz Maker Plugin: Time-Based SQL Injection Vulnerability (CVE-2024-6028) |
152039 | WordPress Profile-Builder Plugin: Privilege Escalation Vulnerability (CVE-2024-6695) |
152053 | WordPress IQ Testimonials Plugin: Unauthenticated Arbitrary File Upload Vulnerability (CVE-2024-6314) |
152054 | WordPress SEOPress Plugin: Unauthenticated Object Injection Vulnerability (CVE-2024-5488) |
152058 | WordPress Brizy Page Builder Plugin: Arbitrary File Uploads Vulnerability (CVE-2024-3242) |
152059 | WordPress Nested Pages Plugin: Cross-Site Request Forgery (CVE-2024-5943) |
152063 | WordPress ContentLock Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-6024) |
152065 | WordPress Flipbox Builder Plugin: PHP Object Injection Vulnerability (CVE-2024-6152) |
152066 | WordPress Media.net Ads Manager Plugin: Arbitrary File Upload Vulnerability (CVE-2024-6431) |
152067 | WordPress IMGspider Plugin: Arbitrary File Upload Vulnerability (CVE-2024-6319) |
152068 | WordPress Unlimited Elements For Elementor Plugin: Time-based SQL Injection Vulnerability (CVE-2024-6166) |
152069 | WordPress Squirrly SEO Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-6497) |
152070 | litellm Server-Side Request Forgery Vulnerability (CVE-2024-38514) |
152071 | phpMyBackupPro v2.3 Multiple Cross-Site Scripting Vulnerabilities |
152072 | Apache OFBiz Incorrect Authorization Vulnerability (CVE-2024-38856) |
152073 | Apache Superset Arbitrary File Read Vulnerability (CVE-2024-34693) |
152074 | Automation Anywhere Automation 360 Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-6922) |
152075 | WordPress Advanced File Manager Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-5598) |
152076 | WordPress Cookie Consent Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-4869) |
152077 | WordPress Tournamatch Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-5644) |
152078 | WordPress WooCommerce Social Login Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-6636) |
152079 | WordPress Laposta Plugin: Unauthenticated Full Path Disclosure Vulnerability (CVE-2024-6574) |
152080 | WordPress WooCommerce Social Login Plugin: Authentication Bypass Vulnerability (CVE-2024-6635) |
152081 | WordPress WooCommerce Social Login Plugin: Unauthenticated Privilege Escalation Vulnerability (CVE-2024-6637) |
152082 | Apache Superset SQL Injection Vulnerability (CVE-2024-39887) |
152083 | WordPress Gutenberg Forms Plugin: Arbitrary File Upload Vulnerability (CVE-2024-6313) |
152084 | WordPress aThemes Starter Sites Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-6897) |
152085 | WordPress Happy Addons for Elementor Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-6627) |
152086 | WordPress WooCommerce Product Table Lite Plugin: Unauthorized Post Title Modification Vulnerability (CVE-2024-6458) |
152087 | WordPress WPBakery Visual Composer Plugin: Local File Inclusion Vulnerability (CVE-2024-5709) |
152089 | WordPress Master Currency Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-6634) |
152090 | WordPress CRM Perks Forms Plugin: Arbitrary File Upload Vulnerability (CVE-2024-7484) |
152091 | WordPress Ebook Store Plugin: Full Path Disclosure Vulnerability (CVE-2024-6567) |
152092 | WordPress Sync Post With Other Site Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-6709) |
152093 | WordPress Email Subscribers Plugin: SQL Injection Vulnerability (CVE-2024-5756) |
152094 | WordPress wpDiscuz Plugin: HTML Injection Vulnerability (CVE-2024-6704) |
152095 | WordPress Forminator Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-7389) |
152096 | WordPress UsersWP Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-6477) |
152097 | WordPress JetFormBuilder Plugin: Privilege Escalation Vulnerability (CVE-2024-7291) |
152098 | Microsoft IIS Tilde Character Information Disclosure Vulnerability |
152099 | WordPress Filester Plugin: Unauthorized Modification of Data Vulnerability (CVE-2024-7031) |
152101 | WordPress Business Directory Plugin: CSV Injection Vulnerability (CVE-2023-5527) |
152106 | WordPress Chatbot by Collect.chat Plugin: Cross-Site Scripting Vulnerability (CVE-2024-6498) |
152107 | WordPress Traffic Manager Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-7485) |
152108 | WordPress YayExtra Plugin: Arbitrary File Upload Vulnerability (CVE-2024-7257) |
152109 | WordPress Slider By 10Web Plugin: Time-based SQL Injection Vulnerability (CVE-2024-7150) |
152110 | WordPress WooCommerce Social Login Plugin: Authentication Bypass Vulnerability (CVE-2024-7503) |
152111 | WordPress LearnPress Plugin: Time-based SQL Injection Vulnerability (CVE-2024-7548) |
152112 | WordPress JS Help Desk Plugin: PHP Code Injection Vulnerability (CVE-2024-7094) |
152113 | WordPress Christmasify! Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-7574) |
152114 | WordPress InPost for WooCommerce Plugin: Unauthorized Access Vulnerability (CVE-2024-6500) |
152115 | WordPress PDF Builder for WPForms Plugin: Full Path Disclosure Vulnerability (CVE-2024-7414) |
152116 | Zabbix Improper Authorization Vulnerability (CVE-2024-22114) |
152117 | Zabbix Remote Code Execution Vulnerability (CVE-2024-22116) |
152118 | Zabbix Improper Authorization Vulnerability (CVE-2024-22121) |
152119 | Zabbix Untrusted Pointer Dereference Vulnerability (CVE-2024-36461) |
152120 | WordPress LiteSpeed Cache Plugin: Incorrect Privilege Assignment Vulnerability (CVE-2024-28000) |
152121 | nuxt/icon Server-Side Request Forgery Vulnerability (CVE-2024-42352) |
152122 | Laravel Environment Configuration File Detected |
152123 | WordPress Horizontal Scrolling Announcements Plugin: SQL Injection Vulnerability (CVE-2023-5000) |
152124 | Jenkins Arbitrary File Read Vulnerability (CVE-2024-43044) |
152125 | Jenkins Improper Authorization Vulnerability (CVE-2024-43045) |
152126 | WordPress Reveal Template Plugin: Full Path Disclosure Vulnerability (CVE-2024-7416) |
152127 | WordPress affiliate-toolkit Plugin: Full Path Disclosure Vulnerability (CVE-2024-6562) |
152128 | WordPress Zephyr Project Manager Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-7356) |
152131 | JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-43807, CVE-2024-43808, CVE-2024-43809, CVE-2024-43810) |
152132 | JetBrains TeamCity Cross-Site Scripting (XSS) Vulnerabilities (CVE-2024-43807, CVE-2024-43808, CVE-2024-43809, CVE-2024-43810) |
152133 | WordPress Cost Calculator Builder Plugin: SQL Injection Vulnerability (CVE-2024-43144) |
152135 | WordPress Opti Marketing Plugin: SQL Injection Vulnerability (CVE-2024-6928) |
152136 | WordPress Viral Signup Plugin: SQL Injection Vulnerability (CVE-2024-6926) |
152137 | WordPress GeoDirectory Plugin: SQL Injection Vulnerability (CVE-2024-43145) |
152138 | WordPress BerqWP Plugin: Arbitrary File Upload Vulnerability (CVE-2024-43160) |
152160 | SolarWinds Web Help Desk Java Deserialization Remote Code Execution (RCE) Vulnerability (CVE-2024-28986) |
152161 | SolarWinds Web Help Desk Hardcoded Credential Vulnerability (CVE-2024-28987) |
520027 | Nginx HTTP/3 QUIC Multiple Vulnerabilities |
520028 | Open Secure Sockets Layer (OpenSSL) Buffer Overread Vulnerability (CVE-2024-5535) |
Qualys Notification Link: Web Application Detections Published in August 2024.