Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-5969

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-27 Jul, 2024 | 07:33
Updated At-01 Aug, 2024 | 21:25
Rejected At-
Credits

AIomatic - Automatic AI Content Writer <= 2.0.5 - Unauthenticated Arbitrary Email Sending

The AIomatic - Automatic AI Content Writer for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 2.0.5. This is due to insufficient limitations on the email recipient and the content in the 'aiomatic_send_email' function which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:27 Jul, 2024 | 07:33
Updated At:01 Aug, 2024 | 21:25
Rejected At:
▼CVE Numbering Authority (CNA)
AIomatic - Automatic AI Content Writer <= 2.0.5 - Unauthenticated Arbitrary Email Sending

The AIomatic - Automatic AI Content Writer for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 2.0.5. This is due to insufficient limitations on the email recipient and the content in the 'aiomatic_send_email' function which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.

Affected Products
Vendor
CodeRevolution
Product
Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit
Default Status
unaffected
Versions
Affected
  • From * through 2.0.5 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-20CWE-20 Improper Input Validation
Type: CWE
CWE ID: CWE-20
Description: CWE-20 Improper Input Validation
Metrics
VersionBase scoreBase severityVector
3.15.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Version: 3.1
Base score: 5.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
István Márton
Timeline
EventDate
Discovered2024-06-13 00:00:00
Vendor Notified2024-06-13 00:00:00
Disclosed2024-06-14 00:00:00
Event: Discovered
Date: 2024-06-13 00:00:00
Event: Vendor Notified
Date: 2024-06-13 00:00:00
Event: Disclosed
Date: 2024-06-14 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/be5be40f-89da-4b97-9a85-527602d84c4d?source=cve
N/A
https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369?srsltid=AfmBOornCSKshlaSyZi2nonTcpSskMpBNJpdAS_No91A5V5lTIAD1h8S
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/be5be40f-89da-4b97-9a85-527602d84c4d?source=cve
Resource: N/A
Hyperlink: https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369?srsltid=AfmBOornCSKshlaSyZi2nonTcpSskMpBNJpdAS_No91A5V5lTIAD1h8S
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
coderevolution
Product
aiomatic-automatic_ai_content_writer_\&_editor
CPEs
  • cpe:2.3:a:coderevolution:aiomatic-automatic_ai_content_writer_\&_editor:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 2.0.5 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/be5be40f-89da-4b97-9a85-527602d84c4d?source=cve
x_transferred
https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369?srsltid=AfmBOornCSKshlaSyZi2nonTcpSskMpBNJpdAS_No91A5V5lTIAD1h8S
x_transferred
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/be5be40f-89da-4b97-9a85-527602d84c4d?source=cve
Resource:
x_transferred
Hyperlink: https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369?srsltid=AfmBOornCSKshlaSyZi2nonTcpSskMpBNJpdAS_No91A5V5lTIAD1h8S
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:27 Jul, 2024 | 08:15
Updated At:08 Aug, 2025 | 01:53

The AIomatic - Automatic AI Content Writer for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 2.0.5. This is due to insufficient limitations on the email recipient and the content in the 'aiomatic_send_email' function which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
coderevolution
coderevolution
>>aiomatic>>Versions before 2.0.6(exclusive)
cpe:2.3:a:coderevolution:aiomatic:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-20Secondarysecurity@wordfence.com
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE ID: CWE-20
Type: Secondary
Source: security@wordfence.com
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369?srsltid=AfmBOornCSKshlaSyZi2nonTcpSskMpBNJpdAS_No91A5V5lTIAD1h8Ssecurity@wordfence.com
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/be5be40f-89da-4b97-9a85-527602d84c4d?source=cvesecurity@wordfence.com
Third Party Advisory
https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369?srsltid=AfmBOornCSKshlaSyZi2nonTcpSskMpBNJpdAS_No91A5V5lTIAD1h8Saf854a3a-2127-422b-91ae-364da2661108
Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/be5be40f-89da-4b97-9a85-527602d84c4d?source=cveaf854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369?srsltid=AfmBOornCSKshlaSyZi2nonTcpSskMpBNJpdAS_No91A5V5lTIAD1h8S
Source: security@wordfence.com
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/be5be40f-89da-4b97-9a85-527602d84c4d?source=cve
Source: security@wordfence.com
Resource:
Third Party Advisory
Hyperlink: https://codecanyon.net/item/aiomatic-automatic-ai-content-writer/38877369?srsltid=AfmBOornCSKshlaSyZi2nonTcpSskMpBNJpdAS_No91A5V5lTIAD1h8S
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Product
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/be5be40f-89da-4b97-9a85-527602d84c4d?source=cve
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

110Records found
CVE-2022-34350
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.39% / 59.55%
||
7 Day CHG+0.22%
Published-08 Feb, 2023 | 19:12
Updated-25 Mar, 2025 | 13:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM API Connect security bypass

IBM API Connect 10.0.0.0 through 10.0.5.0, 10.0.1.0 through 10.0.1.7, and 2018.4.1.0 through 2018.4.1.20 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 230264.

Action-Not Available
Vendor-IBM Corporation
Product-api_connectAPI Connect
CWE ID-CWE-20
Improper Input Validation
CVE-2022-25839
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 42.36%
||
7 Day CHG~0.00%
Published-11 Mar, 2022 | 20:00
Updated-16 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation

The package url-js before 2.1.0 are vulnerable to Improper Input Validation due to improper parsing, which makes it is possible for the hostname to be spoofed. http://\\\\\\\\localhost and http://localhost are the same URL. However, the hostname is not parsed as localhost, and the backslash is reflected as it is.

Action-Not Available
Vendor-url-js_projectn/a
Product-url-jsurl-js
CWE ID-CWE-20
Improper Input Validation
CVE-2025-23041
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.15% / 35.39%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 18:54
Updated-19 Sep, 2025 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms

Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-Umbraco A/S (Umbraco)
Product-umbraco_formsUmbraco.Forms.Issues
CWE ID-CWE-20
Improper Input Validation
CVE-2022-23814
Matching Score-4
Assigner-Advanced Micro Devices Inc.
ShareView Details
Matching Score-4
Assigner-Advanced Micro Devices Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 58.98%
||
7 Day CHG~0.00%
Published-10 Jan, 2023 | 20:56
Updated-09 Apr, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Failure to validate addresses provided by software to BIOS commands may result in a potential loss of integrity of guest memory in a confidential compute environment.

Action-Not Available
Vendor-Advanced Micro Devices, Inc.
Product-milanpi-sp3_firmwaremilanpi-sp33rd Gen EPYC
CWE ID-CWE-20
Improper Input Validation
CVE-2022-20784
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.53% / 66.60%
||
7 Day CHG~0.00%
Published-06 Apr, 2022 | 18:11
Updated-06 Nov, 2024 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Web Security Appliance Filter Bypass Vulnerability

A vulnerability in the Web-Based Reputation Score (WBRS) engine of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass established web request policies and access blocked content on an affected device. This vulnerability is due to incorrect handling of certain character combinations inserted into a URL. An attacker could exploit this vulnerability by sending crafted URLs to be processed by an affected device. A successful exploit could allow the attacker to bypass the web proxy and access web content that has been blocked by policy.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-web_security_applianceCisco Web Security Appliance (WSA)
CWE ID-CWE-20
Improper Input Validation
CVE-2022-20952
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 37.45%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 15:27
Updated-03 Aug, 2024 | 02:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the scanning engines of Cisco AsyncOS Software for Cisco Secure Web Appliance, formerly known as Cisco Web Security Appliance (WSA), could allow an unauthenticated, remote attacker to bypass a configured rule, thereby allowing traffic onto a network that should have been blocked. This vulnerability exists because malformed, encoded traffic is not properly detected. An attacker could exploit this vulnerability by connecting through an affected device to a malicious server and receiving malformed HTTP responses. A successful exploit could allow the attacker to bypass an explicit block rule and receive traffic that should have been rejected by the device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-asyncoss695s195s395Cisco Secure Web Appliance
CWE ID-CWE-20
Improper Input Validation
CVE-2023-35944
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.01% / 0.90%
||
7 Day CHG~0.00%
Published-25 Jul, 2023 | 18:35
Updated-23 Oct, 2024 | 20:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Envoy vulnerable to incorrect handling of HTTP requests and responses with mixed case schemes

Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy allows mixed-case schemes in HTTP/2, however, some internal scheme checks are case-sensitive. Prior to versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, this can lead to the rejection of requests with mixed-case schemes such as `htTp` or `htTps`, or the bypassing of some requests such as `https` in unencrypted connections. With a fix in versions 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12, Envoy will now lowercase scheme values by default, and change the internal scheme checks that were case-sensitive to be case-insensitive. There are no known workarounds for this issue.

Action-Not Available
Vendor-envoyproxyenvoyproxy
Product-envoyenvoy
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-38910
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-3.7||LOW
EPSS-0.25% / 47.76%
||
7 Day CHG~0.00%
Published-10 Mar, 2022 | 19:50
Updated-16 Sep, 2024 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM DataPower Gateway V10CD, 10.0.1, and 2108.4.1 could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. By sending a specially crafted JSON message, an attacker could exploit this vulnerability to modify structure and fields. IBM X-Force ID: 209824.

Action-Not Available
Vendor-IBM Corporation
Product-datapower_gatewayDataPower Gateway
CWE ID-CWE-20
Improper Input Validation
CVE-2021-28170
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 30.16%
||
7 Day CHG~0.00%
Published-26 May, 2021 | 21:55
Updated-03 Aug, 2024 | 21:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

Action-Not Available
Vendor-quarkusOracle CorporationEclipse Foundation AISBL
Product-jakarta_expression_languagecommunications_cloud_native_core_policyweblogic_serverquarkusJakarta Expression Language Implementation
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2020-14338
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.41% / 60.99%
||
7 Day CHG~0.00%
Published-17 Sep, 2020 | 14:06
Updated-04 Aug, 2024 | 12:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-xercesWildfly
CWE ID-CWE-20
Improper Input Validation
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found