2025-01-07
2025-01-07 16:15Z
HIGH

CVE-2024-53345 — An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53345

An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file. CVSSv3.1 8.8 (HIGH) · EPSS 66th percentile

CWECWE 434TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-07
2025-01-07 11:15Z
HIGH

CVE-2025-22348 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22348

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in rtowebsites DynamicTags dynamictags allows Blind SQL Injection.This issue affects DynamicTags: from n/a through <= 1.4.0. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-01-07
2025-01-07 11:15Z
HIGH

CVE-2025-22347 — Site: Cross-Site Request Forgery (CSRF) vulnerability in bannersky BSK Forms Blacklist bsk-gravityforms-blacklist allows Blind SQL

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22347

Cross-Site Request Forgery (CSRF) vulnerability in bannersky BSK Forms Blacklist bsk-gravityforms-blacklist allows Blind SQL Injection.This issue affects BSK Forms Blacklist: from n/a through <= 3.9. CVSSv3.1 8.2 (HIGH)

CWECWE 352TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-01-07
2025-01-07 11:15Z
HIGH

CVE-2024-56291 — Deserialization: of Untrusted Data vulnerability in plainware PlainInventory z-inventory-manager allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56291

Deserialization of Untrusted Data vulnerability in plainware PlainInventory z-inventory-manager allows Object Injection.This issue affects PlainInventory: from n/a through <= 3.1.6. CVSSv3.1 8.1 (HIGH)

CWECWE 502TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-01-07
2025-01-07 11:15Z
CRIT

CVE-2024-56290 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56290

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.2. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-01-07
2025-01-07 11:15Z
CRIT

CVE-2024-56284 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56284

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in sslplugins SSL Wireless SMS Notification ssl-wireless-sms-notification allows SQL Injection.This issue affects SSL Wireless SMS Notification: from n/a through <= 3.5.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-01-07
2025-01-07 11:15Z
HIGH

CVE-2024-56283 — Deserialization: of Untrusted Data vulnerability in plainware Locatoraid Store Locator locatoraid allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56283

Deserialization of Untrusted Data vulnerability in plainware Locatoraid Store Locator locatoraid allows Object Injection.This issue affects Locatoraid Store Locator: from n/a through <= 3.9.50. CVSSv3.1 8.1 (HIGH)

CWECWE 502TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-01-07
2025-01-07 11:15Z
HIGH

CVE-2024-56280 — Incorrect: Privilege Assignment vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56280

Incorrect Privilege Assignment vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Privilege Escalation.This issue affects WPGuppy: from n/a through <= 1.1.0. CVSSv3.1 8.8 (HIGH)

CWECWE 266TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-07
2025-01-07 11:15Z
CRIT

CVE-2024-56278 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders Inc., WP Ultimate

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56278

Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows PHP Remote File Inclusion.This issue affects WP Ultimate Exporter: from n/a through <= 2.9.1. CVSSv3.1 9.1 (CRITICAL)

CWECWE 94TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-01-07
2025-01-07 11:15Z
HIGH

CVE-2024-51715 — Flowdee Clickwhale: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51715

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickWhale ClickWhale clickwhale allows Blind SQL Injection.This issue affects ClickWhale: from n/a through <= 2.4.1. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDFlowdeeTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-01-07
2025-01-07 11:15Z
CRIT

CVE-2024-49649 — Buildapp Build_app_online: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-49649

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23. CVSSv3.1 9.8 (CRITICAL)

CWECWE 98CWECWE 829VNDBuildappTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-07
2025-01-07 11:15Z
HIGH

CVE-2024-49644 — Incorrect: Privilege Assignment vulnerability in AllAccessible Accessibility by AllAccessible allaccessible allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-49644

Incorrect Privilege Assignment vulnerability in AllAccessible Accessibility by AllAccessible allaccessible allows Privilege Escalation.This issue affects Accessibility by AllAccessible: from n/a through <= 1.3.4. CVSSv3.1 8.8 (HIGH)

CWECWE 266TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-07
2025-01-07 11:15Z
HIGH

CVE-2024-49249 — Path: Traversal: '.../...//' vulnerability in SMSA Express SMSA Shipping smsa-shipping-official allows Path Traversal.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-49249

Path Traversal: '.../...//' vulnerability in SMSA Express SMSA Shipping smsa-shipping-official allows Path Traversal.This issue affects SMSA Shipping: from n/a through <= 2.3. CVSSv3.1 8.6 (HIGH)

CWECWE 35TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-01-07
2025-01-07 11:15Z
CRIT

CVE-2024-49222 — Deserialization: of Untrusted Data vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-49222

Deserialization of Untrusted Data vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Object Injection.This issue affects WPGuppy: from n/a through <= 1.1.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-07
2025-01-07 11:15Z
CRIT

CVE-2024-43243 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in themeglow JobBoard Job listing job-board-light

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43243

Unrestricted Upload of File with Dangerous Type vulnerability in themeglow JobBoard Job listing job-board-light allows Upload a Web Shell to a Web Server.This issue affects JobBoard Job listing: from n/a through <= 1.2.6. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-01-07
2025-01-07 05:15Z
HIGH

CVE-2024-12322 — ThePerfectWedding: The ThePerfectWedding.nl Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12322

The ThePerfectWedding.nl Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8. This is due to missing or incorrect nonce validation on the 'update_option' function. This makes it possible for unauthenticated attackers to update the 'tpwKey' option with stored cross-site scripting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDTheperfectweddingTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-07
2025-01-07 05:15Z
HIGH

CVE-2024-12313 — Compare: The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12313

The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete CVSSv3.1 8.1 (HIGH)

CWECWE 502VNDCompareTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-01-07
2025-01-07 05:15Z
CRIT

CVE-2024-12264 — PayU: The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12264

The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the users ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts. CVSSv3.1 9.8 (CRITICAL)

CWECWE 287VNDPayuTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-07
2025-01-07 04:15Z
CRIT

CVE-2024-12402 — Themes: The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12402

The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to g CVSSv3.1 9.8 (CRITICAL)

CWECWE 288TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-06
2025-01-06 18:15Z
CRIT

CVE-2024-54879 — Seacms Seacms: V13.1 is vulnerable to Incorrect Access Control.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-54879

SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely. CVSSv3.1 9.1 (CRITICAL) · EPSS 55th percentile

CWECWE 281VNDSeacmsTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-01-02
2025-01-02 13:15Z
HIGH

CVE-2024-39623 — Cridio Listingpro: Cross-Site Request Forgery (CSRF) vulnerability in CridioStudio ListingPro listingpro allows Authentication Bypass.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-39623

Cross-Site Request Forgery (CSRF) vulnerability in CridioStudio ListingPro listingpro allows Authentication Bypass.This issue affects ListingPro: from n/a through <= 2.9.4. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDCridioTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-02
2025-01-02 12:15Z
CRIT

CVE-2024-56249 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56249

Unrestricted Upload of File with Dangerous Type vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Upload a Web Shell to a Web Server.This issue affects WPMasterToolKit: from n/a through <= 1.13.1. CVSSv3.1 9.1 (CRITICAL)

CWECWE 434TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-01-02
2025-01-02 12:15Z
CRIT

CVE-2023-47188 — Presstigers Simple_job_board: Missing Authorization vulnerability in PressTigers Simple Job Board simple-job-board allows Exploiting Incorrectly Configured Access

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47188

Missing Authorization vulnerability in PressTigers Simple Job Board simple-job-board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Job Board: from n/a through <= 2.10.5. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDPresstigersTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-02
2025-01-02 12:15Z
CRIT

CVE-2023-47183 — Givewp Givewp: Missing Authorization vulnerability in StellarWP GiveWP give allows Exploiting Incorrectly Configured Access Control Security

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47183

Missing Authorization vulnerability in StellarWP GiveWP give allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GiveWP: from n/a through <= 2.33.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDGivewpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-02
2025-01-02 12:15Z
HIGH

CVE-2023-47179 — Byconsole Wooodt_lite: Missing Authorization vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Exploiting Incorrectly Configured Access Control

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47179

Missing Authorization vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooODT Lite: from n/a through <= 2.4.6. CVSSv3.1 8.8 (HIGH) · EPSS 93th percentile

CWECWE 862VNDByconsoleTYPVulnerability
8.8
CVSS v3.1
97
Edit Score