Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2024-10284 — Ce21 Ce21_suite: The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up
The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-50808 — Seacms Seacms: 13.1 is vulnerable to code injection in the notification module of the member
SeaCms 13.1 is vulnerable to code injection in the notification module of the member message notification module in the backend user module, due to unsafe handling of the "notify" variable in admin_notify.php. CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile
CVE-2024-9307 — Themelooks Mfolio: The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a
The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file or upload arbitrary EXE files on the affected site's server which may make remote code execution possible if the attacker can also gain access to run CVSSv3.1 9.9 (CRITICAL)
CVE-2024-51626 — Mansurahamed Woocommerce_quote_calculator: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chenyenming Woocommerce Quote Calculator woo-quote-calculator-order allows Blind SQL Injection.This issue affects Woocommerce Quote Calculator: from n/a through <= 1.1. CVSSv3.1 8.5 (HIGH)
CVE-2024-50531 — Carrcommunications Rsvpmaker: Unrestricted Upload of File with Dangerous Type vulnerability in davidfcarr RSVPMaker for Toastmasters rsvpmaker-for-toastmasters
Unrestricted Upload of File with Dangerous Type vulnerability in davidfcarr RSVPMaker for Toastmasters rsvpmaker-for-toastmasters allows Upload a Web Shell to a Web Server.This issue affects RSVPMaker for Toastmasters: from n/a through <= 6.2.4. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50530 — Myriadsolutionz Stars_smtp_mailer: Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer
Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Upload a Web Shell to a Web Server.This issue affects Stars SMTP Mailer: from n/a through <= 2.2.1. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-50529 — Rudrainnovative Training_-_courses: Unrestricted Upload of File with Dangerous Type vulnerability in rudrainn Training – Courses training
Unrestricted Upload of File with Dangerous Type vulnerability in rudrainn Training – Courses training allows Upload a Web Shell to a Web Server.This issue affects Training – Courses: from n/a through <= 2.0.1. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-50527 — Stacksmarket Stacks_mobile_app_builder: Unrestricted Upload of File with Dangerous Type vulnerability in Stacks Stacks Mobile App Builder
Unrestricted Upload of File with Dangerous Type vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Upload a Web Shell to a Web Server.This issue affects Stacks Mobile App Builder: from n/a through <= 5.2.3. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50526 — Lindeni Multi_purpose_mail_form: Unrestricted Upload of File with Dangerous Type vulnerability in Lindeni Mahlalela Multi Purpose Mail
Unrestricted Upload of File with Dangerous Type vulnerability in Lindeni Mahlalela Multi Purpose Mail Form multi-purpose-mail-form allows Upload a Web Shell to a Web Server.This issue affects Multi Purpose Mail Form: from n/a through <= 1.0.2. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50525 — Helloprint Helloprint: Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in helloprint Helloprint helloprint allows Upload a Web Shell to a Web Server.This issue affects Helloprint: from n/a through <= 2.0.4. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50523 — Rainbow-link All_post_contact_form: All Post Contact Form allpost-contactform allows Upload a Web Shell to a Web Server.This
Unrestricted Upload of File with Dangerous Type vulnerability in RainbowLink Inc. All Post Contact Form allpost-contactform allows Upload a Web Shell to a Web Server.This issue affects All Post Contact Form: from n/a through <= 1.8.2. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-10035 — Bg-tek Coslat: Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used
Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security Technologies CoslatV3 allows Command Injection, Privilege Escalation. This issue affects CoslatV3: through 3.1069. NOTE: The vendor was contacted and it was learned that the product is not suppo CVSSv3.1 9.8 (CRITICAL) · EPSS 78th percentile
CVE-2024-51661 — Davidlingren Media_library_assistant: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Command Injection.This issue affects Media LIbrary Assistant: from n/a through <= 3.19. CVSSv3.1 9.1 (CRITICAL)
CVE-2024-51065 — Phpgurukul Beauty_parlour_management_system: Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via
Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the the username parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 40th percentile
CVE-2024-51064 — Phpgurukul Teachers_record_management_system: Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 43th percentile
CVE-2024-51063 — Phpgurukul Teachers_record_management_system: Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via the mobile number or email parameter. CVSSv3.1 9.1 (CRITICAL) · EPSS 39th percentile
CVE-2024-51060 — Projectworlds Online_admission_system: Online Admission System v1 is vulnerable to SQL Injection in index.php via the
Projectworlds Online Admission System v1 is vulnerable to SQL Injection in index.php via the 'a_id' parameter. CVSSv3.1 9.1 (CRITICAL) · EPSS 37th percentile
CVE-2024-49674 — Site: Cross-Site Request Forgery (CSRF) vulnerability in lukashuser EKC Tournament Manager ekc-tournament-manager allows Upload a
Cross-Site Request Forgery (CSRF) vulnerability in lukashuser EKC Tournament Manager ekc-tournament-manager allows Upload a Web Shell to a Web Server.This issue affects EKC Tournament Manager: from n/a through <= 2.2.1. CVSSv3.1 9.6 (CRITICAL)
CVE-2024-48734 — Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload
Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. NOTE: this is disputed by the vendor because file upload is allowed for authorized users. CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile
CVE-2024-48733 — SQL: injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute
SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users. CVSSv3.1 8.8 (HIGH) · EPSS 49th percentile
CVE-2024-50511 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in donimedia WP donimedia carousel wp-donimedia-carousel
Unrestricted Upload of File with Dangerous Type vulnerability in donimedia WP donimedia carousel wp-donimedia-carousel allows Upload a Web Shell to a Web Server.This issue affects WP donimedia carousel: from n/a through <= 1.0.1. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-50510 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in webandprint AR For Woocommerce ar-for-woocommerce
Unrestricted Upload of File with Dangerous Type vulnerability in webandprint AR For Woocommerce ar-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects AR For Woocommerce: from n/a through <= 6.3. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50509 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design woo-product-design allows Path Traversal.This issue affects Woocommerce Product Design: from n/a through <= 1.0.0. CVSSv3.1 8.6 (HIGH)
CVE-2024-50507 — Deserialization: of Untrusted Data vulnerability in Daschmi DS.DownloadList dsdownloadlist allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in Daschmi DS.DownloadList dsdownloadlist allows Object Injection.This issue affects DS.DownloadList: from n/a through <= 1.3. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-50506 — Incorrect: Privilege Assignment vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Privilege Escalation.This
Incorrect Privilege Assignment vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Privilege Escalation.This issue affects Marketing Automation by AZEXO: from n/a through <= 1.27.80. CVSSv3.1 8.8 (HIGH)