Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2024-50482 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Chetan Khandla Woocommerce Product Design
Unrestricted Upload of File with Dangerous Type vulnerability in Chetan Khandla Woocommerce Product Design woo-product-design allows Upload a Web Shell to a Web Server.This issue affects Woocommerce Product Design: from n/a through <= 1.0.0. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50480 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO
Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Upload a Web Shell to a Web Server.This issue affects Marketing Automation by AZEXO: from n/a through <= 1.27.80. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-50496 — Webandprint Ar: Unrestricted Upload of File with Dangerous Type vulnerability in webandprint AR For WordPress ar-for-wordpress
Unrestricted Upload of File with Dangerous Type vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 6.6. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50495 — Widgilabs Plugin_propagator: Unrestricted Upload of File with Dangerous Type vulnerability in nunomorgadinho Plugin Propagator wp-propagator allows
Unrestricted Upload of File with Dangerous Type vulnerability in nunomorgadinho Plugin Propagator wp-propagator allows Upload a Web Shell to a Web Server.This issue affects Plugin Propagator: from n/a through <= 0.1. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50497 — Buynowdepot Advanced_online_ordering_and_delivery_platform: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wdesco Advanced Online Ordering and Delivery Platform advanced-online-ordering-and-delivery-platform allows PHP Local File Inclusion.This issue affects Advanced Online Ordering and Delivery Platform: from n/a through <= 2.0.0. CVSSv3.1 8.1 (HIGH)
CVE-2024-50491 — Micahblu Rsvp_me: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MicahBlu RSVP ME rsvp-me allows SQL Injection.This issue affects RSVP ME: from n/a through <= 1.9.9. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-50488 — Priyabratasarkar Token_login: Authentication Bypass Using an Alternate Path or Channel vulnerability in yespbs Token Login token-login
Authentication Bypass Using an Alternate Path or Channel vulnerability in yespbs Token Login token-login allows Authentication Bypass.This issue affects Token Login: from n/a through <= 1.0.3. CVSSv3.1 8.8 (HIGH)
CVE-2024-50483 — Tareqhasan Meetup: Authorization Bypass Through User-Controlled Key vulnerability in Tareq Hasan Meetup meetup allows Privilege Escalation.This
Authorization Bypass Through User-Controlled Key vulnerability in Tareq Hasan Meetup meetup allows Privilege Escalation.This issue affects Meetup: from n/a through <= 0.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-50479 — Mansurahamed Woocommerce_quote_calculator: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chenyenming Woocommerce Quote Calculator woo-quote-calculator-order allows Blind SQL Injection.This issue affects Woocommerce Quote Calculator: from n/a through <= 1.1. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-50478 — Swoopnow 1-click_login\: Authentication Bypass by Primary Weakness vulnerability in swoopbrandon 1-Click Login: Passwordless Authentication swoop-password-free-authentication allows
Authentication Bypass by Primary Weakness vulnerability in swoopbrandon 1-Click Login: Passwordless Authentication swoop-password-free-authentication allows Authentication Bypass.This issue affects 1-Click Login: Passwordless Authentication: from n/a through 1.4.5. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-50465 — Squirrly Premium_seo_pack: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP SEO – Calin Vingan Premium SEO Pack premium-seo-pack allows SQL Injection.This issue affects Premium SEO Pack: from n/a through <= 1.6.001. CVSSv3.1 8.5 (HIGH)
CVE-2024-50498 — Lubus Wp_query_console: Improper Control of Generation of Code ('Code Injection') vulnerability in Ajit Bohra WP Query
Improper Control of Generation of Code ('Code Injection') vulnerability in Ajit Bohra WP Query Console wp-query-console allows Code Injection.This issue affects WP Query Console: from n/a through <= 1.0. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-50492 — Scottpaterson Scottcart: Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart scottcart
Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart scottcart allows Code Injection.This issue affects ScottCart: from n/a through <= 1.1. CVSSv3.1 8.3 (HIGH)
CVE-2024-50489 — Realtyworkstation Realty_workstation: Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation
Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation allows Authentication Bypass.This issue affects Realty Workstation: from n/a through <= 1.0.45. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-50487 — Maantheme Maanstore_api: Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api allows Authentication Bypass.This issue affects MaanStore API: from n/a through <= 1.0.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-50486 — Acnoo Flutter_api: Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API acnoo-flutter-api allows Authentication Bypass.This issue affects Acnoo Flutter API: from n/a through <= 1.0.5. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-50477 — Stacksmarket Stacks_mobile_app_builder: Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App
Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass.This issue affects Stacks Mobile App Builder: from n/a through <= 5.2.3. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-50416 — Wpclever Wpc_shop_as_a_customer_for_woocommerce: Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce
Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce wpc-shop-as-customer allows Object Injection.This issue affects WPC Shop as a Customer for WooCommerce: from n/a through <= 1.2.6. CVSSv3.1 8.8 (HIGH)
CVE-2024-50408 — Kibokolabs Namaste\!_lms: Deserialization of Untrusted Data vulnerability in Bob Namaste!
Deserialization of Untrusted Data vulnerability in Bob Namaste! LMS namaste-lms allows Object Injection.This issue affects Namaste! LMS: from n/a through <= 2.6.3. CVSSv3.1 8.8 (HIGH)
CVE-2024-9637 — Igexsolutions Wpschoolpress: The School Management System – WPSchoolPress plugin for WordPress is vulnerable to privilege escalation
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with teacher-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's CVSSv3.1 8.8 (HIGH)
CVE-2024-9933 — WatchTowerHQ: The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to
The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.10.1. This is due to the 'watchtower_ota_token' default value is empty, and the not empty check is missing in the 'Password_Less_Access::login' function. This makes it possible for unauthenticated attackers to log in to the WatchTowerHQ client administrator user. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-9890 — User: The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up
The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.3. This is due to an improper capability check in the 'switchUser' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. CVE-2024-50503 may be a duplicate. CVSSv3.1 8.8 (HIGH)
CVE-2024-10011 — Buddypress Buddypress: The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up
The BuddyPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 14.1.0 via the id parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory and enables file uploads to directories outside of the web root. Depending on server configuration it may be possible to upload files with double extensions. CVSSv3.1 8.1 (HIGH)
CVE-2024-48544 — Incorrect: access control in the firmware update and download processes of Sylvania Smart Home
Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK file. CVSSv3.1 8.4 (HIGH) · EPSS 10th percentile
CVE-2024-48539 — Neye3C: v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update
Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism. CVSSv3.1 9.8 (CRITICAL) · EPSS 26th percentile