Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2024-48020 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows SQL Injection.This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.21. CVSSv3.1 8.5 (HIGH)
CVE-2024-47331 — Ninjateam Multi_step_for_contact_form_7: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ninja Team Multi Step for Contact Form cf7-multi-step allows SQL Injection.This issue affects Multi Step for Contact Form: from n/a through <= 2.7.7. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-46532 — SQL: Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via
SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component. CVSSv3.1 9.8 (CRITICAL) · EPSS 62th percentile
CVE-2024-46088 — An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer
An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer Resource Management System v2002 to v2024 allows attackers to execute arbitrary code via uploading a crafted file. CVSSv3.1 9.8 (CRITICAL) · EPSS 47th percentile
CVE-2024-47636 — Eyecix Jobsearch_wp_job_board: Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch allows Object Injection.This issue affects JobSearch: from n/a through <= 2.5.9. CVSSv3.1 9.8 (CRITICAL)
Volatility 3 2.8.0
Volatility 3 2.8.0 released with 13 new plugins for memory forensics including linux.netfilter, windows.hollowprocesses, windows.processghosting, and windows.psxview. Updates include improvements to existing plugins, smear protection on Windows, and minimum Python 3.7.3 requirement.
CVE-2024-45874 — DLL: A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code
A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe. CVSSv3.1 9.8 (CRITICAL) · EPSS 49th percentile
CVE-2024-45873 — DLL: A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code
A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe. CVSSv3.1 9.8 (CRITICAL) · EPSS 49th percentile
CVE-2024-46446 — Mecha-cms Mecha: CMS 3.0.0 is vulnerable to Directory Traversal.
Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the Deletion of Arbitrary Files or Website Takeover. CVSSv3.1 9.8 (CRITICAL) · EPSS 69th percentile
CVE-2024-47350 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITHEMES YITH WooCommerce Ajax Search yith-woocommerce-ajax-search.This issue affects YITH WooCommerce Ajax Search: from n/a through <= 2.8.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-47338 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal WPExperts Square For GiveWP wpexperts-square-for-give allows SQL Injection.This issue affects WPExperts Square For GiveWP: from n/a through <= 1.3. CVSSv3.1 8.5 (HIGH)
CVE-2024-47323 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ex-Themes WP Timeline – Vertical and Horizontal timeline plugin wp-timelines.This issue affects WP Timeline – Vertical and Horizontal timeline plugin: from n/a through <= 3.6.7. CVSSv3.1 8.1 (HIGH)
CVE-2024-47319 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form bit-form.This
Unrestricted Upload of File with Dangerous Type vulnerability in Bit Apps Bit Form bit-form.This issue affects Bit Form: from n/a through <= 2.13.10. CVSSv3.1 8.0 (HIGH)
CVE-2024-44023 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in abcapp ABCApp Creator abcapp-creator.This issue affects ABCApp Creator: from n/a through <= 1.1.2. CVSSv3.1 8.1 (HIGH)
CVE-2024-44014 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Vmax
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Vmax Studio Vmax Project Manager vmax-project-manager allows PHP Local File Inclusion.This issue affects Vmax Project Manager: from n/a through <= 1.0. CVSSv3.1 9.6 (CRITICAL)
CVE-2023-37822 — Eufy Homebase_2_firmware: This vulnerability allows an attacker in proximity to the dedicated wireless network to gain
The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicated wireless network for its ecosystem, which serves as a proxy to the end user's primary network. The WPA2-PSK generation of this dedicated network is flawed and solely based on the serial number. Due to the flawed generation process, the WPA2-PSK can be brute forced offline within seconds. This vulnerability allows an attacker in proximity to the dedicated wireless network to gain unauthorized access to th CVSSv3.1 8.2 (HIGH) · EPSS 20th percentile
CVE-2024-46084 — Scriptcase Scriptcase: 9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_unzip
Scriptcase 9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_unzip function. CVSSv3.1 8.0 (HIGH) · EPSS 51th percentile
CVE-2024-8548 — Logon Kb_support: The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is
The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the /includes/ajax-functions.php file all versions up to, and including, 1.6.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple administrative actions, such as replying to arbitrary tickets, updating the status of any pos CVSSv3.1 8.1 (HIGH)
CVE-2024-7434 — Ultrapress Ultrapress: The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions
The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, r CVSSv3.1 8.8 (HIGH)
CVE-2024-8353 — Givewp Givewp: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same CVSSv3.1 9.8 (CRITICAL)
CVE-2024-8643 — Oceanicsoft Valeapp: Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking.
Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile
CVE-2024-8607 — Oceanicsoft Valeapp: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oceanic Software ValeApp allows SQL Injection. This issue affects ValeApp: before v2.0.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile
CVE-2024-7108 — Nationalkeep Cybermath: Incorrect Authorization vulnerability in National Keep Cyber Security Services CyberMath allows Accessing Functionality Not
Incorrect Authorization vulnerability in National Keep Cyber Security Services CyberMath allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CyberMath: before CYBM.240816253. CVSSv3.1 9.8 (CRITICAL) · EPSS 27th percentile
CVE-2024-8485 — Jianbo Rest_api_to_miniprogram: The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via
The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's CVSSv3.1 9.8 (CRITICAL)
CVE-2024-9142 — External: Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource
External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls. This issue affects e-Belediye: before 2.0.642. CVSSv3.1 9.8 (CRITICAL) · EPSS 25th percentile