2024-07-10
2024-07-10 02:15Z
HIGH

CVE-2023-7061 — Advancedfilemanager File_manager_advanced_shortcode: The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to arbitrary file uploads

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-7061

The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers with contributor access or above to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDAdvancedfilemanagerVNDAdvancedTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 18:15Z
CRIT

CVE-2023-48194 — Tenda Ac8_firmware: Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-48194

Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. After executing set_client_qos, control over the gp register can be obtained. CVSSv3.1 9.8 (CRITICAL) · EPSS 52th percentile

CWECWE 787VNDTendaVNDVulnerabilityTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-09
2024-07-09 17:15Z
CRIT

CVE-2024-39171 — Phpvibe Phpvibe: Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-39171

Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix. CVSSv3.1 9.8 (CRITICAL) · EPSS 66th percentile

CWECWE 22CWECWE 35VNDPhpvibeTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-09
2024-07-09 12:15Z
CRIT

CVE-2024-3596 — Freeradius Freeradius: RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3596

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature. CVSSv3.1 9.0 (CRITICAL) · EPSS 95th percentile

CWECWE 354CWECWE 924VNDBroadcomVNDSonicwallVNDFreeradiusTYPVulnerability
9.0
CVSS v3.1
100
Edit Score
2024-07-09
2024-07-09 11:15Z
CRIT

CVE-2024-37418 — Church_admin_project Church_admin: Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-37418

Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.4.6. CVSSv3.1 9.9 (CRITICAL) · EPSS 52th percentile

CWECWE 434VNDChurch Admin ProjectTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-07-09
2024-07-09 09:15Z
HIGH

CVE-2024-6069 — Registration: The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6069

The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pieregister_install_addon function in all versions up to, and including, 3.8.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins. As a result att CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDRegistrationTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 09:15Z
HIGH

CVE-2024-5456 — Panda: The Panda Video plugin for WordPress is vulnerable to Local File Inclusion in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5456

The Panda Video plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.0 via the 'selected_button' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and oth CVSSv3.1 8.8 (HIGH)

CWECWE 22VNDPandaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-07-09
2024-07-09 09:15Z
CRIT

CVE-2024-3604 — Hyumika Openstreetmap: The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3604

The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode in all versions up to, and including, 6.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used CVSSv3.1 9.9 (CRITICAL)

CWECWE 89VNDHyumikaVNDOsmTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-07-09
2024-07-09 08:15Z
HIGH

CVE-2024-6321 — ScrollTo: The ScrollTo Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6321

The ScrollTo Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.1.1. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDScrolltoTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 08:15Z
HIGH

CVE-2024-6320 — ScrollTo: The ScrollTo Top plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6320

The ScrollTo Top plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.2.2. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into pe CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDScrolltoTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 08:15Z
HIGH

CVE-2024-6317 — Zealousweb Generate_pdf_using_contact_form_7: The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6317

The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.1.2. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDZealouswebVNDGenerateTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 08:15Z
HIGH

CVE-2024-6316 — Zealousweb Generate_pdf_using_contact_form_7: The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6316

The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.1.2. This is due to missing nonce validation and missing file type validation in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDZealouswebVNDGenerateTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 08:15Z
CRIT

CVE-2024-6314 — Testimonials: The IQ Testimonials plugin for WordPress is vulnerable to arbitrary file uploads due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6314

The IQ Testimonials plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process_image_upload' function in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can only be exploited if the 'gd' php extension is not loaded on the server. CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDTestimonialsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-09
2024-07-09 08:15Z
CRIT

CVE-2024-6313 — Gutenberg: The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6313

The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads due to the users can specify the allowed file types in the 'upload' function in versions up to, and including, 2.2.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDGutenbergTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-09
2024-07-09 08:15Z
HIGH

CVE-2024-6310 — Advanced: The Advanced AJAX Page Loader plugin for WordPress is vulnerable to Cross-Site Request Forgery

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6310

The Advanced AJAX Page Loader plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.7.7. This is due to missing nonce validation in the 'admin_init_AAPL' function and missing file type validation in the 'AAPL_options_validate' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged req CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDAdvancedTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 08:15Z
HIGH

CVE-2024-6309 — Attachment: The Attachment File Icons (AF Icons) plugin for WordPress is vulnerable to Cross-Site Request

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6309

The Attachment File Icons (AF Icons) plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.3. This is due to missing nonce validation in the 'afi_overview' function and missing file type validation in the 'upload_icons' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request gr CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDAttachmentTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 08:15Z
HIGH

CVE-2024-6161 — Default: The Default Thumbnail Plus plugin for WordPress is vulnerable to arbitrary file uploads due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6161

The Default Thumbnail Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'get_cache_image' function in all versions up to, and including, 1.0.2.3. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)

CWECWE 434TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 08:15Z
CRIT

CVE-2024-37555 — Zealousweb Generate_pdf_using_contact_form_7: Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-37555

Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7 generate-pdf-using-contact-form-7.This issue affects Generate PDF using Contact Form 7: from n/a through <= 4.1.2. CVSSv3.1 9.1 (CRITICAL)

CWECWE 434VNDZealouswebTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-07-09
2024-07-09 06:15Z
HIGH

CVE-2024-5441 — Webnus Modern_events_calendar: The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5441

The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit ev CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDWebnusVNDModernTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 05:15Z
HIGH

CVE-2024-6166 — Unlimited-elements Unlimited_elements_for_elementor_\(free_widgets\,_addons\,_templ: The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vuln

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6166

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘addons_order’ parameter in all versions up to, and including, 1.5.112 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above and granted plugin setting edit permissions by an ad CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDUnlimited ElementsVNDUnlimitedTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-09
2024-07-09 04:15Z
CRIT

CVE-2024-6365 — Product: The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6365

The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'saveCustomTitle' function. This is due to missing authorization and lack of sanitization of appended data in the languages/customTitle.php file. This makes it possible for unauthenticated attackers to execute code on the server. CVSSv3.1 9.8 (CRITICAL)

CWECWE 94TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-09
2024-07-09 02:15Z
HIGH

CVE-2024-5793 — Houzez: The Houzez Theme - Functionality plugin for WordPress is vulnerable to SQL Injection via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5793

The Houzez Theme - Functionality plugin for WordPress is vulnerable to SQL Injection via the ‘currency_code’ parameter in all versions up to, and including, 3.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level (seller) access and above, to append additional SQL queries into already existing queries that can be used to extract sensiti CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDHouzezTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-04
2024-07-04 12:15Z
HIGH

CVE-2024-5943 — Kylephillips Nested_pages: The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5943

The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDKylephillipsVNDNestedTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-04
2024-07-04 09:15Z
HIGH

CVE-2024-6319 — Wbolt Imgspider: The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6319

The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDWboltVNDImgspiderTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-04
2024-07-04 09:15Z
HIGH

CVE-2024-6318 — Wbolt Imgspider: The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6318

The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_img_file' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDWboltVNDImgspiderTYPVulnerability
8.8
CVSS v3.1
94
Edit Score