CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34411 – WordPress canvasio3D Light plugin <= 2.5.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-34411
Unrestricted Upload of File with Dangerous Type vulnerability in Thomas Scholl canvasio3D Light.This issue affects canvasio3D Light: from n/a through 2.5.0. Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Thomas Scholl canvasio3D Light. Este problema afecta a canvasio3D Light: desde n/a hasta 2.5.0. The canvasio3D Light plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/canvasio3d-light/wordpress-canvasio3d-light-plugin-2-5-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48776 – Download canvasio3D Light <= 2.5.0 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-48776
The Download canvasio3D Light plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the caARConnect() function in versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data from the plugin and save/delete entries. • CWE-862: Missing Authorization •