CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8669 – Backuply – Backup, Restore, Migrate and Clone <= 1.3.4 - Authenticated (Admin+) SQL Injection
https://notcve.org/view.php?id=CVE-2024-8669
The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter passed to the backuply_wp_clone_sql() function in all versions up to, and including, 1.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://plugins.trac.wordpress.org/browser/backuply/trunk/functions.php#L1477 https://plugins.trac.wordpress.org/changeset/3151205 https://www.wordfence.com/threat-intel/vulnerabilities/id/6a061553-c988-4a31-a0a2-7a2608faa33f?source=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24622 – Softaculous Webuzo Password Reset Command Injection
https://notcve.org/view.php?id=CVE-2024-24622
Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system. • https://blog.exodusintel.com/2024/07/24/softaculous-webuzo-password-reset-command-injection • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24623 – Softaculous Webuzo FTP Management Command Injection
https://notcve.org/view.php?id=CVE-2024-24623
Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system. • https://blog.exodusintel.com/2024/07/25/softaculous-webuzo-ftp-management-command-injection • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24621 – Softaculous Webuzo Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-24621
Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user. • https://blog.exodusintel.com/2024/07/25/softaculous-webuzo-authentication-bypass • CWE-697: Incorrect Comparison •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2324 – FileOrganizer and FileOrganizer Pro <= 1.0.6 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-2324
The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. For the free version, this is limited to administrators. The pro version is also vulnerable and exploitable by administrators, but also offers the functionality to lower level users (as low as subscribers) if enabled. El complemento FileOrganizer – Manage WordPress and Website Files para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de la carga de archivos svg en todas las versiones hasta la 1.0.6 incluida debido a una sanitización de entrada y un escape de salida insuficientes. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3069064%40fileorganizer%2Ftrunk&old=3010587%40fileorganizer%2Ftrunk https://www.wordfence.com/threat-intel/vulnerabilities/id/ffaefd79-57a7-43b8-af1c-e108567eba67?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •