
CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Bit Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'iconUpload' function in all versions up to, and including, 2.12.2. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. ... The Bit Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'iconUpload' function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
• https://plugins.trac.wordpress.org/browser/bit-form/tags/2.12.2/includes/Admin/AdminAjax.php#L1176
• https://www.wordfence.com/threat-intel/vulnerabilities/id/6d1b255f-d775-4bd5-892e-42bf82dd5632?source=cve
• https://plugins.trac.wordpress.org/changeset/3114814/bit-form/trunk/includes/Admin/AdminAjax.php
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. ...
• https://webnus.net/modern-events-calendar
• https://www.wordfence.com/threat-intel/vulnerabilities/id/0c007090-9d9b-4ee7-8f77-91abd4373051?source=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Attachment File Icons (AF Icons) plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.3. ... This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/browser/attachment-file-icons/tags/1.3/attachment-file-icons.php#L130
• https://plugins.trac.wordpress.org/browser/attachment-file-icons/tags/1.3/attachment-file-icons.php#L337
• https://www.wordfence.com/threat-intel/vulnerabilities/id/7e3fd472-c8ea-42dc-93df-872361ec97f3?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads because users can specify the allowed file types in the 'upload' function in versions up to, and including, 2.2.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
• https://plugins.trac.wordpress.org/browser/forms-gutenberg/tags/2.2.9/Utils/Bucket.php#L19
• https://plugins.trac.wordpress.org/browser/forms-gutenberg/tags/2.2.9/triggers/email.php#L268
• https://www.wordfence.com/threat-intel/vulnerabilities/id/b0315b53-46a1-46b4-a53e-0d914866ca50?source=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Default Thumbnail Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'get_cache_image' function in all versions up to, and including, 1.0.2.3. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
• https://plugins.trac.wordpress.org/browser/default-thumbnail-plus/trunk/default-thumbnail-plus.php?rev=597280#L337
• https://www.wordfence.com/threat-intel/vulnerabilities/id/046f11b6-7d1a-4bd3-8250-4c5a50fab3ff?source=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type