
CVE-2024-56278 – WordPress WP Ultimate Exporter plugin <= 2.9.1 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-56278
03 Jan 2025 — The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.9.1. • https://patchstack.com/database/wordpress/plugin/wp-ultimate-exporter/vulnerability/wordpress-wp-ultimate-exporter-plugin-2-9-1-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-43243 – WordPress JobBoard Job listing plugin <= 1.2.6 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-43243
03 Jan 2025 — The JobBoard Job listing plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/job-board-light/vulnerability/wordpress-jobboard-job-listing-plugin-1-2-6-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-56249 – WordPress WPMasterToolKit plugin <= 1.13.1 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-56249
30 Dec 2024 — The WPMasterToolKit (WPMTK) – All in one plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.13.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/wpmastertoolkit/vulnerability/wordpress-wpmastertoolkit-plugin-1-13-1-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-56264 – WordPress ACF City Selector plugin <= 1.14.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-56264
30 Dec 2024 — The ACF City Selector plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.14.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. WordPress ACF City Selector plugin versions 1.14.0 and below suffer from a remote shell upload vulnerability. • https://patchstack.com/database/wordpress/plugin/acf-city-selector/vulnerability/wordpress-acf-city-selector-plugin-1-14-0-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-12066 – SMSA Shipping(official) <= 2.2 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-12066
20 Dec 2024 — The SMSA Shipping(official) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the smsa_delete_label() function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This makes it possible for authenticated attackers, ... • https://plugins.trac.wordpress.org/browser/smsa-shipping-official/trunk/smsa-express-shipping.php#L235 • CWE-73: External Control of File Name or Path •

CVE-2024-12626 – AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value
https://notcve.org/view.php?id=CVE-2024-12626
18 Dec 2024 — The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. ... When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code. • https://plugins.trac.wordpress.org/changeset/3209794/automatorwp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-56064 – WordPress WP SuperBackup plugin <= 2.3.3 - Unauthenticated Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-56064
18 Dec 2024 — The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. WordPress SuperBackup plugin versions 2.3.3 and below suffer from a remote shell upload vulnerability. • https://patchstack.com/database/wordpress/plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-unauthenticated-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-56046 – WordPress WPLMS plugin <= 1.9.9 - Unauthenticated Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-56046
17 Dec 2024 — The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-56049 – WordPress WPLMS plugin < 1.9.9.5.2 - Subscriber+ Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-56049
17 Dec 2024 — The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to 1.9.9.5.2 (exclusive). This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-subscriber-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-35: Path Traversal: '.../ •

CVE-2024-56050 – WordPress WPLMS plugin < 1.9.9.5.3 - Subscriber+ Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-56050
17 Dec 2024 — The WPLMS plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 1.9.9.5.3 (exclusive). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-subscriber-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •