CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49285 – WordPress SSV MailChimp plugin <= 3.1.5 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-49285
This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/ssv-mailchimp/wordpress-ssv-mailchimp-plugin-3-1-5-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49318 – WordPress My Reading Library plugin <= 1.0 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-49318
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/vulnerability/my-reading-library/wordpress-my-reading-library-plugin-1-0-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9634 – GiveWP – Donation Plugin and Fundraising Platform <= 3.16.3 - Unauthenticated PHP Object Injection to Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-9634
The additional presence of a POP chain allows attackers to achieve remote code execution. • https://plugins.trac.wordpress.org/browser/give/tags/3.16.2/src/Donations/Repositories/DonationRepository.php?rev=3157829 https://plugins.trac.wordpress.org/changeset/3166836/give/tags/3.16.4/includes/process-donation.php https://www.wordfence.com/threat-intel/vulnerabilities/id/b8eb3aa9-fe60-48b6-aa24-7873dd68b47e?source=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48782
https://notcve.org/view.php?id=CVE-2024-48782
File Upload vulnerability in DYCMS Open-Source Version v2.0.9.41 allows a remote attacker to execute arbitrary code via the application only detecting the extension of image files in the front-end. • https://gist.github.com/zty-1995/7750a2ea1231971f973f02dc4c893b46 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48781
https://notcve.org/view.php?id=CVE-2024-48781
An issue in Wanxing Technology Yitu Project Management Kirin Edition 2.3.6 allows a remote attacker to execute arbitrary code via a specially constructed so file/opt/EdrawProj-2/plugins/imageformat. • https://gist.github.com/zty-1995/a7948be24b3411759a6afa3cc616dc12 • CWE-434: Unrestricted Upload of File with Dangerous Type •