CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48782
https://notcve.org/view.php?id=CVE-2024-48782
File Upload vulnerability in DYCMS Open-Source Version v2.0.9.41 allows a remote attacker to execute arbitrary code via the application only detecting the extension of image files in the front-end. • https://gist.github.com/zty-1995/7750a2ea1231971f973f02dc4c893b46 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48781
https://notcve.org/view.php?id=CVE-2024-48781
An issue in Wanxing Technology Yitu Project Management Kirin Edition 2.3.6 allows a remote attacker to execute arbitrary code via a specially constructed so file/opt/EdrawProj-2/plugins/imageformat. • https://gist.github.com/zty-1995/a7948be24b3411759a6afa3cc616dc12 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49286 – WordPress SSV Events plugin <= 3.2.7 - Local File Inclusion to RCE vulnerability
https://notcve.org/view.php?id=CVE-2024-49286
This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/ssv-events/wordpress-ssv-events-plugin-3-2-7-local-file-inclusion-to-rce-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 7.3EPSS: 1%CPEs: 1EXPL: 1CVE-2024-9061 – WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add
https://notcve.org/view.php?id=CVE-2024-9061
The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. ... This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://github.com/RandomRobbieBF/CVE-2024-9061 https://plugins.trac.wordpress.org/changeset/3166506/wp-popup-builder https://www.wordfence.com/threat-intel/vulnerabilities/id/0cac1dc0-87dc-43eb-9db1-638a91200b43?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9837 – AADMY – Add Auto Date Month Year Into Posts <= 2.0.1 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-9837
The The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. ... This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/auto-date-year-month/trunk/auto-date-year-month.php#L218 https://plugins.trac.wordpress.org/changeset/3167908 https://wordpress.org/plugins/auto-date-year-month/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/fb165cba-34a9-42d9-bfd5-31a290d02311?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •