CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43957 – WordPress Animated Number Counters plugin <= 1.9 - Editor+ Limited Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-43957
This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/animated-number-counters/wordpress-animated-number-counters-plugin-1-9-editor-limited-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-45256 – BYOB Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-45256
An arbitrary file write issue in the exfiltration endpoint in BYOB (Build Your Own Botnet) 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in file_add in api/files/routes.py. • https://github.com/malwaredllc/byob https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob https://github.com/chebuya/exploits/tree/main/BYOB-RCE • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43955 – WordPress Droip plugin <= 1.1.1 - Unauthenticated Arbitrary File Download/Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-43955
This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/droip/wordpress-droip-plugin-1-1-1-unauthenticated-arbitrary-file-download-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-42788
https://notcve.org/view.php?id=CVE-2024-42788
This vulnerability allows remote attackers to execute arbitrary code via "title" & "artist" parameter fields. • https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Stored%20XSS%20-%20Add%20New%20Music%20List.pdf https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-42787
https://notcve.org/view.php?id=CVE-2024-42787
This vulnerability allows remote attackers to execute arbitrary code via "title" & "description" parameter fields. • https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Stored%20XSS%20-%20Add%20Playlist.pdf https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •