CVE-2024-6310 – Advanced AJAX Page Loader <= 2.7.7 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-6310
The Advanced AJAX Page Loader plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.7.7. ... This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The forged request runs with the administrator's session, so the missing nonce check is the CSRF, and the handler's acceptance of arbitrary file types is what turns it into a code-execution primitive; the fix needs both a nonce check and a file-type allow-list. • https://plugins.trac.wordpress.org/browser/advanced-ajax-page-loader/tags/2.7.7/advanced-ajax-page-loader.php#L131 https://plugins.trac.wordpress.org/browser/advanced-ajax-page-loader/tags/2.7.7/advanced-ajax-page-loader.php#L41 https://www.wordfence.com/threat-intel/vulnerabilities/id/ccc75dee-1cf8-4fda-b2a1-f5d68e6c7887?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-6316 – Generate PDF using Contact Form 7 <= 4.0.6 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-6316
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6; a later revision of the description extends the affected range to versions up to, and including, 4.1.2, so check the installed version against the vendor's fixed release rather than against the title alone. ... This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/generate-pdf-using-contact-form-7/tags/4.0.6/inc/templates/cf7-pdf-generation.admin.html.php#L72 https://www.wordfence.com/threat-intel/vulnerabilities/id/52cce49b-49b3-49b0-9f18-4829f07a420f?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
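The two entries above (CVE-2024-6310 and CVE-2024-6316) share one root cause: an admin-side upload handler that processes a POST without checking a WordPress nonce, so a cross-site form submission carried by the administrator's cookies is indistinguishable from a genuine one. The following PHP is an added illustration written for this page; it is not code from either plugin. All `example_` function and action names, the `manage_options` capability and the PDF-only allow-list are assumptions chosen for the example.

```php
<?php
// Added example (not the plugins' code). Two shapes of a WordPress
// admin-post.php upload handler: the CSRF-able one and a hardened one.
// Names prefixed "example_" are hypothetical.

// VULNERABLE shape: any POST that reaches the handler is acted on. The
// admin's browser attaches its login cookies to a cross-site form submit,
// so an attacker-controlled page can drive this while the admin is logged in,
// and the client-chosen file name and type go straight to disk.
function example_handle_upload_vulnerable() {
    if ( empty( $_FILES['file'] ) ) {
        wp_die( 'no file' );
    }
    $dest = WP_CONTENT_DIR . '/uploads/' . $_FILES['file']['name']; // no nonce, no type check
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// HARDENED: nonce (ties the request to a form WordPress rendered for this
// user), capability check (CSRF protection alone does not stop a low-privilege
// user who reaches the handler directly), then WordPress's own upload path
// with an explicit allow-list of types.
function example_handle_upload_hardened() {
    // 1. CSRF: check_admin_referer() verifies $_REQUEST['_wpnonce'] for this
    //    action and stops the request if the nonce is missing or stale.
    check_admin_referer( 'example_upload_action', '_wpnonce' );

    // 2. Authorization: require an administrator-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient privileges', '', array( 'response' => 403 ) );
    }

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_die( 'no file' );
    }

    // 3. File type: wp_handle_upload() rejects anything outside 'mimes' and
    //    rewrites the stored name (sanitize_file_name plus a unique suffix),
    //    so an attacker cannot pick either the extension or the path.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            'mimes'     => array( 'pdf' => 'application/pdf' ), // assumed allow-list
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?uploaded=1' ) );
    exit;
}
add_action( 'admin_post_example_upload', 'example_handle_upload_hardened' );

// The legitimate form must carry the matching nonce, otherwise the hardened
// handler rejects the real submit as well.
function example_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_upload">
        <?php wp_nonce_field( 'example_upload_action', '_wpnonce' ); ?>
        <input type="file" name="file">
        <button type="submit">Upload</button>
    </form>
    <?php
}
```

When reviewing a plugin for this bug class, grep every `admin_post_*`, `admin_init` and `wp_ajax_*` callback that reads `$_POST` or `$_FILES` and confirm it reaches `check_admin_referer()` or `wp_verify_nonce()` before any side effect; a nonce that is only checked on the page that renders the form, not in the handler, does not count.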
CVE-2024-6317 – Generate PDF using Contact Form 7 <= 4.0.6 - Cross-Site Request Forgery to Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-6317
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Deletion in versions up to, and including, 4.0.6; a later revision of the description extends the affected range to versions up to, and including, 4.1.2. ... This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Deleting wp-config.php matters because WordPress then treats the site as uninstalled and offers the setup wizard, which lets whoever reaches it first point the site at a database they control. • https://plugins.trac.wordpress.org/browser/generate-pdf-using-contact-form-7/tags/4.0.6/inc/templates/cf7-pdf-generation.admin.html.php#L74 https://www.wordfence.com/threat-intel/vulnerabilities/id/455b9695-e140-4bdb-b626-5c1695518563?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-37418 – WordPress Church Admin plugin <= 4.4.6 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-37418
The Church Admin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 4.4.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible. Unlike the CSRF entries above, no administrator interaction is needed here: any account that can log in, including one created through open registration, can reach the upload. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-6-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
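For an upload that low-privilege users are meant to reach, the defence is validation of the file itself rather than a nonce: an extension allow-list, a check that the content agrees with the claimed extension, and a server-chosen file name. The PHP below is an added example written for this page, not Church Admin's code; the `example_` names, the image/PDF allow-list and the extra executable-extension scan are assumptions made for the illustration.

```php
<?php
// Added example (not the plugin's code). Validates an upload from a
// subscriber-level user before it touches disk. Names prefixed
// "example_" are hypothetical.

// Allow-list of extension => MIME type. Anything not here is rejected,
// whatever the browser put in $_FILES['file']['type'].
function example_allowed_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
}

/**
 * Returns array( 'ok' => bool, 'reason' => string, 'ext' => string ).
 * $file is one entry of $_FILES.
 */
function example_validate_upload( array $file ) {
    if ( ! isset( $file['tmp_name'], $file['name'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return array( 'ok' => false, 'reason' => 'transfer error', 'ext' => '' );
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        // Refuse paths that were not produced by this request's upload.
        return array( 'ok' => false, 'reason' => 'not an uploaded file', 'ext' => '' );
    }
    // wp_check_filetype_and_ext() maps the extension through the allow-list
    // and, for images, compares it with what the file content actually is;
    // ext/type come back empty when the file is not allowed or disagrees.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], example_allowed_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'ok' => false, 'reason' => 'type not allowed or mismatched', 'ext' => '' );
    }
    // Extra scan (assumption for this example): a name like "x.php.png" has
    // an allowed last extension, but a PHP extension anywhere in the dotted
    // name is a red flag on servers that evaluate multiple extensions.
    $parts = explode( '.', strtolower( $file['name'] ) );
    foreach ( array_slice( $parts, 1 ) as $part ) {
        if ( preg_match( '/^ph(p|ar|tml|ps)\d*$/', $part ) ) {
            return array( 'ok' => false, 'reason' => 'executable extension in name', 'ext' => '' );
        }
    }
    return array( 'ok' => true, 'reason' => '', 'ext' => $check['ext'] );
}

// Store the validated upload under a random, server-chosen name with the
// allow-listed extension; the client-supplied name is never reused.
function example_store_upload( array $file ) {
    $v = example_validate_upload( $file );
    if ( ! $v['ok'] ) {
        return new WP_Error( 'upload_rejected', $v['reason'] );
    }
    $dir = wp_upload_dir();
    if ( ! empty( $dir['error'] ) ) {
        return new WP_Error( 'upload_dir', $dir['error'] );
    }
    $name = wp_generate_password( 24, false ) . '.' . $v['ext'];
    $dest = trailingslashit( $dir['path'] ) . $name;
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'move_failed', 'could not store file' );
    }
    return $dest;
}
```

The random name matters as much as the type check: even with a clean extension, keeping the attacker's chosen name lets them predict the URL of what they stored, and a predictable path is the first thing an upload-to-RCE chain needs.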
CVE-2024-37497 – WordPress JetThemeCore plugin < 2.2.1 - Subscriber+ Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-37497
The JetThemeCore for Elementor plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/jet-theme-core/wordpress-jetthemecore-plugin-2-2-1-subscriber-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
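Both deletion entries (CVE-2024-6317 above, reached through CSRF, and CVE-2024-37497 here, reached directly by a subscriber) come down to an unlink on a path the request controls. The PHP below is an added example for this page, not code from JetThemeCore or the Contact Form 7 PDF plugin; it shows a containment check that canonicalises the path before comparing it with the directory the feature is allowed to touch, wrapped in the nonce and capability checks the CSRF variant lacks. The `example_` names, the `example-pdfs` subdirectory and the `manage_options` requirement are assumptions.

```php
<?php
// Added example (not either plugin's code). Deletes a file only if it
// canonicalises to a location inside the feature's own directory under
// uploads, and only on a nonce-checked, capability-checked request.
// Names prefixed "example_" are hypothetical.

/**
 * Resolve $relative against $base_dir and return the absolute path only if
 * the canonical result is still inside $base_dir; otherwise return false.
 * realpath() collapses "..", "." and symlinks, which is what defeats both
 * "../../wp-config.php" and a symlink planted inside the directory.
 */
function example_resolve_inside( $base_dir, $relative ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // Reject NUL bytes and absolute paths before touching the filesystem.
    if ( false !== strpos( $relative, "\0" ) || path_is_absolute( $relative ) ) {
        return false;
    }
    $target = realpath( $base . $relative );
    if ( false === $target ) {
        return false; // does not exist, or a component is not traversable
    }
    // Prefix test against the canonical base. The trailing separator stops
    // ".../example-pdfs" from matching ".../example-pdfs-old/x".
    if ( 0 !== strncmp( $target, $base, strlen( $base ) ) ) {
        return false;
    }
    return $target;
}

function example_handle_delete() {
    check_admin_referer( 'example_delete_pdf', '_wpnonce' );      // CSRF
    if ( ! current_user_can( 'manage_options' ) ) {              // authorization
        wp_die( 'insufficient privileges', '', array( 'response' => 403 ) );
    }
    $upload = wp_upload_dir();
    $base   = trailingslashit( $upload['basedir'] ) . 'example-pdfs';

    // The feature only ever deletes files it generated directly into $base,
    // so strip any directory part: a separator in the name is already a
    // sign of tampering, and the containment check below catches the rest.
    $name = isset( $_POST['file'] ) ? wp_basename( wp_unslash( $_POST['file'] ) ) : '';
    $path = example_resolve_inside( $base, $name );
    if ( false === $path || ! is_file( $path ) ) {
        wp_die( 'invalid file', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $path );
    wp_safe_redirect( admin_url( 'admin.php?page=example-pdfs&deleted=1' ) );
    exit;
}
add_action( 'admin_post_example_delete_pdf', 'example_handle_delete' );
```

String-level filtering alone (stripping `../`, rejecting `wp-config`) is the pattern that keeps failing in this bug class; compare canonical paths instead, and keep the allowed directory as narrow as the feature needs rather than the whole uploads tree.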