CVSS: 9.9EPSS: 35%CPEs: 1EXPL: 1CVE-2024-8672 – Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.0.7 - Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-8672
27 Nov 2024 — The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. ... El complemento Widget Options – The #1 WordPress Widget & Block Control Plugin de WordPress es vulnerable a la ejecución remota de código en todas las versiones hasta la 4.0.7 incluida, a través de la funcionalidad de lógica ... • https://github.com/Chocapikk/CVE-2024-8672 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2024-8066 – File Manager Pro – Filester <= 1.8.6- Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8066
27 Nov 2024 — The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible. This m... • https://plugins.trac.wordpress.org/browser/filester/trunk/includes/File_manager/FileManager.php#L269 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.3EPSS: 1%CPEs: 1EXPL: 0CVE-2024-9461 – Total Upkeep <= 1.16.6 - Authenticated (Administrator+) Remote Code Execution via Backup Settings
https://notcve.org/view.php?id=CVE-2024-9461
26 Nov 2024 — The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. • https://plugins.trac.wordpress.org/browser/boldgrid-backup/tags/1.16.5/admin/class-boldgrid-backup-admin-settings.php#L748 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 56%CPEs: 1EXPL: 3CVE-2024-10542 – Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2024-10542
25 Nov 2024 — The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. El complemento Spam... • https://github.com/FoKiiin/CVE-2024-10542 • CWE-862: Missing Authorization •
CVSS: 8.1EPSS: 2%CPEs: 1EXPL: 0CVE-2024-10781 – Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2024-10781
25 Nov 2024 — The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. El complemento Spam protec... • https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.44/lib/Cleantalk/ApbctWP/RemoteCalls.php#L95 • CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-9942 – WPGYM <= 67.1.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9942
22 Nov 2024 — The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the MJ_gmgt_user_avatar_image_upload() function in all versions up to, and including, 67.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11620 – WordPress Rank Math SEO plugin <= 1.0.231 - Arbitrary .htaccess Overwrite to Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-11620
22 Nov 2024 — The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.231. • https://patchstack.com/database/wordpress/plugin/seo-by-rank-math/vulnerability/wordpress-rank-math-seo-plugin-1-0-231-arbitrary-htaccess-overwrite-to-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 5%CPEs: 1EXPL: 1CVE-2024-9659 – School Management <= 91.5.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9659
22 Nov 2024 — The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mj_smgt_user_avatar_image_upload() function in all versions up to, and including, 91.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/school-management-system-for-wordpress/11470032 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-9660 – School Management <= 91.5.0 - Authenticated (Student+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9660
22 Nov 2024 — The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mj_smgt_load_documets_new() and mj_smgt_load_documets() functions in all versions up to, and including, 91.5.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/school-management-system-for-wordpress/11470032 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52490 – WordPress Pathomation plugin <= 2.5.1 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-52490
20 Nov 2024 — The Pathomation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.5.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/pathomation/vulnerability/wordpress-pathomation-plugin-2-5-1-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •