CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-6297 – Several WordPress.org Plugins <= Various Versions - Injected Backdoor
https://notcve.org/view.php?id=CVE-2024-6297
Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. ... Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. • sfp_email=&sfph_mail=&reponame=&old=3106042%40social-warfare&new=3106042%40social-warfare&sfp_email=&sfph_mail= https://wordpress.org/support/topic/a-security-message-from-the-plugin-review-team https://www.wordfence.com/threat-intel/vulnerabilities/id/56d24bc8-4a1a-4e60-aec5-960703a6058a? • CWE-506: Embedded Malicious Code •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37228 – WordPress InstaWP Connect plugin <= 0.1.0.38 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-37228
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.1.0.38. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37112 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Arbitrary SQL Query Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-37112
The WishList Member X plugin for WordPress is vulnerable SQL Injection in versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-arbitrary-sql-query-execution-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3605 – WP Hotel Booking <= 2.1.0 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-3605
The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ... El complemento WP Hotel Booking para WordPress es vulnerable a la inyección SQL a través del parámetro 'room_type' del endpoint de la API REST /wphb/v1/rooms/search-rooms en todas las versiones hasta la 2.1.0 incluida debido a un escape insuficiente en el parámetro proporcionado por el usuario y la falta de preparación suficiente en la consulta SQL existente. • https://wordpress.org/plugins/wp-hotel-booking https://www.wordfence.com/threat-intel/vulnerabilities/id/5931ad4e-7de3-41ac-b783-f7e58aaef569? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3922 – Dokan Pro <= 3.10.3 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-3922
The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ... El complemento Dokan Pro para WordPress es vulnerable a la inyección SQL a través del parámetro 'código' en todas las versiones hasta la 3.10.3 incluida debido a un escape insuficiente en el parámetro proporcionado por el usuario y a la falta de preparación suficiente en la consulta SQL existente. • https://github.com/truonghuuphuc/CVE-2024-3922-Poc https://dokan.co/docs/wordpress/changelog https://www.wordfence.com/threat-intel/vulnerabilities/id/d9de41de-f2f7-4b16-8ec9-d30bbd3d8786? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •