CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49676 – WordPress Custom Icons for Elementor plugin <= 0.3.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49676
21 Oct 2024 — This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/custom-icons-for-elementor/wordpress-custom-icons-for-elementor-plugin-0-3-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49690 – WordPress Qi Blocks plugin <= 1.3.2 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-49690
21 Oct 2024 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Qode Interactive Qi Blocks.This issue affects Qi Blocks: from n/a through 1.3.2. ... This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achiev... • https://patchstack.com/database/vulnerability/qi-blocks/wordpress-qi-blocks-plugin-1-3-2-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49701 – WordPress Mags theme <= 1.1.6 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-49701
21 Oct 2024 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Theme Horse Mags.This issue affects Mags: from n/a through 1.1.6. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other... • https://patchstack.com/database/vulnerability/mags/wordpress-mags-theme-1-1-6-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49652 – WordPress 3D Work In Progress plugin <= 1.0.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49652
21 Oct 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/renee-work-in-progress/wordpress-3d-work-in-progress-plugin-1-0-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49653 – WordPress Portfolleo plugin <= 1.2 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49653
21 Oct 2024 — This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/portfolleo/wordpress-portfolleo-plugin-1-2-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49658 – WordPress Woocommerce Custom Profile Picture plugin <= 1.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49658
21 Oct 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/woo-custom-profile-picture/wordpress-woocommerce-custom-profile-picture-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49668 – WordPress Verbalize WP plugin <= 1.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49668
21 Oct 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/verbalize-wp/wordpress-verbalize-wp-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49669 – WordPress INK Official plugin <= 4.1.2 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49669
21 Oct 2024 — This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/ink-official/wordpress-ink-official-plugin-4-1-2-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49671 – WordPress AI Postpix plugin <= 1.1.8 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49671
21 Oct 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/ai-postpix/wordpress-ai-postpix-plugin-1-1-8-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10131 – Remote Code Execution in infiniflow/ragflow
https://notcve.org/view.php?id=CVE-2024-10131
19 Oct 2024 — The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability. The function uses user-supplied input `req['llm_factory']` and `req['llm_name']` to dynamically instantiate classes from various model dictionaries. This approach allows an attacker to potentially execute arbitrary code due to the lack of comprehensive input validation or sanitization. An attacker could provide a mali... • https://huntr.com/bounties/42ae0b27-e851-4b58-a991-f691a437fbaa • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •