CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8254 – Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-8254
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. • https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4ae4a7-aec1-4cc1-bea0-61dde44027fc?source=cve https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.7.29/lite/includes/class-es-common.php#L244 https://plugins.trac.wordpress.org/changeset/3157336 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.7EPSS: 0%CPEs: -EXPL: 1CVE-2024-31835
https://notcve.org/view.php?id=CVE-2024-31835
Cross Site Scripting vulnerability in flatpress CMS Flatpress v1.3 allows a remote attacker to execute arbitrary code via a crafted payload to the file name parameter. • https://github.com/paragbagul111/CVE-2024-31835 https://drive.google.com/file/d/1OthtP87MduNTYur_p0RZv3moY8CrBcaM/view • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7855 – WP Hotel Booking <= 2.1.2 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7855
The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/includes/class-wphb-comments.php#L150 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3157905%40wp-hotel-booking&new=3157905%40wp-hotel-booking&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/784593ec-b635-4f59-9afb-ab506f786d21?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-46082
https://notcve.org/view.php?id=CVE-2024-46082
Scriptcase v.9.10.023 and before is vulnerable to Cross Site Scripting (XSS) in nm_cor.php via the form and field parameters. • https://blog.hawktesters.com/zero-day-alert-scriptcase-vulnerabilities-rce https://blog.hawktesters.com/zero-day-alert-scriptcase-vulnerabilities-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-7675 – Use After Free Vulnerability in Autodesk Desktop Software
https://notcve.org/view.php?id=CVE-2024-7675
A malicious actor can leverage this vulnerability to cause a crash or execute arbitrary code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://autodesk.com/trust/security-advisories/adsk-sa-2024-0015 • CWE-416: Use After Free •