Page 19 of 774 results (0.045 seconds)

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

The All Post Contact Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.7.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/allpost-contactform/wordpress-all-post-contact-form-plugin-1-6-7-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

The Plug your WooCommerce into the largest catalog of customized print products from Helloprint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/helloprint/wordpress-helloprint-plugin-2-0-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/fileorganizer/trunk/main/ajax.php#L13 https://plugins.trac.wordpress.org/changeset/3149878 https://www.wordfence.com/threat-intel/vulnerabilities/id/f79164c2-be3b-496d-b747-3e4b60b7fc2b?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. ... El complemento W3SPEEDSTER para WordPress es vulnerable a la ejecución remota de código en todas las versiones hasta la 7.26 incluida a través del parámetro 'script' de la función hookBeforeStartOptimization(). • https://plugins.trac.wordpress.org/browser/w3speedster-wp/trunk/w3speedster.php#L740 https://plugins.trac.wordpress.org/changeset/3175640 https://www.wordfence.com/threat-intel/vulnerabilities/id/2a56eb63-ba5c-4452-8ab9-f5aeaf53adda?source=cve • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

The Woocommerce Product Design plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/woo-product-design/wordpress-woocommerce-product-design-plugin-1-0-0-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •