CVE-2024-49604 – WordPress Simple User Registration plugin <= 5.5 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2024-49604
17 Oct 2024 — The Simple User Registration plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on a function in all versions up to, and including, 6.1. • https://patchstack.com/database/vulnerability/wp-registration/wordpress-simple-user-registration-plugin-5-5-account-takeover-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-862: Missing Authorization
CVE-2024-49607 – WordPress WP Dropbox Dropins plugin <= 1.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49607
17 Oct 2024 — The WP Dropbox Dropins plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0. • https://patchstack.com/database/vulnerability/wp-dropbox-dropins/wordpress-wp-dropbox-dropins-plugin-1-0-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-9263 – WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover
https://notcve.org/view.php?id=CVE-2024-9263
16 Oct 2024 — The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() function due to missing validation on a user-controlled key. ... The WP Timetics - AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to account takeover/privilege escalation via... • https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.25/core/customers/customer.php#L299 • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2024-9862 – Miniorange OTP Verification with Firebase <= 3.6.0 - Unauthenticated Arbitrary User Password Change
https://notcve.org/view.php?id=CVE-2024-9862
16 Oct 2024 — The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. ... The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to arbitrary user password changes in versions up to and including 3.6.0. • https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.php#L236 • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2024-9863 – Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value
https://notcve.org/view.php?id=CVE-2024-9863
16 Oct 2024 — The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. ... The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to and including 3.6.0 due to the insecure default value 'administrator' for the 'default_user_role' option. ... The Miniorange OTP Verification with Firebase plugin for WordPress is vulner... • https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194 • CWE-266: Incorrect Privilege Assignment
CVE-2024-49286 – WordPress SSV Events plugin <= 3.2.7 - Local File Inclusion to RCE vulnerability
https://notcve.org/view.php?id=CVE-2024-49286
15 Oct 2024 — The SSV Events plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.2.7. • https://patchstack.com/database/vulnerability/ssv-events/wordpress-ssv-events-plugin-3-2-7-local-file-inclusion-to-rce-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-49290 – WordPress Cooked Pro plugin < 1.8.0 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-49290
15 Oct 2024 — The Cooked Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 1.8.0. • https://patchstack.com/database/vulnerability/cooked-pro/wordpress-cooked-pro-plugin-1-8-0-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-49291 – WordPress Cooked Pro plugin < 1.8.0 - Unauthenticated Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49291
15 Oct 2024 — The Cooked Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 1.8.0 (exclusive). • https://patchstack.com/database/vulnerability/cooked-pro/wordpress-cooked-pro-plugin-1-8-0-unauthenticated-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-49306 – WordPress WP Content Copy Protection & No Right Click plugin <= 3.5.9 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-49306
15 Oct 2024 — The WP Content Copy Protection & No Right Click plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.9. • https://patchstack.com/database/vulnerability/wp-content-copy-protector/wordpress-wp-content-copy-protection-no-right-click-plugin-3-5-9-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-49314 – WordPress JiangQie Free Mini Program plugin <= 2.5.2 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49314
15 Oct 2024 — The JiangQie Free Mini Program plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.5.2. • https://patchstack.com/database/vulnerability/jiangqie-free-mini-program/wordpress-jiangqie-free-mini-program-plugin-2-5-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type