CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10820 – WooCommerce Upload Files <= 84.3 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-10820
The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/woocommerce-upload-files/11442983 https://www.wordfence.com/threat-intel/vulnerabilities/id/b9371b37-53c5-4a4f-a500-c6d58d4d3c5a?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7982 – Registrations for The Events Calendar < 2.12.4 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2024-7982
The Registrations for the Events Calendar WordPress plugin before 2.12.4 does not sanitise and escape some parameters when accepting event registrations, which could allow unauthenticated users to perform Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/d79e1e9c-980d-4974-bfbd-d87d6e28d9a6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-8378 – Safe SVG < 2.2.6 - Author+ SVG Sanitisation Bypass
https://notcve.org/view.php?id=CVE-2024-8378
The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code is only running for paths that call wp_handle_upload, but not for example for code that uses wp_handle_sideload which is often used to upload attachments via raw POST data. • https://wpscan.com/vulnerability/17be4bf2-486d-43ab-b87a-2117c8d77ca8 •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10027 – WP Booking Calendar < 10.6.3 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-10027
The WP Booking Calendar WordPress plugin before 10.6.3 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). • https://wpscan.com/vulnerability/a94c7b64-720a-47f1-a74a-691c3a9ed3a1 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-9934 – Wp-ImageZoom <= 1.1.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-9934
The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin • https://wpscan.com/vulnerability/53e640a7-833e-40de-93d4-acea28aff5a5 •