CVE-2024-9707 – Hunk Companion <= 1.8.4 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-9707
10 Oct 2024 — The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. • https://github.com/WordPressBugBounty/plugins-hunk-companion/blob/5a3cedc7b3d35d407b210e691c53c6cb400e4051/hunk-companion/import/app/app.php#L46 • CWE-862: Missing Authorization
CVE-2024-9201 – SQL injection vulnerability in SEUR plugin
https://notcve.org/view.php?id=CVE-2024-9201
10 Oct 2024 — The SEUR Oficial plugin for WordPress is vulnerable to SQL Injection via the 'id_order' parameter of the '/modules/seur/ajax/saveCodFee.php' file in all versions up to, and including, 2.2.10.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-seur-plugin • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-9234 – GutenKit <= 2.1.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9234
10 Oct 2024 — The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. ... WordPress GutenKit plugin versions 2.1.0 and below suffer from an arbitrary file upload vulnerability. • https://github.com/WordPressBugBounty/plugins-gutenkit-blocks-addon/blob/dc3738bb821cf1d93a11379b8695793fa5e1b9e6/gutenkit-blocks-addon/includes/Admin/Api/ActivePluginData.php#L76 • CWE-862: Missing Authorization
CVE-2024-9822 – Pedalo Connector <= 2.0.5 - Authentication Bypass to Administrator
https://notcve.org/view.php?id=CVE-2024-9822
10 Oct 2024 — The Pedalo Connector plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.5. • https://github.com/RandomRobbieBF/CVE-2024-9822 • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2024-48026 – WordPress Disc Golf Manager plugin <= 1.0.0 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-48026
09 Oct 2024 — The Disc Golf Manager plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.0.0 via deserialization of untrusted input. • https://patchstack.com/database/vulnerability/disc-golf-manager/wordpress-disc-golf-manager-plugin-1-0-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data
CVE-2024-48028 – WordPress IP Loc8 plugin <= 1.1 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-48028
09 Oct 2024 — The IP Loc8 plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.1 via deserialization of untrusted input. • https://patchstack.com/database/vulnerability/ip-loc8/wordpress-ip-loc8-plugin-1-1-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data
CVE-2024-48030 – WordPress Telecash Ricaricaweb plugin <= 2.2 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-48030
09 Oct 2024 — The Telecash Ricaricaweb plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2 via deserialization of untrusted input. • https://patchstack.com/database/vulnerability/telecash-ricaricaweb/wordpress-telecash-ricaricaweb-plugin-2-2-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data
CVE-2024-48033 – WordPress Talkback plugin <= 1.0 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-48033
09 Oct 2024 — The Talkback plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.0 via deserialization of untrusted input. • https://patchstack.com/database/vulnerability/talkback-secure-linkback-protocol/wordpress-talkback-plugin-1-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data
CVE-2024-9518 – UserPlus <= 2.0 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-9518
09 Oct 2024 — The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile' functions. • https://plugins.trac.wordpress.org/browser/userplus/trunk/functions/user-functions.php?rev=1604604#L47 • CWE-269: Improper Privilege Management
CVE-2024-47636 – WordPress WP JobSearch plugin <= 2.5.9 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-47636
30 Sep 2024 — The JobSearch WP Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.9 via deserialization of untrusted input. • https://patchstack.com/database/vulnerability/wp-jobsearch/wordpress-wp-jobsearch-plugin-2-5-9-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data