CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/jet-theme-core/wordpress-jetthemecore-plugin-2-2-1-subscriber-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.8 • EPSS: 0% • CPEs: - • EXPL: 0

QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. • https://www.synacktiv.com/advisories/jpgraph-professional-version-pre-authenticated-remote-code-execution • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/imgspider/tags/2.3.10/classes/post.class.php#L189 https://plugins.trac.wordpress.org/changeset/3107741/imgspider https://www.wordfence.com/threat-intel/vulnerabilities/id/63a4a077-c99e-4742-9fa1-f323fd24b950?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/imgspider/tags/2.3.10/classes/post.class.php#L122 https://plugins.trac.wordpress.org/changeset/3107741/imgspider https://www.wordfence.com/threat-intel/vulnerabilities/id/306f00e4-9a70-48be-a91e-e396643a8129?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 1

In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. • https://github.com/ph1ns/CVE-2024-39844 http://www.openwall.com/lists/oss-security/2024/07/03/9 https://github.com/znc/znc/releases/tag/znc-1.9.1 https://wiki.znc.in/Category:ChangeLog https://wiki.znc.in/ChangeLog/1.9.1 https://www.openwall.com/lists/oss-security/2024/07/03/9 • CWE-94: Improper Control of Generation of Code ('Code Injection')