
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/forms-gutenberg/tags/2.2.9/Utils/Bucket.php#L19 https://plugins.trac.wordpress.org/browser/forms-gutenberg/tags/2.2.9/triggers/email.php#L268 https://www.wordfence.com/threat-intel/vulnerabilities/id/b0315b53-46a1-46b4-a53e-0d914866ca50?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://webnus.net/modern-events-calendar https://www.wordfence.com/threat-intel/vulnerabilities/id/0c007090-9d9b-4ee7-8f77-91abd4373051?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/default-thumbnail-plus/trunk/default-thumbnail-plus.php?rev=597280#L337 https://www.wordfence.com/threat-intel/vulnerabilities/id/046f11b6-7d1a-4bd3-8250-4c5a50fab3ff?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/generate-pdf-using-contact-form-7/tags/4.0.6/inc/templates/cf7-pdf-generation.admin.html.php#L74 https://www.wordfence.com/threat-intel/vulnerabilities/id/455b9695-e140-4bdb-b626-5c1695518563?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/attachment-file-icons/tags/1.3/attachment-file-icons.php#L130 https://plugins.trac.wordpress.org/browser/attachment-file-icons/tags/1.3/attachment-file-icons.php#L337 https://www.wordfence.com/threat-intel/vulnerabilities/id/7e3fd472-c8ea-42dc-93df-872361ec97f3?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •