CVE-2024-50660
https://notcve.org/view.php?id=CVE-2024-50660
07 Jan 2025 — A file upload bypass in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the file upload functionality. • http://adportal.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2025-22504 – WordPress 4ECPS Web Forms Plugin <= 0.2.18 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-22504
07 Jan 2025 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/4ecps-webforms/vulnerability/wordpress-4ecps-web-forms-plugin-0-2-18-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-55555
https://notcve.org/view.php?id=CVE-2024-55555
07 Jan 2025 — Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. ... (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) • https://www.synacktiv.com/advisories/invoiceninja-unauthenticated-remote-command-execution-when-appkey-known • CWE-502: Deserialization of Untrusted Data •
CVE-2024-11613 – WordPress File Upload <= 4.24.15 - Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-11613
07 Jan 2025 — The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. ... This makes it possible for unauthenticated attackers to execute code on the server. • https://github.com/Sachinart/CVE-2024-11613-wp-file-upload • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-11270 – WordPress Webinar Plugin – WebinarPress <= 1.33.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation
https://notcve.org/view.php?id=CVE-2024-11270
07 Jan 2025 — This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files that can lead to remote code execution. • https://plugins.trac.wordpress.org/changeset/3216237/wp-webinarsystem/trunk/includes/class-webinarsysteem-ajax.php • CWE-862: Missing Authorization •
CVE-2024-55556
https://notcve.org/view.php?id=CVE-2024-55556
07 Jan 2025 — A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through the encrypted session data. ... By altering this data and re-encrypting it with the APP_KEY, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution (RCE). The vulnerabi... • https://www.synacktiv.com/advisories/crater-invoice-unauthenticated-remote-command-execution-when-appkey-known • CWE-502: Deserialization of Untrusted Data •
CVE-2022-41573
https://notcve.org/view.php?id=CVE-2022-41573
07 Jan 2025 — A user can upload a .png file containing PHP code and then rename it to have the .php extension. It will then be accessible at an images/common/ URI for remote code execution. • https://bitbucket.org/cantico/ovidentia/branches • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-11816 – The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-11816
07 Jan 2025 — The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. ... This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server providing an admin has created at least one code snippet. • https://plugins.trac.wordpress.org/browser/wpextended/trunk/includes/modules/core_extensions/wpext_snippets/wpext_snippets.php#L705 • CWE-862: Missing Authorization •
CVE-2024-46981 – Redis' Lua library commands may lead to remote code execution
https://notcve.org/view.php?id=CVE-2024-46981
06 Jan 2025 — An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. ... This flaw allows an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, potentially leading to remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Redis Stack. ... An attacker can lev... • https://github.com/redis/redis/releases/tag/6.2.17 • CWE-416: Use After Free •
CVE-2024-12252 – SEO LAT Auto Post <= 2.2.1 - Missing Authorization to File Overwrite/Upload (Remote Code Execution)
https://notcve.org/view.php?id=CVE-2024-12252
06 Jan 2025 — This makes it possible for unauthenticated attackers to overwrite the seo-beginner-auto-post.php file which can be leveraged to achieve remote code execution. • https://github.com/RandomRobbieBF/CVE-2024-12252 • CWE-94: Improper Control of Generation of Code ('Code Injection') •