CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7772 – Jupiter X Core <= 4.6.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7772
23 Aug 2024 — The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file uploads due to a mishandled file type validation in the 'validate' function in all versions up to, and including, 4.6.5. • https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-43918 – WordPress WBW Product Table PRO plugin <= 1.9.4 - Unauthenticated Arbitrary SQL Query Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-43918
22 Aug 2024 — The WBW Product Table Pro plugin for WordPress is vulnerable to unauthorized arbitrary SQL Execution due to a missing capability check on a function in all versions up to, and including, 1.9.4. • https://patchstack.com/database/vulnerability/woo-producttables-pro/wordpress-wbw-product-table-pro-plugin-1-9-4-unauthenticated-arbitrary-sql-query-execution-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 9%CPEs: 1EXPL: 1CVE-2024-43917 – WordPress TI WooCommerce Wishlist plugin <= 2.8.2 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-43917
22 Aug 2024 — The TI WooCommerce Wishlist plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/ti-woocommerce-wishlist/wordpress-ti-woocommerce-wishlist-plugin-2-8-2-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7854 – Woo Inquiry <= 0.1 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-7854
20 Aug 2024 — The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 0.1 due to insufficient escaping on the user supplied parameter 'dbid' and lack of sufficient preparation on the existing SQL query. • https://github.com/RandomRobbieBF/CVE-2024-7854 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37099 – WordPress GiveWP plugin <= 3.14.1 - Unauthenticated PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-37099
19 Aug 2024 — Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1. • https://patchstack.com/database/vulnerability/give/wordpress-givewp-plugin-3-14-1-unauthenticated-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 6%CPEs: 1EXPL: 4CVE-2024-5932 – GiveWP – Donation Plugin and Fundraising Platform <= 3.14.1 - Unauthenticated PHP Object Injection to Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-5932
19 Aug 2024 — The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. ... The GiveWP Donation plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP object injection (POI) flaw granting an unauthenticated attacker arbitrary code execution. • https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-6500 – InPost for WooCommerce <= 1.4.0 and InPost PL <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary File Read and Delete
https://notcve.org/view.php?id=CVE-2024-6500
16 Aug 2024 — The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). ... On Linux servers, only files within the WordPress install will be deleted, but all files can be read. • https://www.wordfence.com/threat-intel/vulnerabilities/id/7b57e750-71ec-4c52-999b-6c14a78c3bff?source=cve • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43287 – WordPress Brevo plugin <= 3.1.82 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-43287
16 Aug 2024 — The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.82. • https://patchstack.com/database/vulnerability/mailin/wordpress-brevo-plugin-3-1-82-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43323 – WordPress ReviewX plugin <= 1.6.28 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43323
16 Aug 2024 — The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to invalid rating in all versions up to, and including, 1.6.28. • https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-28-broken-access-control-vulnerability? • CWE-20: Improper Input Validation CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43325 – WordPress Dark Mode for WP Dashboard plugin <= 1.2.3 - Cross Site Request Forgery vulnerability
https://notcve.org/view.php?id=CVE-2024-43325
16 Aug 2024 — The Dark Mode for WP Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. • https://patchstack.com/database/vulnerability/dark-mode-for-wp-dashboard/wordpress-dark-mode-for-wp-dashboard-plugin-1-2-3-cross-site-request-forgery-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •