CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10625 – WooCommerce Support Ticket System <= 17.7 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-10625
This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://codecanyon.net/item/woocommerce-support-ticket-system/17930050 https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf1cecd-c630-498d-9aa0-3d0adeb73033?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10627 – WooCommerce Support Ticket System <= 17.7 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-10627
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/woocommerce-support-ticket-system/17930050 https://www.wordfence.com/threat-intel/vulnerabilities/id/1ac218f6-0bfa-480c-9159-d75a027022ba?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10673 – Top Store <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10673
This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution. • https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=247826%40top-store&new=247826%40top-store&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/80510ade-cb58-45b3-89f2-2cbbc5640cae?source=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10674 – Th Shop Mania <= 1.4.9 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10674
This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins which can be leveraged to exploit other vulnerabilities and achieve remote code execution and privilege escalation. • https://themes.svn.wordpress.org/th-shop-mania/1.4.9/lib/notification/notify.php https://themes.trac.wordpress.org/browser/th-shop-mania/1.4.9/lib/notification/notify.php https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=247810%40th-shop-mania&new=247810%40th-shop-mania&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/b7832d37-19a9-491b-879e-4a22f2ba46ec?source=cve • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10801 – WordPress User Extra Fields <= 16.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-10801
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/user-extra-fields/12949844 https://www.wordfence.com/threat-intel/vulnerabilities/id/6a60e2c3-4597-4b21-ad20-6a00e483fcf1?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •