Page 31 of 774 results (0.075 seconds)

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento Wechat Social login para WordPress es vulnerable a la carga de archivos arbitrarios debido a una validación insuficiente del tipo de archivo en la función 'convert_remoteimage_to_local' en versiones hasta la 1.3.0 incluida. • https://plugins.trac.wordpress.org/browser/wechat-social-login/trunk/includes/social/class-xh-social-wp-api.php?rev=2111074#L39 https://www.wordfence.com/threat-intel/vulnerabilities/id/06881386-3c92-426b-948d-58e8a8bee624?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. ... The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. • source=cve https://github.com/EQSTLab/CVE-2024-5932 https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932 https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3161-unauthenticated-php-object-injection • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.13.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/bit-form/wordpress-bit-form-plugin-2-13-10-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/801d6cde-f9c6-4e68-8bfc-ff8c0593372d?source=cve https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/class_fma_connector.php?rev=3004748 https://plugins.trac.wordpress.org/changeset/3157713 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

The Vmax Project Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. • https://patchstack.com/database/vulnerability/vmax-project-manager/wordpress-vmax-project-manager-plugin-1-0-local-file-inclusion-to-rce-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •