CVE-2024-9108 – Wechat Social login <= 1.3.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9108
The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento Wechat Social login para WordPress es vulnerable a la carga de archivos arbitrarios debido a una validación insuficiente del tipo de archivo en la función 'convert_remoteimage_to_local' en versiones hasta la 1.3.0 incluida. • https://plugins.trac.wordpress.org/browser/wechat-social-login/trunk/includes/social/class-xh-social-wp-api.php?rev=2111074#L39 https://www.wordfence.com/threat-intel/vulnerabilities/id/06881386-3c92-426b-948d-58e8a8bee624?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-8353 – GiveWP – Donation Plugin and Fundraising Platform <= 3.16.1 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-8353
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. ... The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. • source=cve https://github.com/EQSTLab/CVE-2024-5932 https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932 https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/give/givewp-donation-plugin-and-fundraising-platform-3161-unauthenticated-php-object-injection • CWE-502: Deserialization of Untrusted Data •
CVE-2024-47319 – WordPress Bit Form plugin <= 2.13.10 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-47319
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.13.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/bit-form/wordpress-bit-form-plugin-2-13-10-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-8126 – Advanced File Manager <= 5.2.8 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8126
The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/801d6cde-f9c6-4e68-8bfc-ff8c0593372d?source=cve https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/class_fma_connector.php?rev=3004748 https://plugins.trac.wordpress.org/changeset/3157713 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-44014 – WordPress Vmax Project Manager plugin <= 1.0 - Local File Inclusion to RCE vulnerability
https://notcve.org/view.php?id=CVE-2024-44014
The Vmax Project Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. • https://patchstack.com/database/vulnerability/vmax-project-manager/wordpress-vmax-project-manager-plugin-1-0-local-file-inclusion-to-rce-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •