CVE-2024-35634 – Woocommerce – Recent Purchases plugin <= 1.0.1 - File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-35634
This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
References: https://patchstack.com/database/vulnerability/woo-recent-purchases/woocommerce-recent-purchases-plugin-1-0-1-file-inclusion-vulnerability?_s_id=cve
Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-35629 – WordPress Easy Digital Downloads – Recent Purchases plugin <= 1.0.2 - Remote File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-35629
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP Remote File Inclusion. This issue affects Easy Digital Downloads – Recent Purchases: from n/a through 1.0.2. ... The Easy Digital Downloads – Recent Purchases plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to include and execute arbitrary files hosted on external servers, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.
References: https://patchstack.com/database/vulnerability/edd-recent-purchases/wordpress-easy-digital-downloads-recent-purchases-plugin-1-0-2-remote-file-inclusion-vulnerability?
Weaknesses: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'); CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CVE-2024-35374
https://notcve.org/view.php?id=CVE-2024-35374
Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, allowing remote attackers to execute arbitrary commands and potentially command injection, leading to remote code execution (RCE) under certain conditions.
References: https://chocapikk.com/posts/2024/mocodo-vulnerabilities ; https://github.com/laowantong/mocodo/blob/11ca879060a68e06844058cd969c6379214cc2a8/web/generate.php#L104-L158
Weaknesses: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-35373
https://notcve.org/view.php?id=CVE-2024-35373
Mocodo Mocodo Online 4.2.6 and below is vulnerable to Remote Code Execution via /web/rewrite.php.
References: https://chocapikk.com/posts/2024/mocodo-vulnerabilities ; https://github.com/laowantong/mocodo/blob/11ca879060a68e06844058cd969c6379214cc2a8/web/rewrite.php#L45
Weaknesses: CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CVE-2024-28736 – Debezium UI 2.5 Credential Disclosure
https://notcve.org/view.php?id=CVE-2024-28736
An issue in Debezium Community debezium-ui v.2.5 allows a local attacker to execute arbitrary code via the refresh page function.
References: https://packetstormsecurity.com/files/178794/Debezium-UI-2.5-Credential-Disclosure.html
Weaknesses: CWE-256: Plaintext Storage of a Password