CVE-2024-4434 – LearnPress – WordPress LMS Plugin <= 4.2.6.5 - Unauthenticated Time-Based SQL Injection
https://notcve.org/view.php?id=CVE-2024-4434
09 May 2024 — The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'term_id' parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ... • https://inky-knuckle-2c2.notion.site/Unauthenticated-SQLI-in-Learnpress-plugin-Latest-Version-4-2-6-5-a86fe63bcc7b4c9988802688211817fd?pvs=25 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-3806 – Porto <= 7.1.0 - Unauthenticated Local File Inclusion via porto_ajax_posts
https://notcve.org/view.php?id=CVE-2024-3806
08 May 2024 — The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. ... • https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-31377 – WordPress WP Photo Album Plus plugin <= 8.7.01.001 - Unauth.
https://notcve.org/view.php?id=CVE-2024-31377
07 May 2024 — The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the import functionality and no capability check in all versions up to, and including, 8.7.01.001. • https://patchstack.com/database/vulnerability/wp-photo-album-plus/wordpress-wp-photo-album-plus-plugin-8-7-01-001-unauthenticated-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-4393 – Social Connect <= 1.2 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-4393
07 May 2024 — The Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2. ... • https://plugins.trac.wordpress.org/browser/social-connect/tags/1.2/openid/openid.php#L575 • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2024-34551 – WordPress Stockholm theme <= 9.6 - Unauthenticated Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-34551
07 May 2024 — The Stockholm theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.6. • https://patchstack.com/database/vulnerability/stockholm/wordpress-stockholm-theme-9-6-unauthenticated-local-file-inclusion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-4186 – Edwiser Bridge <= 3.0.5 - Authentication Bypass due to Missing Empty Value Check
https://notcve.org/view.php?id=CVE-2024-4186
06 May 2024 — The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5. ... The Edwiser Bridge plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5. • https://plugins.trac.wordpress.org/browser/edwiser-bridge/tags/3.0.4/includes/class-eb-user-manager.php#L1571 • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2024-3070 – Last Viewed Posts by WPBeginner <= 1.0.0 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-3070
02 May 2024 — The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input from the LastViewedPosts Cookie. ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3062246%40last-viewed-posts&new=3062246%40last-viewed-posts&sfp_email=&sfph_mail= • CWE-502: Deserialization of Untrusted Data
CVE-2024-33566 – WordPress OrderConvo plugin <= 12.4 - Unauthenticated API Access to Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-33566
25 Apr 2024 — The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on a REST API endpoint in all versions up to, and including, 12.4. • https://patchstack.com/database/vulnerability/admin-and-client-message-after-order-for-woocommerce/wordpress-orderconvo-plugin-12-4-unauthenticated-api-access-to-arbitrary-file-upload-vulnerability? • CWE-862: Missing Authorization
CVE-2024-33644 – WordPress Customify Site Library plugin <= 0.0.9 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-33644
25 Apr 2024 — The Customify Site Library plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.0.9. • https://patchstack.com/database/vulnerability/customify-sites/wordpress-customify-site-library-plugin-0-0-9-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-33544 – WordPress WZone plugin <= 14.0.10 - Unauthenticated SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-33544
25 Apr 2024 — The WZone plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 14.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/woozone/wordpress-wzone-plugin-14-0-10-unauthenticated-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')