
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 2

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function, which accepts user-supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers with administrative capabilities to execute code on the server. • https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3383%20%26%26%20CVE-2022-3384.md https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail= https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3383 https://www.yuque.com/docs/share/8796eef9-ac4c-4339-96b4-6c21313ecf3e • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

Arbitrary Code Execution vulnerability in Api2Cart Bridge Connector plugin <= 1.1.0 on WordPress. • https://patchstack.com/database/vulnerability/api2cart-bridge-connector/wordpress-api2cart-bridge-connector-plugin-1-1-0-arbitrary-code-execution-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 2

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function, which accepts user-supplied input and passes it through call_user_func(). This is restricted to PHP functions that take no parameters, such as phpinfo(), since user-supplied parameters are not passed to the callback. This makes it possible for authenticated attackers with administrative privileges to execute code on the server. • https://github.com/H4de5-7/vulnerabilities/blob/main/CVE-2022-3383%20%26%26%20CVE-2022-3384.md https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2805393%40ultimate-member&new=2805393%40ultimate-member&sfp_email=&sfph_mail= https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3384 https://www.yuque.com/docs/share/8796eef9-ac4c-4339-96b4-6c21313ecf3e • CWE-94: Improper Control of Generation of Code ('Code Injection') •
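The two Ultimate Member entries above describe the same CWE-94 shape: a callback name taken from request data reaches call_user_func(), with or without an attacker-controlled argument. The following is an added PHP illustration of that pattern beside an allowlist-based fix; it is hypothetical code written for this page, not the plugin's own code, and every function and option name in it is an assumption.

```php
<?php
// Added illustration, not Ultimate Member code. Function names are assumptions.
declare(strict_types=1);

// Vulnerable shape: the submitted string becomes the callable.
// With an argument (first advisory) attacker data is also the parameter;
// without one (second advisory) only zero-argument functions such as
// phpinfo() are reachable. is_callable() is NOT a fix: 'system' is callable.
function option_value_vulnerable(string $callback, ?string $arg = null)
{
    if ($arg === null) {
        return call_user_func($callback);        // e.g. "phpinfo"
    }
    return call_user_func($callback, $arg);      // e.g. "system" with "id"
}

// Hardened shape: the request supplies only a key into a fixed map of
// callables we own. The user never names a PHP function.
const OPTION_CALLBACKS = [
    'site_roles' => 'list_site_roles',
    'countries'  => 'list_countries',
];

function list_site_roles(): array { return ['subscriber', 'editor', 'administrator']; }
function list_countries(): array  { return ['DE', 'ES', 'US']; }

function option_value_hardened(string $callbackKey): array
{
    if (!array_key_exists($callbackKey, OPTION_CALLBACKS)) {
        throw new InvalidArgumentException("unknown option callback: $callbackKey");
    }
    // The resolved value is a constant under our control, so call_user_func is safe here.
    return call_user_func(OPTION_CALLBACKS[$callbackKey]);
}

// Demonstration with constructed input.
var_dump(option_value_hardened('countries'));      // ['DE', 'ES', 'US']
try {
    option_value_hardened('phpinfo');              // rejected: not a key
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// By contrast, option_value_vulnerable('phpinfo') dumps the PHP configuration
// and option_value_vulnerable('system', 'id') runs a shell command.
```

When reviewing a plugin for this bug class, grep for call_user_func, call_user_func_array and variable-function calls (`$fn()`) and trace each callable back to its source; an admin-only reach does not downgrade the finding, since WordPress administrators are not normally expected to be able to execute arbitrary PHP on the host.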

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

Pimcore is an open source data and experience management platform. Prior to version 10.5.9, the rendering of user-controlled Twig templates in `Pimcore/Mail` and `ClassDefinition\Layout\Text` is vulnerable to server-side template injection (SSTI), which could lead to remote code execution. Version 10.5.9 contains a patch for this issue; as a workaround, the patch may be applied manually. • https://github.com/pimcore/pimcore/commit/43aa34e018f5cd447bceb864358285ba92f68372 https://github.com/pimcore/pimcore/pull/13347 https://github.com/pimcore/pimcore/pull/13347.patch https://github.com/pimcore/pimcore/security/advisories/GHSA-5qxq-vgmm-q39m • CWE-94: Improper Control of Generation of Code ('Code Injection') •
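The Pimcore entry above turns on one distinction: whether user text is rendered as a Twig template or passed to a fixed template as data. The following is an added PHP illustration of that distinction using the Twig library's public API; it is not Pimcore's code and does not reproduce its patch. It assumes twig/twig is installed via Composer (vendor/autoload.php) and uses a constructed, benign probe string rather than any exploit payload.

```php
<?php
// Added illustration, not Pimcore code. Assumes `composer require twig/twig`.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed "user input": a harmless probe. If the output contains 49,
// the string was evaluated as template code rather than treated as data.
$userInput = 'Hello {{ 7 * 7 }}';

$twig = new Environment(new ArrayLoader([]));

// Vulnerable shape: the user string *is* the template source, so every
// Twig expression in it is evaluated with the full environment available.
function render_vulnerable(Environment $twig, string $userInput): string
{
    return $twig->createTemplate($userInput)->render();
}

// Fix: the template is fixed; user text enters only as a variable and is
// printed (autoescaped), never parsed.
function render_fixed(Environment $twig, string $userInput): string
{
    return $twig->createTemplate('Subject: {{ subject }}')
                ->render(['subject' => $userInput]);
}

// Defence in depth when templates genuinely must be user-authored: compile
// them under Twig's sandbox with an explicit policy. Expressions still run,
// but any tag, filter, function, method or property outside the allowlist
// raises a SecurityError at compile time.
function render_sandboxed(string $userInput): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],          // allowed tags
        ['escape', 'upper'],    // allowed filters ('escape' is needed for autoescape)
        [],                     // allowed methods, per class
        [],                     // allowed properties, per class
        []                      // allowed functions: none
    );
    $env = new Environment(new ArrayLoader([]));
    $env->addExtension(new SandboxExtension($policy, true)); // sandbox every template
    return $env->createTemplate($userInput)->render();
}

echo render_vulnerable($twig, $userInput), PHP_EOL;   // Hello 49  (evaluated)
echo render_fixed($twig, $userInput), PHP_EOL;        // Subject: Hello {{ 7 * 7 }}
try {
    // constant() is a built-in Twig function; the policy above does not allow it.
    echo render_sandboxed('{{ "ok"|upper }} {{ constant("PHP_VERSION") }}'), PHP_EOL;
} catch (SecurityError $e) {
    echo 'sandbox blocked: ', $e->getMessage(), PHP_EOL;
}
```

The `{{ 7 * 7 }}` probe is the standard first check for SSTI in any template engine: arithmetic evaluated in the output proves the input reached the parser. The sandbox is a mitigation, not a substitute for the fix; the policy must be kept minimal and reviewed whenever extensions are added, since each new function or method exposed to templates widens what a user-authored template can reach.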

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

A Remote Code Injection vulnerability exists in CERT software (the CERT/CC VINCE project, per the referenced repository) prior to version 1.50.5. • https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity • CWE-502: Deserialization of Untrusted Data •