CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9461 – Total Upkeep <= 1.16.6 - Authenticated (Administrator+) Remote Code Execution via Backup Settings
https://notcve.org/view.php?id=CVE-2024-9461
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.6 via the cron_interval parameter. • https://plugins.trac.wordpress.org/browser/boldgrid-backup/tags/1.16.5/admin/class-boldgrid-backup-admin-settings.php#L748 https://www.wordfence.com/threat-intel/vulnerabilities/id/804b42a0-1cea-4f68-bd4a-d292a9f23fbe?source=cve • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2024-10542 – Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2024-10542
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. El complemento Spam protection, Anti-Spam, FireWall by CleanTalk para WordPress es vulnerable a la instalación no autorizada de complementos arbitrarios debido a una omisión de autorización mediante suplantación de DNS inversa en la función checkWithoutToken en todas las versiones hasta la 6.43.2 incluida. • https://github.com/FoKiiin/CVE-2024-10542 https://github.com/ubaii/CVE-2024-10542 https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.43.2/lib/Cleantalk/ApbctWP/RemoteCalls.php#L41 https://plugins.trac.wordpress.org/changeset/3179819/cleantalk-spam-protect#file631 https://www.wordfence.com/threat-intel/vulnerabilities/id/d7eb5fad-bb62-4f0b-ad52-b16c3e442b62?source=cve • CWE-862: Missing Authorization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10781 – Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2024-10781
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. El complemento Spam protection, Anti-Spam, FireWall by CleanTalk para WordPress es vulnerable a la instalación arbitraria de complementos debido a la falta de una comprobación de valor vacío en el valor 'api_key' en la función 'perform' en todas las versiones hasta la 6.44 incluida. • https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.44/lib/Cleantalk/ApbctWP/RemoteCalls.php#L95 https://plugins.trac.wordpress.org/browser/cleantalk-spam-protect/tags/6.44/lib/Cleantalk/ApbctWP/RemoteCalls.php#L96 https://plugins.trac.wordpress.org/changeset/3188546/cleantalk-spam-protect#file653 https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae062c-b084-4045-9407-2d94919993af?source=cve • CWE-703: Improper Check or Handling of Exceptional Conditions •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9942 – WPGYM <= 67.1.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9942
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the MJ_gmgt_user_avatar_image_upload() function in all versions up to, and including, 67.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964 https://www.wordfence.com/threat-intel/vulnerabilities/id/bae5f22d-5085-4230-a7fc-5db85aa6fbdb? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11620 – WordPress Rank Math SEO plugin <= 1.0.231 - Arbitrary .htaccess Overwrite to Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-11620
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.231. • https://patchstack.com/database/wordpress/plugin/seo-by-rank-math/vulnerability/wordpress-rank-math-seo-plugin-1-0-231-arbitrary-htaccess-overwrite-to-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •