CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3022 – BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin <= 1.0.87 - Authenticated (Admin+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-3022
This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files on the affected site's server, enabling remote code execution. • https://plugins.trac.wordpress.org/changeset/3061435/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress_fileupload_class.php https://r0ot.notion.site/BookingPress-1-0-84-Authenticated-Administrator-Arbitrary-File-Upload-lead-to-RCE-e2603371c0c14d828144e26f2fdc1d01?pvs=4 https://www.wordfence.com/threat-intel/vulnerabilities/id/049ec264-3ed1-4741-937d-8a633ef0a627? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.7EPSS: 0%CPEs: -EXPL: 1CVE-2024-28589
https://notcve.org/view.php?id=CVE-2024-28589
An issue was discovered in Axigen Mail Server for Windows versions 10.5.18 and before, allows local low-privileged attackers to execute arbitrary code and escalate privileges via insecure DLL loading from a world-writable directory during service initialization. • https://github.com/Alaatk/CVE-2024-28589 https://www.axigen.com/knowledgebase/Local-Privilege-Escalation-Vulnerability-on-Axigen-for-Windows-CVE-2024-28589-_402.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 0%CPEs: -EXPL: 0CVE-2024-31008
https://notcve.org/view.php?id=CVE-2024-31008
An issue was discovered in WUZHICMS version 4.1.0, allows an attacker to execute arbitrary code and obtain sensitive information via the index.php file. • https://github.com/majic-banana/vulnerability/blob/main/POC/WUZHICMS4.1.0-Captcha%20bypass%20%28logic%20vulnerability%29.md • CWE-290: Authentication Bypass by Spoofing •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-31013
https://notcve.org/view.php?id=CVE-2024-31013
Cross Site Scripting (XSS) vulnerability in emlog version Pro 2.3, allow remote attackers to execute arbitrary code via a crafted payload to the bottom of the homepage in footer_info parameter. • https://github.com/emlog/emlog/issues/291 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31232 – WordPress Rehub theme <= 19.6.1 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-31232
This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/rehub-theme/wordpress-rehub-theme-19-6-1-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •