CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50495 – WordPress Plugin Propagator plugin <= 0.1 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-50495
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/wp-propagator/wordpress-plugin-propagator-plugin-0-1-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50496 – WordPress AR For WordPress plugin <= 6.2 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-50496
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/ar-for-wordpress/wordpress-ar-for-wordpress-plugin-6-2-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47883 – Butterfly has path/URL confusion in resource handling leading to multiple weaknesses
https://notcve.org/view.php?id=CVE-2024-47883
However, prior to version 1.2.6, if a `file:/` URL is directly given where a relative path (resource name) is expected, this is also accepted in some code paths; the app then fetches the file, from a remote machine if indicated, and uses it as if it was a trusted part of the app's codebase. ... If an app is written in such a way that an attacker can influence the resource name used for a template, that attacker could cause the app to fetch and execute an attacker-controlled template (remote code execution). • https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-3p8v-w8mr-m3x8 • CWE-36: Absolute Path Traversal CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47881 – OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
https://notcve.org/view.php?id=CVE-2024-47881
Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. • https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056 https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50442 – WordPress Royal Elementor Addons and Templates plugin <= 1.3.980 - XML External Entity (XXE) vulnerability
https://notcve.org/view.php?id=CVE-2024-50442
This makes it possible for authenticated attackers, with author-level access and above, to inject external entities and perform other attacks like SSRF and remote code execution in the proper configuration. • https://patchstack.com/database/vulnerability/royal-elementor-addons/wordpress-royal-elementor-addons-and-templates-plugin-1-3-980-xml-external-entity-xxe-vulnerability?_s_id=cve • CWE-611: Improper Restriction of XML External Entity Reference •