
CVE-2024-11600 – Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.5.9 - Authenticated (Administrator+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-11600
30 Jan 2025 — The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.9 via the 'write_config' function. ... The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.6.0 via the 'write_config' function. • https://plugins.trac.wordpress.org/browser/borderless/tags/1.5.7/includes/icon-manager/icon-manager.php#L249 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-13720 – WP Image Uploader <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-13720
29 Jan 2025 — The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gky_image_uploader_main_function() function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/wp-image-uploader/trunk/index.php#L85 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-13448 – ThemeREX Addons <= 2.32.3 - Unauthenticated Arbitrary File Upload in trx_addons_uploads_save_data
https://notcve.org/view.php?id=CVE-2024-13448
27 Jan 2025 — The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://themeforest.net/item/qwery-multipurpose-business-wordpress-theme/29678687 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-11641 – VikBooking Hotel Booking Engine & PMS <= 1.7.2 - Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-11641
25 Jan 2025 — The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. ... Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3225861/vikbooking • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-0357 – WPBookit <= 1.6.9 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-0357
24 Jan 2025 — The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://documentation.iqonic.design/wpbookit/versions/change-log • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-24650 – WordPress Tourfic plugin <= 2.15.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-24650
24 Jan 2025 — The Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.15.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/tourfic/vulnerability/wordpress-tourfic-plugin-2-15-3-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-13545 – Bootstrap Ultimate <= 1.4.9 - Unauthenticated Limited Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-13545
23 Jan 2025 — The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.9 via the path parameter. ... If php://filter is enabled on the server, this issue may directly lead to Remote Code Execution. • https://themes.trac.wordpress.org/browser/bootstrap-ultimate/1.4.9/docs/index.php#L8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-13091 – WPBot Pro Wordpress Chatbot <= 13.5.4 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-13091
21 Jan 2025 — The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9b6979-2662-4d2f-9656-b880dd80832c?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-13544 – Zarinpal Paid Downloads <= 2.3 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-13544
21 Jan 2025 — The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup). The Zarinpal Paid Download plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Administrator-leve... • https://wpscan.com/vulnerability/91884263-62a7-436e-b19f-682b1aeb37d6 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-24677 – WordPress Post/Page Copying Tool to Export and Import post/page for Cross site Migration Plugin <= 2.0.3 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-24677
20 Jan 2025 — The Post/Page Copying Tool to Export and Import post/page for Cross site Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.0.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/postpage-import-export-with-custom-fields-taxonomies/vulnerability/wordpress-post-page-copying-tool-to-export-and-import-post-page-for-cross-site-migration-plugin-2-0-3-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •