CVE-2024-10436 – WPC Smart Messages for WooCommerce <= 4.2.1 - Authenticated (Subscriber+) Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-10436
The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 4.2.1 (the affected code is in includes/class-backend.php; see the Trac references below). This makes it possible for authenticated attackers with Subscriber-level access or higher to include and execute arbitrary files on the server, running any PHP code those files contain. This can be used to bypass access controls, obtain sensitive data, or achieve remote code execution where images or other "safe" file types can be uploaded and then included. • https://plugins.trac.wordpress.org/browser/wpc-smart-messages/tags/4.2.1/includes/class-backend.php#L418 https://plugins.trac.wordpress.org/changeset/3177426/wpc-smart-messages/trunk/includes/class-backend.php?contextall=1 https://wordpress.org/plugins/wpc-smart-messages https://www.wordfence.com/threat-intel/vulnerabilities/id/0fd87512-def0-4e59-aa2d-b166919474f3?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
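The chain this entry describes (a user-supplied name reaching an include, then PHP inside an uploaded image executing) is best cut on the include side, because upload filters cannot keep PHP text out of a valid image. As an added example that is not the plugin's code, the following C routine shows the check a practitioner would put in front of any include-style operation: resolve the user-supplied name lexically against a fixed template root, refuse anything that climbs out of it or carries a stream-wrapper prefix, and allowlist the extension so an uploaded image can never be included. The function name, the /var/www/templates root and the sample inputs are constructed for illustration; C is used as a language-neutral vehicle, and the same logic applies to the PHP include sink in the affected plugin.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_SEGS 16   /* maximum directory depth below the template root */
#define MAX_SEG  64   /* maximum length of one path segment */

/* Allowlist, not denylist: only .php templates may be included. An uploaded
   .png or .jpg that happens to contain "<?php ... ?>" must never reach include(). */
static int allowed_template_ext(const char *seg)
{
    const char *dot = strrchr(seg, '.');
    return dot != NULL && dot != seg && strcmp(dot, ".php") == 0;
}

/* Segment alphabet: letters, digits, '.', '_', '-'. Rejects ':' (so php://,
   data: and other stream wrappers), backslashes, whitespace and control bytes.
   Run this after URL decoding. */
static int safe_segment_chars(const char *seg)
{
    for (; *seg; seg++) {
        unsigned char c = (unsigned char)*seg;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hypothetical guard for an include sink. Lexically resolves `name` against
   `base`; returns 1 and writes the full path to `out` if the result stays inside
   `base` and names a .php template, 0 otherwise. No filesystem access, so it can
   run before include()/open() touches the disk. */
int resolve_template_path(const char *base, const char *name,
                          char *out, size_t outlen)
{
    char segs[MAX_SEGS][MAX_SEG];
    int depth = 0, n, i;
    const char *p;

    if (base == NULL || name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;                           /* absolute paths are never templates */

    for (p = name; *p != '\0'; p = (strchr(p, '/') ? strchr(p, '/') + 1 : p + strlen(p))) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char seg[MAX_SEG];

        if (len >= MAX_SEG)
            return 0;
        memcpy(seg, p, len);
        seg[len] = '\0';

        if (len == 0 || strcmp(seg, ".") == 0)
            continue;                       /* "" (from "//") and "." are no-ops */
        if (strcmp(seg, "..") == 0) {
            if (depth == 0)
                return 0;                   /* would climb above the template root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS || !safe_segment_chars(seg))
            return 0;
        strcpy(segs[depth++], seg);
    }

    if (depth == 0 || !allowed_template_ext(segs[depth - 1]))
        return 0;

    /* Rebuild the path from the surviving segments; fail closed on truncation. */
    n = snprintf(out, outlen, "%s", base);
    for (i = 0; i < depth && n >= 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - (size_t)n, "/%s", segs[i]);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed inputs: one legitimate template name, then the kinds of
       values an attacker sends to reach files outside the template root. */
    const char *inputs[] = { "header.php", "emails/../checkout.php",
        "../../../etc/passwd", "../uploads/avatar.png", "/etc/passwd",
        "php://input", NULL };
    char out[256];
    int i;
    for (i = 0; inputs[i] != NULL; i++)
        printf("%-26s -> %s\n", inputs[i],
               resolve_template_path("/var/www/templates", inputs[i], out, sizeof out)
                   ? out : "REJECTED");
    return 0;
}
```

A realpath()-based check (resolve, then compare the prefix) is the usual alternative, but it needs the file to exist and follows symlinks; the lexical check above runs first and rejects bad names before anything on disk is touched.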
CVE-2024-48594
https://notcve.org/view.php?id=CVE-2024-48594
A file upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code by uploading a file of a dangerous type via the file upload component. • https://github.com/Aa1b/mycve/blob/main/Readme.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-48825
https://notcve.org/view.php?id=CVE-2024-48825
The ate_ifconfig_set function in Tenda AC7 firmware v.15.03.06.44 contains a pre-authentication OS command injection that allows unauthenticated remote attackers to execute arbitrary code. • https://github.com/ixout/iotVuls/blob/main/Tenda/ac7_005/report.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-48826
https://notcve.org/view.php?id=CVE-2024-48826
The ate_iwpriv_set function in Tenda AC7 firmware v.15.03.06.44 contains a pre-authentication OS command injection that allows unauthenticated remote attackers to execute arbitrary code. • https://github.com/ixout/iotVuls/blob/main/Tenda/ac7_006/report.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-48074
https://notcve.org/view.php?id=CVE-2024-48074
An authenticated remote code execution vulnerability exists in the DrayTek Vigor2960 router, firmware version 1.4.4: an attacker can inject a shell command into the table parameter of the doPPPoE function handled by the cgi-bin/mainfunction.cgi route, and the value is ultimately passed to the system() function and executed. • https://github.com/Giles-one/Vigor2960Crack https://gist.github.com/Giles-one/6425e97dcd1ec97a722a1e20da25fad7 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
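The three CWE-78 entries above (the two Tenda AC7 setters and the Vigor2960 doPPPoE handler) share one sink: a request parameter formatted into a command line and handed to system(). As an added example that is not Tenda's or DrayTek's firmware, the following C code places that vulnerable builder beside a hardened version that validates the two parameters an ifconfig-style setter would take and then execv()s with an argv array, so no shell ever parses the values. The function names (build_ifconfig_cmd_unsafe, check_ifconfig_args, run_ifconfig_safe), the /sbin/ifconfig path and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE (the pattern the advisories describe): request parameters are
   formatted into a line that a shell will parse, so ";", "`", "$(" or "|" in
   `iface` or `ip` become additional commands. A real handler would follow this
   with system(cmd). Returns 1 if the line fit in `cmd`. */
int build_ifconfig_cmd_unsafe(const char *iface, const char *ip,
                              char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "ifconfig %s %s up", iface, ip);
    return n > 0 && (size_t)n < cmdlen;
}

/* Interface names: 1-15 bytes (IFNAMSIZ - 1) of letters, digits, '.', '_', '-'. */
int valid_iface(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 15)
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Dotted-quad IPv4 only: exactly four decimal octets of 1-3 digits, each
   0-255, nothing before, between or after them except single dots. */
int valid_ipv4(const char *s)
{
    int octets = 0;
    while (*s) {
        long v = 0;
        int digits = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (*s - '0');
            if (++digits > 3)
                return 0;
            s++;
        }
        if (digits == 0 || v > 255)
            return 0;
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0')
                return 0;               /* trailing dot */
        } else if (*s != '\0') {
            return 0;                   /* any byte other than digit or '.' */
        }
    }
    return octets == 4;
}

/* 0 if both parameters may be passed to ifconfig, -1 otherwise. */
int check_ifconfig_args(const char *iface, const char *ip)
{
    return (valid_iface(iface) && valid_ipv4(ip)) ? 0 : -1;
}

/* HARDENED: validate, then execv() with an argv array. No shell is involved,
   so even a value that slipped past validation stays one argument and can never
   become a second command. Returns the child's exit status, or -1. */
int run_ifconfig_safe(const char *iface, const char *ip)
{
    pid_t pid;
    int status = 0;

    if (check_ifconfig_args(iface, ip) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ifconfig", (char *)iface, (char *)ip, "up", NULL };
        execv("/sbin/ifconfig", argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign interface name, then two carrying injected
       commands. Only the command lines are printed; nothing is executed here. */
    const char *ifaces[] = { "eth0", "eth0;reboot", "eth0 `id`" };
    char cmd[128];
    size_t i;
    for (i = 0; i < sizeof ifaces / sizeof ifaces[0]; i++) {
        build_ifconfig_cmd_unsafe(ifaces[i], "192.168.1.1", cmd, sizeof cmd);
        printf("unsafe line: %-40s hardened: %s\n", cmd,
               check_ifconfig_args(ifaces[i], "192.168.1.1") == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The point to carry over to firmware review is the order of defences: the argv-based exec removes the shell, and the allowlist validators keep an attacker from steering ifconfig itself with crafted arguments; neither one alone is enough, and string concatenation followed by system() is never acceptable for request data.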