CVE-2024-9772 – Uix Shortcodes – Compatible with Gutenberg <= 1.9.9 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-9772
The The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/uix-shortcodes/trunk/shortcodes/templates/default/frontpage-init.php#L9 https://wordpress.org/plugins/uix-shortcodes/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/3000758d-68e0-46a6-aef0-e2407a828168?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-49380 – Plenti arbitrary file write vulnerability
https://notcve.org/view.php?id=CVE-2024-49380
Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. • https://securitylab.github.com/advisories/GHSL-2024-297_GHSL-2024-298_plenti https://github.com/plentico/plenti/blob/01825e0dcd3505fac57adc2edf29f772d585c008/cmd/serve.go#L205 https://github.com/plentico/plenti/releases/tag/v0.7.2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-49378 – smartUp Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2024-49378
The vulnerability allows another extension to execute arbitrary code in the context of the user’s tab. • https://github.com/zimocode/smartup/blob/2144ec161697751b1a6702f1af866726ea689e4e/js/background.js#L3800 https://securitylab.github.com/advisories/GHSL-2024-011_smartup • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-37845
https://notcve.org/view.php?id=CVE-2024-37845
MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature. • https://github.com/herombey/Disclosures/blob/main/CVE-2024-37845%20RCE.pdf https://github.com/herombey/Disclosures/tree/main • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-50480 – WordPress Marketing Automation by AZEXO plugin <= 1.27.80 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-50480
The Marketing Automation by AZEXO plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.27.80. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/marketing-automation-by-azexo/wordpress-marketing-automation-by-azexo-plugin-1-27-80-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •