CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52447 – WordPress Contact Page With Google Map plugin <= 1.6.1 - Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-52447
The Contact Page With Google Map plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.6.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/contact-page-with-google-map/wordpress-contact-page-with-google-map-plugin-1-6-1-arbitrary-file-deletion-vulnerability? • CWE-35: Path Traversal: '.../...//' CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0CVE-2024-52416 – WordPress Debug Tool plugin <= 2.2 - Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-52416
Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Upload a Web Shell to a Web Server.This issue affects Debug Tool: from n/a through 2.2. • https://patchstack.com/database/vulnerability/debug-tool/wordpress-debug-tool-plugin-2-2-remote-code-execution-vulnerability? • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9849 – 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin <= 4.6 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9849
The 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function in all versions up to, and including, 4.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/real3d-flipbook-lite/tags/4.6/includes/plugin-admin.php#L77 https://www.wordfence.com/threat-intel/vulnerabilities/id/1f99b366-1a94-41ed-813a-bb13893604d0?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10728 – PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10728
The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the 'install_required_plugin_callback' function in all versions up to, and including, 4.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. • https://github.com/RandomRobbieBF/CVE-2024-10728 https://plugins.trac.wordpress.org/browser/ultimate-post/tags/4.1.16/classes/Importer.php#L94 https://plugins.trac.wordpress.org/browser/ultimate-post/tags/4.1.16/classes/Initialization.php#L330 https://plugins.trac.wordpress.org/changeset/3188636/ultimate-post/trunk/classes/Importer.php https://wordpress.org/plugins/ultimate-post https://www.wordfence.com/threat-intel/vulnerabilities/id/076f36fb-c2fb-43e0-a027-1351d3995489? • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52427 – WordPress Event Tickets with Ticket Scanner plugin <= 2.3.11 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-52427
The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.3.11. • https://patchstack.com/database/vulnerability/event-tickets-with-ticket-scanner/wordpress-event-tickets-with-ticket-scanner-plugin-2-3-11-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •