CVSS: 6.5EPSS: %CPEs: 1EXPL: 0CVE-2024-13557 – Shortcodes by United Themes <= 5.1.6 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-13557
28 Mar 2025 — The Shortcodes by United Themes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.3EPSS: %CPEs: 1EXPL: 0CVE-2025-2803 – So-Called Air Quotes <= 0.1 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2025-2803
28 Mar 2025 — The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: %CPEs: 1EXPL: 0CVE-2025-2006 – Inline Image Upload for BBPress <= 1.1.19 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2006
28 Mar 2025 — The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: %CPEs: 1EXPL: 0CVE-2025-2249 – SoJ Soundslides <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-2249
28 Mar 2025 — The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: -EPSS: %CPEs: -EXPL: 0CVE-2024-24292
https://notcve.org/view.php?id=CVE-2024-24292
28 Mar 2025 — A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function in the aim.js component. • https://gist.github.com/tariqhawis/a8b2c936622c885558173c37df0a77d9 •
CVSS: -EPSS: %CPEs: -EXPL: 0CVE-2024-38985
https://notcve.org/view.php?id=CVE-2024-38985
28 Mar 2025 — This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. • https://gist.github.com/mestrtee/32c0a48023036e51918f6a098f21953d •
CVSS: -EPSS: %CPEs: -EXPL: 0CVE-2024-38988
https://notcve.org/view.php?id=CVE-2024-38988
28 Mar 2025 — This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. • https://gist.github.com/mestrtee/4c5dfb66bea377889c44dd6c8af28713 •
CVSS: -EPSS: %CPEs: -EXPL: 0CVE-2024-56975
https://notcve.org/view.php?id=CVE-2024-56975
28 Mar 2025 — InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller. • https://github.com/InvoicePlane/InvoicePlane/pull/1127 •
CVSS: -EPSS: %CPEs: -EXPL: 1CVE-2025-22953
https://notcve.org/view.php?id=CVE-2025-22953
28 Mar 2025 — A SQL injection vulnerability exists in the Epicor HCM 2021 1.9, specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this vulnerability by injecting malicious SQL payloads into the filter parameter, enabling the unauthorized execution of arbitrary SQL commands on the backend database. If certain features (like xp_cmdshell) are enabled, this may lead to remote code execution. • https://tinted-hollyhock-92d.notion.site/EPICOR-HCM-Unauthenticated-Blind-SQL-Injection-CVE-2025-22953-170f1fdee211803988d1c9255a8cb904? •
CVSS: -EPSS: %CPEs: -EXPL: 0CVE-2025-28254
https://notcve.org/view.php?id=CVE-2025-28254
28 Mar 2025 — Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions(). • https://github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php#L128 •