CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13846 – Indeed Ultimate Learning Pro <= 3.9 - Authenticated (Administrator+) SQL Injection via post_id Parameter
https://notcve.org/view.php?id=CVE-2024-13846
20 Feb 2025 — The Indeed Ultimate Learning Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ‘post_id’ parameter in all versions up to, and including, 3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the databas... • https://codecanyon.net/item/ultimate-learning-pro-wordpress-plugin/21772657 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 40%CPEs: 1EXPL: 2CVE-2024-9290 – Super Backup & Clone - Migrate for WordPress <= 2.3.3 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9290
12 Dec 2024 — The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/RandomRobbieBF/CVE-2024-9290 • CWE-434: Unrestricted Upload of File with Dangerous Type •