CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12035 – CS Framework <= 7.0 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-12035
06 Mar 2025 — The CS Framework plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cs_widget_file_delete() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12036 – CS Framework <= 7.1 - Authenticated (Subscriber+) Arbitrary File Read
https://notcve.org/view.php?id=CVE-2024-12036
06 Mar 2025 — The CS Framework plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.9 via the get_widget_settings_json() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. • https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 • CWE-73: External Control of File Name or Path •