
CVSS: 10.0 • EPSS: 87% • CPEs: 1 • EXPL: 5

15 Nov 2024 — The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://packetstorm.news/files/id/183146 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

21 Dec 2021 — The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. • https://plugins.trac.wordpress.org/changeset/2641264 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')