
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.9. The Zippy plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ZippyCore.php file in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/zippy/wordpress-zippy-plugin-1-6-9-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Zippy plugin for WordPress is vulnerable to unauthorized archiving and unarchiving of pages due to a missing capability check on the adminInit function in versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to archive and unarchive pages. • CWE-862: Missing Authorization

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

Zstore v6.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php. • https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.6.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')