Skip to main content
CVE-2023-6933 HIGH POC PATCH THREAT Act Now

PHP Object Injection in the Better Search Replace WordPress plugin (versions up to and including 1.4.4) allows remote unauthenticated attackers to inject arbitrary PHP objects through deserialization of untrusted input. While the plugin itself contains no POP chain, the presence of any additional plugin or theme on the same WordPress instance that introduces a usable POP gadget can escalate the bug to arbitrary file deletion, sensitive data disclosure, or remote code execution. Publicly available exploit code exists and the EPSS score of 93.40% (100th percentile) signals very high real-world exploitation probability.

PHP Deserialization WordPress Information Disclosure Better Search Replace
NVD VulDB
CVSS 3.1
8.8
EPSS
93.4%
Threat
6.1
CVE-2024-1208 MEDIUM POC THREAT This Month

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 86.5%.

Information Disclosure WordPress Learndash
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
86.5%
Threat
5.2
CVE-2023-6989 CRITICAL POC PATCH THREAT Act Now

The Shield Security - Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 61.9%.

LFI WordPress Information Disclosure PHP Shield Security
NVD VulDB
CVSS 3.1
9.8
EPSS
61.9%
Threat
5.3
CVE-2024-1209 MEDIUM POC THREAT This Month

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 47.1%.

Information Disclosure WordPress Learndash
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
47.1%
Threat
4.0
CVE-2024-0324 HIGH PATCH Act Now

The User Profile Builder - Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 37.3%.

WordPress Authentication Bypass Profile Builder
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
37.3%
CVE-2023-6846 HIGH POC THREAT Act Now

Remote code execution in the WordPress File Manager Pro plugin (versions up to and including 8.3.4) allows authenticated attackers with subscriber-level access to upload arbitrary files via the mk_check_filemanager_php_syntax AJAX endpoint, leading to full server compromise. Publicly available exploit code exists, and the high EPSS score of 13.31% (94th percentile) indicates significant real-world exploitation likelihood. The flaw is patched in version 8.3.5, which introduces a missing capability check.

Code Injection RCE WordPress File Upload File Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
13.3%
CVE-2023-6700 HIGH PATCH Act Now

The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 29.2%.

Authentication Bypass WordPress Wp Gdpr Compliance
NVD VulDB
CVSS 3.1
8.8
EPSS
29.2%
CVE-2024-23054 CRITICAL POC Act Now

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Docker Plone Docker Official Image
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.7%
CVE-2024-23049 CRITICAL POC Act Now

An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Symphony
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-24543 CRITICAL POC Act Now

Buffer Overflow vulnerability in the function setSchedWifi in Tenda AC9 v.3.0, firmware version v.15.03.06.42_multi allows a remote attacker to cause a denial of service or run arbitrary code via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Tenda Denial Of Service +1
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-23108 CRITICAL POC THREAT Act Now

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Command Injection Fortisiem
NVD GitHub
CVSS 3.1
9.8
EPSS
78.4%
CVE-2024-1210 MEDIUM POC THREAT This Month

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 21.0%.

Information Disclosure WordPress Learndash
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
21.0%
CVE-2024-0964 CRITICAL POC PATCH Act Now

A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Gradio
NVD GitHub
CVSS 3.1
9.4
EPSS
1.0%
CVE-2024-0509 MEDIUM PATCH This Month

The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘request’ parameter in all versions up to, and including, 1.0.3 due to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.7%.

XSS WordPress Wp 404 Auto Redirect To Similar Post
NVD VulDB
CVSS 3.1
6.1
EPSS
33.7%
CVE-2024-22567 HIGH POC THREAT This Week

File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Mcms
NVD GitHub
CVSS 3.1
8.8
EPSS
17.8%
CVE-2024-24469 HIGH POC This Week

Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the delete_post .php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP CSRF Flusity
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-24468 HIGH POC This Week

Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_customblock.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP CSRF Flusity
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-22667 HIGH POC PATCH This Week

Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Memory Corruption Vim Fedora
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2024-24267 HIGH POC PATCH This Week

gpac v2.2.1 (fixed in v2.4.0) was discovered to contain a memory leak via the gfio_blob variable in the gf_fileio_from_blob function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2024-24266 HIGH POC This Week

gpac v2.2.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the dasher_configure_pid function at /src/filters/dasher.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-24265 HIGH POC This Week

gpac v2.2.1 was discovered to contain a memory leak via the dst_props variable in the gf_filter_pid_merge_properties_internal function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-24263 HIGH POC This Week

Lotos WebServer v0.1.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the response_append_status_line function at /lotos/src/response.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Lotos Webserver
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-24262 HIGH POC This Week

media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_uac_stop_timer function at /uac/sip-uac-transaction.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Media Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-24260 HIGH POC This Week

media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_subscribe_remove function at /uac/sip-uac-subscribe.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Media Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-24259 HIGH POC This Week

freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mupdf
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-24258 HIGH POC This Week

freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mupdf
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-24762 HIGH POC PATCH This Week

`python-multipart` is a streaming multipart parser for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Python Multipart
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-22208 MEDIUM POC PATCH This Month

phpMyFAQ is an Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass PHP PostgreSQL Phpmyfaq
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-22202 MEDIUM POC PATCH This Month

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass PHP PostgreSQL Phpmyfaq
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-6884 MEDIUM POC PATCH This Month

This plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Plugin For Google Reviews
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-24396 MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS RCE Dashboard Js
NVD VulDB
CVSS 3.1
6.1
EPSS
1.1%
CVE-2024-24574 MEDIUM POC PATCH This Month

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS PostgreSQL Phpmyfaq
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2024-0953 MEDIUM POC This Month

When a user scans a QR Code with the QR Code Scanner feature, the user is not prompted before being navigated to the page specified in the code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apple Open Redirect Mozilla Firefox
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-0323 CRITICAL Act Now

The FTP server used on the B&R Automation Runtime supports unsecure encryption mechanisms, such as SSLv3, TLSv1.0 and TLS1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Automation Runtime
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-23109 CRITICAL Act Now

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Command Injection Fortisiem
NVD
CVSS 3.1
9.8
EPSS
3.2%
CVE-2024-1225 CRITICAL Act Now

A vulnerability classified as critical was found in QiboSoft QiboCMS X1 up to 1.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP Qibocms X1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-20011 CRITICAL Act Now

In alac decoder, there is a possible information disclosure due to an incorrect bounds check. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure RCE Android
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-24397 MEDIUM POC PATCH This Month

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the ReportName field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS RCE Dashboards Js
NVD VulDB
CVSS 3.1
5.4
EPSS
1.0%
CVE-2024-0221 CRITICAL PATCH Act Now

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.19 via the rename_item function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

WordPress PHP Path Traversal Photo Gallery
NVD VulDB
CVSS 3.1
9.1
EPSS
1.2%
CVE-2024-24559 MEDIUM POC PATCH This Month

Vyper is a Pythonic Smart Contract Language for the EVM. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Vyper
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2023-6996 HIGH PATCH This Week

The Display custom fields in the frontend - Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

WordPress RCE Code Injection Display Custom Fields In The Frontend Post And User Profile Fields
NVD VulDB
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-0869 HIGH PATCH This Week

The Instant Images - One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Instant Images One Click Unsplash Uploads
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-20009 HIGH This Week

In alac decoder, there is a possible out of bounds write due to an incorrect error handling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Buffer Overflow Memory Corruption Android
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-6635 HIGH PATCH This Week

The EditorsKit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'import_styles' function in versions up to, and including, 1.40.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress File Upload RCE Editorskit
NVD VulDB
CVSS 3.1
7.2
EPSS
7.6%
CVE-2024-1072 HIGH PATCH This Week

The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Website Builder By Seedprod
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2024-0761 HIGH PATCH This Week

The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

WordPress Information Disclosure File Manager
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2023-6985 MEDIUM PATCH This Month

The 10Web AI Assistant - AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin AJAX action in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Ai Assistant
NVD VulDB
CVSS 3.1
6.5
EPSS
7.8%
CVE-2024-0699 MEDIUM PATCH This Month

The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more!. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload RCE WordPress Ai Engine
NVD VulDB
CVSS 3.1
6.6
EPSS
7.1%
CVE-2024-1052 HIGH PATCH This Week

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Boundary
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2024-20015 HIGH This Week

In telephony, there is a possible escalation of privilege due to a permissions bypass. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.1%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy