Skip to main content
CVE-2023-6933 HIGH POC PATCH THREAT Act Now

PHP Object Injection in the Better Search Replace WordPress plugin (versions up to and including 1.4.4) allows remote unauthenticated attackers to inject arbitrary PHP objects through deserialization of untrusted input. While the plugin itself contains no POP chain, the presence of any additional plugin or theme on the same WordPress instance that introduces a usable POP gadget can escalate the bug to arbitrary file deletion, sensitive data disclosure, or remote code execution. Publicly available exploit code exists and the EPSS score of 93.40% (100th percentile) signals very high real-world exploitation probability.

PHP Deserialization WordPress Information Disclosure Better Search Replace
NVD VulDB
CVSS 3.1
8.8
EPSS
93.4%
Threat
6.1
CVE-2024-0324 HIGH PATCH Act Now

The User Profile Builder - Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 37.3%.

WordPress Authentication Bypass Profile Builder
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
37.3%
CVE-2023-6846 HIGH POC THREAT Act Now

Remote code execution in the WordPress File Manager Pro plugin (versions up to and including 8.3.4) allows authenticated attackers with subscriber-level access to upload arbitrary files via the mk_check_filemanager_php_syntax AJAX endpoint, leading to full server compromise. Publicly available exploit code exists, and the high EPSS score of 13.31% (94th percentile) indicates significant real-world exploitation likelihood. The flaw is patched in version 8.3.5, which introduces a missing capability check.

Code Injection RCE WordPress File Upload File Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
13.3%
CVE-2023-6700 HIGH PATCH Act Now

The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 29.2%.

Authentication Bypass WordPress Wp Gdpr Compliance
NVD VulDB
CVSS 3.1
8.8
EPSS
29.2%
CVE-2024-22567 HIGH POC THREAT This Week

File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Mcms
NVD GitHub
CVSS 3.1
8.8
EPSS
17.8%
CVE-2024-24469 HIGH POC This Week

Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the delete_post .php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP CSRF Flusity
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-24468 HIGH POC This Week

Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_customblock.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP CSRF Flusity
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-22667 HIGH POC PATCH This Week

Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Memory Corruption Vim Fedora
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2024-24267 HIGH POC PATCH This Week

gpac v2.2.1 (fixed in v2.4.0) was discovered to contain a memory leak via the gfio_blob variable in the gf_fileio_from_blob function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2024-24266 HIGH POC This Week

gpac v2.2.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the dasher_configure_pid function at /src/filters/dasher.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-24265 HIGH POC This Week

gpac v2.2.1 was discovered to contain a memory leak via the dst_props variable in the gf_filter_pid_merge_properties_internal function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gpac
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-24263 HIGH POC This Week

Lotos WebServer v0.1.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the response_append_status_line function at /lotos/src/response.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Lotos Webserver
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-24262 HIGH POC This Week

media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_uac_stop_timer function at /uac/sip-uac-transaction.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Media Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-24260 HIGH POC This Week

media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_subscribe_remove function at /uac/sip-uac-subscribe.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Media Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-24259 HIGH POC This Week

freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mupdf
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-24258 HIGH POC This Week

freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mupdf
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-24762 HIGH POC PATCH This Week

`python-multipart` is a streaming multipart parser for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Python Multipart
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-6996 HIGH PATCH This Week

The Display custom fields in the frontend - Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

WordPress RCE Code Injection Display Custom Fields In The Frontend Post And User Profile Fields
NVD VulDB
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-0869 HIGH PATCH This Week

The Instant Images - One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Instant Images One Click Unsplash Uploads
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-20009 HIGH This Week

In alac decoder, there is a possible out of bounds write due to an incorrect error handling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Buffer Overflow Memory Corruption Android
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-6635 HIGH PATCH This Week

The EditorsKit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'import_styles' function in versions up to, and including, 1.40.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress File Upload RCE Editorskit
NVD VulDB
CVSS 3.1
7.2
EPSS
7.6%
CVE-2024-1072 HIGH PATCH This Week

The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Website Builder By Seedprod
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2024-0761 HIGH PATCH This Week

The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

WordPress Information Disclosure File Manager
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-1052 HIGH PATCH This Week

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Boundary
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2024-20015 HIGH This Week

In telephony, there is a possible escalation of privilege due to a permissions bypass. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Android
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2023-6925 HIGH This Week

The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress File Upload Unlimited Addons For Wpbakery Page Builder WPBakery Page Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
3.0%
CVE-2023-50782 HIGH PATCH This Week

A flaw was found in the python-cryptography package. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Python Ansible Automation Platform Enterprise Linux Update Infrastructure +2
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-50781 HIGH This Week

A flaw was found in m2crypto. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-0709 HIGH PATCH This Week

The Cryptocurrency Widgets - Price Ticker & Coins List plugin for WordPress is vulnerable to SQL Injection via the 'coinslist' parameter in versions 2.0 to 2.6.5 due to insufficient escaping on the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi WordPress Cryptocurrency Widgets
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-24768 HIGH PATCH This Week

1Panel is an open source Linux server operation and maintenance management panel. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure 1panel
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-20007 HIGH This Week

In mp3 decoder, there is a possible out of bounds write due to a race condition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Privilege Escalation Buffer Overflow Race Condition Android
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-20004 HIGH This Week

In Modem NL1, there is a possible system crash due to an improper input validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Nr15
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2024-20003 HIGH This Week

In Modem NL1, there is a possible system crash due to an improper input validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Nr15
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-24866 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Biteship Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo allows Reflected XSS.2.24. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Biteship
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-24848 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MJS Software PT Sign Ups - Beautiful volunteer sign ups and management made easy allows Stored. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Sign Ups
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-24846 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MightyThemes Mighty Addons for Elementor allows Reflected XSS.9.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mighty Addons
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-24847 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgadbois CalculatorPro Calculators allows Reflected XSS.1.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Calculatorpro Calculators
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-0428 HIGH PATCH This Week

The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Index Now
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2024-24595 HIGH This Week

Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking all user emails and passwords. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Clearml
NVD
CVSS 3.1
7.1
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy