Skip to main content
CVE-2024-33559 CRITICAL POC Act Now

SQL injection in 8theme XStore WordPress theme versions up to and including 9.3.5 allows remote unauthenticated attackers to manipulate backend database queries by injecting crafted SQL syntax through user-controllable input. The flaw carries a CVSS 9.3 rating with scope change, and publicly available exploit code exists, while EPSS places exploitation probability at 5.82% (91st percentile), indicating elevated but not yet confirmed widespread abuse. No CISA KEV listing has been recorded for this issue at time of analysis.

SQLi
NVD Exploit-DB
CVSS 3.1
9.3
EPSS
5.8%
CVE-2024-33350 CRITICAL POC Act Now

Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote attacker to execute arbitrary code and obtain sensitive information via the include/model/file.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal PHP Taocms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2024-31822 CRITICAL POC PATCH Act Now

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection PHP RCE Ecommerce Codeigniter Bootstrap
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2024-31820 CRITICAL POC PATCH Act Now

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP RCE Ecommerce Codeigniter Bootstrap
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2024-31705 CRITICAL POC Act Now

An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2024-33445 CRITICAL POC Act Now

An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE Hisiphp
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-33444 CRITICAL POC Act Now

SQL injection vulnerability in onethink v.1.1 allows a remote attacker to escalate privileges via a crafted script to the ModelModel.class.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Onethink
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-3191 CRITICAL POC Act Now

A vulnerability, which was classified as critical, has been found in MailCleaner up to 2023.03.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Mailcleaner
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
5.2%
CVE-2024-3192 CRITICAL POC Act Now

A vulnerability, which was classified as problematic, was found in MailCleaner up to 2023.03.14. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mailcleaner
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
1.0%
CVE-2024-33566 CRITICAL Act Now

Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.4. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Authentication Bypass
NVD
CVSS 3.1
10.0
EPSS
1.2%
CVE-2024-33435 CRITICAL Act Now

Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-33276 CRITICAL Act Now

SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-33269 CRITICAL Act Now

SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-33268 CRITICAL Act Now

SQL Injection vulnerability in Digincube mdgiftproduct before 1.4.1 allows an attacker to run arbitrary SQL commands via the MdGiftRule::addGiftToCart method. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-33266 CRITICAL Act Now

SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-33449 CRITICAL Act Now

An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the url parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF RCE CSRF
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-32491 CRITICAL Act Now

An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Znuny
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-4300 CRITICAL Act Now

E-WEBInformationCo. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-33546 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone allows SQL Injection.0.10. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2024-3375 CRITICAL Act Now

Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD VulDB
CVSS 3.1
9.4
EPSS
0.2%
CVE-2024-33551 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 8theme XStore Core allows SQL Injection.3.5. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Xstore Core
NVD
CVSS 3.1
9.3
EPSS
0.6%
CVE-2024-33544 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone allows SQL Injection.0.10. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2024-33553 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in 8theme XStore Core.3.5. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Xstore Core
NVD
CVSS 3.1
9.0
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy