Skip to main content
CVE-2024-2876 CRITICAL POC THREAT Emergency

The Email Subscribers by Icegram Express - Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 91.3%.

SQLi WordPress
NVD GitHub
CVSS 3.1
9.8
EPSS
91.3%
Threat
6.2
CVE-2024-2667 CRITICAL POC PATCH THREAT Act Now

The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.7%.

WordPress File Upload Instawp Connect
NVD
CVSS 3.1
9.8
EPSS
90.7%
Threat
6.2
CVE-2024-34392 CRITICAL POC Act Now

libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes _wrap__xmlNode_nsDef_get()) on a grand-child of a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Memory Corruption Libxmljs
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-34391 CRITICAL POC Act Now

libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Denial Of Service Memory Corruption Libxmljs
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-32114 HIGH POC PATCH This Week

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Activemq
NVD
CVSS 3.1
8.8
EPSS
6.9%
CVE-2024-3476 HIGH POC This Week

The Side Menu Lite WordPress plugin before 4.2.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Side Menu Lite
NVD WPScan
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-3474 HIGH POC This Week

The Wow Skype Buttons WordPress plugin before 4.0.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wow Skype Buttons
NVD WPScan
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-33303 HIGH POC This Week

SourceCodester Product Show Room 1.0 is vulnerable to Cross Site Scripting (XSS) via "First Name" under Add Users. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Product Show Room Site
NVD GitHub
CVSS 3.1
8.2
EPSS
0.5%
CVE-2024-3475 HIGH POC This Week

The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Sticky Buttons
NVD WPScan
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-32359 MEDIUM POC This Month

An RBAC authorization risk in Carina v0.13.0 and earlier allows local attackers to execute arbitrary code through designed commands to obtain the secrets of the entire cluster and further take over. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass RCE
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.2%
CVE-2024-4033 HIGH This Week

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the aiovg_create_attachment_from_external_image_url function in all. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
CVSS 3.1
8.8
EPSS
9.2%
CVE-2024-33305 MEDIUM POC This Month

SourceCodester Laboratory Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via "Middle Name" parameter in Create User. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Laboratory Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-3478 MEDIUM POC This Month

The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Herd Effects
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-32962 CRITICAL PATCH Act Now

xml-crypto is an xml digital signature and encryption library for Node.js. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Jwt Attack Information Disclosure
NVD GitHub
CVSS 3.1
10.0
EPSS
0.8%
CVE-2024-3729 CRITICAL PATCH Act Now

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation PHP WordPress Authentication Bypass OpenSSL +1
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-3472 MEDIUM POC This Month

The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Modal Window
NVD WPScan
CVSS 3.1
5.9
EPSS
0.2%
CVE-2024-34144 CRITICAL PATCH Act Now

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Jenkins Script Security
NVD
CVSS 3.1
9.8
EPSS
48.1%
CVE-2024-23459 CRITICAL Act Now

An Improper Link Resolution Before File Access ('Link Following') vulnerability in Zscaler Client Connector on Mac allows a system file to be overwritten.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Client Connector
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-3955 CRITICAL PATCH Act Now

URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-33913 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary File Upload in Xserver Migrator.6.1. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload CSRF
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2024-4406 CRITICAL Act Now

Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Xiaomi 13 Pro Firmware
NVD
CVSS 3.1
9.6
EPSS
2.2%
CVE-2024-4405 CRITICAL Act Now

Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS Xiaomi 13 Pro Firmware
NVD
CVSS 3.1
9.6
EPSS
1.2%
CVE-2024-4216 MEDIUM POC PATCH This Month

pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pgadmin 4 Fedora
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-33302 MEDIUM POC This Month

SourceCodester Product Show Room 1.0 and before is vulnerable to Cross Site Scripting (XSS) via "Middle Name" under Add Users. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XSS Product Show Room Site
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-3481 MEDIUM POC This Month

The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Counter Box
NVD WPScan
CVSS 3.1
5.2
EPSS
0.3%
CVE-2024-33911 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Weblizar School Management Pro.3.4. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi School Management
NVD
CVSS 3.1
7.6
EPSS
7.9%
CVE-2024-3499 HIGH PATCH This Week

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the generate_navigation_markup function of the Onepage. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

WordPress PHP RCE LFI Information Disclosure +2
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-31967 CRITICAL Act Now

A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-3500 HIGH This Week

The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE WordPress LFI +1
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-32971 CRITICAL PATCH Act Now

Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Redis Information Disclosure
NVD GitHub
CVSS 3.1
9.0
EPSS
0.7%
CVE-2024-1567 HIGH PATCH This Week

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to limited file uploads due to missing file type validation in the 'file_validity' function in all versions up to, and. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress XSS File Upload RCE Royal Elementor Addons +1
NVD
CVSS 3.1
8.2
EPSS
3.7%
CVE-2024-2661 HIGH This Week

The Barcode Scanner and Inventory manager. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-3849 HIGH This Week

The Click to Chat - HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE WordPress LFI
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-1797 HIGH PATCH This Week

The WP ULike - Most Advanced WordPress Marketing Toolkit plugin for WordPress is vulnerable to SQL Injection via the 'status' and 'id' attributes of the 'wp_ulike_counter' and 'wp_ulike' shortcodes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Wp Ulike
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-2831 HIGH This Week

The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-2417 HIGH This Week

The User Registration - Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation WordPress Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-3895 HIGH PATCH This Week

The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Privilege Escalation WordPress Wp Datepicker
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-4215 HIGH PATCH This Week

pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass SQLi Pgadmin 4 Fedora
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-34145 HIGH PATCH This Week

A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass RCE Jenkins Script Security
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-25047 HIGH PATCH This Week

IBM Cognos Analytics 11.2.0 through 11.2.4 and 12.0.0 through 12.0.2 is vulnerable to injection attacks in application logging by not sanitizing user provided data. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Code Injection Cognos Analytics Oncommand Insight
NVD
CVSS 3.1
8.6
EPSS
0.6%
CVE-2024-2405 MEDIUM POC This Month

The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Float Menu
NVD WPScan
CVSS 3.1
4.5
EPSS
0.3%
CVE-2024-33396 HIGH This Week

An issue in karmada-io karmada v1.9.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass RCE
NVD GitHub
CVSS 3.1
8.4
EPSS
0.2%
CVE-2024-34061 MEDIUM POC PATCH This Month

changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS
NVD GitHub
CVSS 3.1
4.3
EPSS
1.3%
CVE-2024-3477 MEDIUM POC This Month

The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Popup Box
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-34394 HIGH This Week

libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the namespaces() function (which invokes XmlNode::get_local_namespaces()) on a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Denial Of Service Memory Corruption
NVD GitHub
CVSS 3.1
8.1
EPSS
1.0%
CVE-2024-34393 HIGH This Week

libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Denial Of Service Memory Corruption
NVD GitHub
CVSS 3.1
8.1
EPSS
1.0%
CVE-2024-25290 HIGH This Week

An issue in Casa Systems NL1901ACV R6B032 allows a remote attacker to execute arbitrary code via the userName parameter of the add function. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE
NVD
CVSS 3.1
8.0
EPSS
0.7%
CVE-2024-3715 HIGH This Week

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
3.3%
CVE-2024-30306 HIGH This Week

Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Adobe Information Disclosure Acrobat Acrobat Dc +2
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2024-30305 HIGH This Week

Acrobat Reader versions 20.005.30539, 23.008.20470 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Use After Free Memory Corruption RCE Denial Of Service +4
NVD
CVSS 3.1
7.8
EPSS
0.6%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy