Skip to main content
CVE-2024-6365 CRITICAL Emergency

The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'saveCustomTitle' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 30.3% and no vendor patch available.

WordPress PHP RCE Code Injection
NVD
CVSS 3.1
9.8
EPSS
30.3%
CVE-2024-3596 CRITICAL CISA Emergency

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 19.0% and no vendor patch available.

Information Disclosure Freeradius Brocade Sannav Fabric Operating System Sonicos
NVD
CVSS 3.1
9.0
EPSS
19.0%
Threat
4.4
CVE-2024-6313 CRITICAL Act Now

The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads due to the users can specify the allowed file types in the 'upload' function in versions up to, and including, 2.2.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 23.2% and no vendor patch available.

RCE WordPress File Upload
NVD
CVSS 3.1
9.8
EPSS
23.2%
CVE-2024-39171 CRITICAL POC Act Now

Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Phpvibe
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-48194 CRITICAL POC Act Now

Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Tenda Ac8 Firmware
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-37873 CRITICAL POC Act Now

SQL injection vulnerability in view_payslip.php in Itsourcecode Payroll Management System Project In PHP With Source Code 1.0 allows remote attackers to execute arbitrary SQL commands via the id. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Payroll Management System Project In Php With Source Code
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-37870 CRITICAL POC Act Now

SQL injection vulnerability in processscore.php in Learning Management System Project In PHP With Source Code 1.0 allows attackers to execute arbitrary SQL commands via the id parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Learning Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-36526 CRITICAL POC Act Now

ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Zkbio Cvsecurity
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-5488 CRITICAL POC Act Now

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress Seopress
NVD WPScan
CVSS 3.1
9.8
EPSS
3.7%
CVE-2024-6314 CRITICAL Act Now

The IQ Testimonials plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process_image_upload' function in versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.3% and no vendor patch available.

PHP RCE WordPress File Upload
NVD
CVSS 3.1
9.8
EPSS
13.3%
CVE-2024-37418 CRITICAL PATCH Act Now

Remote code execution in the Church Admin WordPress plugin (versions up to and including 4.4.6) allows authenticated low-privilege users to upload files of dangerous types, leading to full compromise of the underlying WordPress site. The CVSS 9.9 score reflects scope change and complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 1.58% (82nd percentile).

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
1.6%
CVE-2024-3604 CRITICAL Act Now

The OSM - OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode in all versions up to, and including, 6.0.3 due to. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress Openstreetmap
NVD
CVSS 3.1
9.9
EPSS
0.7%
CVE-2024-38089 CRITICAL PATCH Act Now

Microsoft Defender for IoT Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Microsoft Defender For Iot
NVD
CVSS 3.1
9.9
EPSS
1.2%
CVE-2024-37424 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Automattic Newspack Blocks allows Upload a Web Shell to a Web Server.0.8. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2024-37420 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in WPZita Zita Elementor Site Library allows Upload a Web Shell to a Web Server.6.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2024-39071 CRITICAL Act Now

Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE SQLi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-38077 CRITICAL PATCH Act Now

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow Buffer Overflow RCE Microsoft Windows Server 2008 +5
NVD
CVSS 3.1
9.8
EPSS
75.4%
CVE-2024-38076 CRITICAL PATCH Act Now

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow Buffer Overflow RCE Microsoft Windows Server 2016 +3
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2024-38074 CRITICAL PATCH Act Now

Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow RCE Microsoft Windows Server 2008 Windows Server 2012 +4
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2024-27782 CRITICAL Act Now

Multiple insufficient session expiration weaknesses [CWE-613] vulnerability in Fortinet FortiAIOps 2.0.0 may allow an attacker to re-use stolen old session tokens to perform unauthorized operations. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Fortinet Fortiaiops
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-6611 CRITICAL Act Now

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-6602 CRITICAL Act Now

A mismatch between allocator and deallocator could have led to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow Mozilla Firefox +1
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-37934 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection.8.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Ninja Forms
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-37112 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Membership Software WishList Member X.26.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Wishlist Member
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-28747 CRITICAL Act Now

An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-6527 CRITICAL Act Now

SQL Injection vulnerability in parameter "w" in file "druk.php" in MegaBIP software allows unauthorized attacker to disclose the contents of the database and obtain administrator's token to modify. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2024-39872 CRITICAL PATCH Act Now

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Sinema Remote Connect Server
NVD
CVSS 4.0
9.3
EPSS
0.5%
CVE-2024-37555 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7 generate-pdf-using-contact-form-7.1.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-28751 CRITICAL Act Now

An high privileged remote attacker can enable telnet access that accepts hardcoded credentials. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.6%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy