Skip to main content
CVE-2024-28000 CRITICAL POC THREAT Emergency

Privilege escalation in LiteSpeed Cache plugin for WordPress (versions up to and including 6.3.0.1) allows unauthenticated remote attackers to forge user identities and gain administrator-level access by exploiting a weak hash check in the plugin's user simulation feature. Publicly available exploit code exists, and the EPSS score of 88.85% (100th percentile) indicates extremely high likelihood of exploitation activity. The vulnerability stems from predictable security hash values that can be brute-forced to impersonate any logged-in user, including administrators.

Information Disclosure
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
88.8%
Threat
6.1
CVE-2024-6386 CRITICAL POC THREAT Emergency

Remote code execution in the WPML WordPress multilingual plugin (versions up to and including 4.6.12) allows Contributor-level authenticated users to execute arbitrary code on the underlying server via Twig Server-Side Template Injection in the shortcode render function. Publicly available exploit code exists and EPSS rates the exploitation probability at 73.91% (99th percentile), making this a high-priority issue for any WordPress site running WPML.

Ssti RCE WordPress Wpml
NVD
CVSS 3.1
9.9
EPSS
73.9%
Threat
5.7
CVE-2024-42784 CRITICAL POC Act Now

A SQL injection vulnerability in "/music/controller.php?page=view_music" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "id" parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Music Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-42783 CRITICAL POC Act Now

Kashipara Music Management System v1.0 is vulnerable to SQL Injection via /music/manage_playlist_items.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Music Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-42782 CRITICAL POC Act Now

A SQL injection vulnerability in "/music/ajax.php?action=find_music" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "search" parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Music Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-42781 CRITICAL POC Act Now

A SQL injection vulnerability in "/music/ajax.php?action=login" of Kashipara Music Management System v1.0 allows remote attackers to execute arbitrary SQL commands and bypass Login via the email. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Music Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-42777 CRITICAL POC Act Now

An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=signup" of Kashipara Music Management System v1.0, which allows attackers to execute arbitrary code via uploading a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Music Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-40453 CRITICAL POC PATCH Act Now

squirrellyjs squirrelly v9.0.0 and fixed in v.9.0.1 was discovered to contain a code injection vulnerability via the component options.varName. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Squirrelly
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-7854 CRITICAL POC Act Now

The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 0.1 due to insufficient escaping on the user supplied parameter 'dbid' and lack of sufficient. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress Woo Inquiry
NVD
CVSS 3.1
9.8
EPSS
4.3%
CVE-2024-28987 CRITICAL POC KEV THREAT Act Now

The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Web Help Desk
NVD GitHub
CVSS 3.1
9.1
EPSS
93.3%
CVE-2024-5335 CRITICAL PATCH Act Now

The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Ultimate Store Kit
NVD
CVSS 3.1
9.8
EPSS
0.9%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy