Skip to main content
CVE-2024-8522 CRITICAL POC PATCH THREAT Act Now

SQL injection in LearnPress LMS plugin for WordPress (versions ≤ 4.2.7) allows unauthenticated remote attackers to inject arbitrary SQL via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST endpoint, enabling extraction of sensitive database contents including user credentials and PII. Publicly available exploit code exists, and the EPSS score of 88.05% (99th percentile) indicates very high real-world exploitation likelihood, though the issue is not currently listed in CISA KEV.

SQLi WordPress Learnpress
NVD Exploit-DB
CVSS 3.1
10.0
EPSS
88.1%
Threat
6.1
CVE-2024-8529 CRITICAL POC PATCH THREAT Act Now

The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 71.0%.

SQLi WordPress Learnpress
NVD
CVSS 3.1
10.0
EPSS
71.0%
Threat
5.6
CVE-2024-40457 CRITICAL POC Act Now

No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-29847 CRITICAL Act Now

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ivanti Endpoint Manager
NVD
CVSS 3.1
9.8
EPSS
52.9%
CVE-2024-45823 CRITICAL Act Now

CVE-2024-45823 IMPACT An authentication bypass vulnerability exists in the affected product. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Factorytalk Batch View
NVD
CVSS 4.0
9.2
EPSS
0.5%
CVE-2024-45824 CRITICAL Act Now

CVE-2024-45824 IMPACT A remote code vulnerability exists in the affected products. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal XSS Command Injection Factorytalk View
NVD
CVSS 4.0
9.2
EPSS
1.3%
CVE-2024-2743 CRITICAL Act Now

An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Gitlab
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2024-8695 CRITICAL Act Now

A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE XSS Docker Desktop
NVD
CVSS 4.0
9.0
EPSS
1.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy