Skip to main content
CVE-2021-4449 CRITICAL POC THREAT Emergency

Unauthenticated arbitrary file upload in the ZoomSounds WordPress plugin (versions ≤5.96) allows remote attackers to upload malicious PHP files via the 'savepng.php' endpoint, enabling remote code execution on the underlying webserver. Publicly available exploit code exists, and the EPSS score of 81.62% (99th percentile) indicates a very high likelihood of opportunistic exploitation, particularly against the large WordPress install base where this plugin is deployed.

File Upload RCE WordPress PHP Zoomsounds
NVD GitHub WPScan
CVSS 3.1
9.8
EPSS
81.6%
Threat
5.9
CVE-2020-36836 HIGH POC PATCH THREAT Act Now

Arbitrary file deletion in the WP Fastest Cache WordPress plugin (versions up to and including 0.9.0.2) allows authenticated low-privileged users to remove arbitrary files from the underlying server due to missing capability checks and inadequate path validation. Publicly available exploit code exists, and the EPSS score of 43.15% (97th percentile) indicates a notably elevated exploitation probability relative to the broader CVE population. The flaw is tagged as CSRF (CWE-352), meaning the deletion action can also be triggered via a forged request against an authenticated victim.

WordPress CSRF Wp Fastest Cache
NVD
CVSS 3.1
8.0
EPSS
43.1%
Threat
4.4
CVE-2024-9061 CRITICAL POC PATCH THREAT Act Now

The The WP Popup Builder - Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Authentication Bypass Code Injection WordPress RCE Wp Popup Builder
NVD
CVSS 3.1
9.8
EPSS
51.3%
CVE-2024-45216 CRITICAL POC PATCH THREAT Act Now

Improper Authentication vulnerability in Apache Solr. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Solr
NVD
CVSS 3.1
9.8
EPSS
90.7%
CVE-2024-45844 HIGH POC THREAT This Week

BIG-IP monitor functionality may allow an attacker to bypass access control restrictions, regardless of the port lockdown settings. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Advanced Web Application Firewall Big Ip Analytics +17
NVD
CVSS 4.0
8.6
EPSS
10.6%
CVE-2024-46213 HIGH POC This Week

REDAXO CMS v2.11.0 was discovered to contain a remote code execution (RCE) vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Redaxo
NVD GitHub
CVSS 3.1
7.2
EPSS
1.0%
CVE-2024-49242 CRITICAL Act Now

Unrestricted file upload in the Shafiq Digital Lottery WordPress plugin (versions up to and including 3.0.5) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope-change reflects that successful exploitation extends impact beyond the plugin to the entire hosting environment, and no public exploit identified at time of analysis though Patchstack disclosure typically accompanies plugin-level POCs.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.0%
CVE-2024-49216 CRITICAL Act Now

Unrestricted file upload in the Feed Comments Number WordPress plugin (jclay06, versions through 0.2.1) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The maximum CVSS 10.0 score with scope-changed impact reflects complete confidentiality, integrity, and availability loss, though no public exploit identified at time of analysis and EPSS sits at 0.97% indicating modest near-term exploitation likelihood.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.0%
CVE-2024-46605 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Piwigo
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-49257 CRITICAL Act Now

Unrestricted file upload in the Azz Anonim Posting WordPress plugin (versions up to and including 0.9) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS score of 10.0 and a changed scope, successful exploitation yields full server compromise. No public exploit identified at time of analysis, though the EPSS score of 0.82% (74th percentile) suggests moderate but non-trivial exploitation likelihood.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.8%
CVE-2024-49254 CRITICAL Act Now

Unauthenticated remote code execution in the sunjianle ajax-extend WordPress plugin (versions up to and including 1.0) allows attackers to inject and execute arbitrary code on the underlying server with a changed security scope. CVSS 10.0 reflects network-reachable, no-privilege, no-interaction exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and EPSS sits at a modest 0.70%.

Code Injection RCE
NVD VulDB
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-49260 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Limbcode WordPress Gallery Plugin - Limb Image Gallery limb-gallery allows Code Injection.5.7. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress
NVD VulDB
CVSS 3.1
9.9
EPSS
1.2%
CVE-2024-48758 MEDIUM POC This Month

dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the addPro parameter of the component doAdminAction.php which allows a remote attacker to execute arbitrary code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP CSRF Dingfanzu Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-48744 MEDIUM POC This Month

A Reflected Cross Site Scripting (XSS) vulnerability was found in /trms/listed- teachers.php in PHPGurukul Teachers Record Management System v2.1, which allows remote attackers to execute arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP XSS RCE Teachers Record Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-48035 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in takayukii ACF Images Search And Insert acf-images-search-and-insert allows Upload a Web Shell to a Web Server.1.4. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2024-48027 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in xaraartech External featured image from bing external-featured-image-from-bing allows Upload a Web Shell to a Web Server.0.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2024-48034 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in fliperrr Creates 3D Flipbook, PDF Flipbook create-flipbook-from-pdf allows Upload a Web Shell to a Web Server.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
0.8%
CVE-2024-49227 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in foter Free Stock Photos Foter free-stock-photos-foter allows Object Injection.5.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-49218 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently recently-viewed-most-viewed-and-sold-products-for-woocommerce allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-48030 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Webextends Telecash Ricaricaweb telecash-ricaricaweb allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-48028 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 ip-loc8 allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-48026 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GMRobbins Disc Golf Manager disc-golf-manager allows Object Injection.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-49247 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in SK BuddyPress Better Registration better-bp-registration allows Authentication Bypass.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-48180 CRITICAL Act Now

ClassCMS <=4.8 is vulnerable to file inclusion in the nowView method in/class/cms/cms.php, which can include a file uploaded to the/class/template directory to execute PHP code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP File Upload Classcms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-9893 CRITICAL Act Now

The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.1.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-10018 CRITICAL Act Now

Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-9634 CRITICAL PATCH Act Now

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE WordPress PHP Givewp
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2024-9305 CRITICAL PATCH Act Now

The AppPresser - Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation WordPress Apppresser
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-9105 CRITICAL Act Now

The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-49271 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Command. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization Elementor
NVD VulDB
CVSS 3.1
9.1
EPSS
2.8%
CVE-2024-48042 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.7.28. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization
NVD VulDB
CVSS 3.1
9.1
EPSS
1.9%
CVE-2024-46606 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Piwigo
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-44762 MEDIUM POC This Month

A discrepancy in error messages for invalid login attempts in Webmin Usermin v2.100 allows attackers to enumerate valid user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Usermin
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
2.6%
CVE-2024-10024 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in code-projects Pharmacy Management System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Pharmacy Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.6%
CVE-2024-10023 MEDIUM POC This Month

A vulnerability classified as critical was found in code-projects Pharmacy Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Pharmacy Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10022 MEDIUM POC This Month

A vulnerability classified as critical has been found in code-projects Pharmacy Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Pharmacy Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10021 MEDIUM POC This Month

A vulnerability was found in code-projects Pharmacy Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Pharmacy Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-47649 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in THATplugin Iconize iconize.2.4. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%
CVE-2024-47637 HIGH This Week

Relative Path Traversal vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Path Traversal.4.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-49226 HIGH This Week

Deserialization of Untrusted Data vulnerability in taketin TAKETIN To WP Membership taketin-to-wp-membership allows Object Injection.8.17. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-46212 MEDIUM POC This Month

An issue in the component /index.php?page=backup/export of REDAXO CMS v5.17.1 allows attackers to execute a directory traversal. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Redaxo
NVD GitHub
CVSS 3.1
4.9
EPSS
0.9%
CVE-2024-9348 HIGH This Week

Docker Desktop before v4.34.3 allows RCE via unsanitized GitHub source link in Build view. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Docker
NVD
CVSS 4.0
8.9
EPSS
0.5%
CVE-2024-38814 HIGH This Week

An authenticated SQL injection vulnerability in VMware HCX was privately reported to VMware. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi VMware RCE Vmware Hcx
NVD
CVSS 3.1
8.8
EPSS
14.7%
CVE-2024-20420 HIGH This Week

A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an authenticated, remote attacker with low privileges to run commands as an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Cisco Ata 191 Firmware Ata 192 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-45711 HIGH This Week

SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Serv U
NVD
CVSS 3.1
8.8
EPSS
6.3%
CVE-2024-45693 HIGH This Week

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache CSRF Information Disclosure Cloudstack
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-8746 HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload File Manager
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-8507 HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Manager
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-49340 HIGH This Week

IBM Watson Studio Local 1.2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM CSRF Watson Studio Local
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-49253 HIGH This Week

Relative Path Traversal vulnerability in JamesPark.ninja Analyse Uploads analyse-uploads allows Relative Path Traversal.5. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
NVD VulDB
CVSS 3.1
8.6
EPSS
0.4%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy