Skip to main content
CVE-2021-4449 CRITICAL POC THREAT Emergency

Unauthenticated arbitrary file upload in the ZoomSounds WordPress plugin (versions ≤5.96) allows remote attackers to upload malicious PHP files via the 'savepng.php' endpoint, enabling remote code execution on the underlying webserver. Publicly available exploit code exists, and the EPSS score of 81.62% (99th percentile) indicates a very high likelihood of opportunistic exploitation, particularly against the large WordPress install base where this plugin is deployed.

File Upload RCE WordPress PHP Zoomsounds
NVD GitHub WPScan
CVSS 3.1
9.8
EPSS
81.6%
Threat
5.9
CVE-2024-9061 CRITICAL POC PATCH THREAT Act Now

The The WP Popup Builder - Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Authentication Bypass Code Injection WordPress RCE Wp Popup Builder
NVD
CVSS 3.1
9.8
EPSS
51.3%
CVE-2024-45216 CRITICAL POC PATCH THREAT Act Now

Improper Authentication vulnerability in Apache Solr. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Solr
NVD
CVSS 3.1
9.8
EPSS
90.7%
CVE-2024-49242 CRITICAL Act Now

Unrestricted file upload in the Shafiq Digital Lottery WordPress plugin (versions up to and including 3.0.5) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope-change reflects that successful exploitation extends impact beyond the plugin to the entire hosting environment, and no public exploit identified at time of analysis though Patchstack disclosure typically accompanies plugin-level POCs.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.0%
CVE-2024-49216 CRITICAL Act Now

Unrestricted file upload in the Feed Comments Number WordPress plugin (jclay06, versions through 0.2.1) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. The maximum CVSS 10.0 score with scope-changed impact reflects complete confidentiality, integrity, and availability loss, though no public exploit identified at time of analysis and EPSS sits at 0.97% indicating modest near-term exploitation likelihood.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.0%
CVE-2024-49257 CRITICAL Act Now

Unrestricted file upload in the Azz Anonim Posting WordPress plugin (versions up to and including 0.9) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS score of 10.0 and a changed scope, successful exploitation yields full server compromise. No public exploit identified at time of analysis, though the EPSS score of 0.82% (74th percentile) suggests moderate but non-trivial exploitation likelihood.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.8%
CVE-2024-49254 CRITICAL Act Now

Unauthenticated remote code execution in the sunjianle ajax-extend WordPress plugin (versions up to and including 1.0) allows attackers to inject and execute arbitrary code on the underlying server with a changed security scope. CVSS 10.0 reflects network-reachable, no-privilege, no-interaction exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and EPSS sits at a modest 0.70%.

Code Injection RCE
NVD VulDB
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-49260 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Limbcode WordPress Gallery Plugin - Limb Image Gallery limb-gallery allows Code Injection.5.7. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress
NVD VulDB
CVSS 3.1
9.9
EPSS
1.2%
CVE-2024-48035 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in takayukii ACF Images Search And Insert acf-images-search-and-insert allows Upload a Web Shell to a Web Server.1.4. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2024-48027 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in xaraartech External featured image from bing external-featured-image-from-bing allows Upload a Web Shell to a Web Server.0.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2024-48034 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in fliperrr Creates 3D Flipbook, PDF Flipbook create-flipbook-from-pdf allows Upload a Web Shell to a Web Server.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
0.8%
CVE-2024-49227 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in foter Free Stock Photos Foter free-stock-photos-foter allows Object Injection.5.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-49218 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently recently-viewed-most-viewed-and-sold-products-for-woocommerce allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-48030 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Webextends Telecash Ricaricaweb telecash-ricaricaweb allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-48028 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 ip-loc8 allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-48026 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GMRobbins Disc Golf Manager disc-golf-manager allows Object Injection.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-49247 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in SK BuddyPress Better Registration better-bp-registration allows Authentication Bypass.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-48180 CRITICAL Act Now

ClassCMS <=4.8 is vulnerable to file inclusion in the nowView method in/class/cms/cms.php, which can include a file uploaded to the/class/template directory to execute PHP code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP File Upload Classcms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-9893 CRITICAL Act Now

The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.1.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-10018 CRITICAL Act Now

Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-9634 CRITICAL PATCH Act Now

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE WordPress PHP Givewp
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2024-9305 CRITICAL PATCH Act Now

The AppPresser - Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation WordPress Apppresser
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-9105 CRITICAL Act Now

The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-49271 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Command. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization Elementor
NVD VulDB
CVSS 3.1
9.1
EPSS
2.8%
CVE-2024-48042 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.7.28. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Deserialization
NVD VulDB
CVSS 3.1
9.1
EPSS
1.9%
CVE-2024-47649 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in THATplugin Iconize iconize.2.4. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy