Skip to main content
CVE-2024-44000 CRITICAL POC THREAT Emergency

Authentication bypass in the LiteSpeed Cache WordPress plugin (versions prior to 6.5.0.1) allows unauthenticated remote attackers to hijack logged-in sessions, including administrator accounts, by recovering weakly protected session credentials. With a 93.13% EPSS score (100th percentile) and publicly available exploit code, this is among the most likely-to-be-exploited vulnerabilities currently tracked. Successful exploitation yields full WordPress site takeover.

Authentication Bypass
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
93.1%
Threat
6.3
CVE-2024-49328 CRITICAL Emergency

Authentication bypass in the WP REST API FNS WordPress plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to access protected functionality by leveraging an alternate path or channel that circumvents authentication checks. With a CVSS of 9.8 and EPSS at 54.50% (98th percentile), this vulnerability presents substantial exploitation risk, though no public exploit identified at time of analysis. The flaw maps to CWE-288 and was reported by Patchstack.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
54.5%
CVE-2024-49607 CRITICAL Act Now

Unrestricted file upload in the redhopit WP Dropbox Dropins WordPress plugin (versions through 1.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS score of 23.46% (96th percentile) signals elevated likelihood of exploitation, though no public exploit is identified at time of analysis and the issue is not on the CISA KEV list.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
23.5%
CVE-2024-49329 CRITICAL Act Now

Unrestricted file upload in the WP REST API FNS WordPress plugin (vivek2tamrakar) through version 1.0.0 allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-authentication exploitation with scope change and complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS sits at 0.80% (74th percentile) indicating moderate but not yet high exploitation likelihood.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.8%
CVE-2024-49611 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in paxmanpwnz Product Website Showcase product-websites-showcase allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2024-49610 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in photokiteditor photokit photokit allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2024-49326 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Vasileios Kerasiotis Affiliator affiliator-lite allows Upload a Web Shell to a Web Server.1.3. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2024-49324 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in sovratecdev Sovratec Case Management sovratec-case-management allows Upload a Web Shell to a Web Server.0.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2024-49330 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in brx8r Nice Backgrounds nicebackgrounds allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2024-49327 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in bepitulaz Woostagram Connect woostagram-connect allows Upload a Web Shell to a Web Server.0.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2024-49331 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Property Lot Management System plms allows Upload a Web Shell to a Web Server.2.38. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
0.6%
CVE-2024-49625 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in sphoid SiteBuilder Dynamic Components sitebuilder-dynamic-components allows Object Injection.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-49624 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in smartdevth Advanced Advertising System advanced-advertising-system allows Object Injection.3.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-49626 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Piyush Patel Shipyaari Shipping Management shipyaari-shipping-managment allows Object Injection.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-49332 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in giveawayboost Giveaway Boost giveaway-boost allows Object Injection.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-49604 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in N-Media Simple User Registration wp-registration allows Authentication Bypass.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-49286 CRITICAL Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Jeroen Berkvens SSV Events ssv-events allows PHP Local File Inclusion.2.7. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal PHP
NVD VulDB
CVSS 3.1
9.6
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy