Skip to main content
CVE-2024-50498 CRITICAL POC THREAT Emergency

Remote code execution in the WP Query Console WordPress plugin (versions up to and including 1.0) by Ajit Bohra allows unauthenticated attackers to inject and execute arbitrary PHP code on the server. The CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, and publicly available exploit code combined with an EPSS of 91.90% (100th percentile) indicates very high likelihood of opportunistic exploitation, though the vulnerability is not yet listed in CISA KEV.

Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
91.9%
Threat
6.3
CVE-2024-50477 CRITICAL POC THREAT Emergency

Authentication bypass in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) allows unauthenticated remote attackers to circumvent login controls via an alternate path or channel, leading to full compromise of confidentiality, integrity, and availability. Publicly available exploit code exists, and EPSS scores this at 81.93% (99th percentile), indicating significant exploitation likelihood, though it is not currently listed in CISA KEV. The flaw is reported through Patchstack's audit program and affects WordPress installations using this plugin.

Authentication Bypass
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
81.9%
Threat
5.9
CVE-2024-50483 CRITICAL Emergency

Privilege escalation in Tareq Hasan's Meetup WordPress plugin (versions through 0.1) allows remote unauthenticated attackers to bypass authorization checks via user-controlled key manipulation. With EPSS at 65.62% (98th percentile), exploitation probability is high, though no public exploit identified at time of analysis. Patchstack reported this CVSS 9.8 issue affecting a WordPress ecosystem plugin.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
65.6%
CVE-2024-50492 HIGH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart scottcart allows Code Injection.1. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 56.8% and no vendor patch available.

Code Injection RCE
NVD VulDB
CVSS 3.1
8.3
EPSS
56.8%
CVE-2024-50478 CRITICAL Emergency

Remote authentication bypass in the 1-Click Login: Passwordless Authentication WordPress plugin (swoop-password-free-authentication) through version 1.4.5 allows unauthenticated attackers to bypass the primary authentication mechanism and gain access to protected accounts. With a CVSS score of 9.8 and an EPSS of 41.02% (97th percentile), this represents elevated exploitation probability although no public exploit identified at time of analysis. The flaw stems from CWE-305 (Authentication Bypass by Primary Weakness), meaning the core auth check itself can be circumvented rather than merely weakened.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
41.0%
CVE-2024-50450 HIGH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Code Injection.3.3.4. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 52.5% and no vendor patch available.

Code Injection RCE
NVD VulDB
CVSS 3.1
7.3
EPSS
52.5%
CVE-2024-50491 CRITICAL Emergency

SQL injection in the MicahBlu RSVP ME WordPress plugin (versions up to and including 1.9.9) allows remote unauthenticated attackers to inject crafted SQL statements that read sensitive database contents and partially impact integrity of backend systems. The CVSS 9.3 score reflects a network-reachable, no-privilege, no-interaction attack with scope change, and an EPSS of 37.74% (97th percentile) indicates substantially elevated exploitation probability relative to the broader CVE population, though no public exploit identified at time of analysis. The flaw was reported through Patchstack's WordPress plugin audit program.

SQLi
NVD VulDB
CVSS 3.1
9.3
EPSS
37.7%
CVE-2024-39205 CRITICAL POC THREAT Emergency

An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
16.5%
CVE-2024-50488 HIGH Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in yespbs Token Login token-login allows Authentication Bypass.0.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 38.5% and no vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
38.5%
CVE-2024-48594 HIGH POC Act Now

File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Prison Management System
NVD GitHub
CVSS 3.1
8.8
EPSS
3.3%
CVE-2024-48356 CRITICAL POC Act Now

LyLme Spage <=1.6.0 is vulnerable to SQL Injection via /admin/group.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Lylme Spage
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-48357 CRITICAL POC Act Now

LyLme Spage 1.2.0 through 1.6.0 is vulnerable to SQL Injection via /admin/apply.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Lylme Spage
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-50623 CRITICAL POC KEV THREAT Act Now

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Harmony Lexicom Vltrader
NVD
CVSS 3.1
9.8
EPSS
98.5%
CVE-2024-48177 HIGH POC This Week

MRCMS 3.1.2 contains a SQL injection vulnerability via the RID parameter in /admin/article/delete.do. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Mrcms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-48826 HIGH POC This Week

Tenda AC7 v.15.03.06.44 ate_iwpriv_set has pre-authentication command injection allowing remote attackers to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Tenda Command Injection Ac7 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-48825 HIGH POC This Week

Tenda AC7 v.15.03.06.44 ate_ifconfig_set has pre-authentication command injection allowing remote attackers to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Tenda Command Injection Ac7 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-10434 HIGH POC This Week

A vulnerability was found in Tenda AC1206 up to 20241027. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Tenda Stack Overflow Ac1206 Firmware
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
1.2%
CVE-2024-48178 HIGH POC This Week

newbee-mall v1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the goodsCoverImg parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Newbee Mall
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-48074 HIGH POC This Week

An authorized RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4, where an attacker can place a malicious command into the table parameter of the doPPPoE function in the. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Vigor2960 Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.7%
CVE-2024-10455 HIGH POC This Week

Reachable Assertion in BPv7 parser in µD3TN v0.14.0 allows attacker to disrupt service via malformed Extension Block. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Ud3Tn
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-10449 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Codezips Hospital Appointment System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Hospital Appointment System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
1.4%
CVE-2024-10448 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in code-projects Blood Bank Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Blood Bank Management System
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2024-10432 MEDIUM POC This Month

A vulnerability has been found in Project Worlds Simple Web-Based Chat Application 1.0 and classified as critical. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Simple Web Based Chat Application
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.6%
CVE-2024-48291 MEDIUM POC This Month

dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/doAdminAction.php?act=editAdmin&id=17. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dingfanzu Cms
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2024-48191 MEDIUM POC This Month

dingfanzu CMS 1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=delAdmin&id=17. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF Dingfanzu Cms
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2024-50496 CRITICAL Act Now

Unauthenticated arbitrary file upload in the AR For WordPress plugin (versions up to and including 6.6) allows remote attackers to upload web shells and achieve full site compromise. With a maximum CVSS score of 10.0 and CWE-434 (Unrestricted Upload of File with Dangerous Type), the flaw is critical, though no public exploit identified at time of analysis and EPSS sits at 1.31% (80th percentile) indicating moderate predicted exploitation activity. Reported via Patchstack, the issue affects all known versions of the plugin from webandprint.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
1.3%
CVE-2024-50495 CRITICAL Act Now

Unrestricted file upload in the Plugin Propagator WordPress plugin (versions up to and including 0.1) by nunomorgadinho allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the web server. With a CVSS of 10.0 and a changed scope, successful exploitation results in full compromise of the underlying WordPress site and potentially adjacent systems. No public exploit identified at time of analysis, though the 1.31% EPSS score (80th percentile) indicates above-average attacker interest relative to the broader CVE population.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.3%
CVE-2024-50489 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation allows Authentication Bypass.0.45. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-50487 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api allows Authentication Bypass.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-50486 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API acnoo-flutter-api allows Authentication Bypass.0.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-48465 CRITICAL Act Now

The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-10440 CRITICAL Act Now

The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Ehrd Ctms
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-40867 CRITICAL Act Now

A custom URL scheme handling issue was addressed with improved input validation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Ipados Iphone Os
NVD
CVSS 3.1
9.6
EPSS
0.7%
CVE-2024-50479 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chenyenming Woocommerce Quote Calculator woo-quote-calculator-order allows Blind SQL Injection.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2024-10450 MEDIUM POC This Month

A vulnerability has been found in SourceCodester Kortex Lite Advocate Office Management System 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Microsoft Advocate Office Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10447 MEDIUM POC This Month

A vulnerability classified as critical was found in Project Worlds Online Time Table Generator 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Time Table Generator
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10446 MEDIUM POC This Month

A vulnerability classified as critical has been found in Project Worlds Online Time Table Generator 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Time Table Generator
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10433 MEDIUM POC This Month

A vulnerability was found in Project Worlds Simple Web-Based Chat Application 1.0 and classified as problematic. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Simple Web Based Chat Application
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2024-44217 CRITICAL Act Now

A permissions issue was addressed by removing vulnerable code and adding additional checks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Ipados Iphone Os
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2024-38821 CRITICAL PATCH Act Now

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service
NVD
CVSS 3.1
9.1
EPSS
1.7%
CVE-2024-50408 HIGH This Week

Deserialization of Untrusted Data vulnerability in Bob Namaste!. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-50416 HIGH This Week

Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce wpc-shop-as-customer allows Object Injection.2.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-34537 MEDIUM POC PATCH This Month

TYPO3 before 13.3.1 allows denial of service (interface error) in the Bookmark Toolbar (ext:backend), exploitable by an administrator-level backend user account via manipulated data saved in the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Typo3
NVD GitHub
CVSS 3.1
4.9
EPSS
0.7%
CVE-2024-44122 HIGH This Week

A logic issue was addressed with improved checks. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure macOS
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2024-42028 HIGH This Week

A Local privilege escalation vulnerability found in a Self-Hosted UniFi Network Server with UniFi Network Application (Version 8.4.62 and earlier) allows a malicious actor with a local operational. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ubiquiti
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-44270 HIGH This Week

A logic issue was addressed with improved validation. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Authentication Bypass macOS
NVD VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2024-44256 HIGH This Week

The issue was addressed with improved input sanitization. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure macOS
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2024-50465 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP SEO - Calin Vingan Premium SEO Pack premium-seo-pack allows SQL Injection.6.001. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2024-50497 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wdesco Advanced Online Ordering and Delivery Platform. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
8.1
EPSS
2.1%
CVE-2024-50457 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Qode Qode Essential Addons qode-essential-addons.6.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
3.1%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy