Skip to main content
CVE-2024-50498 CRITICAL POC THREAT Emergency

Remote code execution in the WP Query Console WordPress plugin (versions up to and including 1.0) by Ajit Bohra allows unauthenticated attackers to inject and execute arbitrary PHP code on the server. The CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, and publicly available exploit code combined with an EPSS of 91.90% (100th percentile) indicates very high likelihood of opportunistic exploitation, though the vulnerability is not yet listed in CISA KEV.

Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
91.9%
Threat
6.3
CVE-2024-50477 CRITICAL POC THREAT Emergency

Authentication bypass in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) allows unauthenticated remote attackers to circumvent login controls via an alternate path or channel, leading to full compromise of confidentiality, integrity, and availability. Publicly available exploit code exists, and EPSS scores this at 81.93% (99th percentile), indicating significant exploitation likelihood, though it is not currently listed in CISA KEV. The flaw is reported through Patchstack's audit program and affects WordPress installations using this plugin.

Authentication Bypass
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
81.9%
Threat
5.9
CVE-2024-50483 CRITICAL Emergency

Privilege escalation in Tareq Hasan's Meetup WordPress plugin (versions through 0.1) allows remote unauthenticated attackers to bypass authorization checks via user-controlled key manipulation. With EPSS at 65.62% (98th percentile), exploitation probability is high, though no public exploit identified at time of analysis. Patchstack reported this CVSS 9.8 issue affecting a WordPress ecosystem plugin.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
65.6%
CVE-2024-50478 CRITICAL Emergency

Remote authentication bypass in the 1-Click Login: Passwordless Authentication WordPress plugin (swoop-password-free-authentication) through version 1.4.5 allows unauthenticated attackers to bypass the primary authentication mechanism and gain access to protected accounts. With a CVSS score of 9.8 and an EPSS of 41.02% (97th percentile), this represents elevated exploitation probability although no public exploit identified at time of analysis. The flaw stems from CWE-305 (Authentication Bypass by Primary Weakness), meaning the core auth check itself can be circumvented rather than merely weakened.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
41.0%
CVE-2024-50491 CRITICAL Emergency

SQL injection in the MicahBlu RSVP ME WordPress plugin (versions up to and including 1.9.9) allows remote unauthenticated attackers to inject crafted SQL statements that read sensitive database contents and partially impact integrity of backend systems. The CVSS 9.3 score reflects a network-reachable, no-privilege, no-interaction attack with scope change, and an EPSS of 37.74% (97th percentile) indicates substantially elevated exploitation probability relative to the broader CVE population, though no public exploit identified at time of analysis. The flaw was reported through Patchstack's WordPress plugin audit program.

SQLi
NVD VulDB
CVSS 3.1
9.3
EPSS
37.7%
CVE-2024-39205 CRITICAL POC THREAT Emergency

An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
16.5%
CVE-2024-48356 CRITICAL POC Act Now

LyLme Spage <=1.6.0 is vulnerable to SQL Injection via /admin/group.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Lylme Spage
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-48357 CRITICAL POC Act Now

LyLme Spage 1.2.0 through 1.6.0 is vulnerable to SQL Injection via /admin/apply.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Lylme Spage
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-50623 CRITICAL POC KEV THREAT Act Now

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Harmony Lexicom Vltrader
NVD
CVSS 3.1
9.8
EPSS
98.5%
CVE-2024-50496 CRITICAL Act Now

Unauthenticated arbitrary file upload in the AR For WordPress plugin (versions up to and including 6.6) allows remote attackers to upload web shells and achieve full site compromise. With a maximum CVSS score of 10.0 and CWE-434 (Unrestricted Upload of File with Dangerous Type), the flaw is critical, though no public exploit identified at time of analysis and EPSS sits at 1.31% (80th percentile) indicating moderate predicted exploitation activity. Reported via Patchstack, the issue affects all known versions of the plugin from webandprint.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
1.3%
CVE-2024-50495 CRITICAL Act Now

Unrestricted file upload in the Plugin Propagator WordPress plugin (versions up to and including 0.1) by nunomorgadinho allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the web server. With a CVSS of 10.0 and a changed scope, successful exploitation results in full compromise of the underlying WordPress site and potentially adjacent systems. No public exploit identified at time of analysis, though the 1.31% EPSS score (80th percentile) indicates above-average attacker interest relative to the broader CVE population.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.3%
CVE-2024-50489 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation allows Authentication Bypass.0.45. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-50487 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api allows Authentication Bypass.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-50486 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API acnoo-flutter-api allows Authentication Bypass.0.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-48465 CRITICAL Act Now

The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-10440 CRITICAL Act Now

The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Ehrd Ctms
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-40867 CRITICAL Act Now

A custom URL scheme handling issue was addressed with improved input validation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Ipados Iphone Os
NVD
CVSS 3.1
9.6
EPSS
0.7%
CVE-2024-50479 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chenyenming Woocommerce Quote Calculator woo-quote-calculator-order allows Blind SQL Injection.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2024-44217 CRITICAL Act Now

A permissions issue was addressed by removing vulnerable code and adding additional checks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Ipados Iphone Os
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2024-38821 CRITICAL PATCH Act Now

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service
NVD
CVSS 3.1
9.1
EPSS
1.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy