11 CVEs tracked today. 11 Critical, 0 High, 0 Medium, 0 Low.
-
CVE-2024-50493
CRITICAL
CVSS 10.0
Unrestricted file upload in the masterhomepage Automatic Translation WordPress plugin (versions through 1.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The flaw carries the maximum CVSS of 10.0 because it is network-reachable, needs no privileges or user interaction, and changes scope; EPSS rates the probability of exploitation at 55.5% (98th percentile), a substantial likelihood of attack even though no public exploit was identified at time of analysis.
File Upload
-
CVE-2024-50490
CRITICAL
CVSS 9.8
Authorization bypass in the PegaPoll WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to invoke plugin functionality that should be restricted by ACLs. The flaw was reported by Patchstack and carries a critical CVSS of 9.8 alongside an unusually high EPSS of 52.44% (98th percentile), indicating elevated exploitation likelihood relative to typical CVEs; no public exploit was identified at time of analysis and the CVE is not present in CISA KEV.
Authentication Bypass
-
CVE-2024-50482
CRITICAL
CVSS 10.0
Unrestricted file upload in the Chetan Khandla 'Woocommerce Product Design' WordPress plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, achieving full server compromise. The flaw carries the maximum CVSS score of 10.0 with scope change, and EPSS places it in the 98th percentile (55.5% probability of exploitation), though no public exploit was identified at time of analysis and it is not currently listed in CISA KEV.
WordPress
File Upload
-
CVE-2024-50475
CRITICAL
CVSS 9.8
Privilege escalation in Scott Gamon's Signup Page WordPress plugin (versions up to and including 1.0) allows remote unauthenticated attackers to elevate privileges due to a missing authorization check (CWE-862). With a CVSS score of 9.8 and an EPSS score of 31.97% (97th percentile), this represents an elevated exploitation likelihood, though no public exploit is identified at time of analysis.
Authentication Bypass
Privilege Escalation
-
CVE-2024-50473
CRITICAL
CVSS 10.0
Unrestricted file upload in the Ajar in5 Embed WordPress plugin (versions up to and including 3.1.3) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS of 61.50% (98th percentile) indicates a very high probability of near-term exploitation, though no public exploit or KEV listing was identified at time of analysis.
File Upload
-
CVE-2024-50427
CRITICAL
CVSS 9.9
Unrestricted file upload in SurveyJS versions up to and including 1.9.136 allows authenticated remote attackers to upload files of dangerous types, enabling code execution or content takeover, with impact that crosses into other components (changed scope). EPSS scores this at the 99th percentile (69.65%), indicating very high exploitation probability, though no public exploit was identified at time of analysis and the CVE is not listed in CISA KEV.
File Upload
-
CVE-2024-50494
CRITICAL
CVSS 10.0
Unrestricted file upload in the Sudan Payment Gateway for WooCommerce WordPress plugin (versions up to and including 1.2.2) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. The CVSS 10.0 score reflects a network attack vector, no privileges required, and changed scope; exploitation yields full server compromise. No public exploit was identified at time of analysis, though EPSS places it at the 77th percentile, indicating moderate predicted exploitation likelihood.
WordPress
File Upload
-
CVE-2024-50485
CRITICAL
CVSS 9.8
Privilege escalation in the Udit Rawat Exam Matrix WordPress plugin (versions up to and including 1.5) allows remote unauthenticated attackers to gain elevated privileges due to incorrect privilege assignment (CWE-266). The CVSS 9.8 rating combined with an EPSS score of 21.91% (96th percentile) signals an elevated predicted exploitation likelihood, though no public exploit was identified at time of analysis. The flaw permits full compromise of the confidentiality, integrity, and availability of the affected WordPress site.
Privilege Escalation
-
CVE-2024-50484
CRITICAL
CVSS 10.0
Unrestricted file upload in Lindeni Mahlalela's Multi Purpose Mail Form WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to upload web shells and achieve remote code execution on the underlying web server. The CVSS 10.0 score reflects the worst-case scenario: network reachable, no authentication, no user interaction, and scope-changed impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though EPSS places this in the 82nd percentile, indicating above-average exploitation likelihood relative to other CVEs.
File Upload
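The unrestricted-upload entries above all end the same way: a web shell lands in a web-served directory. The script below is an added example of the check a responder runs after patching, not code from this feed or from any listed plugin. It walks wp-content/uploads and flags files with an executable extension anywhere in the name (which also catches double extensions such as logo.php.png) or with PHP/shell markers in their first 64 KB. The path argument, the EXEC_EXT and SHELL_MARKERS lists, and the sample tree it builds when run without an argument are assumptions constructed for illustration.

```php
<?php
/**
 * Web-shell hunt over a WordPress uploads directory.
 * Added example, not from any plugin or from this feed.
 * Usage: php find-shells.php /var/www/html/wp-content/uploads
 * With no argument, a constructed sample tree is created in the temp dir
 * so the script runs offline.
 */

// Extensions a web server may execute; a legitimate upload never needs these.
const EXEC_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'shtml'];

// Fragments common in dropped shells. A hit is a reason to inspect, not proof.
const SHELL_MARKERS = ['<?php', 'eval(', 'base64_decode(', 'system(', 'shell_exec(', 'passthru(', 'assert('];

/** Returns [path => [reasons...]] for every suspicious file under $root. */
function scan_uploads(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path    = $file->getPathname();
        $reasons = [];

        // Every dot-separated part after the base name counts as an extension,
        // so "logo.php.png" is caught as well as "shell.php".
        $parts = explode('.', strtolower($file->getFilename()));
        array_shift($parts);
        foreach ($parts as $ext) {
            if (in_array($ext, EXEC_EXT, true)) {
                $reasons[] = "executable extension .$ext";
                break;
            }
        }

        // Only the head is read: shells are small, and images never begin with PHP tags.
        $head = (string) file_get_contents($path, false, null, 0, 65536);
        foreach (SHELL_MARKERS as $marker) {
            if (stripos($head, $marker) !== false) {
                $reasons[] = "contains '$marker'";
                break;
            }
        }

        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

/** Constructed sample tree (assumption for offline runs): two benign files, two shells. */
function build_sample_tree(): string
{
    $dir = sys_get_temp_dir() . '/uploads-sample-' . bin2hex(random_bytes(4));
    mkdir("$dir/2024/10", 0700, true);
    file_put_contents("$dir/2024/10/photo.jpg", "\xFF\xD8\xFF\xE0" . str_repeat("\0", 32));   // JPEG header, benign
    file_put_contents("$dir/2024/10/notes.txt", "quarterly figures");                            // benign text
    file_put_contents("$dir/2024/10/shell.php", "<?php system(\$_GET['c']); ?>");               // plain shell
    file_put_contents("$dir/2024/10/logo.php.png", "<?php eval(base64_decode(\$_POST['x']));"); // double extension
    return $dir;
}

$root = $argv[1] ?? build_sample_tree();
foreach (scan_uploads($root) as $path => $reasons) {
    echo $path, ': ', implode('; ', $reasons), PHP_EOL;
}
```

On the constructed tree only the two shell files are reported, each by both checks. On a real site, treat any executable extension under uploads as a finding regardless of content, and follow a marker hit with a manual review, since the marker list is deliberately short and will not catch obfuscated shells.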
-
CVE-2024-50476
CRITICAL
CVSS 9.8
Privilege escalation in the GRÜN spendino Spendenformular plugin (versions through 1.0.1) allows remote unauthenticated attackers to gain elevated privileges due to missing authorization checks. With a CVSS of 9.8 and EPSS at 24.70% (96th percentile), this represents a significant exploitation risk, though no public exploit was identified at time of analysis. The flaw is tagged as both Authentication Bypass and Privilege Escalation and was reported by Patchstack, which specializes in WordPress plugin security.
Authentication Bypass
Privilege Escalation
-
CVE-2024-50420
CRITICAL
CVSS 10.0
Unauthenticated remote code execution in the aDirectory plugin (versions up to and including 1.3) via unrestricted file upload: attackers can upload arbitrary files, including web shells, to the web server with no authentication or user interaction required. The CVSS 10.0 score with scope-changed impact indicates full compromise potential. No public exploit was identified at time of analysis, though the EPSS score of 1.67% (82nd percentile) indicates above-average predicted exploitation likelihood relative to the broader CVE population.
File Upload
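Two flaw classes recur across this batch: unrestricted file upload reachable by unauthenticated users (the File Upload entries, CVE-2024-50493, -50482, -50473, -50494, -50484 and -50420) and missing or incorrect authorization that lets an anonymous caller obtain privileges (the Privilege Escalation entries, CVE-2024-50475, -50485 and -50476). The block below is an added illustration of the generic WordPress plugin pattern behind each class next to a hardened form; it is not code from any of the listed plugins, and the hook names, action names and the example_ prefix are assumptions. The vulnerable handlers are registered on wp_ajax_nopriv_ hooks, which is what makes them reachable without a session; the hardened ones add a nonce, a capability check, content-based type validation through WordPress' own upload path, and a server-side role decision.

```php
<?php
/**
 * Illustrative WordPress AJAX handlers: the vulnerable shape behind
 * CWE-434 (unrestricted upload) and CWE-862/CWE-266 (missing authorization,
 * incorrect privilege assignment) beside a hardened version.
 * Added example, not code from any plugin listed on this page; hook and
 * action names are assumptions.
 */
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// ---- VULNERABLE upload: reachable by anonymous users (wp_ajax_nopriv_*),
// no nonce, no capability check, attacker-chosen name and bytes written
// straight into a web-served directory. Uploading shell.php is RCE.
add_action( 'wp_ajax_nopriv_example_upload', 'example_upload_vulnerable' );
add_action( 'wp_ajax_example_upload', 'example_upload_vulnerable' );
function example_upload_vulnerable() {
	$upload_dir = wp_upload_dir();
	$dest       = $upload_dir['basedir'] . '/' . $_FILES['file']['name'];
	move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
	wp_send_json_success( array( 'url' => $upload_dir['baseurl'] . '/' . $_FILES['file']['name'] ) );
}

// ---- VULNERABLE signup: the caller picks its own role, so an anonymous
// request with role=administrator creates an administrator.
add_action( 'wp_ajax_nopriv_example_signup', 'example_signup_vulnerable' );
function example_signup_vulnerable() {
	$user_id = wp_insert_user( array(
		'user_login' => $_POST['login'],
		'user_pass'  => $_POST['pass'],
		'role'       => $_POST['role'],
	) );
	wp_send_json_success( array( 'id' => $user_id ) );
}

// ---- HARDENED upload: logged-in only (no nopriv hook), nonce, capability,
// extension and content must agree, and wp_handle_upload() applies the
// allow-list again and sanitizes the filename.
add_action( 'wp_ajax_example_upload_safe', 'example_upload_hardened' );
function example_upload_hardened() {
	check_ajax_referer( 'example_upload', 'nonce' );                 // CSRF
	if ( ! current_user_can( 'upload_files' ) ) {                     // authorization
		wp_send_json_error( 'forbidden', 403 );
	}
	if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
		wp_send_json_error( 'no file', 400 );
	}
	$allowed = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg', 'pdf' => 'application/pdf' );
	$check   = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
	if ( ! $check['ext'] || ! $check['type'] ) {                      // a PHP file renamed .png fails here
		wp_send_json_error( 'file type not allowed', 415 );
	}
	require_once ABSPATH . 'wp-admin/includes/file.php';
	$result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
	if ( isset( $result['error'] ) ) {
		wp_send_json_error( $result['error'], 500 );
	}
	wp_send_json_success( array( 'url' => $result['url'] ) );
}

// ---- HARDENED signup: the role is decided server-side; only a user who
// already holds create_users may choose a different existing role.
add_action( 'wp_ajax_nopriv_example_signup_safe', 'example_signup_hardened' );
add_action( 'wp_ajax_example_signup_safe', 'example_signup_hardened' );
function example_signup_hardened() {
	check_ajax_referer( 'example_signup', 'nonce' );
	if ( ! get_option( 'users_can_register' ) ) {
		wp_send_json_error( 'registration disabled', 403 );
	}
	$role = get_option( 'default_role', 'subscriber' );
	if ( current_user_can( 'create_users' ) && isset( $_POST['role'] ) ) {
		$requested = sanitize_key( wp_unslash( $_POST['role'] ) );
		if ( get_role( $requested ) ) {
			$role = $requested;
		}
	}
	$user_id = wp_insert_user( array(
		'user_login' => sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true ),
		'user_pass'  => (string) ( $_POST['pass'] ?? '' ),
		'role'       => $role,
	) );
	if ( is_wp_error( $user_id ) ) {
		wp_send_json_error( $user_id->get_error_message(), 400 );
	}
	wp_send_json_success( array( 'id' => $user_id ) );
}
```

When auditing a plugin for either class, grep for wp_ajax_nopriv_, admin_post_nopriv_ and REST routes with permission_callback set to __return_true, then read each handler for a current_user_can() check and, on upload paths, for whether the file name and type come from wp_check_filetype_and_ext() or straight from $_FILES. The nonce alone is not an authorization check: it stops cross-site requests, not an attacker who can obtain a nonce from a public page.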