Skip to main content
CVE-2024-9989 CRITICAL POC THREAT Emergency

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.6%.

WordPress Authentication Bypass Crypto Tool
NVD
CVSS 3.1
9.8
EPSS
92.6%
Threat
6.2
CVE-2024-50427 CRITICAL Emergency

Unrestricted file upload in SurveyJS versions up to and including 1.9.136 allows authenticated remote attackers to upload files of dangerous types, enabling code execution or content takeover with scope change to other components. EPSS scores this at the 99th percentile (69.65%) indicating very high exploitation probability, though no public exploit identified at time of analysis and not listed in CISA KEV.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
69.7%
Threat
4.1
CVE-2024-50473 CRITICAL Emergency

Unrestricted file upload in the Ajar in5 Embed WordPress plugin (versions up to and including 3.1.3) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS of 61.50% (98th percentile) indicates a very high probability of near-term exploitation, though no public exploit or KEV listing was identified at time of analysis.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
61.5%
CVE-2024-50493 CRITICAL Emergency

Unrestricted file upload in the masterhomepage Automatic Translation WordPress plugin (versions through 1.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The flaw carries a maximum CVSS 10.0 due to its network-reachable, no-interaction nature with scope change, and EPSS rates exploitation probability at 55.5% (98th percentile), indicating substantial likelihood of attack despite no public exploit identified at time of analysis.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
55.5%
CVE-2024-50482 CRITICAL Emergency

Unrestricted file upload in the Chetan Khandla 'Woocommerce Product Design' WordPress plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, achieving full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and EPSS places it in the 98th percentile (55.5% probability of exploitation), though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
55.5%
CVE-2024-50490 CRITICAL Emergency

Authorization bypass in the PegaPoll WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to invoke plugin functionality that should be restricted by ACLs. The flaw was reported by Patchstack and carries a critical CVSS of 9.8 alongside an unusually high EPSS of 52.44% (98th percentile), indicating elevated exploitation likelihood relative to typical CVEs, though no public exploit identified at time of analysis and not present in CISA KEV.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
52.4%
CVE-2024-51568 CRITICAL POC THREAT Emergency

CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Cyberpanel
NVD
CVSS 3.1
9.8
EPSS
45.7%
CVE-2024-51567 CRITICAL POC KEV PATCH THREAT Act Now

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Cyberpanel
NVD GitHub
CVSS 3.1
9.8
EPSS
86.7%
CVE-2024-51378 CRITICAL POC KEV PATCH THREAT Act Now

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Cyberpanel
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
94.8%
CVE-2024-50475 CRITICAL Emergency

Privilege escalation in Scott Gamon's Signup Page WordPress plugin (versions up to and including 1.0) allows remote unauthenticated attackers to elevate privileges due to a missing authorization check (CWE-862). With a CVSS score of 9.8 and an EPSS score of 31.97% (97th percentile), this represents an elevated exploitation likelihood, though no public exploit is identified at time of analysis.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
32.0%
CVE-2024-50476 CRITICAL Act Now

Privilege escalation in GRÜN spendino Spendenformular plugin versions through 1.0.1 allows remote unauthenticated attackers to gain elevated privileges due to missing authorization checks. With a CVSS of 9.8 and EPSS at 24.70% (96th percentile), this represents a significant exploitation risk, though no public exploit identified at time of analysis. The flaw is tagged as both Authentication Bypass and Privilege Escalation, reported by Patchstack who specializes in WordPress plugin security.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
24.7%
CVE-2024-50485 CRITICAL Act Now

Privilege escalation in the Udit Rawat Exam Matrix WordPress plugin (versions up to and including 1.5) allows remote unauthenticated attackers to gain elevated privileges due to incorrect privilege assignment (CWE-266). The CVSS 9.8 rating combined with an EPSS score of 21.91% (96th percentile) signals significant attacker interest, though there is no public exploit identified at time of analysis. The flaw permits full compromise of confidentiality, integrity, and availability of the affected WordPress site.

Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
21.9%
CVE-2024-48573 CRITICAL POC Act Now

A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Aquilacms
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-48063 CRITICAL POC PATCH Act Now

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Pytorch
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2024-8309 CRITICAL POC PATCH THREAT Act Now

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Information Disclosure Denial Of Service Langchain
NVD GitHub
CVSS 3.1
9.8
EPSS
13.8%
CVE-2024-7042 CRITICAL POC PATCH Act Now

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Information Disclosure Denial Of Service Langchain
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-6868 CRITICAL POC PATCH Act Now

mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Localai
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2024-5982 CRITICAL POC PATCH THREAT Act Now

A path traversal vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Path Traversal Chuanhuchatgpt
NVD GitHub
CVSS 3.1
9.8
EPSS
27.2%
CVE-2024-7774 CRITICAL POC PATCH Act Now

A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Langchain Js
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-7475 CRITICAL POC PATCH Act Now

An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-5823 CRITICAL POC PATCH Act Now

A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Denial Of Service Chuanhuchatgpt
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-6581 CRITICAL POC PATCH Act Now

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE XSS Lord Of Large Language Models
NVD GitHub
CVSS 3.1
9.0
EPSS
0.6%
CVE-2024-50334 HIGH POC This Week

Scoold is a Q&A and a knowledge sharing platform for teams. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Scoold
NVD GitHub
CVSS 4.0
8.7
EPSS
1.0%
CVE-2024-48921 HIGH POC PATCH This Week

Kyverno is a policy engine designed for Kubernetes. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Kubernetes Kyverno
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2024-7474 HIGH POC PATCH This Week

In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-9988 CRITICAL Act Now

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.19. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.2% and no vendor patch available.

Authentication Bypass WordPress Crypto Tool
NVD
CVSS 3.1
9.8
EPSS
11.2%
CVE-2024-7962 HIGH POC PATCH This Week

An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Chuanhuchatgpt
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-7807 HIGH POC PATCH This Week

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240628 allows for a Denial of Service (DOS) attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Chuanhuchatgpt
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-7783 HIGH POC PATCH This Week

mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Anythingllm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-6674 HIGH POC PATCH This Week

A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Lollms Web Ui
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-7473 MEDIUM POC PATCH This Month

An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-7472 MEDIUM POC PATCH This Month

lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-6673 MEDIUM POC PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Lollms Web Ui
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-50420 CRITICAL Act Now

Unauthenticated remote code execution in aDirectory plugin versions up to and including 1.3 allows attackers to upload arbitrary files (web shells) to the web server with no authentication or user interaction required. The CVSS 10.0 score with scope-changed impact indicates full compromise potential, and while no public exploit is identified at time of analysis, the EPSS score of 1.67% (82nd percentile) signals elevated exploitation interest relative to the broader CVE population.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.7%
CVE-2024-50484 CRITICAL Act Now

Unrestricted file upload in Lindeni Mahlalela's Multi Purpose Mail Form WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to upload web shells and achieve remote code execution on the underlying web server. The CVSS 10.0 score reflects the worst-case scenario: network reachable, no authentication, no user interaction, and scope-changed impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though EPSS places this in the 82nd percentile, indicating above-average exploitation likelihood relative to other CVEs.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.6%
CVE-2024-50494 CRITICAL Act Now

Unrestricted file upload in the Sudan Payment Gateway for WooCommerce WordPress plugin (versions up to and including 1.2.2) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS 10.0 score reflecting network attack vector, no privileges, and changed scope, exploitation yields full server compromise; no public exploit identified at time of analysis, though EPSS places it at the 77th percentile indicating moderate predicted exploitation likelihood.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
1.0%
CVE-2024-51076 MEDIUM POC This Month

A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/booking-search.php in PHPGurukul Online DJ Booking Management System 1.0, which allows remote attackers to execute. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP XSS Online Dj Booking Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-51075 MEDIUM POC This Month

A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/user-search.php in PHPGurukul Online DJ Booking Management System v1.0, which allows remote attackers to execute. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP XSS Online Dj Booking Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-51181 MEDIUM POC This Month

A Reflected Cross Site Scripting (XSS) vulnerability was found in /ifscfinder/admin/profile.php in PHPGurukul IFSC Code Finder Project v1.0, which allows remote attackers to execute arbitrary code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP XSS Ifsc Code Finder
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-51180 MEDIUM POC This Month

A Reflected Cross Site Scripting (XSS) vulnerability was found in /ifscfinder/index.php in PHPGurukul IFSC Code Finder Project v1.0, which allows remote attackers to execute arbitrary code via the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP XSS Ifsc Code Finder
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-50480 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Upload a Web Shell to a Web Server.27.80. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2024-7010 MEDIUM POC PATCH This Month

mudler/localai version 2.17.1 is vulnerable to a Timing Attack. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Authentication Bypass Localai
NVD GitHub
CVSS 3.1
5.9
EPSS
0.5%
CVE-2024-48138 CRITICAL Act Now

A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-44081 CRITICAL PATCH Act Now

In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading videos from an arbitrary URL if a message from another. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Jitsi Meet
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-48206 CRITICAL Act Now

A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-45656 CRITICAL Act Now

IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass IBM Power System E1080 9080 Hex Firmware Power System L922 9008 22L Firmware Power System S922 9009 22A Firmware +25
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-50348 MEDIUM POC PATCH This Month

InstantCMS is a free and open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Instantcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-10491 MEDIUM POC PATCH This Month

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Express
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-8923 CRITICAL Act Now

ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Servicenow
NVD
CVSS 4.0
9.3
EPSS
1.1%
CVE-2024-10479 MEDIUM POC This Month

A vulnerability, which was classified as problematic, was found in LinZhaoguan pb-cms up to 2.0.1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pb Cms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.3%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy