Skip to main content
CVE-2024-9989 CRITICAL POC THREAT Emergency

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.6%.

WordPress Authentication Bypass Crypto Tool
NVD
CVSS 3.1
9.8
EPSS
92.6%
Threat
6.2
CVE-2024-50427 CRITICAL Emergency

Unrestricted file upload in SurveyJS versions up to and including 1.9.136 allows authenticated remote attackers to upload files of dangerous types, enabling code execution or content takeover with scope change to other components. EPSS scores this at the 99th percentile (69.65%) indicating very high exploitation probability, though no public exploit identified at time of analysis and not listed in CISA KEV.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
69.7%
Threat
4.1
CVE-2024-50473 CRITICAL Emergency

Unrestricted file upload in the Ajar in5 Embed WordPress plugin (versions up to and including 3.1.3) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS of 61.50% (98th percentile) indicates a very high probability of near-term exploitation, though no public exploit or KEV listing was identified at time of analysis.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
61.5%
CVE-2024-50493 CRITICAL Emergency

Unrestricted file upload in the masterhomepage Automatic Translation WordPress plugin (versions through 1.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The flaw carries a maximum CVSS 10.0 due to its network-reachable, no-interaction nature with scope change, and EPSS rates exploitation probability at 55.5% (98th percentile), indicating substantial likelihood of attack despite no public exploit identified at time of analysis.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
55.5%
CVE-2024-50482 CRITICAL Emergency

Unrestricted file upload in the Chetan Khandla 'Woocommerce Product Design' WordPress plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, achieving full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and EPSS places it in the 98th percentile (55.5% probability of exploitation), though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
55.5%
CVE-2024-50490 CRITICAL Emergency

Authorization bypass in the PegaPoll WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to invoke plugin functionality that should be restricted by ACLs. The flaw was reported by Patchstack and carries a critical CVSS of 9.8 alongside an unusually high EPSS of 52.44% (98th percentile), indicating elevated exploitation likelihood relative to typical CVEs, though no public exploit identified at time of analysis and not present in CISA KEV.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
52.4%
CVE-2024-51568 CRITICAL POC THREAT Emergency

CyberPanel (aka Cyber Panel) before 2.3.5 allows Command Injection via completePath in the ProcessUtilities.outputExecutioner() sink. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Cyberpanel
NVD
CVSS 3.1
9.8
EPSS
45.7%
CVE-2024-51567 CRITICAL POC KEV PATCH THREAT Act Now

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Cyberpanel
NVD GitHub
CVSS 3.1
9.8
EPSS
86.7%
CVE-2024-51378 CRITICAL POC KEV PATCH THREAT Act Now

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Cyberpanel
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
94.8%
CVE-2024-50475 CRITICAL Emergency

Privilege escalation in Scott Gamon's Signup Page WordPress plugin (versions up to and including 1.0) allows remote unauthenticated attackers to elevate privileges due to a missing authorization check (CWE-862). With a CVSS score of 9.8 and an EPSS score of 31.97% (97th percentile), this represents an elevated exploitation likelihood, though no public exploit is identified at time of analysis.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
32.0%
CVE-2024-50476 CRITICAL Act Now

Privilege escalation in GRÜN spendino Spendenformular plugin versions through 1.0.1 allows remote unauthenticated attackers to gain elevated privileges due to missing authorization checks. With a CVSS of 9.8 and EPSS at 24.70% (96th percentile), this represents a significant exploitation risk, though no public exploit identified at time of analysis. The flaw is tagged as both Authentication Bypass and Privilege Escalation, reported by Patchstack who specializes in WordPress plugin security.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
24.7%
CVE-2024-50485 CRITICAL Act Now

Privilege escalation in the Udit Rawat Exam Matrix WordPress plugin (versions up to and including 1.5) allows remote unauthenticated attackers to gain elevated privileges due to incorrect privilege assignment (CWE-266). The CVSS 9.8 rating combined with an EPSS score of 21.91% (96th percentile) signals significant attacker interest, though there is no public exploit identified at time of analysis. The flaw permits full compromise of confidentiality, integrity, and availability of the affected WordPress site.

Privilege Escalation
NVD VulDB
CVSS 3.1
9.8
EPSS
21.9%
CVE-2024-48573 CRITICAL POC Act Now

A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Aquilacms
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-48063 CRITICAL POC PATCH Act Now

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Pytorch
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2024-8309 CRITICAL POC PATCH THREAT Act Now

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Information Disclosure Denial Of Service Langchain
NVD GitHub
CVSS 3.1
9.8
EPSS
13.8%
CVE-2024-7042 CRITICAL POC PATCH Act Now

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Information Disclosure Denial Of Service Langchain
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-6868 CRITICAL POC PATCH Act Now

mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Localai
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2024-5982 CRITICAL POC PATCH THREAT Act Now

A path traversal vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Path Traversal Chuanhuchatgpt
NVD GitHub
CVSS 3.1
9.8
EPSS
27.2%
CVE-2024-7774 CRITICAL POC PATCH Act Now

A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Langchain Js
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-7475 CRITICAL POC PATCH Act Now

An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-5823 CRITICAL POC PATCH Act Now

A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Denial Of Service Chuanhuchatgpt
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-6581 CRITICAL POC PATCH Act Now

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE XSS Lord Of Large Language Models
NVD GitHub
CVSS 3.1
9.0
EPSS
0.6%
CVE-2024-9988 CRITICAL Act Now

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.19. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.2% and no vendor patch available.

Authentication Bypass WordPress Crypto Tool
NVD
CVSS 3.1
9.8
EPSS
11.2%
CVE-2024-50420 CRITICAL Act Now

Unauthenticated remote code execution in aDirectory plugin versions up to and including 1.3 allows attackers to upload arbitrary files (web shells) to the web server with no authentication or user interaction required. The CVSS 10.0 score with scope-changed impact indicates full compromise potential, and while no public exploit is identified at time of analysis, the EPSS score of 1.67% (82nd percentile) signals elevated exploitation interest relative to the broader CVE population.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.7%
CVE-2024-50484 CRITICAL Act Now

Unrestricted file upload in Lindeni Mahlalela's Multi Purpose Mail Form WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to upload web shells and achieve remote code execution on the underlying web server. The CVSS 10.0 score reflects the worst-case scenario: network reachable, no authentication, no user interaction, and scope-changed impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though EPSS places this in the 82nd percentile, indicating above-average exploitation likelihood relative to other CVEs.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.6%
CVE-2024-50494 CRITICAL Act Now

Unrestricted file upload in the Sudan Payment Gateway for WooCommerce WordPress plugin (versions up to and including 1.2.2) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS 10.0 score reflecting network attack vector, no privileges, and changed scope, exploitation yields full server compromise; no public exploit identified at time of analysis, though EPSS places it at the 77th percentile indicating moderate predicted exploitation likelihood.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
1.0%
CVE-2024-50480 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Upload a Web Shell to a Web Server.27.80. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2024-48138 CRITICAL Act Now

A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-44081 CRITICAL PATCH Act Now

In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading videos from an arbitrary URL if a message from another. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Jitsi Meet
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-48206 CRITICAL Act Now

A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-45656 CRITICAL Act Now

IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass IBM Power System E1080 9080 Hex Firmware Power System L922 9008 22L Firmware Power System S922 9009 22A Firmware +25
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-8923 CRITICAL Act Now

ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Servicenow
NVD
CVSS 4.0
9.3
EPSS
1.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy