Skip to main content
CVE-2024-50510 CRITICAL Emergency

Unrestricted file upload in the AR For Woocommerce WordPress plugin (versions through 6.3) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full remote code execution on the underlying web server. The vulnerability carries a maximum CVSS score of 10.0 with scope change, and an EPSS score in the 97th percentile (33.03%) indicates significantly elevated exploitation probability, though no public exploit is identified at time of analysis.

File Upload WordPress
NVD
CVSS 3.1
10.0
EPSS
33.0%
CVE-2024-50509 HIGH Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design woo-product-design allows Path Traversal.0.0. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 28.6% and no vendor patch available.

WordPress Path Traversal
NVD
CVSS 3.1
8.6
EPSS
28.6%
CVE-2024-50507 CRITICAL Act Now

Remote code execution in the DS.DownloadList WordPress plugin (versions through 1.3) allows unauthenticated attackers to trigger PHP object injection via untrusted deserialization, leading to full site compromise. EPSS scores this at the 96th percentile (22.05%) for exploitation probability, indicating elevated likelihood of opportunistic attacks against unpatched WordPress installations, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
22.1%
CVE-2024-48112 CRITICAL POC Act Now

A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP Thinkphp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-48202 CRITICAL POC Act Now

icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Icecms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-48271 HIGH POC This Week

D-Link DSL6740C v6.TR069.20211230 was discovered to use insecure default credentials for Administrator access, possibly allowing attackers to bypass authentication and escalate privileges on the. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass D-Link Brute Force Dsl 6740C Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-33699 HIGH POC This Week

The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wbr 6012 Firmware
NVD
CVSS 3.1
8.8
EPSS
9.2%
CVE-2024-24777 HIGH POC This Week

A cross-site request forgery (CSRF) vulnerability exists in the Web Application functionality of the LevelOne WBR-6012 R0.40e6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass CSRF Wbr 6012 Firmware
NVD
CVSS 3.1
8.8
EPSS
7.0%
CVE-2024-50508 HIGH Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chetan Khandla Woocommerce Product Design woo-product-design allows Path Traversal.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 26.3% and no vendor patch available.

WordPress Path Traversal
NVD
CVSS 3.1
7.5
EPSS
26.3%
CVE-2024-48646 HIGH POC This Week

An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Sage Frp 1000
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-23309 HIGH POC This Week

The LevelOne WBR-6012 router with firmware R0.40e6 has an authentication bypass vulnerability in its web application due to reliance on client IP addresses for authentication. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Wbr 6012 Firmware
NVD
CVSS 3.1
8.1
EPSS
0.9%
CVE-2024-33700 HIGH POC This Week

The LevelOne WBR-6012 router firmware R0.40e6 suffers from an input validation vulnerability within its FTP functionality, enabling attackers to cause a denial of service through a series of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wbr 6012 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-33623 HIGH POC THREAT This Week

A denial of service vulnerability exists in the Web Application functionality of LevelOne WBR-6012 R0.40e6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wbr 6012 Firmware
NVD
CVSS 3.1
7.5
EPSS
11.4%
CVE-2024-31152 HIGH POC THREAT This Week

The LevelOne WBR-6012 router with firmware R0.40e6 is vulnerable to improper resource allocation within its web application, where a series of crafted HTTP requests can cause a reboot. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wbr 6012 Firmware
NVD
CVSS 3.1
7.5
EPSS
17.2%
CVE-2024-28052 HIGH POC This Week

The WBR-6012 is a wireless SOHO router. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wbr 6012 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-51243 HIGH POC This Week

The eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all application deployment servers of this management system via DeployController.java. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Eladmin
NVD GitHub
CVSS 3.1
7.2
EPSS
0.9%
CVE-2024-48647 HIGH POC This Week

A file disclosure vulnerability exists in Sage 1000 v7.0.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure Sage Frp 1000
NVD GitHub
CVSS 3.1
7.2
EPSS
0.8%
CVE-2024-10525 HIGH POC PATCH THREAT This Week

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Heap Overflow Buffer Overflow Mosquitto
NVD GitHub
CVSS 4.0
7.2
EPSS
57.9%
CVE-2024-10509 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Codezips Online Institute Management System 1.0.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Online Institute Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.8%
CVE-2024-10507 MEDIUM POC This Month

A vulnerability classified as critical was found in Codezips Free Exam Hall Seating Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Free Exam Hall Seating Management System
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.8%
CVE-2024-51242 MEDIUM POC This Month

A Server-Side Request Forgery (SSRF) vulnerability has been identified in eladmin 2.7 and earlier in ServerDeployController.java. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Eladmin
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-48272 MEDIUM POC This Month

D-Link DSL6740C v6.TR069.20211230 was discovered to use an insecure default Wifi password, possibly allowing attackers to connect to the device via a bruteforce attack. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Brute Force Information Disclosure Dsl 6740C Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-46531 MEDIUM POC This Month

phpgurukul Vehicle Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchinputdata parameter at /index.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Vehicle Record System
NVD GitHub
CVSS 3.1
6.3
EPSS
0.3%
CVE-2024-48648 MEDIUM POC This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Sage 1000 v 7.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sage Frp 1000
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-50511 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in donimedia WP donimedia carousel wp-donimedia-carousel allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.9%
CVE-2024-3935 MEDIUM POC PATCH This Month

In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Mosquitto
NVD GitHub
CVSS 4.0
6.0
EPSS
0.8%
CVE-2024-50503 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck User Toolkit user-toolkit allows Authentication Bypass.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2024-51427 CRITICAL Act Now

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-51424 CRITICAL Act Now

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-9419 CRITICAL Act Now

Client / Server PCs with the HP Smart Universal Printing Driver installed are potentially vulnerable to Remote Code Execution and/or Elevation of Privilege. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow HP RCE Memory Corruption Smart Universal Printing Driver
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-51298 CRITICAL Act Now

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Vigor3900 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-31151 CRITICAL Act Now

A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wbr 6012 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-8444 MEDIUM POC This Month

The Download Manager WordPress plugin before 3.3.00 doesn't sanitize some of it's shortcode parameters, leading to cross site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Download Manager
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-10456 CRITICAL Act Now

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 4.0
9.3
EPSS
17.7%
CVE-2024-33603 MEDIUM POC This Month

The LevelOne WBR-6012 router has an information disclosure vulnerability in its web application, which allows unauthenticated users to access a verbose system log page and obtain sensitive data, such. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Wbr 6012 Firmware
NVD
CVSS 3.1
5.3
EPSS
8.8%
CVE-2024-10506 MEDIUM POC This Month

A vulnerability classified as critical has been found in code-projects Blood Bank System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Blood Bank Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.6%
CVE-2024-10505 MEDIUM POC This Month

A vulnerability was found in wuzhicms 4.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE Wuzhicms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.7%
CVE-2024-10502 MEDIUM POC This Month

A vulnerability has been found in ESAFENET CDG 5 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Cdg
NVD VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10501 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in ESAFENET CDG 5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Cdg
NVD VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10500 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in ESAFENET CDG 5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Cdg
NVD VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-8512 CRITICAL Act Now

The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2024-48733 HIGH This Week

{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-48734 HIGH This Week

{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-50504 HIGH This Week

Incorrect Privilege Assignment vulnerability in webxmedia Bulk Change Role bulk-role-change allows Privilege Escalation.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-50506 HIGH This Week

Incorrect Privilege Assignment vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Privilege Escalation.27.80. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-51426 HIGH This Week

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-51425 HIGH This Week

An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-36060 HIGH This Week

EnGenius EnStation5-AC A8J-ENS500AC 1.0.0 devices allow blind OS command injection via shell metacharacters in the Ping and Speed Test parameters. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2024-51258 HIGH This Week

DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doSSLTunnel function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Vigor3900 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-51301 HIGH This Week

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Vigor3900 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy