Skip to main content
CVE-2024-50510 CRITICAL Emergency

Unrestricted file upload in the AR For Woocommerce WordPress plugin (versions through 6.3) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full remote code execution on the underlying web server. The vulnerability carries a maximum CVSS score of 10.0 with scope change, and an EPSS score in the 97th percentile (33.03%) indicates significantly elevated exploitation probability, though no public exploit is identified at time of analysis.

File Upload WordPress
NVD
CVSS 3.1
10.0
EPSS
33.0%
CVE-2024-50507 CRITICAL Act Now

Remote code execution in the DS.DownloadList WordPress plugin (versions through 1.3) allows unauthenticated attackers to trigger PHP object injection via untrusted deserialization, leading to full site compromise. EPSS scores this at the 96th percentile (22.05%) for exploitation probability, indicating elevated likelihood of opportunistic attacks against unpatched WordPress installations, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
22.1%
CVE-2024-48112 CRITICAL POC Act Now

A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE PHP Thinkphp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-48202 CRITICAL POC Act Now

icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Icecms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-50511 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in donimedia WP donimedia carousel wp-donimedia-carousel allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.9%
CVE-2024-50503 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck User Toolkit user-toolkit allows Authentication Bypass.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2024-51427 CRITICAL Act Now

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-51424 CRITICAL Act Now

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-9419 CRITICAL Act Now

Client / Server PCs with the HP Smart Universal Printing Driver installed are potentially vulnerable to Remote Code Execution and/or Elevation of Privilege. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow HP RCE Memory Corruption Smart Universal Printing Driver
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-51298 CRITICAL Act Now

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Vigor3900 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-31151 CRITICAL Act Now

A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Wbr 6012 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-10456 CRITICAL Act Now

Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 4.0
9.3
EPSS
17.7%
CVE-2024-8512 CRITICAL Act Now

The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE
NVD
CVSS 3.1
9.1
EPSS
1.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy