Skip to main content
CVE-2024-52475 CRITICAL Act Now

Authentication bypass in the Wawp automation-web-platform plugin (versions up to and including 3.0.18) allows remote unauthenticated attackers to circumvent authentication via an alternate path or channel and gain unauthorized access to protected functionality. With a CVSS of 9.8 and an EPSS of 23.59% (96th percentile), the flaw poses elevated exploitation interest, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
23.6%
CVE-2024-52490 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload a Web Shell to a Web Server.5.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2024-8672 CRITICAL Act Now

The Widget Options - The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE
NVD
CVSS 3.1
9.9
EPSS
43.8%
CVE-2024-11082 CRITICAL Act Now

The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations_panel() function in all versions up to, and. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD GitHub
CVSS 3.1
9.9
EPSS
1.2%
CVE-2024-52338 CRITICAL PATCH Act Now

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Apache Python Arrow
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2024-11103 CRITICAL PATCH Act Now

The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation WordPress Contest Gallery
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-11925 CRITICAL Act Now

The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation WordPress
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-52474 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Сервис “Экспресс Платежи” Express Payments Module express-pay allows Blind SQL. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy