Skip to main content
CVE-2024-54363 CRITICAL Emergency

Privilege escalation in the Wp NssUser Register WordPress plugin (versions through 1.0.0) by saiful.total allows remote unauthenticated attackers to gain elevated privileges due to incorrect privilege assignment. With a CVSS of 9.8 and an EPSS of 31.93% (97th percentile), this represents elevated exploitation likelihood relative to most CVEs, though no public exploit identified at time of analysis. The flaw permits full compromise of confidentiality, integrity, and availability of affected WordPress installations.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
31.9%
CVE-2024-55976 CRITICAL Act Now

SQL injection in the Critical Site Intel WordPress plugin (mikeleembruggen, versions through 1.0) allows remote unauthenticated attackers to manipulate backend database queries via the critical-site-intel-stats functionality, leading to data disclosure and limited availability impact with scope change to the underlying WordPress database. The vulnerability carries a CVSS 9.3 (Critical) rating and an EPSS score of 29.74% (97th percentile), placing it well above typical baseline exploitation likelihood, though no public exploit identified at time of analysis.

Intel SQLi
NVD
CVSS 3.1
9.3
EPSS
29.7%
CVE-2024-55988 CRITICAL Act Now

Unauthenticated blind SQL injection in the Navayan CSV Export WordPress plugin (versions through 1.0.9) allows remote attackers to inject arbitrary SQL into backend queries without any user interaction. With a CVSS of 9.3 and EPSS of 26.63% (96th percentile), the issue carries elevated exploitation probability, though no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
26.6%
CVE-2024-55982 CRITICAL Act Now

Blind SQL injection in the WordPress 'Share Buttons - Social Media' plugin (rich-web-share-button) by richteam through version 1.0.2 allows remote unauthenticated attackers to extract database contents via crafted requests. With a CVSS 9.3 (changed scope) and EPSS at the 96th percentile (26.03%), this represents a high-priority WordPress ecosystem risk despite no public exploit being identified at the time of analysis.

SQLi
NVD
CVSS 3.1
9.3
EPSS
26.0%
CVE-2024-29671 CRITICAL POC THREAT Act Now

Buffer Overflow vulnerability in NEXTU FLATA AX1500 Router v.1.0.2 allows a remote attacker to execute arbitrary code via the POST request handler component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
20.9%
CVE-2024-55981 CRITICAL Act Now

SQL injection in Nabajit Roy's Nabz Image Gallery WordPress plugin (versions up to and including v1.00) allows remote unauthenticated attackers to inject arbitrary SQL into backend database queries. The flaw carries a critical CVSS 9.3 score with a scope-changed impact and an elevated EPSS exploitation probability of 20.15% (95th percentile), indicating notable likelihood of exploitation attempts, though no public exploit identified at time of analysis and not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
20.1%
CVE-2024-54369 CRITICAL Act Now

Missing authorization in ThemeHunk's Zita Site Builder WordPress plugin (versions through 1.0.2) allows remote unauthenticated attackers to invoke functionality that should be restricted by ACLs, leading to high integrity and availability impact. No public exploit identified at time of analysis, but the EPSS score of 19.29% (95th percentile) signals elevated likelihood of exploitation activity relative to most CVEs. The flaw is network-reachable with low attack complexity and no user interaction required, making it attractive for opportunistic mass-scanning against WordPress sites.

Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
19.3%
CVE-2024-55972 CRITICAL Act Now

SQL injection in the chriscarvache eTemplates WordPress plugin (versions through 0.2.1) allows remote unauthenticated attackers to inject arbitrary SQL commands against the backing database. With CVSS 9.3 and a scope-changed impact (confidentiality high, availability low), successful exploitation can expose sensitive data stored beyond the plugin's own boundary. EPSS sits at 8.33% (92nd percentile), indicating meaningfully elevated exploitation probability, though no public exploit is identified at time of analysis.

SQLi
NVD
CVSS 3.1
9.3
EPSS
8.3%
CVE-2024-55980 CRITICAL Act Now

SQL injection in the robindkumar Wr Age Verification WordPress plugin (versions up to and including 2.0.0) allows remote unauthenticated attackers to inject crafted SQL into backend queries, exposing database contents with a scope change that extends impact beyond the plugin itself. The flaw carries a CVSS 9.3 (Critical) and an EPSS of 4.91% (90th percentile), indicating meaningfully elevated exploitation likelihood relative to the broader CVE population, though no public exploit identified at time of analysis.

SQLi
NVD
CVSS 3.1
9.3
EPSS
4.9%
CVE-2024-55978 CRITICAL Act Now

Unauthenticated SQL injection in WalletStation Code Generator Pro (versions up to and including 1.2) allows remote attackers to inject arbitrary SQL into backend queries over the network without user interaction. The flaw carries a CVSS 9.3 with scope change and high confidentiality impact, and EPSS places it in the 90th percentile (4.91%) for exploitation likelihood, though no public exploit identified at time of analysis. Reported by Patchstack, the issue is tagged as SQLi and corresponds to CWE-89.

SQLi
NVD
CVSS 3.1
9.3
EPSS
4.9%
CVE-2024-54370 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows Upload a Web Shell to a Web Server.1.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.9%
CVE-2024-54367 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-56012 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in lizeipe Flash News / Post (Responsive) flashnews-fading-effect-pearlbells allows Privilege Escalation.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-43234 CRITICAL Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in WofficeIO Woffice woffice allows Authentication Bypass.4.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-54229 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in straightvisions GmbH SV100 Companion sv100-companion allows Privilege Escalation.0.02. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-55085 CRITICAL Act Now

GetSimple CMS CE 3.3.19 suffers from arbitrary code execution in the template editing function in the background management system, which can be used by an attacker to implement RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Getsimple Cms
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-55557 CRITICAL Act Now

ui/pref/ProxyPrefView.java in weasis-core in Weasis 4.5.1 has a hardcoded key for symmetric encryption of proxy credentials. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2024-10095 CRITICAL Act Now

In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1213), a code execution attack is possible through an insecure deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Ui For Wpf
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-54368 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in rubengarzajr GitSync git-sync allows Code Injection.1.0. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2024-54372 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Insertify insertify allows Code Injection.1.4. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2024-12641 CRITICAL Act Now

TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS CSRF Tenderdoctransfer
NVD
CVSS 3.1
9.6
EPSS
1.4%
CVE-2024-54361 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tenteeglobal Instant Appointment instant-appointment allows SQL Injection.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2024-55977 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BinaryCarpenter LaunchPage.app Importer launchpage-app-importer allows SQL Injection.app. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2024-54280 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design WPBookit wpbookit allows SQL Injection.6.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2024-55949 CRITICAL PATCH Act Now

MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
CVE-2024-49775 CRITICAL Act Now

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2501.0001), Opcenter Intelligence (All versions < V2501.0001), Opcenter Quality (All versions < V2512), Opcenter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow RCE
NVD
CVSS 4.0
9.3
EPSS
1.5%
CVE-2024-11144 CRITICAL Act Now

The server lacks thread safety and can be crashed by anomalous data sent by an anonymous user from a remote network. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition File Upload
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2024-54285 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in SeedProd LLC SeedProd Pro seedprod-coming-soon-pro-5 allows Upload a Web Shell to a Web Server.18.13. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.5%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy