Skip to main content
CVE-2024-6159 CRITICAL POC Act Now

The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Push Notification For Post And Buddypress
NVD WPScan
CVSS 3.1
9.8
EPSS
9.8%
CVE-2024-8673 CRITICAL POC Act Now

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Z Downloads
NVD WPScan
CVSS 3.1
9.1
EPSS
5.8%
CVE-2025-46052 CRITICAL POC Act Now

An error-based SQL Injection (SQLi) vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL command and extract sensitive data by injecting a crafted payload into the DEL form field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi Weberp
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-6584 CRITICAL POC Act Now

The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Jetpack Boost
NVD WPScan
CVSS 3.1
9.1
EPSS
0.6%
CVE-2025-4564 CRITICAL Act Now

The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP RCE Path Traversal
NVD
CVSS 3.1
9.8
EPSS
3.7%
CVE-2025-3917 CRITICAL Act Now

The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2025-47275 CRITICAL PATCH This Week

Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress PHP Authentication Bypass
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-47928 CRITICAL This Week

Spotipy is a Python library for the Spotify Web API. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-47788 CRITICAL This Week

Atheos is a self-hosted browser-based cloud IDE. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Path Traversal
NVD GitHub
CVSS 4.0
9.4
EPSS
0.6%
CVE-2024-6809 CRITICAL POC Act Now

The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Simple Video Directory
NVD WPScan
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-32002 CRITICAL This Week

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD
CVSS 4.0
9.3
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy