Remote code execution via arbitrary plugin upload in Alone - Charity Multipurpose Non-profit WordPress Theme up to version 7.8.3 allows unauthenticated attackers to upload malicious zip files containing webshells through the alone_import_pack_install_plugin() function, achieving complete server compromise. This critical vulnerability (CVSS 9.8) stems from missing capability checks, enabling attackers to bypass all authentication requirements. No public exploit identified at time of analysis, though the attack is technically straightforward given the unauthenticated attack vector and low complexity (AC:L).
Memory corruption in SQLite versions before 3.50.2 allows network-based attackers with low privileges to manipulate aggregate queries causing integrity impacts. The vulnerability stems from improper validation of aggregate terms against available columns (CWE-197), leading to buffer overflow conditions. CVSS 7.2 (High) with network attack vector but high complexity and partial attack complexity requirements. Vendor-released patch available in SQLite 3.50.2. No confirmed active exploitation (not in CISA KEV), though multiple security advisories from Siemens and OSS-security mailing lists indicate broad downstream impact across industrial control systems and embedded products using SQLite.
Unauthenticated remote code execution in HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks plugin (all versions ≤2.2.1) allows attackers to upload arbitrary files to the WordPress server. Missing file type validation in temp_file_upload() function enables unrestricted file uploads, permitting execution of malicious scripts. Critical severity (CVSS 9.8) due to network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.
Arbitrary file movement in HT Contact Form Widget for Elementor & Gutenberg (WordPress plugin) allows unanatuhenticated remote attackers to relocate server files including wp-config.php, enabling remote code execution. Affects all versions through 2.2.1. Vulnerability stems from insufficient path validation in handle_files_upload() function. No public exploit identified at time of analysis, low observed exploitation activity.
Arbitrary file deletion in HT Contact Form Widget For Elementor (WordPress plugin) allows unanetworks attackers to remove critical server files, enabling remote code execution. Affecting all versions through 2.2.1, the vulnerability stems from insufficient path validation in temp_file_delete(), permitting deletion of wp-config.php or other essential files. CVSS 9.1 (Critical) with network attack vector, low complexity, and no authentication required. Vendor patch available (changeset 3326887). No public exploit identified at time of analysis, though the attack path is straightforward for skilled adversaries.
Unauthenticated arbitrary file deletion in Alone WordPress theme versions ≤7.8.5 enables remote attackers to achieve code execution by deleting critical files like wp-config.php. The vulnerability stems from insufficient path validation in the alone_import_pack_restore_data() function, exploitable over the network with low complexity and no user interaction required. Partial fix released in version 7.8.5; fully addressed in version 7.8.7. EPSS data and KEV status not provided in available intelligence, but the unauthenticated remote attack vector and direct path to RCE represent critical risk for sites running affected versions.
Path traversal in Vim's zip.vim plugin prior to version 9.1.1551 allows local attackers to overwrite arbitrary files when a user opens a specially crafted zip archive, potentially enabling arbitrary command execution if sensitive files or privileged locations are targeted. The vulnerability requires direct user interaction (opening a malicious zip file in Vim) and has low real-world impact due to high attack complexity and local attack vector, though publicly available exploit code exists. EPSS exploitation probability is minimal at 0.03% (7th percentile), reflecting the friction imposed by user interaction requirements.