Skip to main content

File Upload

4032 CVEs technique

Monthly

CVE-2024-52369 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Optimal Access KBucket kbucket allows Upload a Web Shell to a Web Server.2.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.7%
CVE-2024-52384 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in wpmonks Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation ai-content-generator allows Upload a Web Shell to a. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.7%
CVE-2024-52380 CRITICAL Emergency

Unrestricted file upload in softpulseinfotech Picsmize plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. CVSS 10.0 with a scope-changed vector reflects the severity, and the EPSS score of 54.26% (98th percentile) indicates elevated likelihood of exploitation attempts, though no public exploit identified at time of analysis.

File Upload
NVD
CVSS 3.1
10.0
EPSS
54.3%
CVE-2024-52379 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in faizalbahasan kineticPay for WooCommerce kineticpay-for-woocommerce allows Upload a Web Shell to a Web Server.0.8. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-52377 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in bdthemes Instant Image Generator ai-image allows Upload a Web Shell to a Web Server.5.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-52376 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for WordPress boat-rental-system allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-52375 CRITICAL Emergency

Unrestricted file upload in the Datasets Manager by Arttia Creative WordPress plugin (versions up to and including 1.5) allows remote unauthenticated attackers to upload arbitrary files of dangerous types, leading to full server compromise via webshell execution. With a maximum CVSS score of 10.0, scope-changed impact, and an EPSS score of 54.56% in the 98th percentile, this represents a critical, high-probability exploitation target. No public exploit identified at time of analysis, but the attack surface and ease of weaponization make this an urgent priority.

File Upload
NVD
CVSS 3.1
10.0
EPSS
54.6%
CVE-2024-52374 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in DoThatTask Do That Task do-that-task allows Upload a Web Shell to a Web Server.5.5. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-52373 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Team Devexhub Devexhub Gallery devexhub-gallery allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-52372 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in WebTechGlobal Easy CSV Importer BETA easy-csv-importer allows Upload a Web Shell to a Web Server.0.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.7%
CVE-2024-52302 HIGH POC This Week

common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Java File Upload
NVD GitHub Exploit-DB
CVSS 4.0
8.7
EPSS
3.2%
CVE-2024-11214 MEDIUM POC This Month

A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload Best Employee Management System
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.6%
CVE-2024-11211 MEDIUM This Month

A vulnerability classified as critical has been found in EyouCMS up to 1.6.7. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Eyoucms
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.6%
CVE-2024-45879 MEDIUM This Month

The file upload function in the "QWKalkulation" tool of baltic-it TOPqw Webportal v1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-10820 CRITICAL Act Now

The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload Woocommerce Upload Files
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-28730 MEDIUM This Month

Cross Site Scripting vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via the file upload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

D-Link XSS File Upload Dwr 2000M Firmware
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-11138 MEDIUM This Month

A vulnerability classified as problematic has been found in DedeCMS 5.7.116. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass PHP File Upload Dedecms
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
2.5%
CVE-2024-11122 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in 上海灵当信息科技有限公司 Lingdang CRM up to 8.6.4.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload Lingdang Crm
NVD VulDB
CVSS 4.0
5.3
EPSS
0.6%
CVE-2024-11018 CRITICAL Act Now

Webopac from Grand Vice info does not properly validate uploaded file types, allowing unauthenticated remote attackers to upload and execute webshells, which could lead to arbitrary code execution on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Webopac
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-11017 HIGH This Week

Webopac from Grand Vice info does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells, which could lead to arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Webopac
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-51793 CRITICAL POC THREAT Emergency

Unrestricted file upload in Ateeq Rafeeq's RepairBuddy (computer-repair-shop) WordPress plugin versions up to and including 3.8115 allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. Publicly available exploit code exists, and the EPSS score of 45.04% (98th percentile) indicates a high likelihood of exploitation activity. The maximum CVSS score of 10.0 reflects scope change and complete confidentiality, integrity, and availability impact.

File Upload
NVD GitHub
CVSS 3.1
10.0
EPSS
45.0%
Threat
4.9
CVE-2024-51792 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Dang Ngoc Binh Audio Record audio-record allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2024-51791 CRITICAL POC Act Now

Unrestricted file upload in the Made I.T. Forms WordPress plugin (forms-by-made-it) through version 2.8.0 enables remote unauthenticated attackers to upload arbitrary files, including PHP web shells, leading to full server compromise. With a maximum CVSS score of 10.0 and changed scope, the issue affects all installations up to and including 2.8.0; publicly available exploit code exists, though EPSS sits at 0.75% (73rd percentile) indicating moderate observed activity rather than mass exploitation.

File Upload
NVD GitHub
CVSS 3.1
10.0
EPSS
0.8%
CVE-2024-51790 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in HB WEBSOL HB AUDIO GALLERY hb-audio-gallery allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2024-51789 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in UjW0L Image Classify image-classify allows Upload a Web Shell to a Web Server.0.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2024-51788 CRITICAL Emergency

Unrestricted file upload in Joshua Wolfe's The Novel Design Store Directory plugin (versions up to and including 4.3.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. With a maximum CVSS of 10.0, scope change, and an EPSS of 56.19% (98th percentile), this is among the highest-risk WordPress plugin issues; no public exploit is identified at time of analysis but exploitation probability is extremely elevated. Reported by Patchstack, the flaw enables direct arbitrary code execution against any site running the affected plugin.

File Upload
NVD
CVSS 3.1
10.0
EPSS
56.2%
CVE-2024-11054 MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Simple Music Cloud Community System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload Simple Music Cloud Community System
NVD VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10801 CRITICAL Act Now

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-10547 CRITICAL Act Now

The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-10627 CRITICAL Act Now

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload Woocommerce Support Ticket System
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-51152 HIGH POC This Week

File Upload vulnerability in Laravel CMS v.1.4.7 and before allows a remote attacker to execute arbitrary code via the shell.php a component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Laravel Cms
NVD
CVSS 3.1
7.2
EPSS
0.9%
CVE-2024-11000 MEDIUM POC This Month

A vulnerability classified as problematic was found in CodeAstro Real Estate Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload Real Estate Management System
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.6%
CVE-2024-10999 MEDIUM POC This Month

A vulnerability classified as problematic has been found in CodeAstro Real Estate Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload Real Estate Management System
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.6%
CVE-2024-10994 MEDIUM POC This Month

A vulnerability has been found in Codezips Online Institute Management System 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload Online Institute Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.6%
CVE-2024-10993 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Codezips Online Institute Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload Online Institute Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.7%
CVE-2024-51758 PHP LOW PATCH Monitor

Filament is a collection of full-stack components for accelerated Laravel development. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD GitHub
CVSS 4.0
2.3
EPSS
0.5%
CVE-2024-10668 MEDIUM PATCH This Month

There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. Rated medium severity (CVSS 5.9). This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Authentication Bypass Microsoft Google File Upload Quick Share
NVD GitHub
CVSS 4.0
5.9
EPSS
0.4%
CVE-2024-8615 CRITICAL Act Now

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_location_load_excel_file_callback() function in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload Jobsearch Wp Job Board
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-8614 HIGH This Week

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress File Upload Jobsearch Wp Job Board
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-9307 CRITICAL Act Now

The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress RCE Mfolio
NVD
CVSS 3.1
9.9
EPSS
7.8%
CVE-2024-10766 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Codezips Free Exam Hall Seating Management System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Free Exam Hall Seating Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10765 MEDIUM POC This Month

A vulnerability classified as critical was found in Codezips Online Institute Management System up to 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Institute Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10764 MEDIUM POC This Month

A vulnerability classified as critical has been found in Codezips Online Institute Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Institute Management System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-50531 CRITICAL Act Now

Unrestricted file upload in the RSVPMaker for Toastmasters WordPress plugin (versions through 6.2.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects scope change with complete confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and EPSS remains modest at 0.89% (75th percentile).

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.9%
CVE-2024-50530 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Upload a Web Shell to a Web Server.2.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.9%
CVE-2024-50529 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in rudrainn Training - Courses training allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.9%
CVE-2024-50527 CRITICAL Act Now

Unrestricted file upload in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) permits remote unauthenticated attackers to upload arbitrary files, including web shells, to vulnerable WordPress sites. The CVSS 10.0 score with a scope-changed vector reflects full compromise potential of the underlying web server, though no public exploit has been identified at time of analysis and the EPSS score of 0.89% (75th percentile) suggests no widespread exploitation observed yet.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.9%
CVE-2024-50526 CRITICAL POC Act Now

Unrestricted file upload in the Multi Purpose Mail Form WordPress plugin (versions through 1.0.2) by Lindeni Mahlalela allows unauthenticated remote attackers to upload arbitrary files including web shells, yielding full server compromise. CVSS is 10.0 with scope change, and publicly available exploit code exists; EPSS sits at 1.14% (78th percentile), indicating moderate but not yet widespread automated exploitation interest.

File Upload
NVD GitHub
CVSS 3.1
10.0
EPSS
1.1%
CVE-2024-50525 CRITICAL Act Now

Unrestricted file upload in the Helloprint WordPress plugin (versions through 2.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-auth exploitation with scope change and full CIA impact, though no public exploit has been identified at time of analysis and EPSS remains modest at 1.23% (79th percentile).

File Upload
NVD
CVSS 3.1
10.0
EPSS
1.2%
CVE-2024-50523 CRITICAL Act Now

Unrestricted file upload in the RainbowLink All Post Contact Form WordPress plugin (versions up to and including 1.8.2) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope change (S:C) indicates the impact extends beyond the vulnerable component to the underlying WordPress host. No public exploit identified at time of analysis, and EPSS of 0.89% (75th percentile) suggests moderate but not yet widespread exploitation interest.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.9%
CVE-2024-39639 LOW Monitor

Broken Access Control vulnerability in Nickolas Bossinas WordPress File Upload allows Exploiting Incorrectly Configured Access Control Security Levels.24.7. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress CSRF File Upload Wordpress File Upload
NVD
CVSS 3.1
3.5
EPSS
0.2%
CVE-2024-10392 CRITICAL Act Now

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
CVSS 3.1
9.8
EPSS
13.1%
CVE-2024-48734 HIGH This Week

Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-48093 HIGH This Week

Unrestricted File Upload in the Discussions tab in Operately v.0.1.0 allows a privileged user to achieve Remote Code Execution via uploading and executing malicious files without validating file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD GitHub
CVSS 3.1
8.0
EPSS
0.6%
CVE-2024-48202 CRITICAL POC Act Now

icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Icecms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-48646 HIGH POC This Week

An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Sage Frp 1000
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-50511 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in donimedia WP donimedia carousel wp-donimedia-carousel allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.9%
CVE-2024-50510 CRITICAL Emergency

Unrestricted file upload in the AR For Woocommerce WordPress plugin (versions through 6.3) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full remote code execution on the underlying web server. The vulnerability carries a maximum CVSS score of 10.0 with scope change, and an EPSS score in the 97th percentile (33.03%) indicates significantly elevated exploitation probability, though no public exploit is identified at time of analysis.

File Upload WordPress
NVD
CVSS 3.1
10.0
EPSS
33.0%
CVE-2024-7985 HIGH PATCH This Week

The FileOrganizer - Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload Fileorganizer
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2024-50473 CRITICAL Emergency

Unrestricted file upload in the Ajar in5 Embed WordPress plugin (versions up to and including 3.1.3) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS of 61.50% (98th percentile) indicates a very high probability of near-term exploitation, though no public exploit or KEV listing was identified at time of analysis.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
61.5%
CVE-2024-50427 CRITICAL Emergency

Unrestricted file upload in SurveyJS versions up to and including 1.9.136 allows authenticated remote attackers to upload files of dangerous types, enabling code execution or content takeover with scope change to other components. EPSS scores this at the 99th percentile (69.65%) indicating very high exploitation probability, though no public exploit identified at time of analysis and not listed in CISA KEV.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
69.7%
Threat
4.1
CVE-2024-50420 CRITICAL Act Now

Unauthenticated remote code execution in aDirectory plugin versions up to and including 1.3 allows attackers to upload arbitrary files (web shells) to the web server with no authentication or user interaction required. The CVSS 10.0 score with scope-changed impact indicates full compromise potential, and while no public exploit is identified at time of analysis, the EPSS score of 1.67% (82nd percentile) signals elevated exploitation interest relative to the broader CVE population.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.7%
CVE-2024-50494 CRITICAL Act Now

Unrestricted file upload in the Sudan Payment Gateway for WooCommerce WordPress plugin (versions up to and including 1.2.2) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS 10.0 score reflecting network attack vector, no privileges, and changed scope, exploitation yields full server compromise; no public exploit identified at time of analysis, though EPSS places it at the 77th percentile indicating moderate predicted exploitation likelihood.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
1.0%
CVE-2024-50493 CRITICAL Emergency

Unrestricted file upload in the masterhomepage Automatic Translation WordPress plugin (versions through 1.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The flaw carries a maximum CVSS 10.0 due to its network-reachable, no-interaction nature with scope change, and EPSS rates exploitation probability at 55.5% (98th percentile), indicating substantial likelihood of attack despite no public exploit identified at time of analysis.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
55.5%
CVE-2024-50484 CRITICAL Act Now

Unrestricted file upload in Lindeni Mahlalela's Multi Purpose Mail Form WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to upload web shells and achieve remote code execution on the underlying web server. The CVSS 10.0 score reflects the worst-case scenario: network reachable, no authentication, no user interaction, and scope-changed impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though EPSS places this in the 82nd percentile, indicating above-average exploitation likelihood relative to other CVEs.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.6%
CVE-2024-50482 CRITICAL Emergency

Unrestricted file upload in the Chetan Khandla 'Woocommerce Product Design' WordPress plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, achieving full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and EPSS places it in the 98th percentile (55.5% probability of exploitation), though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
55.5%
CVE-2024-50480 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Upload a Web Shell to a Web Server.27.80. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2024-50496 CRITICAL Act Now

Unauthenticated arbitrary file upload in the AR For WordPress plugin (versions up to and including 6.6) allows remote attackers to upload web shells and achieve full site compromise. With a maximum CVSS score of 10.0 and CWE-434 (Unrestricted Upload of File with Dangerous Type), the flaw is critical, though no public exploit identified at time of analysis and EPSS sits at 1.31% (80th percentile) indicating moderate predicted exploitation activity. Reported via Patchstack, the issue affects all known versions of the plugin from webandprint.

File Upload WordPress
NVD VulDB
CVSS 3.1
10.0
EPSS
1.3%
CVE-2024-50495 CRITICAL Act Now

Unrestricted file upload in the Plugin Propagator WordPress plugin (versions up to and including 0.1) by nunomorgadinho allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the web server. With a CVSS of 10.0 and a changed scope, successful exploitation results in full compromise of the underlying WordPress site and potentially adjacent systems. No public exploit identified at time of analysis, though the 1.31% EPSS score (80th percentile) indicates above-average attacker interest relative to the broader CVE population.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
1.3%
CVE-2024-48594 HIGH POC Act Now

File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Prison Management System
NVD GitHub
CVSS 3.1
8.8
EPSS
3.3%
CVE-2024-50623 CRITICAL POC KEV THREAT Act Now

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Harmony Lexicom Vltrader
NVD
CVSS 3.1
9.8
EPSS
98.5%
CVE-2024-10420 MEDIUM This Month

A vulnerability classified as critical has been found in SourceCodester Attendance and Payroll System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Attendance And Payroll System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10413 MEDIUM This Month

A vulnerability, which was classified as critical, has been found in SourceCodester Online Hotel Reservation System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Online Hotel Reservation System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2024-10412 MEDIUM POC This Month

A vulnerability was found in Poco-z Guns-Medical 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Guns Medial
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2024-10410 MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Online Hotel Reservation System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Hotel Reservation System
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
1.1%
CVE-2024-9932 CRITICAL POC THREAT Act Now

The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress File Upload
NVD GitHub
CVSS 3.1
9.8
EPSS
35.8%
CVE-2024-48450 MEDIUM This Month

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into chat group. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF RCE File Upload
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-37847 HIGH This Week

An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal File Upload Mango Mangoapi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-48448 MEDIUM This Month

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS File Upload
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-48581 CRITICAL POC Act Now

File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE File Upload Best Courier Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-10016 MEDIUM This Month

The File Upload Types by WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.0 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS File Upload
NVD
CVSS 3.1
6.4
EPSS
0.4%
CVE-2024-45263 HIGH This Week

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

File Upload Mt6000 Firmware Mt3000 Firmware Mt2500 Firmware Axt1800 Firmware +17
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-48454 HIGH This Week

An issue in SourceCodester Purchase Order Management System v1.0 allows a remote attacker to execute arbitrary code via the /admin?page=user component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Purchase Order Management System
NVD GitHub
CVSS 3.1
7.2
EPSS
0.9%
CVE-2024-49676 MEDIUM This Month

Unrestricted Upload of File with Dangerous Type vulnerability in Michael Bourne Custom Icons for Elementor custom-icons-for-elementor allows Upload a Web Shell to a Web Server.3.3. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
6.6
EPSS
0.1%
CVE-2024-49671 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Dogu Pekgoz AI Image Generator for Your Content & Featured Images - AI Postpix ai-postpix allows Upload a Web Shell to a Web. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2024-49669 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official ink-official allows Upload a Web Shell to a Web Server.1.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2024-49668 CRITICAL Emergency

Remote code execution in the Verbalize WP WordPress plugin (versions through 1.0) allows unauthenticated attackers to upload arbitrary files, including web shells, to the target web server. With a maximum CVSS score of 10.0 and an EPSS probability of 58.95% (98th percentile), this represents a critical, easily exploitable flaw, though no public exploit was identified at time of analysis and the CVE is not currently listed in CISA KEV.

File Upload
NVD VulDB
CVSS 3.1
10.0
EPSS
59.0%
CVE-2024-49658 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in ecomerciar Woocommerce Custom Profile Picture woo-custom-profile-picture allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2024-49653 CRITICAL Emergency

Arbitrary web shell upload in james-eggers Portfolleo WordPress plugin (versions through 1.2) allows authenticated remote attackers to upload dangerous file types and achieve remote code execution on the underlying web server. CVSS 9.9 with scope change indicates the compromise extends beyond the plugin context to the hosting environment. EPSS of 58.97% (98th percentile) signals elevated exploitation probability, though no public exploit was identified and KEV does not list this CVE.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
59.0%
CVE-2024-49652 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Renata Bracichowicz 3D Work In Progress renee-work-in-progress allows Upload a Web Shell to a Web Server.0.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
CVSS 3.1
9.9
EPSS
0.6%
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Optimal Access KBucket kbucket allows Upload a Web Shell to a Web Server.2.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in wpmonks Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation ai-content-generator allows Upload a Web Shell to a. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 54% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in softpulseinfotech Picsmize plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. CVSS 10.0 with a scope-changed vector reflects the severity, and the EPSS score of 54.26% (98th percentile) indicates elevated likelihood of exploitation attempts, though no public exploit identified at time of analysis.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in faizalbahasan kineticPay for WooCommerce kineticpay-for-woocommerce allows Upload a Web Shell to a Web Server.0.8. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in bdthemes Instant Image Generator ai-image allows Upload a Web Shell to a Web Server.5.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for WordPress boat-rental-system allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress
NVD
EPSS 55% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the Datasets Manager by Arttia Creative WordPress plugin (versions up to and including 1.5) allows remote unauthenticated attackers to upload arbitrary files of dangerous types, leading to full server compromise via webshell execution. With a maximum CVSS score of 10.0, scope-changed impact, and an EPSS score of 54.56% in the 98th percentile, this represents a critical, high-probability exploitation target. No public exploit identified at time of analysis, but the attack surface and ease of weaponization make this an urgent priority.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in DoThatTask Do That Task do-that-task allows Upload a Web Shell to a Web Server.5.5. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Team Devexhub Devexhub Gallery devexhub-gallery allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in WebTechGlobal Easy CSV Importer BETA easy-csv-importer allows Upload a Web Shell to a Web Server.0.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 3% CVSS 8.7
HIGH POC This Week

common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Java File Upload
NVD GitHub Exploit-DB
EPSS 1% CVSS 5.1
MEDIUM POC This Month

A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM This Month

A vulnerability classified as critical has been found in EyouCMS up to 1.6.7. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass File Upload Eyoucms
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

The file upload function in the "QWKalkulation" tool of baltic-it TOPqw Webportal v1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS File Upload
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross Site Scripting vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via the file upload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

D-Link XSS File Upload +1
NVD GitHub
EPSS 2% CVSS 5.1
MEDIUM This Month

A vulnerability classified as problematic has been found in DedeCMS 5.7.116. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in 上海灵当信息科技有限公司 Lingdang CRM up to 8.6.4.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Webopac from Grand Vice info does not properly validate uploaded file types, allowing unauthenticated remote attackers to upload and execute webshells, which could lead to arbitrary code execution on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Webopac
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Webopac from Grand Vice info does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells, which could lead to arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Webopac
NVD
EPSS 45% 4.9 CVSS 10.0
CRITICAL POC THREAT Emergency

Unrestricted file upload in Ateeq Rafeeq's RepairBuddy (computer-repair-shop) WordPress plugin versions up to and including 3.8115 allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full server compromise. Publicly available exploit code exists, and the EPSS score of 45.04% (98th percentile) indicates a high likelihood of exploitation activity. The maximum CVSS score of 10.0 reflects scope change and complete confidentiality, integrity, and availability impact.

File Upload
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Dang Ngoc Binh Audio Record audio-record allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

Unrestricted file upload in the Made I.T. Forms WordPress plugin (forms-by-made-it) through version 2.8.0 enables remote unauthenticated attackers to upload arbitrary files, including PHP web shells, leading to full server compromise. With a maximum CVSS score of 10.0 and changed scope, the issue affects all installations up to and including 2.8.0; publicly available exploit code exists, though EPSS sits at 0.75% (73rd percentile) indicating moderate observed activity rather than mass exploitation.

File Upload
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in HB WEBSOL HB AUDIO GALLERY hb-audio-gallery allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in UjW0L Image Classify image-classify allows Upload a Web Shell to a Web Server.0.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 56% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in Joshua Wolfe's The Novel Design Store Directory plugin (versions up to and including 4.3.0) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. With a maximum CVSS of 10.0, scope change, and an EPSS of 56.19% (98th percentile), this is among the highest-risk WordPress plugin issues; no public exploit is identified at time of analysis but exploitation probability is extremely elevated. Reported by Patchstack, the flaw enables direct arbitrary code execution against any site running the affected plugin.

File Upload
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Simple Music Cloud Community System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

File Upload vulnerability in Laravel CMS v.1.4.7 and before allows a remote attacker to execute arbitrary code via the shell.php a component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD
EPSS 1% CVSS 5.1
MEDIUM POC This Month

A vulnerability classified as problematic was found in CodeAstro Real Estate Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM POC This Month

A vulnerability classified as problematic has been found in CodeAstro Real Estate Management System 1.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been found in Codezips Online Institute Management System 1.0 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Codezips Online Institute Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP File Upload +1
NVD GitHub VulDB
EPSS 1% CVSS 2.3
LOW PATCH Monitor

Filament is a collection of full-stack components for accelerated Laravel development. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

There exists an auth bypass in Google Quickshare where an attacker can upload an unknown file type to a victim. Rated medium severity (CVSS 5.9). This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Authentication Bypass Microsoft Google +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_location_load_excel_file_callback() function in all. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 8% CVSS 9.9
CRITICAL Act Now

The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress RCE +1
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Codezips Free Exam Hall Seating Management System 1.0.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Free Exam Hall Seating Management System
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in Codezips Online Institute Management System up to 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Institute Management System
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical has been found in Codezips Online Institute Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Institute Management System
NVD GitHub VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the RSVPMaker for Toastmasters WordPress plugin (versions through 6.2.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects scope change with complete confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and EPSS remains modest at 0.89% (75th percentile).

File Upload
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Upload a Web Shell to a Web Server.2.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in rudrainn Training - Courses training allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) permits remote unauthenticated attackers to upload arbitrary files, including web shells, to vulnerable WordPress sites. The CVSS 10.0 score with a scope-changed vector reflects full compromise potential of the underlying web server, though no public exploit has been identified at time of analysis and the EPSS score of 0.89% (75th percentile) suggests no widespread exploitation observed yet.

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL POC Act Now

Unrestricted file upload in the Multi Purpose Mail Form WordPress plugin (versions through 1.0.2) by Lindeni Mahlalela allows unauthenticated remote attackers to upload arbitrary files including web shells, yielding full server compromise. CVSS is 10.0 with scope change, and publicly available exploit code exists; EPSS sits at 1.14% (78th percentile), indicating moderate but not yet widespread automated exploitation interest.

File Upload
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the Helloprint WordPress plugin (versions through 2.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score reflects network-reachable, no-auth exploitation with scope change and full CIA impact, though no public exploit has been identified at time of analysis and EPSS remains modest at 1.23% (79th percentile).

File Upload
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the RainbowLink All Post Contact Form WordPress plugin (versions up to and including 1.8.2) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The CVSS 10.0 score with scope change (S:C) indicates the impact extends beyond the vulnerable component to the underlying WordPress host. No public exploit identified at time of analysis, and EPSS of 0.89% (75th percentile) suggests moderate but not yet widespread exploitation interest.

File Upload
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Broken Access Control vulnerability in Nickolas Bossinas WordPress File Upload allows Exploiting Incorrectly Configured Access Control Security Levels.24.7. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress CSRF File Upload +1
NVD
EPSS 13% CVSS 9.8
CRITICAL Act Now

The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows remote attacker to upload malicious files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD GitHub
EPSS 1% CVSS 8.0
HIGH This Week

Unrestricted File Upload in the Discussions tab in Operately v.0.1.0 allows a privileged user to achieve Remote Code Execution via uploading and executing malicious files without validating file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Icecms
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC This Week

An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Sage Frp 1000
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in donimedia WP donimedia carousel wp-donimedia-carousel allows Upload a Web Shell to a Web Server.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 33% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the AR For Woocommerce WordPress plugin (versions through 6.3) allows remote unauthenticated attackers to upload arbitrary files including web shells, leading to full remote code execution on the underlying web server. The vulnerability carries a maximum CVSS score of 10.0 with scope change, and an EPSS score in the 97th percentile (33.03%) indicates significantly elevated exploitation probability, though no public exploit is identified at time of analysis.

File Upload WordPress
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The FileOrganizer - Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload +1
NVD
EPSS 62% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the Ajar in5 Embed WordPress plugin (versions up to and including 3.1.3) allows remote unauthenticated attackers to upload arbitrary files, including web shells, leading to full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and an EPSS of 61.50% (98th percentile) indicates a very high probability of near-term exploitation, though no public exploit or KEV listing was identified at time of analysis.

File Upload
NVD VulDB
EPSS 70% 4.1 CVSS 9.9
CRITICAL Emergency

Unrestricted file upload in SurveyJS versions up to and including 1.9.136 allows authenticated remote attackers to upload files of dangerous types, enabling code execution or content takeover with scope change to other components. EPSS scores this at the 99th percentile (69.65%) indicating very high exploitation probability, though no public exploit identified at time of analysis and not listed in CISA KEV.

File Upload
NVD VulDB
EPSS 2% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote code execution in aDirectory plugin versions up to and including 1.3 allows attackers to upload arbitrary files (web shells) to the web server with no authentication or user interaction required. The CVSS 10.0 score with scope-changed impact indicates full compromise potential, and while no public exploit is identified at time of analysis, the EPSS score of 1.67% (82nd percentile) signals elevated exploitation interest relative to the broader CVE population.

File Upload
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the Sudan Payment Gateway for WooCommerce WordPress plugin (versions up to and including 1.2.2) allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the underlying web server. With a CVSS 10.0 score reflecting network attack vector, no privileges, and changed scope, exploitation yields full server compromise; no public exploit identified at time of analysis, though EPSS places it at the 77th percentile indicating moderate predicted exploitation likelihood.

File Upload WordPress
NVD VulDB
EPSS 56% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the masterhomepage Automatic Translation WordPress plugin (versions through 1.0.4) allows remote unauthenticated attackers to upload web shells and achieve full server compromise. The flaw carries a maximum CVSS 10.0 due to its network-reachable, no-interaction nature with scope change, and EPSS rates exploitation probability at 55.5% (98th percentile), indicating substantial likelihood of attack despite no public exploit identified at time of analysis.

File Upload
NVD VulDB
EPSS 2% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in Lindeni Mahlalela's Multi Purpose Mail Form WordPress plugin (versions up to and including 1.0.2) allows remote unauthenticated attackers to upload web shells and achieve remote code execution on the underlying web server. The CVSS 10.0 score reflects the worst-case scenario: network reachable, no authentication, no user interaction, and scope-changed impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though EPSS places this in the 82nd percentile, indicating above-average exploitation likelihood relative to other CVEs.

File Upload
NVD VulDB
EPSS 56% CVSS 10.0
CRITICAL Emergency

Unrestricted file upload in the Chetan Khandla 'Woocommerce Product Design' WordPress plugin (versions up to and including 1.0.0) allows remote unauthenticated attackers to upload arbitrary files, including web shells, achieving full server compromise. The flaw carries a maximum CVSS score of 10.0 with scope change, and EPSS places it in the 98th percentile (55.5% probability of exploitation), though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

File Upload WordPress
NVD VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO marketing-automation-by-azexo allows Upload a Web Shell to a Web Server.27.80. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unauthenticated arbitrary file upload in the AR For WordPress plugin (versions up to and including 6.6) allows remote attackers to upload web shells and achieve full site compromise. With a maximum CVSS score of 10.0 and CWE-434 (Unrestricted Upload of File with Dangerous Type), the flaw is critical, though no public exploit identified at time of analysis and EPSS sits at 1.31% (80th percentile) indicating moderate predicted exploitation activity. Reported via Patchstack, the issue affects all known versions of the plugin from webandprint.

File Upload WordPress
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unrestricted file upload in the Plugin Propagator WordPress plugin (versions up to and including 0.1) by nunomorgadinho allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the web server. With a CVSS of 10.0 and a changed scope, successful exploitation results in full compromise of the underlying WordPress site and potentially adjacent systems. No public exploit identified at time of analysis, though the 1.31% EPSS score (80th percentile) indicates above-average attacker interest relative to the broader CVE population.

File Upload
NVD VulDB
EPSS 3% CVSS 8.8
HIGH POC Act Now

File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Prison Management System
NVD GitHub
EPSS 99% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE File Upload Harmony +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability classified as critical has been found in SourceCodester Attendance and Payroll System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Attendance And Payroll System
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability, which was classified as critical, has been found in SourceCodester Online Hotel Reservation System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Online Hotel Reservation System
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in Poco-z Guns-Medical 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Guns Medial
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability classified as critical was found in SourceCodester Online Hotel Reservation System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Online Hotel Reservation System
NVD GitHub VulDB
EPSS 36% CVSS 9.8
CRITICAL POC THREAT Act Now

The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress File Upload
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into chat group. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF RCE File Upload
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal File Upload +2
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS File Upload
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +2
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The File Upload Types by WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.0 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS File Upload
NVD
EPSS 0% CVSS 8.8
HIGH This Week

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

File Upload Mt6000 Firmware Mt3000 Firmware +19
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

An issue in SourceCodester Purchase Order Management System v1.0 allows a remote attacker to execute arbitrary code via the /admin?page=user component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Purchase Order Management System
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM This Month

Unrestricted Upload of File with Dangerous Type vulnerability in Michael Bourne Custom Icons for Elementor custom-icons-for-elementor allows Upload a Web Shell to a Web Server.3.3. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Dogu Pekgoz AI Image Generator for Your Content & Featured Images - AI Postpix ai-postpix allows Upload a Web Shell to a Web. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official ink-official allows Upload a Web Shell to a Web Server.1.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
EPSS 59% CVSS 10.0
CRITICAL Emergency

Remote code execution in the Verbalize WP WordPress plugin (versions through 1.0) allows unauthenticated attackers to upload arbitrary files, including web shells, to the target web server. With a maximum CVSS score of 10.0 and an EPSS probability of 58.95% (98th percentile), this represents a critical, easily exploitable flaw, though no public exploit was identified at time of analysis and the CVE is not currently listed in CISA KEV.

File Upload
NVD VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in ecomerciar Woocommerce Custom Profile Picture woo-custom-profile-picture allows Upload a Web Shell to a Web Server.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload WordPress
NVD VulDB
EPSS 59% CVSS 9.9
CRITICAL Emergency

Arbitrary web shell upload in james-eggers Portfolleo WordPress plugin (versions through 1.2) allows authenticated remote attackers to upload dangerous file types and achieve remote code execution on the underlying web server. CVSS 9.9 with scope change indicates the compromise extends beyond the plugin context to the hosting environment. EPSS of 58.97% (98th percentile) signals elevated exploitation probability, though no public exploit was identified and KEV does not list this CVE.

File Upload
NVD VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Renata Bracichowicz 3D Work In Progress renee-work-in-progress allows Upload a Web Shell to a Web Server.0.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD VulDB
Prev Page 17 of 45 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy