The Consensus Security Vulnerability Alert

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

The Top 10 Not So Common SSH Usernames and Passwords

Published: 2024-10-16.

Last Updated: 2024-10-16 17:26:49 UTC

by Johannes Ullrich (Version: 1)

Our list of "Top" ssh usernames and password is pretty static. Well known defaults, like "root" and "admin" are at the top of the list. But there are always some usernames and password in the list that are not as well known, or only showed up more recently. I will focus in this diary on these "second tier" credentials.

345gs5662d34

Used by Polycom CX600 IP phones, this password often shows up in the username field (as other passwords do) if sloppy bots do enter it into the wrong field.

zyfwp

A backdoor account in Zyxel equipment. It was found by Rapid 7 (and later removed by Zyxel) in 2020.

yhtcAdmin

Used in "Youhua PT939G" fiber routers.

vadmin

The default username for the web hosting platform LiteSpeed. Can be used via SSH or HTTP.

telecomadmin

The username used by Huawei ONT HG8245H5 fiber termination kit.

chenzilong

Not sure. But it may be a popular Chinese character. Maybe anybody reading this knows?

7ujMko0admin

Some Dahua network NVRs use this telnet/ssh password. They are pretending the string "7ujMko0" to the web password, which by default is "admin".

a1sev5y7c39k

The default password for some unspecified routers using the Realtek chipset.

Xpon@Olt9417#

V*SOL GPON OLT default password

ve0RbANG

used with the "YhtcAdmin" username for Youhua PT939G optical network termination equipment. The same device also uses Admin/1234 and Admin/Telecom_1234. .

You can look at our top password list here:

https://isc.sans.edu/data/ssh.html

I will add some of the details about our username and password pages as you look up a particular password. For example:

https://isc.sans.edu/ssh_usernames.html?username=345gs5662d34

Complete diary:

https://isc.sans.edu/diary/The+Top+10+Not+So+Common+SSH+Usernames+and+Passwords/31360/

A Network Nerd's Take on Emergency Preparedness

Published: 2024-10-15. Last Updated: 2024-10-21 15:10:48 UTC

by Johannes Ullrich (Version: 1)

Over the last month, two hurricanes barely missed me. Luckily, neither caused me any significant inconvenience. Sadly, others were not as lucky, and I think this is a good time to do a little "Lessons Learned" exercise. It made me reconsider some of my emergency preparations. I will take a "geek spin" on emergency preparedness in this post. There are better sources to talk about what food to store and how to fill your tub with sufficient water. I will focus more on power and data connectivity. At least once, someone complained that the "Internet Storm Center" does not talk about the weather. This post should keep them happy :).

One advantage of hurricanes, compared to other disasters like earthquakes, is that they are usually announced several days ahead. One very viable option is to "get out". If you plan to get out, make a hotel reservation in a safe spot early. Maybe make a hotel reservation that can be canceled on short notice if you do not need it. Or call some friends/family. Leave before mandatory evacuations are announced. Roads are usually packed 24-48 hours before the storm's landfall.

Unplug as many devices as possible before the storm hits (or before you leave), or disconnect circuit breakers. It may be worthwhile to disconnect cable modems and other devices. During a storm, power will often be unstable, and I have seen power lines fall on cable TV and phone lines. This should not cause harm, but it is best to be safe. At the same time, make sure any rechargeable devices and battery packs are fully charged, and turn them off.

If you own a portable backup battery, ensure they are fully turned off while not in use. These batteries' inverters can use significant power even without any devices plugged in [1].

I am not an electrician, so I refer to others for generator safety issues. Generators connected to natural gas may provide longer-term power backup as long as the natural gas supply is not disrupted. For other fuels, it depends on how much you can store locally.

If you use mobile solar cells: Bring them inside during the storm. Same for any antennas that can be detached, like satellite or cell phone external antennas.

Backup batteries will provide you power for a limited time. Most UPS systems will last 15-60 minutes. Some larger battery packs can last a day (e.g. Tesla Powerwall). Most will not last much longer, but you can extend the lifetime by reducing power consumption, particularly for heavy uses like air conditioners. People outside Florida may not realize it, but after the hurricane passes, you often end up with sunny and hot weather. It may not be easy to live without air conditioning.

Most solar systems will not provide backup power without a battery backup. Only some relatively new inverters can run without grid power or supporting a regular generator. The solar system should be off if the generator is running unless the solar system was specifically designed to support the generator. Do not overestimate the capacity of your backup power solution. You often have surges as devices are turned on (for example, refrigerators). My non-electrician rule of thumb is that you need about three times the capacity of your steady-state usage. [2]

And of course, electricity and water do not work well with each other. If water intrudes into your house, you may still want to turn the devices off.

One issue that kept coming up during the recent storms was the reliability of cellular services. In particular, in more rural areas, which often do not have great cellular coverage in the first place, cellular networks were often not usable. Cellular towers still require uplinks and are sometimes destroyed by high winds or water. Power backup is often limited. Mobile operators will sometimes deploy temporary emergency backup towers. However, these towers may only offer a limited range and capacity. Most phones will allow roaming by default, and mobile operators will allow each other's customers to use their network during disasters. But double-check that your phone has roaming enabled ...

[1] https://www.donrowe.com/power-inverter-faq-a/258.htm

[2] https://www.greenlancer.com/post/solar-battery-backup-vs-generator

Complete diary:

https://isc.sans.edu/diary/A+Network+Nerds+Take+on+Emergency+Preparedness/31356/

Everybody Loves Bash Scripts. Including Attackers. (2024.10.23)

https://isc.sans.edu/diary/Everybody+Loves+Bash+Scripts+Including+Attackers/31376/

How much HTTP (not HTTPS) Traffic is Traversing Your Perimeter? (2024.10.22)

https://isc.sans.edu/diary/How+much+HTTP+not+HTTPS+Traffic+is+Traversing+Your+Perimeter/31372/

Scanning Activity from Subnet 15.184.0.0/16 (2024.10.17)

https://isc.sans.edu/diary/Scanning+Activity+from+Subnet+151840016/31362/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

Product: Kubernetes Image Builder

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9486

ISC Podcast: https://isc.sans.edu/podcastdetail/9184

NVD References:

- https://github.com/kubernetes-sigs/image-builder/pull/1595

- https://github.com/kubernetes/kubernetes/issues/128006

- https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ

Product: Grafana

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9264

ISC Podcast: https://isc.sans.edu/podcastdetail/9188

NVD References: https://grafana.com/security/security-advisories/cve-2024-9264/

Product: ScienceLogic SL1

CVSS Score: 9.8

** KEV since 2024-10-21 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9537

NVD References:

- https://arcticwolf.com/resources/blog/rackspace-breach-linked-to-zero-day-vulnerability-sciencelogic-sl1s-third-party-utility/

- https://community.sciencelogic.com/blog/latest-kb-articles-and-known-issues-blog-board/week-of-september-30-2024---latest-kb-articles-and-known-issues-part-1-of-2/1690

- https://rackspace.service-now.com/system_status?id=detailed_status&service=4dafca5a87f41610568b206f8bbb35a6

- https://support.sciencelogic.com/s/article/15465

- https://support.sciencelogic.com/s/article/15527

- https://twitter.com/ynezzor/status/1839931641172467907

- https://www.bleepingcomputer.com/news/security/rackspace-monitoring-data-stolen-in-sciencelogic-zero-day-attack/

- https://www.theregister.com/2024/09/30/rackspace_zero_day_attack/

Product: SolarWinds Web Help Desk

CVSS Score: 0

** KEV since 2024-10-15 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28987

ISC Podcast: https://isc.sans.edu/podcastdetail/9184

Product: Fortinet FortiOS

CVSS Score: 0

** KEV since 2024-10-09 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23113

ISC Podcast: https://isc.sans.edu/podcastdetail/9180

Product: Kubernetes Image Builder

CVSS Score: 6.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9594

ISC Podcast: https://isc.sans.edu/podcastdetail/9184

NVD References:

- https://github.com/kubernetes-sigs/image-builder/pull/1596

- https://github.com/kubernetes/kubernetes/issues/128007

- https://groups.google.com/g/kubernetes-security-announce/c/UKJG-oZogfA/m/Lu1hcnHmAQAJ

Product: Spring DataBinder

CVSS Score: 3.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38820

ISC Podcast: https://isc.sans.edu/podcastdetail/9188

NVD References: https://spring.io/security/cve-2024-38820

Product: UsualToolCMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9916

NVD References:

- https://github.com/DeepMountains/zzz/blob/main/CVE5-1.md

- https://vuldb.com/?ctiid.280244

- https://vuldb.com/?id.280244

- https://vuldb.com/?submit.418748

Product: TEAMPLUS TECHNOLOGY The Team+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9921

NVD References:

- https://www.twcert.org.tw/en/cp-139-8125-4a1ad-2.html

- https://www.twcert.org.tw/tw/cp-132-8124-d9b92-1.html

Product: Hgiga OAKlouds

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9924

NVD References:

- https://www.twcert.org.tw/en/cp-139-8131-0b5e1-2.html

- https://www.twcert.org.tw/tw/cp-132-8130-89bb1-1.html

Product: Moxa Service

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9137

NVD References: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241154-missing-authentication-and-os-command-injection-vulnerabilities-in-routers-and-network-security-appliances

Product: Magicbug Cloudlog

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48253

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48255

NVD References:

- https://chiggerlor.substack.com/p/unauthenticated-sql-injection-in-9a3

- https://github.com/magicbug/Cloudlog

- https://www.magicbug.co.uk/cloudlog/

Product: Wavelog

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48251

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48257

NVD References:

- https://chiggerlor.substack.com/p/unauthenticated-sql-injection-in

- https://github.com/wavelog/wavelog/commit/0bf2675d93602b591850790c8fcfced886eca423

- https://www.wavelog.org

Product: D-Link DIR-820L

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48150

NVD References: https://github.com/fu37kola/cve/blob/main/D-Link/DIR-820L/D-Link%20DIR-820L%20Stack%20Overflow%20Vulnerability.md

Product: D-Link DCS-960L

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48168

NVD References: https://github.com/fu37kola/cve/blob/main/D-Link/DCS-960L/D-Link%20DCS-960L%201.09%20Stack%20overflow_1.md

Product: DrayTek Vigor3900

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48153

NVD References: https://github.com/tw11ty/CVE/blob/main/DrayTek/Vigor3900/Vigor3900%20command%20execution%20vulnerability.md

Product: Jepaas v7.2.8

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46535

NVD References: https://gitee.com/ketr/jepaas-release/issues/IAPJ8H?from=project-issue

Product: Nagios XI

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-48082

NVD References: https://www.nagios.com/change-log/

Product: Automatic Systems Maintenance SlimLane

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48823

NVD References: https://daly.wtf/multiple-vulnerabilities-discovered-in-automatic-systems-software/

Product: ChanGate Property Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9972

NVD References:

- https://www.twcert.org.tw/en/cp-139-8141-9b045-2.html

- https://www.twcert.org.tw/tw/cp-132-8140-ee91e-1.html

Product: Esi Technology AIM LINE Marketing Platform

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9982

NVD References:

- https://www.twcert.org.tw/en/cp-139-8147-eb650-2.html

- https://www.twcert.org.tw/tw/cp-132-8146-497a2-1.html

Product: Tai Smart Factory QPLANT SF

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9925

NVD References: https://incibe.es/en/incibe-cert/notices/aviso-sci/sql-injection-qplant-tai-smart-factory

Product: Ragic Enterprise Cloud Database

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9984

NVD References:

- https://www.twcert.org.tw/en/cp-139-8151-1a4b5-2.html

- https://www.twcert.org.tw/tw/cp-132-8150-c955a-1.html

Product: Ragic Enterprise Cloud Database

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9985

NVD References:

- https://www.twcert.org.tw/en/cp-139-8153-1120e-2.html

- https://www.twcert.org.tw/tw/cp-132-8152-09e81-1.html

Product: Rittal IoT Interface & CMC III Processing Unit

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-47945

NVD References:

- https://r.sec-consult.com/rittaliot

- https://www.rittal.com/de-de/products/deep/3124300

Product: Oretnom23 Online_Eyewear_Shop 1.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9973

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9974

NVD References:

- https://gist.github.com/higordiego/b9699573de61b26f2290e69f38d23fd0

- https://gist.github.com/higordiego/2373b9e3e89f03e5f8888efd38eb4b48

- https://www.sourcecodester.com/

Product: MB connect line MbNET.Mini

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45274 (Missing Authentication for Critical Function)

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45275 (Use of Hard-coded Credentials)

NVD References:

- https://cert.vde.com/en/advisories/VDE-2024-056

- https://cert.vde.com/en/advisories/VDE-2024-066

Product: Acronis Cyber Protect

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49388

NVD References: https://security-advisory.acronis.com/advisories/SEC-5984

Product: Code-Projects Pharmacy Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9976

NVD References:

- https://code-projects.org/

- https://gist.github.com/higordiego/b57040961b993cb5f1bfe0005f6b57be

Product: Phpgurukul User Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48283

NVD References: https://github.com/m14r41/Writeups/blob/main/CVE/phpGurukul/User%20Registration%20%26%20Login%20and%20User%20Management%20System%20With%20admin%20panel/SQL%20Injection%20-%20Search.md

Product: Vendure's asset server plugin

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48914

NVD References:

- https://github.com/vendure-ecommerce/vendure/blob/801980e8f599c28c5059657a9d85dd03e3827992/packages/asset-server-plugin/src/plugin.ts#L352-L358

- https://github.com/vendure-ecommerce/vendure/commit/e2ee0c43159b3d13b51b78654481094fdd4850c5

- https://github.com/vendure-ecommerce/vendure/commit/e4b58af6822d38a9c92a1d8573e19288b8edaa1c

- https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-r9mq-3c9r-fmjq

Product: Oracle Hospitality OPERA 5

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21172

NVD References: https://www.oracle.com/security-alerts/cpuoct2024.html

Product: Oracle Weblogic Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21216

NVD References: https://www.oracle.com/security-alerts/cpuoct2024.html

Product: Mbed TLS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49195

NVD References:

- https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/

- https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

Product: itsourcecode Online Tours and Travels Management System

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48411

NVD References: https://github.com/Comitora/CVEs/blob/main/CVE-2024-48411

Product: Wanxing Technology Yitu Project Management Software

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48779

NVD References: https://gist.github.com/zty-1995/3fcdf702017ad6721e5011f74c1f6cee

Product: Wanxing Technology Yitu Project Management Kirin Edition

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48781

NVD References: https://gist.github.com/zty-1995/a7948be24b3411759a6afa3cc616dc12

Product: DYCMS Open-Source Version

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48782

NVD References: https://gist.github.com/zty-1995/7750a2ea1231971f973f02dc4c893b46

Product: Mozilla Firefox for iOS

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10004

NVD References:

- https://bugzilla.mozilla.org/show_bug.cgi?id=1904885

- https://www.mozilla.org/security/advisories/mfsa2024-54/

Product: WordPress UltimateAI plugin

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9105

NVD References:

- https://codecanyon.net/item/ultimateai-ai-enhanced-wordpress-plugin-with-saas-for-content-code-chat-and-image-generation/51201953

- https://www.wordfence.com/threat-intel/vulnerabilities/id/c2475643-a0b4-444a-a2c6-a5c45e90e1dd?source=cve

Product: Transsion Holdings AI voice assistant

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10018

NVD References:

- https://security.tecno.com/SRC/blogdetail/323?lang=en_US

- https://security.tecno.com/SRC/securityUpdates?type=SA

Product: Apache Solr

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45216

NVD References:

Product: Rancher RKECVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-32191NVD References: - https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-32191- https://github.com/rancher/rke/security/advisories/GHSA-6gr4-52w6-vmqxCVE-2024-48180 - ClassCMS <=4.8 is vulnerable to file inclusion in the nowView method.Product: ClassCMSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48180NVD References: https://github.com/J-0k3r/CVE-2024-48180CVE-2024-10025 - SICK products are vulnerable to unauthorized access due to plaintext default passwords stored in the .sdd file.Product: SICK productsCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10025NVD References: - https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF- https://sick.com/psirt- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices- https://www.first.org/cvss/calculator/3.1- https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0003.json- https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0003.pdfCVE-2024-48920 - PutongOJ online judging software allows unprivileged users to escalate privileges before version 2.1.0-beta.1, potentially compromising sensitive data and system integrity, fixed in v2.1.0.beta.1 with a manual patch available.Product: PutongOJ online judging softwareCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48920NVD References: - https://github.com/acm309/PutongOJ/commit/211dfe9ebf1c6618ce5396b0338de4f9b580715e#diff-782628b47d666d5d551e040815ca3f80c0704397258718f0e0f31164608ea7beL118-R120- https://github.com/acm309/PutongOJ/releases/tag/v2.1.0-beta.1- https://github.com/acm309/PutongOJ/security/advisories/GHSA-gj6h-73c5-xw6fCVE-2023-26785 - MariaDB v10.5 was discovered to contain a remote code execution (RCE) vulnerability.Product: MariaDBCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26785NVD References: - https://github.com/Ant1sec-ops/CVE-2023-26785- https://seclists.org/fulldisclosure/2012/Dec/39CVE-2024-43566 - Microsoft Edge (Chromium-based) Remote Code Execution VulnerabilityProduct: Microsoft Edge ChromiumCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43566NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43566CVE-2024-10118 - SECOM WRTR-304GN-304TW-UPSC is vulnerable to injection attacks allowing unauthenticated remote attackers to execute arbitrary commands on the device.Product: SECOM WRTR-304GN-304TW-UPSCCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10118NVD References: - https://www.twcert.org.tw/en/cp-139-8155-c1ea6-2.html- https://www.twcert.org.tw/tw/cp-132-8154-69fa5-1.htmlCVE-2024-10119 - WRTM326 wireless router from SECOM is vulnerable to remote code execution due to inadequate parameter validation.Product: SECOM WRTM326CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10119NVD References:- https://www.twcert.org.tw/en/cp-139-8157-e0461-2.html- https://www.twcert.org.tw/tw/cp-132-8156-81c9d-1.htmlCVE-2024-9634 - The GiveWP – Donation Plugin and Fundraising Platform for WordPress is vulnerable to PHP Object Injection and remote code execution through untrusted input in the give_company_name parameter.Product: GiveWP Donation Plugin for WordPressActive Installations: 100,000+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9634NVD References: - https://plugins.trac.wordpress.org/browser/give/tags/3.16.2/src/Donations/Repositories/DonationRepository.php?rev=3157829- https://plugins.trac.wordpress.org/changeset/3166836/give/tags/3.16.4/includes/process-donation.php- https://www.wordfence.com/threat-intel/vulnerabilities/id/b8eb3aa9-fe60-48b6-aa24-7873dd68b47e?source=cveCVE-2016-15040 - The Kento Post View Counter plugin for WordPress is vulnerable to SQL Injection via the 'kento_pvc_geo' parameter, allowing unauthenticated attackers to extract sensitive information from the database.Product: WordPress Kento Post View CounterActive Installations: This plugin has been closed and is no longer available for download.CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-15040NVD References: - https://plugins.trac.wordpress.org/browser/kento-post-view-counter/trunk/index.php#L216- https://www.wordfence.com/threat-intel/vulnerabilities/id/525b466d-137a-467b-8b49-e51393a73866?source=cveCVE-2018-25105 - The File Manager plugin for WordPress is vulnerable to authorization bypass, enabling unauthenticated attackers to download and upload arbitrary files for remote code execution.Product: WordPress File Manager pluginActive Installations: 1 million+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-25105NVD References: - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=1942390%40wp-file-manager&new=1942390%40wp-file-manager&sfp_email=&sfph_mail=- https://www.wordfence.com/threat-intel/vulnerabilities/id/a56d5a2f-ae13-4523-bc4a-17bb2fb4c6f0?source=cveCVE-2019-25213 - The…

Product: ClassCMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48180

NVD References: https://github.com/J-0k3r/CVE-2024-48180

Product: SICK products

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10025

NVD References:

- https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF

- https://sick.com/psirt

- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

- https://www.first.org/cvss/calculator/3.1

- https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0003.json

- https://www.sick.com/.well-known/csaf/white/2024/sca-2024-0003.pdf

Product: PutongOJ online judging software

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48920

NVD References:

- https://github.com/acm309/PutongOJ/commit/211dfe9ebf1c6618ce5396b0338de4f9b580715e#diff-782628b47d666d5d551e040815ca3f80c0704397258718f0e0f31164608ea7beL118-R120

- https://github.com/acm309/PutongOJ/releases/tag/v2.1.0-beta.1

- https://github.com/acm309/PutongOJ/security/advisories/GHSA-gj6h-73c5-xw6f

Product: MariaDBCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26785NVD References: - https://github.com/Ant1sec-ops/CVE-2023-26785- https://seclists.org/fulldisclosure/2012/Dec/39CVE-2024-43566 - Microsoft Edge (Chromium-based) Remote Code Execution VulnerabilityProduct: Microsoft Edge ChromiumCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43566NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43566CVE-2024-10118 - SECOM WRTR-304GN-304TW-UPSC is vulnerable to injection attacks allowing unauthenticated remote attackers to execute arbitrary commands on the device.Product: SECOM WRTR-304GN-304TW-UPSCCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10118NVD References: - https://www.twcert.org.tw/en/cp-139-8155-c1ea6-2.html- https://www.twcert.org.tw/tw/cp-132-8154-69fa5-1.htmlCVE-2024-10119 - WRTM326 wireless router from SECOM is vulnerable to remote code execution due to inadequate parameter validation.Product: SECOM WRTM326CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10119NVD References:- https://www.twcert.org.tw/en/cp-139-8157-e0461-2.html- https://www.twcert.org.tw/tw/cp-132-8156-81c9d-1.htmlCVE-2024-9634 - The GiveWP – Donation Plugin and Fundraising Platform for WordPress is vulnerable to PHP Object Injection and remote code execution through untrusted input in the give_company_name parameter.Product: GiveWP Donation Plugin for WordPressActive Installations: 100,000+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9634NVD References: - https://plugins.trac.wordpress.org/browser/give/tags/3.16.2/src/Donations/Repositories/DonationRepository.php?rev=3157829- https://plugins.trac.wordpress.org/changeset/3166836/give/tags/3.16.4/includes/process-donation.php- https://www.wordfence.com/threat-intel/vulnerabilities/id/b8eb3aa9-fe60-48b6-aa24-7873dd68b47e?source=cveCVE-2016-15040 - The Kento Post View Counter plugin for WordPress is vulnerable to SQL Injection via the 'kento_pvc_geo' parameter, allowing unauthenticated attackers to extract sensitive information from the database.Product: WordPress Kento Post View CounterActive Installations: This plugin has been closed and is no longer available for download.CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-15040NVD References: - https://plugins.trac.wordpress.org/browser/kento-post-view-counter/trunk/index.php#L216- https://www.wordfence.com/threat-intel/vulnerabilities/id/525b466d-137a-467b-8b49-e51393a73866?source=cveCVE-2018-25105 - The File Manager plugin for WordPress is vulnerable to authorization bypass, enabling unauthenticated attackers to download and upload arbitrary files for remote code execution.Product: WordPress File Manager pluginActive Installations: 1 million+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-25105NVD References: - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=1942390%40wp-file-manager&new=1942390%40wp-file-manager&sfp_email=&sfph_mail=- https://www.wordfence.com/threat-intel/vulnerabilities/id/a56d5a2f-ae13-4523-bc4a-17bb2fb4c6f0?source=cveCVE-2019-25213 - The Advanced Access Manager plugin for WordPress up to version 5.9.8.1 allows unauthenticated attackers to read any file on the server, including sensitive files like wp-config.php.Product: WordPress Advanced Access ManagerActive Installations: 100,000+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25213NVD References: - https://plugins.trac.wordpress.org/changeset/2098838/advanced-access-manager/trunk/application/Core/Media.php?old=2151316&old_path=advanced-access-manager%2Ftrunk%2Fapplication%2FCore%2FMedia.php- https://www.wordfence.com/threat-intel/vulnerabilities/id/55e0f0df-7be2-4e18-988c-2cc558768eff?source=cveCVE-2019-25217 - The SiteGround Optimizer plugin for WordPress is vulnerable to authorization bypass leading to Remote Code Execution and Local File Inclusion.Product: SiteGround Optimizer pluginActive Installations: 1 million+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25217NVD References: - https://blog.sucuri.net/2019/03/vulnerability-disclosure-siteground-optimizer-caldera-forms.html- https://www.wordfence.com/threat-intel/vulnerabilities/id/657f3bd7-2cdc-4eb6-ba50-7c7fca468df0?source=cveCVE-2020-36832 - The Ultimate Membership Pro plugin for WordPress is vulnerable to Authentication Bypass between versions 7.3 to 8.6, allowing unauthenticated attackers to login as any user, including the site administrator.Product: WordPress Ultimate Membership Pro pluginActive Installations: unknownCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36832NVD References: - https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253- https://wpscan.com/vulnerability/9811025e-ab17-4255-aaaf-4f0306f5d281- https://www.wordfence.com/threat-intel/vulnerabilities/id/a5341bbd-55bd-41ad-b5d1-d6b56c141277?source=cveCVE-2020-36837 - The ThemeGrill Demo Importer p…

Product: Microsoft Edge Chromium

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43566

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43566

Product: SECOM WRTR-304GN-304TW-UPSC

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10118

NVD References:

- https://www.twcert.org.tw/en/cp-139-8155-c1ea6-2.html

- https://www.twcert.org.tw/tw/cp-132-8154-69fa5-1.html

Product: SECOM WRTM326

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10119

NVD References:

- https://www.twcert.org.tw/en/cp-139-8157-e0461-2.html

- https://www.twcert.org.tw/tw/cp-132-8156-81c9d-1.html

Product: GiveWP Donation Plugin for WordPress

Active Installations: 100,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9634

NVD References:

- https://plugins.trac.wordpress.org/browser/give/tags/3.16.2/src/Donations/Repositories/DonationRepository.php?rev=3157829

- https://plugins.trac.wordpress.org/changeset/3166836/give/tags/3.16.4/includes/process-donation.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/b8eb3aa9-fe60-48b6-aa24-7873dd68b47e?source=cve

Product: WordPress Kento Post View Counter

Active Installations: This plugin has been closed and is no longer available for download.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-15040

NVD References:

- https://plugins.trac.wordpress.org/browser/kento-post-view-counter/trunk/index.php#L216

- https://www.wordfence.com/threat-intel/vulnerabilities/id/525b466d-137a-467b-8b49-e51393a73866?source=cve

Product: WordPress File Manager plugin

Active Installations: 1 million+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-25105

NVD References:

- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=1942390%40wp-file-manager&new=1942390%40wp-file-manager&sfp_email=&sfph_mail=

- https://www.wordfence.com/threat-intel/vulnerabilities/id/a56d5a2f-ae13-4523-bc4a-17bb2fb4c6f0?source=cve

Product: WordPress Advanced Access Manager

Active Installations: 100,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25213

NVD References:

- https://plugins.trac.wordpress.org/changeset/2098838/advanced-access-manager/trunk/application/Core/Media.php?old=2151316&old_path=advanced-access-manager%2Ftrunk%2Fapplication%2FCore%2FMedia.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/55e0f0df-7be2-4e18-988c-2cc558768eff?source=cve

Product: SiteGround Optimizer plugin

Active Installations: 1 million+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25217

NVD References:

- https://blog.sucuri.net/2019/03/vulnerability-disclosure-siteground-optimizer-caldera-forms.html

- https://www.wordfence.com/threat-intel/vulnerabilities/id/657f3bd7-2cdc-4eb6-ba50-7c7fca468df0?source=cve

Product: WordPress Ultimate Membership Pro plugin

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36832

NVD References:

- https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253

- https://wpscan.com/vulnerability/9811025e-ab17-4255-aaaf-4f0306f5d281

- https://www.wordfence.com/threat-intel/vulnerabilities/id/a5341bbd-55bd-41ad-b5d1-d6b56c141277?source=cve

Product: ThemeGrill Demo Importer plugin for WordPress

Active Installations: 100,000+

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36837

NVD References:

- https://raw.githubusercontent.com/themegrill/themegrill-demo-importer/master/CHANGELOG.txt

- https://www.openwall.com/lists/oss-security/2020/02/19/1

- https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/8c0dc694-854e-4f96-8c2d-7251c41a3ee9?source=cve

Product: WordPress Mega Menu plugin

Active Installations: 20,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-4443

NVD References:

- https://sh3llcon.org/la-debilidad-de-wordpress/

- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wordpress-mega-menu-quadmenu-remote-code-execution-2-0-6/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/04003542-fd62-4587-9834-70e7fe8f08ef?source=cve

Product: WordPress ZoomSounds

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-4449

NVD References:

- https://codecanyon.net/item/zoomsounds-wordpress-wave-audio-player-with-playlist/6181433

- https://github.com/0xAgun/Arbitrary-File-Upload-ZoomSounds

- https://ithemes.com/blog/wordpress-vulnerability-report-june-2021-part-5/#ib-toc-anchor-2

- https://sploitus.com/exploit?id=WPEX-ID:07259A61-8BA9-4DD0-8D52-CC1DF389C0AD

- https://wpscan.com/vulnerability/07259a61-8ba9-4dd0-8d52-cc1df389c0ad

- https://www.wordfence.com/threat-intel/vulnerabilities/id/262e3bb3-bc83-4d0b-8056-9f94ec141b8f?source=cve

Product: WordPress Frontend File Manager

Active Installations: 1,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-15042

NVD References:

- https://wordpress.org/plugins/nmedia-user-file-uploader/#developers

- https://wpscan.com/vulnerability/052f7d9a-aaff-4fb1-92b7-aeb83cc705a7

- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-n-media-post-front-end-form-arbitrary-file-upload-1-0/

- https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-front-end-file-upload-and-manager-plugin/

- https://www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-n-media-post-front-end-form/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1e6298-f243-49a5-b1b7-52bd6a6c8858?source=cve

Product: OTP Verification with Firebase plugin for WordPress

Active Installations: 100+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9862

NVD References:

- https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.php#L236

- https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file3

- https://www.wordfence.com/threat-intel/vulnerabilities/id/9c3df12d-e526-4a23-89d3-bfdcea9f7b2d?source=cve

Product: Supsystic Contact Form

Active Installations: 9,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48042

NVD References: https://patchstack.com/database/vulnerability/contact-form-by-supsystic/wordpress-contact-form-by-supsystic-plugin-1-7-28-remote-code-execution-rce-vulnerability?_s_id=cve

Product: Webforza BuddyPress Better Registration

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49247

NVD References: https://patchstack.com/database/vulnerability/better-bp-registration/wordpress-buddypress-better-registration-plugin-1-6-broken-authentication-vulnerability?_s_id=cve

Product: Denis Azz Anonim Posting

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49257

NVD References: https://patchstack.com/database/vulnerability/azz-anonim-posting/wordpress-azz-anonim-posting-plugin-0-9-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Unlimited Elements Unlimited Elements For Elementor

Active Installations: 300,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49271

NVD References: https://patchstack.com/database/vulnerability/unlimited-elements-for-elementor/wordpress-unlimited-elements-for-elementor-free-widgets-addons-templates-plugin-1-5-121-remote-code-execution-rce-vulnerability?_s_id=cve

Product: THATplugin IconizeActive Installations: This plugin has been closed as of September 23, 2024 and is not available for download. This closure is temporary, pending a full review.CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-47649NVD References: https://patchstack.com/database/vulnerability/iconize/wordpress-iconize-plugin-1-2-4-remote-code-execution-rce-vulnerability?_s_id=cveCVE-2024-48026 - Disc Golf Manager is vulnerable to Deserialization of Untrusted Data, leading to Object Injection in versions up to 1.0.0.Product: Grayson Robbins Disc Golf ManagerActive Installations: unknownCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48026NVD References: https://patchstack.com/database/vulnerability/disc-golf-manager/wordpress-disc-golf-manager-plugin-1-0-0-php-object-injection-vulnerability?_s_id=cveCVE-2024-48027 - External featured image from bing allows for unrestricted upload of dangerous files, potentially enabling the upload of a web shell to a web server.Product: xaraartech External featured image from bingActive Installations: This plugin has been closed as of October 8, 2024 and is not available for download. This closure is temporary, pending a full review.CVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48027NVD References: https://patchstack.com/database/vulnerability/external-featured-image-from-bing/wordpress-external-featured-image-from-bing-plugin-1-0-2-remote-code-execution-rce-vulnerability?_s_id=cveCVE-2024-48028 - Boyan Raichev IP Loc8 is vulnerable to deserialization of untrusted data, allowing object injection from versions n/a through 1.1.Product: Boyan Raichev IP Loc8Active Installations: unknownCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48028NVD References: https://patchstack.com/database/vulnerability/ip-loc8/wordpress-ip-loc8-plugin-1-1-php-object-injection-vulnerability?_s_id=cveCVE-2024-48030 - Telecash Ricaricaweb is vulnerable to untrusted data deserialization leading to object injection, impacting versions from n/a to 2.2.Product: Gabriele Valenti Telecash RicaricawebActive Installations: unknownCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48030NVD References: https://patchstack.com/database/vulnerability/telecash-ricaricaweb/wordpress-telecash-ricaricaweb-plugin-2-2-php-object-injection-vulnerability?_s_id=cveCVE-2024-48034 - Creates 3D Flipbook, PDF Flipbook allows for unrestricted file upload, enabling the potential upload of a web shell to a web server.Product: Fliperrr Team Creates 3D FlipbookActive Installations: unknownCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48034NVD References: https://patchstack.com/database/vulnerability/create-flipbook-from-pdf/wordpress-creates-3d-flipbook-pdf-flipbook-plugin-1-2-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-48035 - Takayuki Imanishi ACF Images Search And Insert allows attackers to upload a web shell to a web server due to unrestricted file uploads with dangerous types from versions n/a through 1.1.4.Product: Takayuki Imanishi ACF Images Search And InsertActive Installations: unknownCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48035NVD References: https://patchstack.com/database/vulnerability/acf-images-search-and-insert/wordpress-acf-images-search-and-insert-plugin-1-1-4-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-49216 - Feed Comments Number in Joshua Clayton allows unrestricted upload of dangerous files, enabling the upload of a web shell onto a web server.Product: Joshua Clayton Feed Comments NumberActive Installations: unknownCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49216NVD References: https://patchstack.com/database/vulnerability/feed-comments-number/wordpress-feed-comments-number-plugin-0-2-1-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-49218 - Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently allows Object Injection.This issue affects Recently: from n/a through 1.1.Product: Al Imran Akash RecentlyActive Installations: unknownCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49218NVD References: https://patchstack.com/database/vulnerability/recently-viewed-most-viewed-and-sold-products-for-woocommerce/wordpress-recently-plugin-1-1-php-object-injection-vulnerability?_s_id=cveCVE-2024-49242 - Shafiq Digital Lottery allows attackers to upload a malicious web shell to a web server due to unrestricted file uploads.Product: Shafiq Digital LotteryActive Installations: This plugin has been closed as of October 8th, 2024 and is no longer available for download. This closure is temporary, pending a full review.CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49242NVD References: https://patchstack.com/database/vulnerability/digital-lottery/wordpress-digital-lottery-plugin-3-0-5-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-49254 - Sunjianle is vulnerable to improper control of generation of code, allowin…

Product: Boyan Raichev IP Loc8Active Installations: unknownCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48028NVD References: https://patchstack.com/database/vulnerability/ip-loc8/wordpress-ip-loc8-plugin-1-1-php-object-injection-vulnerability?_s_id=cveCVE-2024-48030 - Telecash Ricaricaweb is vulnerable to untrusted data deserialization leading to object injection, impacting versions from n/a to 2.2.Product: Gabriele Valenti Telecash RicaricawebActive Installations: unknownCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48030NVD References: https://patchstack.com/database/vulnerability/telecash-ricaricaweb/wordpress-telecash-ricaricaweb-plugin-2-2-php-object-injection-vulnerability?_s_id=cveCVE-2024-48034 - Creates 3D Flipbook, PDF Flipbook allows for unrestricted file upload, enabling the potential upload of a web shell to a web server.Product: Fliperrr Team Creates 3D FlipbookActive Installations: unknownCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48034NVD References: https://patchstack.com/database/vulnerability/create-flipbook-from-pdf/wordpress-creates-3d-flipbook-pdf-flipbook-plugin-1-2-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-48035 - Takayuki Imanishi ACF Images Search And Insert allows attackers to upload a web shell to a web server due to unrestricted file uploads with dangerous types from versions n/a through 1.1.4.Product: Takayuki Imanishi ACF Images Search And InsertActive Installations: unknownCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48035NVD References: https://patchstack.com/database/vulnerability/acf-images-search-and-insert/wordpress-acf-images-search-and-insert-plugin-1-1-4-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-49216 - Feed Comments Number in Joshua Clayton allows unrestricted upload of dangerous files, enabling the upload of a web shell onto a web server.Product: Joshua Clayton Feed Comments NumberActive Installations: unknownCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49216NVD References: https://patchstack.com/database/vulnerability/feed-comments-number/wordpress-feed-comments-number-plugin-0-2-1-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-49218 - Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently allows Object Injection.This issue affects Recently: from n/a through 1.1.Product: Al Imran Akash RecentlyActive Installations: unknownCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49218NVD References: https://patchstack.com/database/vulnerability/recently-viewed-most-viewed-and-sold-products-for-woocommerce/wordpress-recently-plugin-1-1-php-object-injection-vulnerability?_s_id=cveCVE-2024-49242 - Shafiq Digital Lottery allows attackers to upload a malicious web shell to a web server due to unrestricted file uploads.Product: Shafiq Digital LotteryActive Installations: This plugin has been closed as of October 8th, 2024 and is no longer available for download. This closure is temporary, pending a full review.CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49242NVD References: https://patchstack.com/database/vulnerability/digital-lottery/wordpress-digital-lottery-plugin-3-0-5-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-49254 - Sunjianle is vulnerable to improper control of generation of code, allowing for Code Injection via the ajax-extend feature.Product: Sunjianle ajax-extendActive Installations: unknownCVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49254NVD References: https://patchstack.com/database/vulnerability/ajax-extend/wordpress-ajax-extend-plugin-1-0-remote-code-execution-rce-vulnerability?_s_id=cveCVE-2024-49260 - Limb WordPress Gallery Plugin – Limb Image Gallery is vulnerable to unrestricted file uploads with dangerous types, allowing for code injection.Product: WordPress Limb Image GalleryActive Installations: This extension has been closed as of October 2, 2024 and is no longer available for download. This closure is temporary, pending a full review.CVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49260NVD References: https://patchstack.com/database/vulnerability/limb-gallery/wordpress-limb-gallery-plugin-1-5-7-arbitrary-file-upload-vulnerability?_s_id=cveCVE-2024-9893 - The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers to log in as any existing user on the site.Product: Nextend Social Login Pro pluginActive Installations: 300,000+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9893NVD References: - https://nextendweb.com/social-login/- https://wordpress.org/plugins/nextend-facebook-connect/#developers- https://www.wordfence.com/threat-intel/vulnerabilities/id/0e4588d1-f21e-48ba-a8cb-d18c421f000a?source=cveCVE-2024-9863 - The UserPro plugin for WordPress is vulnerable to privilege escalation due to insecure default settings allowing unauthenticated attackers to register an …

Product: Fliperrr Team Creates 3D Flipbook

Active Installations: unknown

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48034

NVD References: https://patchstack.com/database/vulnerability/create-flipbook-from-pdf/wordpress-creates-3d-flipbook-pdf-flipbook-plugin-1-2-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Takayuki Imanishi ACF Images Search And Insert

Active Installations: unknown

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48035

NVD References: https://patchstack.com/database/vulnerability/acf-images-search-and-insert/wordpress-acf-images-search-and-insert-plugin-1-1-4-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Joshua Clayton Feed Comments Number

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49216

NVD References: https://patchstack.com/database/vulnerability/feed-comments-number/wordpress-feed-comments-number-plugin-0-2-1-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Al Imran Akash Recently

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49218

NVD References: https://patchstack.com/database/vulnerability/recently-viewed-most-viewed-and-sold-products-for-woocommerce/wordpress-recently-plugin-1-1-php-object-injection-vulnerability?_s_id=cve

Product: Shafiq Digital Lottery

Active Installations: This plugin has been closed as of October 8th, 2024 and is no longer available for download. This closure is temporary, pending a full review.

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49242

NVD References: https://patchstack.com/database/vulnerability/digital-lottery/wordpress-digital-lottery-plugin-3-0-5-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Sunjianle ajax-extend

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49254

NVD References: https://patchstack.com/database/vulnerability/ajax-extend/wordpress-ajax-extend-plugin-1-0-remote-code-execution-rce-vulnerability?_s_id=cve

Product: WordPress Limb Image Gallery

Active Installations: This extension has been closed as of October 2, 2024 and is no longer available for download. This closure is temporary, pending a full review.

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49260

NVD References: https://patchstack.com/database/vulnerability/limb-gallery/wordpress-limb-gallery-plugin-1-5-7-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Nextend Social Login Pro plugin

Active Installations: 300,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9893

NVD References:

- https://nextendweb.com/social-login/

- https://wordpress.org/plugins/nextend-facebook-connect/#developers

- https://www.wordfence.com/threat-intel/vulnerabilities/id/0e4588d1-f21e-48ba-a8cb-d18c421f000a?source=cve

Product: UserPro WordPress

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9863

NVD References:

- https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194

- https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file4

- https://www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417?source=cve

Product: WP Timetics AI-powered Appointment Booking Calendar and Online Scheduling Plugin

Active Installations: 2,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9263

NVD References:

- https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.25/core/customers/customer.php#L299

- https://plugins.trac.wordpress.org/changeset/3169771/timetics/trunk/core/customers/api-customer.php

- https://plugins.trac.wordpress.org/changeset/3169771/timetics/trunk/core/customers/customer.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/74bd595b-d2fa-4c62-82d2-dba2c2b128f0?source=cve

Product: Madiri Salman Aashish Adding drop down roles in registration

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49217

NVD References: https://patchstack.com/database/vulnerability/user-drop-down-roles-in-registration/wordpress-adding-drop-down-roles-in-registration-plugin-1-1-privilege-escalation-vulnerability?_s_id=cve

Product: anand23 Ajax Rating with Custom Login

Active Installations: This plugin has been closed as of October 8, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49246

NVD References: https://patchstack.com/database/vulnerability/ajax-rating-with-custom-login/wordpress-ajax-rating-with-custom-login-plugin-1-1-sql-injection-vulnerability?_s_id=cve

Product: Gora Tech LLC Cooked Pro

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49291

NVD References: https://patchstack.com/database/vulnerability/cooked-pro/wordpress-cooked-pro-plugin-1-8-0-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve

Product: WPFactory Email Verification for WooCommerce

Active Installations: 7,000+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49305

NVD References: https://patchstack.com/database/vulnerability/emails-verification-for-woocommerce/wordpress-customer-email-verification-for-woocommerce-plugin-2-8-10-sql-injection-vulnerability?_s_id=cve

Product: JiangQie Free Mini Program

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49314

NVD References: https://patchstack.com/database/vulnerability/jiangqie-free-mini-program/wordpress-jiangqie-free-mini-program-plugin-2-5-2-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Scott Olson My Reading Library

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49318

NVD References: https://patchstack.com/database/vulnerability/my-reading-library/wordpress-my-reading-library-plugin-1-0-php-object-injection-vulnerability?_s_id=cve

CVE-2024-49322 - Job Board Manager for WordPress is vulnerable to Incorrect Privilege Assignment, allowing Privilege Escalation from versions n/a through 1.0.

Product: CodePassenger Job Board Manager for WordPress

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49322

NVD References: https://patchstack.com/database/vulnerability/jemployee/wordpress-job-board-manager-for-wordpress-plugin-1-0-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-49286 - Moridrin SSV Events allows PHP Local File Inclusion due to a Path Traversal vulnerability.

Product: Moridrin SSV Events

Active Installations: unknown

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49286

NVD References: https://patchstack.com/database/vulnerability/ssv-events/wordpress-ssv-events-plugin-3-2-7-local-file-inclusion-to-rce-vulnerability?_s_id=cve

CVE-2024-49328 - Vivek Tamrakar WP REST API FNS is vulnerable to an Authentication Bypass via an alternate path or channel, affecting versions from n/a through 1.0.0.

Product: Vivek Tamrakar WP REST API FNS

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49328

NVD References: https://patchstack.com/database/vulnerability/rest-api-fns/wordpress-wp-rest-api-fns-plugin-plugin-1-0-0-account-takeover-vulnerability?_s_id=cve

CVE-2024-49604 - Simple User Registration in Najeeb Ahmad allows Authentication Bypass through an alternate path, affecting versions up to 5.5.

Product: Najeeb Ahmad Simple User Registration

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49604

NVD References: https://patchstack.com/database/vulnerability/wp-registration/wordpress-simple-user-registration-plugin-5-5-account-takeover-vulnerability?_s_id=cve

CVE-2024-49611 - Paxman Product Website Showcase allows unauthorized upload of malicious files, potentially compromising the security of the web server.

Product: Paxman Product Website Showcase

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49611

NVD References: https://patchstack.com/database/vulnerability/product-websites-showcase/wordpress-product-website-showcase-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49626 - Shipyaari Shipping Management is vulnerable to deserialization of untrusted data, allowing object injection from n/a through 1.2.

Product: Piyushmca Shipyaari Shipping Management

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49626

NVD References: https://patchstack.com/database/vulnerability/shipyaari-shipping-managment/wordpress-shipyaari-shipping-management-plugin-1-2-php-object-injection-vulnerability?_s_id=cve

CVE-2024-49324 - Sovratec Case Management allows unrestricted upload of files with dangerous types, potentially enabling attackers to upload a web shell to a web server.

Product: Sovratec Case Management

Active Installations: This plugin has been closed as of October 16, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49324

NVD References: https://patchstack.com/database/vulnerability/sovratec-case-management/wordpress-sovratec-case-management-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49326 - Affiliator allows unauthorized upload of dangerous file types, which can lead to web server compromise, affecting versions from n/a through 2.1.3.

Product: Vasilis Kerasiotis Affiliator

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49326

NVD References: https://patchstack.com/database/vulnerability/affiliator-lite/wordpress-affiliator-plugin-2-1-3-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49327 - Woostagram Connect allows the unrestricted upload of dangerous file types, potentially enabling attackers to upload web shells to web servers.

Product: Asep Bagja Priandana Woostagram Connect

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49327

NVD References: https://patchstack.com/database/vulnerability/woostagram-connect/wordpress-woostagram-connect-plugin-1-0-2-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49329 - Vivek Tamrakar WP REST API FNS allows the unrestricted uploading of dangerous file types, enabling attackers to upload a web shell to a web server.

Product: Vivek Tamrakar WP REST API FNS

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49329

NVD References: https://patchstack.com/database/vulnerability/rest-api-fns/wordpress-wp-rest-api-fns-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49330 - Nice Backgrounds in versions n/a through 1.0 allows unrestricted upload of a file with a dangerous type, potentially leading to the uploading of a web shell onto a web server.

Product: brx8r Nice Backgrounds

Active Installations: This plugin has been closed as of October 14, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49330

NVD References: https://patchstack.com/database/vulnerability/nicebackgrounds/wordpress-nice-backgrounds-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49331 - Myriad Solutionz Property Lot Management System allows unrestricted upload of dangerous file types, leading to the potential upload of a web shell and compromising the web server.

Product: Myriad Solutionz Property Lot Management System

Active Installations: unknown

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49331

NVD References: https://patchstack.com/database/vulnerability/plms/wordpress-property-lot-management-system-plugin-4-2-38-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49332 - Deserialization of Untrusted Data vulnerability in Giveaway Boost allows Object Injection.This issue affects Giveaway Boost: from n/a through 2.1.4.

Product: Giveaway Boost

Active Installations: This plugin has been closed as of October 14, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49332

NVD References: https://patchstack.com/database/vulnerability/giveaway-boost/wordpress-giveaway-boost-plugin-2-1-4-php-object-injection-vulnerability?_s_id=cve

CVE-2024-49607 - WP Dropbox Dropins is vulnerable to unrestricted upload of dangerous file types, allowing attackers to upload a web shell to the web server.

Product: Redwan Hilali WP Dropbox Dropins

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49607

NVD References: https://patchstack.com/database/vulnerability/wp-dropbox-dropins/wordpress-wp-dropbox-dropins-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49610 - Photokit allows for the unrestricted upload of dangerous files, such as web shells, which poses a security risk from versions n/a through 1.0.

Product: Jack Zhu photokit

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49610

NVD References: https://patchstack.com/database/vulnerability/photokit/wordpress-photokit-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-49624 - Smartdevth Advanced Advertising System is vulnerable to object injection via deserialization of untrusted data in versions up to 1.3.1.

Product: Smartdevth Advanced Advertising System

Active Installations: This plugin has been closed as of October 14, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49624

NVD References: https://patchstack.com/database/vulnerability/advanced-advertising-system/wordpress-advanced-advertising-system-plugin-1-3-1-php-object-injection-vulnerability?_s_id=cve

CVE-2024-49625 - Brandon Clark SiteBuilder Dynamic Components has a vulnerability that allows Object Injection through the deserialization of untrusted data.

Product: Brandon Clark SiteBuilder Dynamic Components

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49625

NVD References: https://patchstack.com/database/vulnerability/sitebuilder-dynamic-components/wordpress-sitebuilder-dynamic-components-plugin-1-0-php-object-injection-vulnerability?_s_id=cve

CVE-2024-44000 - Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a before 6.5.0.1.

Product: LiteSpeed Technologies LiteSpeed Cache

Active Installations: 6 million+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44000

NVD References:

- https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin?_s_id=cve

- https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-0-1-unauthenticated-account-takeover-vulnerability?_s_id=cve

The following vulnerability needs a manual review:

CVE-2024-38819: Path traversal vulnerability in functional web frameworks

https://spring.io/security/cve-2024-38819

Product: Moridrin SSV Events

Active Installations: unknown

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49286

NVD References: https://patchstack.com/database/vulnerability/ssv-events/wordpress-ssv-events-plugin-3-2-7-local-file-inclusion-to-rce-vulnerability?_s_id=cve

Product: Vivek Tamrakar WP REST API FNS

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49328

NVD References: https://patchstack.com/database/vulnerability/rest-api-fns/wordpress-wp-rest-api-fns-plugin-plugin-1-0-0-account-takeover-vulnerability?_s_id=cve

Product: Najeeb Ahmad Simple User Registration

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49604

NVD References: https://patchstack.com/database/vulnerability/wp-registration/wordpress-simple-user-registration-plugin-5-5-account-takeover-vulnerability?_s_id=cve

Product: Paxman Product Website Showcase

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49611

NVD References: https://patchstack.com/database/vulnerability/product-websites-showcase/wordpress-product-website-showcase-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Piyushmca Shipyaari Shipping Management

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49626

NVD References: https://patchstack.com/database/vulnerability/shipyaari-shipping-managment/wordpress-shipyaari-shipping-management-plugin-1-2-php-object-injection-vulnerability?_s_id=cve

Product: Sovratec Case Management

Active Installations: This plugin has been closed as of October 16, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49324

NVD References: https://patchstack.com/database/vulnerability/sovratec-case-management/wordpress-sovratec-case-management-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Vasilis Kerasiotis Affiliator

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49326

NVD References: https://patchstack.com/database/vulnerability/affiliator-lite/wordpress-affiliator-plugin-2-1-3-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Asep Bagja Priandana Woostagram Connect

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49327

NVD References: https://patchstack.com/database/vulnerability/woostagram-connect/wordpress-woostagram-connect-plugin-1-0-2-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Vivek Tamrakar WP REST API FNS

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49329

NVD References: https://patchstack.com/database/vulnerability/rest-api-fns/wordpress-wp-rest-api-fns-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve

Product: brx8r Nice Backgrounds

Active Installations: This plugin has been closed as of October 14, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49330

NVD References: https://patchstack.com/database/vulnerability/nicebackgrounds/wordpress-nice-backgrounds-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Myriad Solutionz Property Lot Management System

Active Installations: unknown

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49331

NVD References: https://patchstack.com/database/vulnerability/plms/wordpress-property-lot-management-system-plugin-4-2-38-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Giveaway Boost

Active Installations: This plugin has been closed as of October 14, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49332

NVD References: https://patchstack.com/database/vulnerability/giveaway-boost/wordpress-giveaway-boost-plugin-2-1-4-php-object-injection-vulnerability?_s_id=cve

Product: Redwan Hilali WP Dropbox Dropins

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49607

NVD References: https://patchstack.com/database/vulnerability/wp-dropbox-dropins/wordpress-wp-dropbox-dropins-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Jack Zhu photokit

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49610

NVD References: https://patchstack.com/database/vulnerability/photokit/wordpress-photokit-plugin-1-0-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Smartdevth Advanced Advertising System

Active Installations: This plugin has been closed as of October 14, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49624

NVD References: https://patchstack.com/database/vulnerability/advanced-advertising-system/wordpress-advanced-advertising-system-plugin-1-3-1-php-object-injection-vulnerability?_s_id=cve

Product: Brandon Clark SiteBuilder Dynamic Components

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49625

NVD References: https://patchstack.com/database/vulnerability/sitebuilder-dynamic-components/wordpress-sitebuilder-dynamic-components-plugin-1-0-php-object-injection-vulnerability?_s_id=cve

Product: LiteSpeed Technologies LiteSpeed Cache

Active Installations: 6 million+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44000

NVD References:

- https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin?_s_id=cve

- https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-5-0-1-unauthenticated-account-takeover-vulnerability?_s_id=cve

The following vulnerability needs a manual review:

CVE-2024-38819: Path traversal vulnerability in functional web frameworks

https://spring.io/security/cve-2024-38819