-
CVE-2024-11350 – AdForest WordPress Privilege Escalation Vulnerability
CVE ID: CVE-2024-11350 | Published: Jan. 8, 2025, 9:15 a.m. | Description: The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user’s identity prior to updating their password through…
-
CVE-2024-11635 – Acunil WordPress File Upload Remote Code Execution Vulnerability
CVE ID: CVE-2024-11635 | Published: Jan. 8, 2025, 8:15 a.m. | Description: The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the ‘wfu_ABSPATH’ cookie parameter. This makes it possible for unauthenticated attackers to execute code on the…
-
CVE-2024-11271 – WordPress WebinarPress Unauthenticated Data Modification Vulnerability
CVE ID: CVE-2024-11271 | Published: Jan. 8, 2025, 5:15 a.m. | Description: The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to modification of data due to a missing capability check on several functions in all versions up to, and including, 1.33.24. This makes it possible for authenticated…
-
CVE-2024-11613 – WordPress File Upload Plugin Remote Code Execution and File Access Vulnerability
CVE ID: CVE-2024-11613 | Published: Jan. 8, 2025, 7:15 a.m. | Description: The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the ‘wfu_file_downloader.php’ file. This is due to lack of…
-
CVE-2024-11816 – WordPress WP Extended Remote Code Execution (RCE)
CVE ID: CVE-2024-11816 | Published: Jan. 8, 2025, 4:15 a.m. | Description: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. This is due to a missing capability check on the ‘wpext_handle_snippet_update’ function. This makes it possible for authenticated attackers,…
-
CVE-2024-11270 – WordPress WebinarPress Arbitrary File Creation Vulnerability (Remote Code Execution)
CVE ID: CVE-2024-11270 | Published: Jan. 8, 2025, 5:15 a.m. | Description: The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the ‘sync-import-imgs’ function and missing file type validation in all versions up to, and including, 1.33.24.…
-
CVE-2024-50603 – Aviatrix Controller Command Injection Vulnerability
CVE ID: CVE-2024-50603 | Published: Jan. 8, 2025, 1:15 a.m. | Description: An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can…
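The Aviatrix entry describes the classic OS command injection pattern: a request value is pasted into a string that /bin/sh parses, so shell metacharacters become shell syntax. The following is an added example, not Aviatrix code and not its actual vulnerable parameter: a hypothetical "account" parameter is first built into a shell string (vulnerable), then passed as its own argv element after allowlist validation (hardened). `echo` stands in for the real binary so the block runs anywhere; the tokenizer helper shows how the shell would carve up the injected string.

```python
"""Added example: shell-string command construction vs. validated argv.

Not Aviatrix code. The parameter name ("account"), the regex policy and the
stand-in command are assumptions made for this illustration.
"""
import re
import shlex
import subprocess

# 'echo' stands in for the real tool so the example executes without it.
TOOL = ["echo", "list-resources", "--account"]

# Assumed policy: account names are short identifiers, nothing else.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_command_unsafe(account: str) -> str:
    """Vulnerable: the value is interpolated into text that /bin/sh will parse."""
    return " ".join(TOOL) + " " + account


def shell_tokens(cmd: str) -> list:
    """Tokenize the way a POSIX shell would, keeping ';', '|', '&' etc. as
    separate operators, so the injected second command becomes visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def run_unsafe(account: str) -> str:
    """Runs the string through /bin/sh -c. Shown only for contrast; a real
    service must never do this with request data."""
    proc = subprocess.run(build_command_unsafe(account), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def build_command_safe(account: str) -> list:
    """Hardened: validate against an allowlist, then pass as one argv element."""
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("invalid account name")
    return TOOL + [account]


def run_safe(account: str) -> str:
    """shell=False: argv goes straight to execve, no shell parsing at all."""
    proc = subprocess.run(build_command_safe(account), shell=False,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv_literal(value: str) -> str:
    """Even without validation, an argv element is delivered verbatim: the
    metacharacters reach the program as data, not as shell syntax."""
    proc = subprocess.run(["echo", value], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    hostile = "x; echo INJECTED"
    print(shell_tokens(build_command_unsafe(hostile)))
    print(run_unsafe(hostile), end="")
    print(run_argv_literal(hostile), end="")
    print(run_safe("prod-1"), end="")
```

The validation step matters even with `shell=False`: argv stops the shell from interpreting the value, but the target program may still treat a leading `-` as an option or a `/` as a path, so constrain the value to what the parameter legitimately needs.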
-
CVE-2025-22132 – WeGIA Charitable Institutions XSS File Upload Vulnerability
CVE ID: CVE-2025-22132 | Published: Jan. 7, 2025, 10:15 p.m. | Description: WeGIA is a web manager for charitable institutions. A Cross-Site Scripting (XSS) vulnerability was identified in the file upload functionality of the WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. By uploading a file containing malicious JavaScript code, an attacker can execute arbitrary scripts…
-
CVE-2025-22133 – WeGIA File Upload Vulnerability (Remote Code Execution)
CVE ID: CVE-2025-22133 | Published: Jan. 7, 2025, 10:15 p.m. | Description: WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which…
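Both WeGIA entries and the WebinarPress ‘sync-import-imgs’ entry above come down to an upload handler that trusts the client's filename. The block below is an added example, not code from WeGIA or WebinarPress: a validator for an endpoint that expects spreadsheets or images, written in Python rather than PHP so it can run here. It rejects server-executable extensions in any position of the name (`shell.phar`, `shell.php.png`), checks the leading bytes against the claimed type, confirms an `.xlsx` is really a workbook, and stores the file under a random name so the client never chooses what the web server will serve. The allowlist and the storage scheme are assumptions made for the example.

```python
"""Added example: upload validation against filename-based code execution.

Not WeGIA or WebinarPress code. The allowlist, the magic-byte table and the
random storage name are assumed policy for this illustration.
"""
import io
import os
import secrets
import tempfile
import zipfile

# Allowed extensions and the bytes a genuine file of that type starts with.
ALLOWED = {
    "xlsx": b"PK\x03\x04",          # OOXML spreadsheets are ZIP containers
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}

# Extensions a typical PHP web server will execute. Rejected anywhere in the
# name, not only at the end, because some server configurations map
# "shell.php.png" to the PHP handler as well.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8",
              "phtml", "phar", "phps", "htaccess"}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Return the vetted extension, or raise UploadRejected."""
    # Strip any client-supplied directory component (Windows or POSIX).
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        raise UploadRejected("missing or empty extension")
    if any(p in EXECUTABLE for p in parts[1:]):
        raise UploadRejected("executable extension in filename")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match claimed type")
    if ext == "xlsx":
        # A .phar can itself be a ZIP, so "starts with PK" is not enough:
        # require the part that every workbook carries.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "xl/workbook.xml" not in zf.namelist():
                    raise UploadRejected("zip is not a workbook")
        except zipfile.BadZipFile:
            raise UploadRejected("corrupt zip container")
    return ext


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random server-chosen name."""
    ext = validate_upload(filename, data)
    stored = f"{secrets.token_hex(16)}.{ext}"
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(data)
    return stored


def rejected(filename: str, data: bytes) -> bool:
    """True if the validator refuses this upload (used by the checks below)."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return False or True
    return False


def make_sample_xlsx() -> bytes:
    """Constructed minimal workbook-shaped ZIP (not a real spreadsheet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def make_sample_phar_zip() -> bytes:
    """Constructed ZIP with a PHP stub and no workbook part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("stub.php", "<?php echo 'x'; __HALT_COMPILER();")
    return buf.getvalue()


def demo() -> str:
    """Store a good workbook in a temp dir and return the chosen name."""
    return store_upload("report.xlsx", make_sample_xlsx(), tempfile.mkdtemp())


if __name__ == "__main__":
    print(demo())
```

The stored-name step is what turns the remaining risk from "remote code execution" into "an odd file on disk": even if a check is bypassed, nothing under the upload directory has a name or extension the attacker picked, and the directory itself should additionally be served with script execution disabled.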
-
CVE-2024-55555 – Invoice Ninja Laravel RCE
CVE ID: CVE-2024-55555 | Published: Jan. 7, 2025, 5:15 p.m. | Description: Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product’s repository, that have default APP_KEY values. The route/{hash} route defined…