3575 matches found
CVE-2024-50625
An issue was discovered in Digi ConnectPort LTS before 1.4.12. A vulnerability in the file upload handling of a web application allows manipulation of file paths via POST requests. This can lead to arbitrary file uploads within specific directories, potentially enabling privilege escalation when...
CVE-2024-50625
Digi ConnectPort LTS prior to 1.4.12 is affected by a vulnerability in the web application’s file upload handling that allows manipulation of the file path via POST requests. This can enable arbitrary file uploads within specific directories and potentially lead to privilege escalation when combi...
CVE-2024-12181 DedeCMS SWF File uploads_add.php cross site scripting
A vulnerability classified as problematic was found in DedeCMS 5.7.116. Affected by this vulnerability is an unknown functionality of the file /member/uploads_add.php of the component SWF File Handler. The manipulation of the argument mediatype leads to cross site scripting. The attack can be...
CVE-2024-8962
The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2024-8962
CVE-2024-8962 concerns the WordPress plugin WPBITS Addons For Elementor Page Builder. The vulnerability is a Stored Cross-Site Scripting (XSS) via SVG file uploads in versions up to and including 1.5.2, caused by insufficient input sanitization and output escaping. Exploitation requires an authen...
CVE-2024-11093
The SG Helper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in version 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web...
CVE-2024-11093
CVE-2024-11093 concerns the WordPress plugin SG Helper (versions ≤ 1.0). The vulnerability is a Stored Cross‑Site Scripting via SVG file uploads, caused by insufficient input sanitization and output escaping. It requires authenticated access at Administrator level or higher, and can let the attac...
CVE-2024-11391
The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'classfmaconnector.php' file in all versions up to, and including, 5.2.10. This makes it possible for authenticated attackers, with Subscriber-level access and above,...
A vulnerability in the web management interface of Zyxel ZLD firmware allows an attacker to upload or download files.
The vulnerability in the web management interface of Zyxel ZLD firmware lies in improper restriction of a path name to a restricted directory (path traversal). Exploiting it allows a malicious actor to upload or download files through a specially crafted URL...
CVE-2024-11082
The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimationspanel function in all versions up to, and including, 1.9.15. This makes it possible for authenticated attackers, with Author-level access and above, to...
CVE-2024-11082
The CVE-2024-11082 entry concerns the Tumult Hype Animations WordPress plugin (versions
CVE-2024-8066
CVE-2024-8066 affects File Manager Pro – Filester plugin for WordPress (all versions up to and including 1.8.6). The vulnerability stems from missing validation in the fsConnector function, enabling authenticated users with Subscriber-level access (and with permissions granted by an Administrator...
WordPress plugin File Manager Pro – Filester code issue vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on servers running PHP and MySQL. A WordPress plugin is an application plugin... A code issue vulnerability exist...
PT-2024-16745 · Tumult · Tumult Hype Animations
Name of the Vulnerable Software and Affected Versions: Tumult Hype Animations plugin for WordPress versions up to, and including, 1.9.15 Description: The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations...
CVE-2024-46054
OpenVidReview 1.0 is vulnerable to Incorrect Access Control. The /upload route is accessible without authentication, allowing any user to upload files...
CVE-2024-46054
OpenVidReview 1.0 is affected by CVE-2024-46054 due to Incorrect Access Control: the /upload endpoint is accessible without authentication, allowing file uploads by any user. This risk is reflected across multiple sources (NVD/Red Hat/CNNVD, etc.). Root cause: unauthenticated access to the upload...
CVE-2024-11091 Support SVG – Upload svg files in wordpress without hassle <= 1.1.0 - Authenticated (Author+) Stored Cross-site Scripting via SVG File Upload
The Support SVG – Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2024-9504
CVE-2024-9504 affects the Booking calendar, Appointment Booking System plugin for WordPress, with an unauthenticated stored XSS via SVG uploads in versions up to 3.2.15 caused by inadequate input sanitization and output escaping. The vulnerability permits injection of script code that executes wh...
CVE-2024-9660
The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mjsmgtloaddocumetsnew and mjsmgtloaddocumets functions in all versions up to, and including, 91.5.0. This makes it possible for authenticated attacker...
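The entries above keep naming the same four missing controls: a client-supplied path that is not confined to the upload directory (the Digi ConnectPort LTS and Zyxel entries), no file type validation (the Advanced File Manager, Tumult Hype Animations, Filester and School Management System entries), SVG accepted without checking for active content (the stored-XSS-via-SVG entries), and an upload route with no authorization at all (the OpenVidReview /upload entry). The following Python sketch is an added example, not code from any product on this page, showing what those checks look like in one place; UPLOAD_ROOT, the ALLOWED_TYPES table, the function names and the sample inputs are all assumptions made for illustration.

```python
"""Upload-handler checks for the failure modes recurring in the listing above.

Added example, not code from any product named on this page. UPLOAD_ROOT,
ALLOWED_TYPES and every function name are assumptions for illustration; the
constructed sample inputs at the bottom are not payloads from any advisory.
"""
import posixpath
import re

UPLOAD_ROOT = "/var/www/uploads"  # assumed: the only directory uploads may land in

# Allowed extension -> magic bytes the content must start with.
# SVG is text, so it is checked by content in svg_is_safe() instead.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "svg": (),
}

# Constructs that turn an SVG into a stored-XSS payload when rendered inline.
_SVG_ACTIVE = re.compile(
    rb"<\s*(script|foreignObject|iframe|object|embed)\b"   # script / HTML containers
    rb"|\bon[a-z]+\s*="                                     # onload=, onclick=, ...
    rb"|\b(href|xlink:href)\s*=\s*['\"]?\s*javascript:",    # javascript: URLs
    re.IGNORECASE,
)

def safe_destination(root, user_path):
    """Map a client-supplied name to a path confined to root, or None.

    Only the basename is used, so '../../shell.php' cannot escape the upload
    directory; the result is re-checked against root after normalisation.
    """
    name = posixpath.basename(user_path.replace("\\", "/"))
    if not name or name in (".", "..") or name.startswith("."):  # no .htaccess
        return None
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)   # strips NUL bytes, spaces, quotes
    dest = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, dest]) != root:  # belt and braces
        return None
    return dest

def svg_is_safe(content):
    """True if content looks like SVG and carries none of the active-content patterns."""
    return b"<svg" in content.lower() and _SVG_ACTIVE.search(content) is None

def validate_upload(filename, content, root=UPLOAD_ROOT):
    """Return (destination, None) if the upload is acceptable, else (None, reason)."""
    dest = safe_destination(root, filename)
    if dest is None:
        return None, "bad filename"
    parts = posixpath.basename(dest).split(".")
    if len(parts) != 2 or not parts[1]:           # exactly one extension: no shell.php.png
        return None, "exactly one extension required"
    ext = parts[1].lower()
    if ext not in ALLOWED_TYPES:                  # allowlist, never a denylist
        return None, "extension not allowed"
    if ext == "svg":
        if not svg_is_safe(content):
            return None, "svg contains active content"
    elif not any(content.startswith(m) for m in ALLOWED_TYPES[ext]):
        return None, "content does not match extension"
    return dest, None

def handle_upload(user, filename, content, required_cap="upload_files"):
    """Authorisation first (the unauthenticated /upload entry lacks this), then validation."""
    if not user.get("authenticated") or required_cap not in user.get("caps", ()):
        return None, "not authorised"
    return validate_upload(filename, content)

# Constructed sample inputs (not taken from any advisory).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
WEBSHELL = b"<?php system($_GET['c']); ?>"
SVG_OK = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SVG_XSS = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
EDITOR = {"authenticated": True, "caps": {"upload_files"}}
GUEST = {"authenticated": False, "caps": set()}

if __name__ == "__main__":
    for who, name, body in [
        (EDITOR, "photo.png", PNG),
        (EDITOR, "../../../var/www/html/shell.php", WEBSHELL),  # traversal + bad type
        (EDITOR, "avatar.png", WEBSHELL),     # wrong extension, caught by magic bytes
        (EDITOR, "shell.php.png", PNG),       # double extension
        (EDITOR, "shell.php\x00.png", PNG),   # NUL-byte truncation trick
        (EDITOR, "logo.svg", SVG_XSS),
        (EDITOR, "logo.svg", SVG_OK),
        (GUEST, "photo.png", PNG),
    ]:
        print(repr(name), "->", handle_upload(who, name, body))
```

The regex pre-check on SVG only catches the plain cases the listing describes (script elements, event-handler attributes, javascript: links); a production handler should parse the document and strip to an allowlist of elements and attributes, or serve uploaded SVG with a Content-Disposition: attachment header and a restrictive Content-Security-Policy so it never renders inline in the site's origin.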