Livewire Remote Code Execution on File Uploads

In livewire/livewire prior to v2.12.7 and v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type e.g.,...

CVE-2024-47823 Livewire Remote Code Execution (RCE) on File Uploads

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to 2.12.7 and v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not...

CVE-2024-47823 Livewire Remote Code Execution (RCE) on File Uploads

Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to 2.12.7 and v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not...

CVE-2024-8964

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-8964

CVE-2024-8964 affects the WordPress plugin “Image Optimizer, Resizer and CDN – Sirv” (Sirv) for WordPress, vulnerable up to version 7.2.9. The issue is a Stored Cross-Site Scripting (XSS) vector via SVG file uploads caused by insufficient input sanitization and output escaping. Exploitation requi...

CVE-2024-9417

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to limited file uploads due to a misconfigured file type validation in the 'handleUpload' function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to upload files that are...

CVE-2024-9417

CVE-2024-9417 affects the WordPress Hash Form – Drag & Drop Form Builder plugin. All versions up to 1.1.9 are vulnerable to unauthenticated, limited file uploads due to a misconfigured file type validation in handleUpload, allowing files outside both the allowedExtensions and unallowed_extensions...

CVE-2024-9455

The WP Cleanup and Basic Functions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVE-2024-9271

The Re:WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to injec...

CVE-2024-9071

The Easy Demo Importer – A Modern One-Click Demo Import Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-9271

The CVE-2024-9271 entry pertains to the Re:WP WordPress plugin (versions

CVE-2024-9368

The Aggregator Advanced Settings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVE-2024-9368

CVE-2024-9368 : The WordPress plugin Aggregator Advanced Settings is vulnerable to a Stored Cross-Site Scripting (XSS) via the SVG file upload feature in all versions up to 1.2.1. The root cause is insufficient input sanitization and output escaping for SVG uploads. Exploitation requires authenti...

PT-2024-27797 · Unknown · Itsourcode Online Discussion Forum Project

Name of the Vulnerable Software and Affected Versions: Itsourcecode Online Discussion Forum Project version 1.0 Description: The issue allows a remote attacker to execute arbitrary code via the "poster.php" file. The uploaded file is received using the $ FILES variable. This enables the attacker ...

PT-2024-32714 · Unknown · Shilpi Client Dashboard

Name of the Vulnerable Software and Affected Versions: Shilpi Client Dashboard affected versions not specified Description: The issue exists due to improper validation of files being uploaded other than the specified extension. An authenticated remote attacker could exploit this by uploading a...

CVE-2024-9172

The Demo Importer Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

CVE-2024-8967

The CVE refers to the WordPress plugin “PWA — easy way to Progressive Web App” (iworks-pwa) with Stored Cross-Site Scripting via SVG file uploads in versions up to 1.6.3. Root cause: insufficient input sanitization and output escaping for uploaded SVGs, enabling authenticated attackers (Author le...

CVE-2024-7855

The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the updatereview function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload...

CVE-2024-7855

CVE-2024-7855 affects the WordPress plugin WP Hotel Booking (versions

WordPress plugin WP Hotel Booking 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue...