CVE-2024-7384 : ACYBA ACYMAILING PLUGIN UP TO 9.7.2 ON WORDPRESS ACYM_EXTRACTARCHIVE UNRESTRICTED UPLOAD

Description

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/0c747bc9-582c-4b9f-85a4-469c446d50f5?source=cve

https://plugins.trac.wordpress.org/browser/acymailing/trunk/back/libraries/wordpress/file.php#L47

https://wordpress.org/plugins/acymailing/#developers

https://www.acymailing.com/changelog/

https://plugins.trac.wordpress.org/changeset?old_path=%2Facymailing&old=3118953&new_path=%2Facymailing&new=3137644&sfp_email=&sfph_mail=

https://plugins.trac.wordpress.org/changeset/3137644/

For More Information

CVERecord

Contact us to get started

CVE-2024-8762 : CODE-PROJECTS CRUD OPERATION SYSTEM 1.0 /UPDATEDATA.PHP SID SQL INJECTION

Description A vulnerability was found in code-projects Crud Operation System 1.0. It has been classified as critical. This affects an

Learn more

CVE-2024-34334 : ORDAT FOSS-ONLINE UP TO 2.24.00 FORGOT PASSWORD SQL INJECTION

Description ORDAT FOSS-Online before v2.24.01 was discovered to contain a SQL injection vulnerability via the forgot password function. References https://mind-bytes.de/sql-injection-in-foss-online-cve-2024-34334/

Learn more

CVE-2024-45383 : MICROSOFT HIGH DEFINITION AUDIO BUS DRIVER 10.0.19041.3636 IRP HDAUDBUS_DMA RESOURCE CONTROL

Description A mishandling of IRP requests vulnerability exists in the HDAudBus_DMA interface of Microsoft High Definition Audio Bus Driver 10.0.19041.3636

Learn more