CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,283 with exploits | 4,731 exploited in wild | 1,542 CISA KEV | 3,930 Nuclei templates | 37,826 vendors | 42,577 researchers
2,435 results
CVE-2024-31224 9.8 CRITICAL 1 Writeup EPSS 0.06
Binary-husky Gpt Academic < 3.74 - Insecure Deserialization
GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from the client, which may risk remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version.
CWE-502 Apr 08, 2024
CVE-2024-3431 4.7 MEDIUM EPSS 0.00
Eyoucms - Insecure Deserialization
A vulnerability was found in EyouCMS 1.6.5. It has been declared as critical. This vulnerability affects unknown code of the file /login.php?m=admin&c=Field&a=channel_edit of the component Backend. The manipulation of the argument channel_id leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259612. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CWE-502 Apr 07, 2024
CVE-2024-31308 4.4 MEDIUM EPSS 0.00
Vjinfotech WP Import Export Lite < 3.9.27 - Insecure Deserialization
Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite. This issue affects WP Import Export Lite: from n/a through 3.9.26.
CWE-502 Apr 07, 2024
CVE-2024-31277 8.7 HIGH EPSS 0.01
PickPlugins Product Designer <1.0.32 - Deserialization
Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer. This issue affects Product Designer: from n/a through 1.0.32.
CWE-502 Apr 07, 2024
CVE-2024-3366 3.5 LOW EPSS 0.00
Xuxueli xxl-job <2.4.1 - Code Injection
A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480.
CWE-502 Apr 06, 2024
CVE-2024-31211 5.5 MEDIUM 1 PoC Analysis EPSS 0.40
Wordpress < 6.4.2 - Insecure Deserialization
WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
CWE-502 Apr 04, 2024
CVE-2024-27604 9.8 CRITICAL EPSS 0.00
Alldata V0.4.6 - Code Injection
Alldata V0.4.6 has a command execution vulnerability. System commands can be deserialized.
CWE-502 Apr 02, 2024
CVE-2023-51570 9.8 CRITICAL EPSS 0.05
Voltronic Power ViewPower Pro - Deserialization
Voltronic Power ViewPower Pro Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RMI interface, which listens on TCP port 41009 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21012.
CWE-502 Apr 01, 2024
CVE-2024-29433 9.8 CRITICAL EPSS 0.00
Alldata 0.4.6 - Code Injection
A deserialization vulnerability in the FASTJSON component of Alldata v0.4.6 allows attackers to execute arbitrary commands via supplying crafted data.
CWE-502 Apr 01, 2024
CVE-2024-31094 9.8 CRITICAL EPSS 0.00
Filter Custom Fields & Taxonomies Light - Deserialization
Deserialization of Untrusted Data vulnerability in Filter Custom Fields & Taxonomies Light. This issue affects Filter Custom Fields & Taxonomies Light: from n/a through 1.05.
CWE-502 Mar 31, 2024
CVE-2024-3018 8.8 HIGH EPSS 0.01
Wpdeveloper Essential Addons For Elementor - Insecure Deserialization
The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the 'error_resetpassword' attribute of the "Login | Register Form" widget (disabled by default). This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CWE-502 Mar 30, 2024
CVE-2023-23649 8.1 HIGH EPSS 0.01
MainWP MainWP Links Manager Extension <2.1 - Deserialization
Deserialization of Untrusted Data vulnerability in MainWP MainWP Links Manager Extension. This issue affects MainWP Links Manager Extension: from n/a through 2.1.
CWE-502 Mar 28, 2024
CVE-2024-30221 5.4 MEDIUM EXPLOITED EPSS 0.01
WP Sunshine Photo Cart <3.1.1 - Deserialization
Deserialization of Untrusted Data vulnerability in WP Sunshine Sunshine Photo Cart. This issue affects Sunshine Photo Cart: from n/a through 3.1.1.
CWE-502 Mar 28, 2024
CVE-2024-30230 8.2 HIGH EPSS 0.00
Acowebs PDF Invoices <1.3.7 - Deserialization
Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce. This issue affects PDF Invoices and Packing Slips For WooCommerce: from n/a through 1.3.7.
CWE-502 Mar 28, 2024
CVE-2024-30229 8.0 HIGH EXPLOITED EPSS 0.01
GiveWP <3.4.2 - Deserialization
Deserialization of Untrusted Data vulnerability in GiveWP. This issue affects GiveWP: from n/a through 3.4.2.
CWE-502 Mar 28, 2024
CVE-2024-30228 9.9 CRITICAL EPSS 0.01
Hercules Core - Use After Free
Deserialization of Untrusted Data vulnerability in Hercules Design Hercules Core. This issue affects Hercules Core: from n/a through 6.4.
CWE-502 Mar 28, 2024
CVE-2024-30227 9.0 CRITICAL EPSS 0.00
INFINITUM FORM Geo Controller <8.6.4 - Deserialization
Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller. This issue affects Geo Controller: from n/a through 8.6.4.
CWE-502 Mar 28, 2024
CVE-2024-30226 9.0 CRITICAL EPSS 0.12
WPDeveloper BetterDocs <3.3.3 - Deserialization
Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs. This issue affects BetterDocs: from n/a through 3.3.3.
CWE-502 Mar 28, 2024
CVE-2024-30225 10.0 CRITICAL EPSS 0.01
WPENGINE, INC. WP Migrate <2.6.10 - Deserialization
Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate. This issue affects WP Migrate: from n/a through 2.6.10.
CWE-502 Mar 28, 2024
CVE-2024-30224 10.0 CRITICAL EPSS 0.01
WholesaleX <1.3.2 - Use After Free
Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX. This issue affects WholesaleX: from n/a through 1.3.2.
CWE-502 Mar 28, 2024