3 vulnerabilities across 2 products scored HIGH or above on June 08, 2026.

  • HIGH: 3

[HIGH] wp_travel_kit/travelscape

2 CVEs | CVSS 4.0: 9.3 | AAS 9.2

The WordPress plugin wp_travel_kit Travelscape contains remote code execution vulnerabilities (CVE-2023-54352, CVE-2024-58349) that allow unauthenticated attackers to upload and execute arbitrary PHP code, with a maximum CVSS score of 9.3. Administrators should immediately apply vendor patches and inspect their wp-content/themes directory for suspicious files. This affects all versions running the vulnerable code; see the vendor advisory for patch availability.

Vendor Advisory


[HIGH] background-image-cropper/background_image_cropper

1 CVE | CVSS 4.0: 9.3 | AAS 9.2

The WordPress plugin background-image-cropper version 1.2 contains a remote code execution vulnerability (CVE-2024-58348) that allows unauthenticated attackers to upload arbitrary files through the ups.php endpoint, with a CVSS score of 9.3. Administrators should immediately patch affected systems or disable the plugin if remediation is unavailable. Review server logs and the plugin directory for evidence of exploitation or unauthorized file uploads.

Vendor Advisory