A command injection vulnerability in the firmware_update command, in the device’s restricted telnet interface, allows an authenticated attacker to execute arbitrary commands as root.
CWE-77
CVE-2023-0039
The User Post Gallery – UPG plugin for WordPress is vulnerable to authorization bypass which leads to remote command execution due to the use of a nopriv AJAX action and user supplied function calls and parameters in versions up to, and including 2.19. This makes it possible for unauthenticated attackers to call arbitrary PHP functions and perform actions like adding new files that can be webshells and updating the site’s options to allow anyone to register as an administrator.