Lucene search
K

87400 matches found

Nuclei
Nuclei
added yesterday10 views

KevinLAB BEMS 1.0 - SQL Injection

KevinLAB BEMS 1.0 contains a SQL injection vulnerability. Input passed through inputid POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. An attacker can possibly obtain sensitive information from a database, modify data, and...

9.8CVSS7.3AI score0.08146EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday15 views

Emlog 2.1.9 - SQL Injection

emlog v2.1.9 contains a SQL injection caused by unsanitized input in the data backup/restore functionality, allowing attackers to execute arbitrary SQL commands through crafted backup files. id: CVE-2023-39121 info: name: Emlog 2.1.9 - SQL Injection author: wjch611 severity: high description: |...

7.2CVSS7.3AI score0.02258EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday12 views

Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials

Sitecore Experience Manager XM and Experience Platform XP versions 10.1 to 10.1.4 rev. 011974 PRE, all versions of 10.2, 10.3 to 10.3.3 rev. 011967 PRE, and 10.4 to 10.4.1 rev. 011941 PRE contain a hardcoded user account. Unauthenticated and remote attackers can use this account to access...

7.5CVSS7.4AI score0.39961EPSS
Exploits6References3
Nuclei
Nuclei
added yesterday24 views

WordPress Automatic Plugin - Unauthenticated Options Change

WordPress Automatic Plugin versions 3.53.2 and below contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the processform.php script. The vulnerable script uses updateoption on all POST parameters without authentication or capability...

9.8CVSS7.3AI score0.16408EPSS
Exploits3References2
Nuclei
Nuclei
added yesterday20 views

Protect WP Admin < 4.0 - Unauthenticated Protection Bypass

The Protect WP Admin WordPress plugin before version 4.0 disclosed the URL of the admin panel through the redirection of a crafted URL, bypassing the protection offered. id: CVE-2023-3139 info: name: Protect WP Admin 4.0 - Unauthenticated Protection Bypass author: popcorn94 severity: medium...

6.1CVSS6.8AI score0.00734EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday22 views

Arcserve UDP <= 9.0.6034 - Authentication Bypass

Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute a...

9.8CVSS7.2AI score0.37715EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday12 views

GiveWP - Missing Authorization to Settings Update

GiveWP plugin through 2.5.9 for WordPress contains an unauthenticated settings change caused by insecure access in includes/gateways/stripe/includes/admin/admin-actions.php, letting attackers modify settings without authentication, exploit requires no authentication. id: CVE-2020-20627 info: name...

5.3CVSS6.1AI score0.01881EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday35 views

Fortinet FortiWeb - Authentication Bypass to Admin Privilege

A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges o...

8.1CVSS7.4AI score0.1067EPSS
Exploits4References3
Nuclei
Nuclei
added yesterday62 views

ZKTeco BioTime <= 9.0.1 - Privilege Escalation

BioTime default employee credentials password 123456 allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files. id: CVE-2023-38952 info: name: ZKTeco BioTime = 9.0.1 - Privilege Escalation author: riteshs4hu severity: high...

9.8CVSS7AI score0.03197EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday16 views

XWiki <= 17.3.0 - Server-Side Template Injection (SSTI)

XWiki = 17.3.0 contains a server-side template injection caused by improper validation of Apache Velocity template code in the Administration interface HTTP Meta Info field, letting authenticated administrators execute arbitrary template logic. id: CVE-2025-51991 info: name: XWiki = 17.3.0 -...

8.8CVSS7.4AI score0.03366EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday35 views

MStore API <= 3.9.1 - Authentication Bypass

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated...

9.8CVSS7.2AI score0.03805EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday13 views

Simple File List < 6.1.13 - Reflected Cross-Site Scripting

Simple File List WordPress plugin \u003C 6.1.13 contains a reflected cross-site scripting caused by unsanitized URL output in an attribute, letting attackers execute malicious scripts in admin browsers, exploit requires victim to be an admin. id: CVE-2024-10146 info: name: Simple File List 6.1.13...

5.4CVSS5.9AI score0.00574EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday17 views

WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation

Privilege escalation vulnerability exists in the Frontend Login and Registration Blocks plugin for WordPress versions = 1.0.7. An unauthenticated attacker can exploit the AJAX endpoint flrblocksusersettingshandleajaxcallback to change the administrator's email address. Subsequently, the attacker...

9.8CVSS7.2AI score0.06441EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday22 views

Four-Faith F3x36 - Authentication Bypass

Four-Faith F3x36 router with firmware v2.0.0 contains an authentication bypass caused by hard-coded credentials in the administrative web server, letting attackers with knowledge of credentials gain administrative access via crafted HTTP requests. id: CVE-2024-9643 info: name: Four-Faith F3x36 -...

9.8CVSS7.2AI score0.0293EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday37 views

Broadstreet WordPress plugin - Reflected XSS

Broadstreet WordPress plugin 1.51.8 contains a reflected XSS caused by unsanitised and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires victim interaction. id: CVE-2025-4652 info: name: Broadstreet WordPress plugin -...

6.1CVSS6AI score0.00468EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday15 views

LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/loadcontentviaajax which allows arbitrary callback execution of...

5.3CVSS6.2AI score0.00914EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday9 views

AffiliateImporterEb <= 1.0.6 - Reflected XSS

AffiliateImporterEb WordPress plugin through 1.0.6 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12732 info: name: AffiliateImporterEb =...

6.1CVSS6AI score0.00521EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday12 views

WP DeskLite - Reflected XSS

WP DeskLite WordPress plugin through 1.0.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12724 info: name: WP DeskLite - Reflected XSS...

6.1CVSS6AI score0.00521EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday8 views

Custom Field Manager WordPress - Cross-Site Scripting

Custom Field Manager WordPress plugin through 1.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12873 info: name: Custom Field Manager...

6.1CVSS7.2AI score0.0053EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday12 views

Zarinpal Paid Download - Reflected XSS

Zarinpal Paid Download WordPress plugin v2.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users such as admin, exploit requires...

6.1CVSS7.1AI score0.00564EPSS
Exploits1References2
Rows per page
Query Builder