130 matches found

Source: RedhatCVE (added 2026/01/09 10:45 a.m., 6 views)

CVE-2022-0952

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as...

CVSS 8.8, AI score 6.9, EPSS 0.12524
Exploits 2, References 1
Source: Vulnrichment (added 2025/12/24 7:27 p.m., 2 views)

CVE-2018-25127 SOCA Access Control System 180612 Cross-Site Request Forgery via Admin Interface

SOCA Access Control System 180612 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that submit forged requests to create admin accounts by tricking logged-in users...

CVSS 5.3, AI score 6.4, EPSS 0.00191
Exploits 1, References 3
Source: CVE (added 2025/12/24 7:27 p.m., 3 views)

CVE-2018-25127

CVE-2018-25127 affects SOCA Access Control System 180612. The issue is a cross-site request forgery in the admin interface caused by lack of proper request validation, allowing forged requests to create admin accounts when a user visits a malicious page. Affected component: admin interface/API en...

CVSS 5.3, AI score 6.4, EPSS 0.00191
Exploits 1, References 3
Source: EUVD (added 2025/12/18 12:34 a.m., 4 views)

EUVD-2023-60216

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative...

CVSS 9.8, AI score 6.6, EPSS 0.00598
Exploits 1, References 4
Source: Positive Technologies (added 2025/12/17 12:00 a.m., 3 views)

PT-2025-51961

Name of the Vulnerable Software and Affected Versions: UliCMS version 2023.1. Description: An unauthenticated attacker can create administrative accounts through the UserController endpoint. By sending a crafted POST request to the /dist/admin/index.php endpoint with specific parameters, an attacker...

CVSS 9.8, AI score 6.7, EPSS 0.00466
Exploits 1, References 6
Source: Rapid7 Blog (added 2025/11/21 8:52 p.m., 14 views)

Metasploit Wrap-Up 11/21/2025

CVE-2025-64446 - Fortinet’s FortiWeb exploitation. A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall, now assigned CVE-2025-64446 (CVSS 9.1), allows unauthenticated attackers to gain full administrator access to the FortiWeb Manager interface and its websocket CLI. The flaw...

CVSS 9.8, AI score 8.2, EPSS 0.89526
Exploits 19
Source: RedhatCVE (added 2025/11/20 12:21 a.m., 6 views)

CVE-2025-63221

The Axel Technology puma devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system...

CVSS 9.1, AI score 7.1, EPSS 0.00458
Exploits 1, References 1
Source: EUVD (added 2025/10/03 8:07 p.m., 4 views)

EUVD-2025-25750

Malicious code in bioql PyPI...

CVSS 8.8, AI score 6.3, EPSS 0.00437
Exploits 0, References 3
Source: CVE (added 2025/08/25 4:22 p.m., 23 views)

CVE-2025-57760

Langflow contains a privilege-escalation vulnerability in its container runtime: an authenticated user with RCE can invoke the CLI binary at /app/.venv/bin/langflow (langflow superuser) to create a new administrative user, granting full superuser access and compromising the instance. Affected beh...

CVSS 8.8, AI score 6.9, EPSS 0.00437
Exploits 0, References 3, Affected Software 1
Source: Github Security Blog (added 2025/08/19 3:31 p.m., 10 views)

moonshine Stored Cross-Site Scripting Vulnerability in Create Admin

A stored cross-site scripting XSS vulnerability in the Create Admin function of MoonShine v3.12.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter...

CVSS 4.9, AI score 5.7, EPSS 0.00521
Exploits 2, References 4, Affected Software 1
Source: OSV (added 2025/08/19 3:31 p.m., 6 views)

GHSA-RH9F-GR6Q-MPC4 moonshine Stored Cross-Site Scripting Vulnerability in Create Admin

A stored cross-site scripting XSS vulnerability in the Create Admin function of MoonShine v3.12.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter...

CVSS 4.9, AI score 5.2, EPSS 0.00521
Exploits 2, References 4
Source: Positive Technologies (added 2025/08/19 12:00 a.m., 8 views)

PT-2025-33739 · Moonshine · Moonshine

Name of the Vulnerable Software and Affected Versions: MoonShine version 3.12.3 Description: A stored cross-site scripting XSS vulnerability exists in the Create Admin function. Attackers can execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter...

CVSS 4.9, AI score 5.4, EPSS 0.00521
Exploits 2, References 7
Source: CVE (added 2025/08/12 4:25 a.m., 30 views)

CVE-2025-8059

The CVE refers to the WordPress B Blocks plugin (versions up to 2.0.6) with a privilege-escalation flaw caused by missing authorization and input validation in the rgfr_registration() function. This allows unauthenticated attackers to create a new account and grant it the administrator role. Publ...

CVSS 9.8, AI score 7.1, EPSS 0.00446
Exploits 0, References 4
Source: OSV (added 2024/05/30 6:15 p.m., 1 view)

CVE-2024-35433

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user...

CVSS 8.1, AI score 5.8, EPSS 0.00461
Exploits 1, References 1
Source: CNNVD (added 2024/05/20 12:00 a.m., 5 views)

AnythingLLM Input Validation Error Vulnerability

AnythingLLM is a document chatbot that meets business requirements. An input validation error vulnerability exists in AnythingLLM that stems from improper input validation, where a user with the administrator role is able to craft a request containing a nested write operation to create a new...

CVSS 8.1, AI score 8, EPSS 0.0061
Exploits 1, References 3
Source: Exploit DB (added 2023/05/25 12:00 a.m., 361 views)

Ulicms 2023.1 - create admin user via mass assignment

Exploit Title: Ulicms 2023.1 - create admin user via mass assignment. Application: Ulicms. Version: 2023.1-sniffing-vicuna. Bugs: create admin user via mass assignment. Technology: PHP. Vendor URL: https://en.ulicms.de/ Software Link:...

AI score 7.4
Exploits 0
Source: BDU FSTEC (added 2022/08/24 12:00 a.m., 1 view)

The vulnerability of the CAS server of General Bytes Crypto Application Server, related to the manipulation of inter-site requests, allows a hacker to create a user with admin privileges and modify any data on the server at will.

The vulnerability of the CAS server of General Bytes Crypto Application Server is related to the manipulation of inter-site requests. Exploiting this vulnerability allows a malicious actor to create a user with admin privileges and modify any data on the server at will...

CVSS 9.4, AI score 5.5
Exploits 0, References 1, Affected Software 1
Source: OSV (added 2022/05/11 12:01 a.m., 25 views)

GHSA-7F62-4887-CFV5 Privilege escalation in easyappointments

The Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low-privileged user, e.g. a provider, can create a new admin user via the "/api/v1/admins/" endpoint and take over the system. A patch is available on the develop branch ...

CVSS 8.8, AI score 8.6, EPSS 0.01063
Exploits 1, References 4
Source: 0day.today (added 2021/03/29 12:00 a.m., 20 views)

Project Expense Monitoring System 1.0 Authentication Bypass Vulnerability

Exploit Title: Project expense Monitoring System | Create Admin Account Unauthorised. Exploit Author: Richard Jones. Vendor Homepage: https://www.sourcecodester.com/php/14001/project-expense-monitoring-system-project-php-source-code-2020.html Software Link:...

AI score 0.6
Exploits 0
Source: CNVD (added 2020/07/20 12:00 a.m., 1 view)

Microsoft Windows Kernel Elevation of Privilege Vulnerability (CNVD-2020-43107)

Microsoft Windows and Microsoft Windows Server are both products of Microsoft Corporation. Microsoft Windows is an operating system for personal devices. Microsoft Windows Server is a server operating system. An elevation of privilege vulnerability exists in the Microsoft Windows Kernel, which aris...

CVSS 7.8, AI score 7.5, EPSS 0.00864
Exploits 0, References 1