FireBear Improved Import And Export 3.8.6 XSLT Server Side Injection
Exploit Title: FireBear Improved Import & Export ver. 3.8.6 for Magento 2.4.6 - XSLT Server Side Injection Command Execution Date: 2023-11-17 Exploit Author: tmrswrr Vendor Homepage: https://commercemarketplace.adobe.com/ Software Link:...
Exploit for CVE-2023-1521
PoC bash gcc -sha...
Funnelforms Free < 3.4.2 - Form Deletion/Duplication via CSRF
Description The plugin does not have CSRF checks on some of its form actions such as deletion and duplication, which could allow attackers to make a logged in admin perform such actions via CSRF attacks. Make a logged in admin open an HTML page with the form below. Deletion: This will delete the form...
Bookly < 22.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 1. As an admin user, visit the Bookly...
Slimstat Analytics < 5.0.10 - Contributor+ SQL Injection
Description The plugin is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers wit...
WP Simple Table Manager Plugin <= 1.5.6 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). 1. Click Simple Table Manager then...
Awesome Support < 6.1.5 - Submitter+ Arbitrary File Deletion
Description The plugin does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server. 1. Visit Tickets Settings File Upload 2. Ensure "Enable File Upload", "Enable drag-n-drop uploader for ticket form", and "Check this t...
Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update
Description The plugin does not prevent users with low privileges like subscribers from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including DoS. Once the site gets at least 25 conversions using the plugin, a notice will show up on the...
EventPrime < 3.2.0 - Booking Creation via CSRF
Description The plugin does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks. Create an Event, noting its ID. Add a ticket type to the Event (the details don't matter). As a logged-in user, visit a page with t...
CVE-2023-42824
The issue was addressed with improved checks. This issue is fixed in iOS 16.7.1 and iPadOS 16.7.1. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6...
PT-2023-27725 · Idm Sistemas Qsige +1 · Qsige
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned. Description: The file upload functionality is not implemented correctly, allowing the upload of any type of file. An attacker must log into the application with a valid username to exploit this...
Track The Click < 0.3.12 - Author+ Time-Based Blind SQL Injection
Description The plugin does not properly sanitize query parameters to the stats REST endpoint before using them in a database query, allowing a logged in user with an author role or higher to perform time based blind SQLi attacks on the database. Version 0.3.11 changes the API endpoint to only be...
User Activity Log Pro < 2.3.4 - Unauthenticated Stored Cross-Site Scripting via User Agent
Description The plugin does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks. PoC 1 Make sure the plugin's Enable User Agent For Log setting is set at /wp-admin/admin.php?page=ualpsettings 2 If...
ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Content Disclosure
Description The plugin does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the content of arbitrary posts, such as draft and private ones, via an IDOR vector. Password protected posts are not affected by...
WP Matterport Shortcode < 2.1.7 - Reflected XSS
Description The plugin does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin. Make a logged in admin open https://example.com/wp-admin/admin.php/"/?page=wpms-opti...
NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete
Description The plugin is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the galleryedit function, allowing an attacker to access arbitrary resources on the server. 1. Create a Gallery called "My Gallery" and note its ID. 2. Run the following code in...
Weaver Xtreme Theme Support < 6.3.1 - Admin+ PHP Object Injection
Description The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a high privilege user imports a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin: class Test...
islamnt CMS 2.1.0 Add Administrator
Title: islamnt CMS v2.1.0 Add ADmin Vulnerability Vulnerability | Author: indoushka | Tested on: windows 10 Français V.Pro / browser: Mozilla firefox...
Kylin CMS 1.3.0 SQL Injection
Title: KylinCMS V1.3.0 Auth by pass Vulnerability | Author: indoushka | Tested on: windows 10 Français V.Pro / browser: Mozilla firefox 66.0.332-bit |...
Locatoraid Store Locator < 3.9.24 - Reflected XSS
Description The plugin does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Setup as admin: - Locatoraid Configuration Google Maps Enter "none" at...