Otter - Gutenberg Blocks < 2.2.6 - Author+ PHAR Deserialization
The plugin does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP startBuffering(); $phar->addFromString('test.png', 'text'); $phar->setStub("\xff\xd8\xff\n"); $phar->setMetadata(new Evil); $phar->stopBuffering(); 2...
Exploit for Insecure Default Initialization of Resource in Apache Superset
CVE-2023-27524: Apache Superset Auth Bypass Script to check if...
Tailor Management System SQL Injection Vulnerability
Tailor Management System is a tailor store management system. It contains an SQL injection vulnerability. An attacker can exploit it to execute arbitrary SQL via the customer parameter of...
Tiempo.com <= 0.1.2 - Reflected XSS
The plugin does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below ' /...
REST API TO MiniProgram <= 4.6.1 - Subscriber+ Attachment Deletion
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments: fetch('https://example.com/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type':...
Tiempo.com <= 0.1.2 - Shortcode Deletion via CSRF
The plugin does not have a CSRF check when deleting its shortcodes, which could allow attackers to make logged in admins delete arbitrary shortcodes via a CSRF attack. Make a logged in admin open the URL below; this will make them delete the shortcode with ID 1...
Ninja Forms < 3.6.22 - Reflected XSS
The plugin does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
Ad Inserter < 2.7.27 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admins to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil { public function __wakeup(): void { die("Arbitra...
RapidExpCart <= 1.0 - Stored XSS via CSRF
The plugin does not sanitize and escape the url parameter in the rapidexpcart endpoint before storing it and outputting it back in the page, leading to a Stored Cross-Site Scripting vulnerability which could be used against high-privilege users such as admins; furthermore, the lack of CSRF protection...
WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update
The plugin does not have authorisation and CSRF checks when updating order statuses via an AJAX action available to any authenticated user, which could allow low privilege users such as subscribers to update arbitrary order statuses, for example marking orders as paid without actually paying for them. Run the bel...
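Both the attachment-deletion and the order-status entries above describe the same two missing checks in a `wp_ajax_*` handler: no nonce (CSRF) and no capability check (authorisation). The following is an added example, not code from either plugin, showing the vulnerable shape beside a hardened one. The `example_*` action and script handle names are hypothetical; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `get_post_type`, `wp_delete_attachment`, `wp_send_json_success`, `wp_send_json_error`, `wp_create_nonce`, `wp_localize_script`, `admin_url`) are the real core API, so this only runs inside a WordPress plugin.

```php
<?php
// Added example (not the code of "REST API TO MiniProgram" or "WooCommerce Order Status
// Change Notifier"). Action names prefixed example_ are hypothetical.

// Vulnerable shape: reachable by any logged-in user (wp_ajax_ hooks require only a session),
// no nonce, no capability check. A subscriber can call it directly, and any third-party page
// can make a logged-in admin's browser call it (CSRF).
add_action('wp_ajax_example_delete_attachment_vuln', function () {
    $id = (int) ($_POST['attachment_id'] ?? 0);
    wp_delete_attachment($id, true);
    wp_send_json_success();
});

// Hardened shape: the two checks the advisories say are missing.
add_action('wp_ajax_example_delete_attachment', function () {
    // 1. CSRF: the request must carry a nonce minted for this exact action. On a missing or
    //    invalid nonce check_ajax_referer() terminates the request with a -1 response.
    check_ajax_referer('example_delete_attachment', 'nonce');

    // 2. Authorisation: being logged in is not enough; the caller must be allowed to delete
    //    this particular object. 'delete_post' is a meta capability resolved per post ID.
    $id = (int) ($_POST['attachment_id'] ?? 0);
    if ($id <= 0 || get_post_type($id) !== 'attachment' || !current_user_can('delete_post', $id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    if (!wp_delete_attachment($id, true)) {
        wp_send_json_error(['message' => 'delete failed'], 500);
    }
    wp_send_json_success(['deleted' => $id]);
});

// The nonce has to reach legitimate JavaScript somehow; here it is attached to an already
// registered script handle (hypothetical 'example-script') as window.exampleAjax.nonce.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('example-script', 'exampleAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('example_delete_attachment'),
    ]);
});
```

The same pattern applies to the order-status handler: verify a nonce, then check a capability scoped to the order (for WooCommerce orders that would be `current_user_can('edit_shop_order', $order_id)`) rather than trusting `is_user_logged_in()`. Note that a nonce alone does not fix the subscriber case, since a subscriber can obtain a nonce for any action the page hands out; the capability check is what stops the low-privilege user.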
Bitcoin / AltCoin Payment Gateway <= 1.7.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by authenticated users. Setup: 1. Install the WooCommerce dependency (no setup required). 2. Install the vulnerable plugin woo-altcoin-payment-gateway version 1.7.1. 3. ...
Wp-D3 <= 2.4.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. [d3-source canvas='" onmouseover="alert(1)"...
Cross site scripting
A vulnerability has been found in Campcodes Advanced Online Voting System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/configsave.php. The manipulation of the argument title leads to cross site scripting. The attack can be initiated remotely. The...
ChatBot < 4.4.7 - Unauthenticated PHP Object Injection
The plugin unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog. PoC: To simulate a gadget chain, put the following code in a plugin: class Evil { public functio...
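The Otter (PHAR deserialization), Ad Inserter and ChatBot (PHP Object Injection) entries above all rely on the same stand-in gadget, a class whose `__wakeup()` announces that it ran. The script below is an added example, not code from any of those plugins or their advisories, that builds such a gadget and reaches it both ways: `unserialize()` on attacker-controlled data, and a plain filesystem call on a `phar://` path whose archive metadata carries the object. The `Evil` class, function names and file names are constructed for this example. One caveat the listings do not spell out: automatic metadata unserialisation on `phar://` access was removed in PHP 8.0, so the `file_exists()` step fires the gadget only on PHP < 8.0; on 8.0+ it fires only if the application itself calls `Phar::getMetadata()`. The `unserialize()` path works on every version.

```php
<?php
// Added example; not code from Otter, Ad Inserter or ChatBot.
// Run with:  php -d phar.readonly=0 gadget_demo.php    (writing a phar needs phar.readonly=0)
// Written without PHP 8-only syntax so it also runs on 7.x, where the phar:// step fires.

class Evil
{
    // Stand-in gadget: a real chain uses an existing application class whose
    // __wakeup()/__destruct() does something dangerous. This one only reports it ran.
    public $marker = 'constructed for this example';

    public function __wakeup()
    {
        echo "Evil::__wakeup() fired ({$this->marker})\n";
    }
}

// --- 1. PHP Object Injection: untrusted data straight into unserialize() -------------------
function cookie_handler_vulnerable($cookie)
{
    return unserialize($cookie);                       // any class becomes instantiable
}

function cookie_handler_safe($cookie)
{
    // allowed_classes => false yields __PHP_Incomplete_Class for every object, so no magic
    // method of an application class runs. Better still: carry state as JSON, not serialize().
    return unserialize($cookie, ['allowed_classes' => false]);
}

// --- 2. PHAR deserialisation: a file operation on a user-controlled path -------------------
function file_check_vulnerable($userPath)
{
    // On PHP < 8.0 any stat-family call (file_exists, is_file, filesize, ...) on phar://...
    // parses the archive and unserialises its metadata. The path is never validated here.
    return file_exists($userPath);
}

function file_check_safe($userPath, $baseDir)
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath)) {
        return false;                                  // refuse every stream wrapper
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    // Must resolve to something inside $baseDir; this also blocks ../ escapes.
    return $base !== false && $real !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// --- demo ---------------------------------------------------------------------------------
$payload = serialize(new Evil());
echo "[1] unserialize():\n";
cookie_handler_vulnerable($payload);                   // gadget runs
$safe = cookie_handler_safe($payload);
echo '    safe handler produced ', get_class($safe), "\n";   // incomplete class, gadget silent

echo "[2] phar://:\n";
$pharFile  = sys_get_temp_dir() . '/poc.phar';         // Phar() needs a .phar name to create
$disguised = sys_get_temp_dir() . '/poc.png';          // the wrapper does not care about extension
@unlink($pharFile);
@unlink($disguised);
$phar = new Phar($pharFile);
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
// JPEG magic bytes first so a naive "is it an image?" check passes. Phar::setStub() rejects
// a stub that lacks __HALT_COMPILER();, so it must be present after the magic bytes.
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
$phar->setMetadata(new Evil());                        // the gadget travels in the metadata
$phar->stopBuffering();
unset($phar);
rename($pharFile, $disguised);

file_check_vulnerable("phar://{$disguised}/test.txt"); // gadget runs on PHP < 8.0
$blocked = file_check_safe("phar://{$disguised}/test.txt", sys_get_temp_dir());
echo '    safe check accepted the path: ', var_export($blocked, true), "\n";
```

Two details matter for detection and review: the disguised file begins with image magic bytes and is never named `.phar`, so content-type sniffing and extension allow-lists do not stop it; and the vulnerable sink is an ordinary `file_exists()`, not any `Phar` API call, which is why grepping a plugin for `unserialize(` alone misses this class of bug.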
Sql injection
The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins...
Medicine Tracker System 1.0 SQL Injection
Exploit Title: Medicine Tracker System v1.0 - Sql Injection Exploit Author: Sanjay Singh Vendor Homepage: https://www.sourcecodester.com Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts0.zip Version: V1.0.0 Tested on: Windows/Linux Proof of Concept: 1-...
Icinga Web 2.10 - Arbitrary File Disclosure Exploit
#!/usr/bin/env python3 Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure Date: 2023-03-19 Exploit Author: Jacob Ebben Vendor Homepage: https://icinga.com/ Software Link: https://github.com/Icinga/icingaweb2 Version: 2.8.6, 2.9.6, 2.10 Tested on: Icinga Web 2 Version 2.9.2 on Linux CVE:...
flatnux 2021-03.25 Remote Code Execution
Exploit Title: flatnux-2021-03.25 - Remote Code Execution (Authenticated) Exploit Author: Ömer Hasan Durmuş Vendor Homepage: https://en.altervista.org Software Link: http://flatnux.altervista.org/flatnux.html Version: 2021-03.25 Tested on: Windows/Linux POST...
LDAP Tool Box Self Service Password 1.5.2 Account Takeover
Exploit Title: LDAP Tool Box Self Service Password v1.5.2 - Account takeover Date: 02/17/2023 Exploit Author: Tahar BENNACEF aka tar.gz Software Link: https://github.com/ltb-project/self-service-password Version: 1.5.2 Tested on: Ubuntu Self Service Password is a PHP application that allows users...
Stagtools < 2.3.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 1. Create a Post and add a Shortcode. 2...
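The Wp-D3 and Stagtools entries describe the same defect: a shortcode attribute is concatenated into HTML without escaping, so a contributor (who may not post raw HTML but may use shortcodes) gets stored XSS. The script below is an added example, not the code of either plugin: a handler that interpolates an attribute unescaped, beside one that escapes it. It uses `htmlspecialchars()` so it runs outside WordPress; inside a plugin the equivalent call is `esc_attr()`, and the attribute defaults would come from `shortcode_atts()`. The element, attribute and function names are constructed for the example; the payload mirrors the shape shown in the Wp-D3 entry.

```php
<?php
// Added example; not code from Wp-D3 or Stagtools. Plain PHP so it runs stand-alone.

// Vulnerable: the attribute value is trusted and dropped into an HTML attribute as-is.
function render_vulnerable(array $atts)
{
    $atts = array_merge(['canvas' => 'default'], $atts);
    return '<div class="d3-source" data-canvas="' . $atts['canvas'] . '"></div>';
}

// Fixed: escape for the attribute context. ENT_QUOTES covers both quote styles, so a value
// can no longer close the attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from dropping output.
// In WordPress this is what esc_attr() does.
function render_safe(array $atts)
{
    $atts   = array_merge(['canvas' => 'default'], $atts);
    $canvas = htmlspecialchars($atts['canvas'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="d3-source" data-canvas="' . $canvas . '"></div>';
}

// Does the rendered markup contain an injected event-handler attribute? A crude check that
// is good enough to tell the two renderers apart for this payload.
function has_injected_handler($html)
{
    return (bool) preg_match('/\son[a-z]+\s*=\s*"/i', $html);
}

// Payload shaped like the listing's: close the attribute, then add an event handler.
// (Constructed input; in WordPress it arrives as [d3-source canvas='" onmouseover="alert(1)'].)
$payload = '" onmouseover="alert(1)';

$bad  = render_vulnerable(['canvas' => $payload]);
$good = render_safe(['canvas' => $payload]);

echo $bad, "\n";
echo 'vulnerable output carries a handler: ', var_export(has_injected_handler($bad), true), "\n";
echo $good, "\n";
echo 'escaped output carries a handler:    ', var_export(has_injected_handler($good), true), "\n";
```

In the vulnerable output the double quote in the payload terminates `data-canvas` and `onmouseover` becomes a real attribute of the element; in the escaped output the quote is rendered as `&quot;` and the whole payload stays inside the attribute value as inert text. The fix has to be context-specific: `esc_attr()` for attribute values, `esc_html()` for element content, `esc_url()` for `href`/`src`, and `wp_kses_post()` only where a limited set of HTML is intentionally allowed.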