WP User Frontend < 3.5.29 - Obscure Registration as Admin
The plugin uses a user-supplied argument called urhidden in its registration form, which contains the role the account is to be created with, encrypted via wpufencryption. This could allow an attacker with access to the AUTH_KEY and AUTH_SALT constants via an arbitrary file access issue for...
CVE-2022-41974
multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege...
Zoho CRM Lead Magnet < 1.7.6.2 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF checks in some AJAX actions, and does not ensure that the option to be updated belongs to the plugin. As a result, any authenticated user, such as a subscriber, could update arbitrary blog options such as default_role and users_can_register...
Grid Kit Premium <= 1.8.53 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in various pages, leading to Reflected Cross-Site Scripting: https://example.com/wp-admin/admin.php?page=grid-kit&action=edit&id=...
Wordpress ImageMagick-Engine 1.7.4 Plugin - Remote Code Execution (Authenticated) Exploit
Exploit Title: Wordpress Plugin ImageMagick-Engine 1.7.4 - Remote Code Execution RCE Authenticated Google Dork: inurl:"/wp-content/plugins/imagemagick-engine/" Date: Thursday, September 1, 2022 Exploit Author: ABDO10 Vendor Homepage: https://wordpress.org/plugins/imagemagick-engine/ Software Link...
eCommerce Product Catalog Plugin for WordPress < 3.0.72 - Reflected XSS via AJAX
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to any authenticated user, such as a subscriber, leading to Reflected Cross-Site Scripting. Make a logged-in user open a page containing the HTML code below alert/XSS/"...
Exploit for Expression Language Injection in Atlassian Confluence_Data_Center
PoC exploit for CVE-2022-26134, a remote code execution vulnerab...
PT-2022-22282 · Jiusi Oa · Jiusi Oa
Name of the Vulnerable Software and Affected Versions: Jiusi OA affected versions not specified Description: A critical vulnerability was found in Jiusi OA, affecting an unknown functionality of the file /jsoa/hntdCustomDesktopActionContent. The manipulation of the inforid argument leads to SQL...
Smart Slider 3 < 3.5.1.11 - PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a user imports, intentionally or not, a malicious file and a suitable gadget chain is present on the site. To simulate a gadget chain, put the following code in a plugin class Evil public...
Envira Gallery Lite < 1.8.4.7 - Reflected Cross-Site Scripting
The plugin does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. https://example.com/wp-admin/edit.php?posttype=envira&page=envira-gallery-lite-addons&"alert1...
CVE-2022-1199 affecting package kernel for versions less than 5.15.67.1-4
CVE-2022-1199 affecting package kernel for versions less than 5.15.67.1-4. A patched version of the package is available...
Create Block Theme < 1.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not have authorisation and CSRF checks, and does not validate the file to be uploaded, which could allow unauthenticated attackers to upload arbitrary files to the server. As unauthenticated user, open The file will be uploaded at...
Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin class Evil public...
Meks Easy Social Share < 1.2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). Intercept the request made when saving the setting...
Active eCommerce CMS 6.3.0 Cross Site Scripting
Exploit Title: Active eCommerce CMS Cross Site Scripting Exploit Author: th3d1gger Vendor Homepage: https://codecanyon.net Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405 Version: Version 6.3.0 Tested on Ubuntu 18.04 -------Request----------- POST /ajax-search HTTP/1.1...
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Subscription Form
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. As a contributor, put the following shortcode in a post/page pumsubform namefieldtype="fullname" labelname="Name"...
WP Custom Cursors < 3.0.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have a CSRF check in place when creating and editing cursors, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored...
WP Custom Cursors < 3.0.1 - Arbitrary Cursor Deletion via CSRF
The plugin does not have a CSRF check in place when deleting cursors, which could allow attackers to make a logged-in admin delete arbitrary cursors via a CSRF attack. Make a logged-in admin open a page with the following JS code: fetch'https://example.com/wp-admin/admin.php?page=wpcustomcursors',...
Buffalo TeraStation Network Attached Storage (NAS) 1.66 Authentication Bypass
Exploit Title: Buffalo TeraStation Network Attached Storage NAS 1.66 - Authentication Bypass Date: 2022-08-11 Exploit Author: JORDAN GLOVER Type: WEBAPPS Platform: HARDWARE Vendor Homepage: https://www.buffalotech.com/ Model: TeraStation Series Firmware Version: 1.66 Tested on: Windows 10 An...
Enable Media Replace < 4.0.0 - Admin+ Path Traversal
The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high-privilege users such as admin to move them outside to the web root directory via a path traversal attack, for example. When replacing the file, select "Replace the file, use new file name and update...