Rocket LMS 1.6 Shell Upload
Exploit Title: Rocket LMS - Learning Management System Shell Upload Exploit Author: th3d1gger Vendor Homepage: https://codecanyon.net Software Link: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735 Version: Version 1.6 Tested on Ubuntu 18.04 base64 encode your...
@Drive 2.8 Local File Inclusion
Exploit Title: @Drive 2.8 Local File inclusion Date: Sep 8, 2022 Exploit Author: Chokri Hammedi Vendor Homepage: https://evolutive.co/ Software Link: https://apps.apple.com/us/app/drive/id578982909 Version: 2.8 Tested on: iPhone ios 15.6 GET...
Exploit for Use of a One-Way Hash with a Predictable Salt in Redux Gutenberg_Template_Library_&_Redux_Framework
CVE-2021-38314 Python Exploit Detail...
PT-2022-18110 · Dell · Dell Bios
Name of the Vulnerable Software and Affected Versions: Dell BIOS affected versions not specified Description: The issue is a stack-based buffer overflow vulnerability. A local attacker could exploit this by sending malicious input via SMI to bypass security checks, resulting in arbitrary code...
Exploit for Incorrect Conversion between Numeric Types in Linux Linux_Kernel
CVE-2022-2639 using pipe primitive CVE-2022-2639 https://...
WP Popup Builder < 1.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. The custom-popup parameter needs to be the ID of an existing popup. https://example.com/wp-admin/admin.php?page=wppb&pos-name=xxx"alert%2FXSS%2F%3B&custom-popup=1...
CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
The plugin allows high privilege users such as admin to upload arbitrary files by setting any extension via the plugin's settings, which could be used by admins of a multisite blog to upload PHP files, for example. Activate PHP extension: - Log in and go to "CM Downloads" "Settings" "General". -...
Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi
The plugin does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Alphabetic Pagination < 3.0.8 - Unauthenticated Arbitrary Option Update
The plugin does not have any proper authorisation in place when updating some settings via a REST endpoint, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary options from the blog and allow registration with a...
Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read
The plugin does not properly validate paths generated with user input in the almrepeatersexport function, which could allow high privilege users to read arbitrary files from the server even when they should not be able to have access to any, for example in a multisite setup. This is due to an...
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS
The plugin uses the wrong content type for, and does not properly escape the response from, the ai1wmexport action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary HTML or JavaScript into the response that will be executed in the victim's session. "...
CVE-2022-36225
EyouCMS V1.5.8-UTF8-SP1 is vulnerable to Cross Site Request Forgery (CSRF) via the background, column management function and add...
Affiliates Manager < 2.9.14 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape parameters before outputting them back in pages, which could lead to Reflected Cross-Site Scripting. GET /wp-admin/admin.php?page=wpam-settings&b=" HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...
Leaflet Maps Marker < 3.12.5 - Admin+ SQLi
The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks. PoC for filter-operator1 parameter: POST...
Exploit for CVE-2021-41349
CVE-2021-41349 Exploit! Microsoft Exchange Server Spoofing...
Hardcoded credentials
In Veritas NetBackup OpsCenter, a hard-coded credential exists that could be used to exploit the underlying VxSS subsystem. This affects 8.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1, and 10...
Product Slider for WooCommerce < 2.5.7 - Subscriber+ Arbitrary Options Deletion
The plugin has flawed CSRF checks and lacks authorisation in some of its AJAX actions, allowing any authenticated user, such as a subscriber, to call them. One in particular could allow them to delete arbitrary blog options. fetch"/wp-admin/admin-ajax.php", "headers": "content-type":...
Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload
The plugin allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations. 1. Craft a custom zip file...
Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF
The plugin does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin...
Inspiro Premium < 7.2.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description. Steps to reproduce: 1 As a Contributor, go to portfolio on the dashboard and add new item. 2 on the editing page that comes up, scroll dow...