3100 matches found
Event Manager for WooCommerce < 3.5.8 - Contributor+ SQL Injection
The plugin does not validate and escape the postauthorgutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks. Create or edit an event as a contributor, intercept the request and...
Hide Admin Bar Based on User Roles < 3.0.0 - Subscriber+ Settings Update
The plugin does not have authorisation and CSRF checks, allowing any authenticated users, such as subscriber, to update the plugin's settings. https://example.com/wp-admin/admin-ajax.php?action=saveuserroles&caps=test&disableForAll=no...
Tiny File Manager 2.4.3 Shell Upload Exploit
Tiny File Manager Example: ./exploit.sh http://files.ubuntu.local/index.php admin "email protected" https://github.com/febinrev/tinyfilemanager-2.4.3-exploit !/bin/bash check which curl if $? = 0 then printf "✔ Curl found! \n" else printf "❌ Curl not found! \n" exit fi which jq if $? = 0 then...
WP Voting Contest <= 2.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the postid parameter before outputting it back in the response via the wpvcsocialshareicons AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue. alert/XSS/' /...
Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection
The plugin does not validate and escape the bwgtagidbwgthumbnails0 parameter before using it in a SQL statement via the bwgfrontenddata AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL injection...
Smart Forms < 2.6.71 - Subscriber+ Form Data Download
The plugin does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. Execute the below command in the web develop...
Exploit for Out-of-bounds Write in Polkit_Project Polkit
pwncatpwnkit !asciicasthttps://asciinema.org/a/n3DRuvT0hr...
Subrion CMS 4.2.1 Cross Site Request Forgery
Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery CSRF Add Amin Date: 2022-02-09 Exploit Author: Aryan Chehreghani Vendor Homepage: https://subrion.org Software Link: https://subrion.org/download Version: 4.2.1 Tested on: Windows 10 About - Subrion CMS : Subrion is a PHP/MySQL based C...
Email Subscribers & Newsletters < 5.3.2 - Subscriber+ Blind SQL injection
The plugin does not correctly escape the order and orderby parameters to the ajaxfetchreportlist action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to tri...
Email Subscribers & Newsletters < 5.3.2 - Unauthenticated arbitrary option update
The plugin lacks both authentication and nonce checks in its esdismissadminnotice function, allowing an external attacker to set arbitrary plugin options to "yes". https://example.com/?optionname=userroles&esdismissadminnotice=1 This will set the option igesuserroles to "yes"...
WordPress Secure Copy Content Protection And Content Locking 2.8.1 SQL Injection
Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection Unauthenticated Date 08.02.2022 Exploit Author: Ron Jost Hacker5preme Vendor Homepage: https://ays-pro.com/ Software Link:...
Siemens Siprotec5 Improper Access Control (CVE-2019-10938)
A vulnerability has been identified in SIPROTEC 5 devices with CPU variants CP200 All versions V7.59, SIPROTEC 5 devices with CPU variants CP300 and CP100 All versions V8.01, Siemens Power Meters Series 9410 All versions V2.2.1, Siemens Power Meters Series 9810 All versions. An unauthenticated...
Exploit for Out-of-bounds Write in Polkit_Project Polkit
CVE-2021-...
Advanced iFrame < 2022 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the aiconfigid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. alert/XSS/;" / var form1 = document.getElementById'hack'; form1.submit;...
Conversios.io < 4.6.2 - Subscriber+ SQL Injection
The plugin does not sanitise, validate and escape the syncprogressivedata parameter for the tvcajaxproductsyncbantchwise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks. Note: The vendor was notified multiple times since November 6t...
Easy Pricing Tables < 3.1.3 - Arbitrary Post Removal via CSRF
The plugin does not verify the CSRF nonce when removing posts, allowing attackers to make a logged-in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash. https://example.com/wp-admin/edit.php?posttype=easy-pricing-table&page=ept3-list&action=trash&post=1...
TI WooCommerce Wishlist < 1.40.1 - Unauthenticated Blind SQL Injection
The plugins do not sanitise and escape the itemid parameter before using it in a SQL statement via the wishlist/removeproduct REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks. time wget...
Better Notifications for WP < 1.8.7 - Email Address Disclosure
The plugin does not have authorisation and CSRF checks in its bnfwsearchusers AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one, etc.). import sys import string import urllib.parse import...
Superforms < 6.0.4 - Reflected Cross-Site Scripting
The plugin does not escape the bobczypanstwasprawazostalarozwiazana parameter before outputting it back in an attribute via the superlanguageswitcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user...
WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting. http://example.com/wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert1%3E...