Online Learning System 2.0 - Remote Code Execution (RCE)
Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE) Date: 15/11/2021 Exploit Author: djebbaranon Vendor Homepage: https://github.com/oretnom23 Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearningv20.zip Version: 2.0 Tested on: Kali Linux...
SportsPress < 2.7.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape its matchday parameter before outputting it back in the Events backend page, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/edit.php?posttype=spevent&matchday=%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22...
ProfilePress < 3.2.3 - Reflected Cross-Site Scripting
The plugin does not escape the data parameter of the ppgetformsbybuildertype AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. var form1 = document.getElementById('hack'); form1.submit();...
WP Admin Logo Changer <= 1.0 - Plugin's Settings Update via CSRF
The plugin does not have a CSRF check when saving its settings, which could allow attackers to make a logged-in admin update them via a CSRF attack. csrf.submit...
WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise, validate and escape the IP address retrieved from login requests before outputting it in the admin dashboard, which could allow an unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs. POST /wp-login.php HTTP/1.1 Accept:...
Caldera forms < 1.9.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/edit a form, and put the following payload in the Form Name via th...
Error Log Viewer Plugin <= 1.1.1 - Admin+ Arbitrary File Clearing
The plugin does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder. Click the "Log Monitor" available under Error Log Viewer menu item. Choose a log file to clear. Intercept the reques...
Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access
The plugin allows users with a role as low as Contributor to access other posts' metadata without validating the permissions. E.g. contributors can access admin posts' metadata. customfield field="fieldname" postid="ID" e.g. customfield field="ctctverifykey" postid="23"...
LearnPress < 4.1.4 - Admin+ SQL Injection
The plugin does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injection issues. Id needs to start with a valid course/lesson/quiz/question ID:...
i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw
Exploit Title: i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw Date: 27.10.2021 Exploit Author: LiquidWorm Vendor Homepage: https://www.i3international.com i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw Vendor: i3 International Inc. Product web page:...
Check & Log Email < 1.0.4 - Reflected Cross-Site Scripting
The plugin does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. With the "Enable Logs" setting activated: https://example.com/wp-admin/admin.php?page=check-email-logs&d="+style=animation-name:rotation+onanimationstart=alert/XSS///...
myCred < 2.3 - Subscriber+ SQL Injection
The plugin does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user. PoC any authenticated user...
Exploit for Expression Language Injection in Atlassian Confluence_Data_Center
CVE-2021-26084 Confluence remote code execution (RCE)...
Falang multilanguage for WordPress < 1.3.18 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. alert/XSS/' /...
WP Spell Check < 9.3 - Reflected Cross-Site Scripting
The plugin does not escape the page and wpsc-scan-tab parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. alert/XSS/' / alert/XSS/' /...
AUVESY Versiondog has an unspecified vulnerability (CNVD-2021-82926)
AUVESY Versiondog is an automated production data and change management software solution from the German company AUVESY. A security vulnerability exists in AUVESY Versiondog, which can be exploited by attackers to read values and modify data...
CVE-2021-38484 InHand Networks IR615 Router
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 do not have a filter or signature check to detect or prevent an upload of malicious files to the server, which may allow an attacker, acting as an administrator, to upload malicious files. This could result in cross-site scriptin...
Images to WebP < 1.9 - Multiple Cross Site Request Forgery (CSRF)
The plugin does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion. The PoC varies based on the endpoint targeted. Here is one example that will modify the...
Email Log < 2.4.7 - Admin+ SQL Injection
The plugin does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in SQL statements in the admin dashboard, leading to SQL injections. https://example.com/wp-admin/admin.php?page=email-log&orderby=sentdate+AND+SELECT+3025...
MouseWheel Smooth Scroll < 5.7 - Plugin's Setting Update via CSRF
The plugin does not have a CSRF check in place on its settings page, which could allow attackers to make a logged-in admin change them via a CSRF attack...