Mail.ru: RCE in .api/nr/report/{id}/download
Domain, site, application -- app.nativeroll.tv Steps to reproduce -- An advertiser account is required; one can be registered here https://seedr.ru/register-user/advertiser 1. Log in as an advertiser https://seedr.ru/login/advertiser 2. Click around and intercept the requests; an accesstoken is needed...
Fetch Tweets <= 2.6.4 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in attributes on an admin page, leading to Reflected Cross-Site Scripting issues alert/XSS-page/' / alert/XSS-tab/' /...
St Daily Tip <= 4.7 - CSRF to Stored Cross-Site Scripting
The plugin does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it in the page. This could allow an attacker to make logged-in administrators set a malicious payload in it, leading to ...
YITH WooCommerce Product Add-Ons < 2.1.0 - Authenticated Local File Inclusion
The plugin does not validate user input before using it to generate a local path passed to include, which could lead to a Local File Inclusion issue on Windows Web Servers https://example.com/wp-admin/admin.php?page=yithwapopanel&tab=blocks&blockid=1&addonid=1&addontype=html%2F..%2Fhello...
WP Import Export Lite < 3.9.5 - Subscriber+ Extensions Update
The plugin does not have any CSRF or authorisation checks in its wpieextsaveextensions AJAX action. This could allow any authenticated user, such as a subscriber, or an unauthenticated attacker via CSRF, to set the extensions used by the plugin, as well as disable all of them. To disable al...
Exploit for Special Element Injection in Rocket.Chat
CVE-2021-22911 Modified version of the original exploit to save som...
CVE-2021-40825
CVE-2021-40825 affects Acuity Brands nLight ECLYPSE (nECY) system controllers running software older than 1.17.21245.754. The issue is described as a default key vulnerability where the device does not force a key change at initial configuration, impacting the SensorView Password (nLight Explorer...
CVE-2020-21601
libde265 v1.0.4 contains a stack buffer overflow in the putqpelfallback function, which can be exploited via a crafted file...
Affiliate Power < 2.3.0 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter in its Affiliate Power Sales dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Download from files <= 1.48 - Unauthenticated Arbitrary File Upload
The downloadfromfiles617fileupload AJAX action of the plugin, available to both unauthenticated and authenticated users, does not properly restrict the files that can be uploaded, which could allow unauthenticated users to upload, for example, PHP4 files POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF
The delreistereddomains AJAX action of the plugin does not have any CSRF checks, allowing registered domains to be deleted via a CSRF attack https://example.com/wp-admin/admin-ajax.php?action=delreistereddomain&id=1...
Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections
The plugin does not escape multiple POST parameters such as statuscode, department, userid, conversationid, conversationstatuscode, and recipientid before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. The login-cookie parameter is needed,...
Meow Gallery < 4.2.0 - Unauthorised Arbitrary Options Update via REST API
The plugin does not properly check for capabilities in its REST API, allowing: any authenticated user with the uploadfile capability, such as author+, to call the endpoints in versions before 4.1.9; and any unauthenticated user to call them, except the restallsettings endpoint, in 4.1.9. One endpoint in...
Countdown Block < 1.1.2 - Missing Authorisation in AJAX action
The plugin does not have an authorisation check in the ebwriteblockcss AJAX action, which allows any authenticated user, such as a Subscriber, to modify post contents displayed to users. The v1.1.1 attempt to fix the issue was incomplete, still allowing it to be exploited via a CSRF attack on an admin due to a...
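Several of the WordPress entries above (WP Import Export Lite, Download from files, Software License Manager, Meow Gallery, Countdown Block) share one root cause: an admin-ajax.php action or REST route that performs a privileged write without a nonce (CSRF) check, without a capability (authorisation) check, or both, sometimes while also being registered for unauthenticated callers. The following is an added example, not code from any of those plugins; it shows the vulnerable handler pattern beside a hardened one. Hook names, option names, the 'nonce' field name, the script handle 'demo-admin' and the REST namespace are hypothetical.

```php
<?php
// Added example (not code from any plugin listed on this page).
// Same admin-ajax.php action, written twice: the vulnerable pattern the
// advisories describe, and a hardened version.

// ---- Vulnerable: reachable without login (wp_ajax_nopriv_*), no nonce
// ---- (CSRF), no capability check (authorisation), and an uploaded file is
// ---- stored under whatever name and extension the client chose.
add_action( 'wp_ajax_demo_save_settings',        'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_vulnerable' );

function demo_save_settings_vulnerable() {
    update_option( 'demo_extensions', $_POST['extensions'] ); // any visitor, any value
    if ( ! empty( $_FILES['file'] ) ) {
        $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['file']['name']; // e.g. shell.php4
        move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    }
    wp_send_json_success();
}

// ---- Hardened: logged-in users only, nonce bound to this action, explicit
// ---- capability, sanitised input, upload vetted by WordPress's type checks.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_hardened' );
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach it.

function demo_save_settings_hardened() {
    // CSRF: the request must carry a nonce minted for this action and user.
    check_ajax_referer( 'demo_save_settings', 'nonce' ); // dies with HTTP 403 otherwise

    // Authorisation: a Subscriber is logged in but must not change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $ext = isset( $_POST['extensions'] ) ? (array) wp_unslash( $_POST['extensions'] ) : array();
    $ext = array_map( 'sanitize_key', $ext ); // only [a-z0-9_-] survive
    update_option( 'demo_extensions', $ext );

    if ( ! empty( $_FILES['file'] ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
        // wp_handle_upload() refuses extensions/MIME types that are not in
        // get_allowed_mime_types() (php, php4, phtml ... are not) and stores
        // the file under a sanitised, unique name in the uploads directory.
        $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
        if ( isset( $result['error'] ) ) {
            wp_send_json_error( $result['error'], 400 );
        }
    }
    wp_send_json_success();
}

// The nonce is minted server-side and handed to the page's own script
// (hypothetical handle 'demo-admin'); a cross-site page cannot read it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_settings' ),
    ) );
} );

// The same authorisation question applies to REST routes (cf. the Meow
// Gallery entry): 'permission_callback' => '__return_true' makes the route
// public. Bind it to a capability instead; for cookie-authenticated calls
// WordPress core already enforces the 'wp_rest' nonce (X-WP-Nonce header).
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function demo_rest_save_settings( WP_REST_Request $req ) {
    $ext = array_map( 'sanitize_key', (array) $req->get_param( 'extensions' ) );
    update_option( 'demo_extensions', $ext );
    return rest_ensure_response( array( 'extensions' => $ext ) );
}
```

The Countdown Block entry is a reminder that the two checks are independent: adding a capability check alone still leaves an administrator exploitable by CSRF, and a nonce check alone still lets a Subscriber call the action directly.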
Multiple Plugins from miniorange - Reflected Cross-Site Scripting via appId
The plugins do not escape the appId parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&appId="alert/XSS/...
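The Fetch Tweets, Affiliate Power and miniorange entries are all the same bug: a request parameter echoed into an HTML attribute without escaping, so a value starting with a quote closes the attribute. The following is an added example, not code from any of those plugins; function names and the settings field are hypothetical.

```php
<?php
// Added example (not code from any plugin listed on this page). Both
// functions render a settings field whose value comes from the appId
// query parameter of the current admin page URL.

// Vulnerable: the raw parameter lands inside value="...". A double quote in
// the value terminates the attribute, so the attacker can append further
// attributes (e.g. an event handler) or close the tag and start a new one.
function demo_render_app_id_vulnerable() {
    $app_id = isset( $_GET['appId'] ) ? $_GET['appId'] : '';
    echo '<input type="text" name="appId" value="' . $app_id . '">';
}

// Hardened: escape for the attribute context at the point of output.
// esc_attr() encodes &, <, >, " and ', so the browser cannot leave the
// attribute whatever the value contains. wp_unslash() undoes WordPress's
// magic-quote-style slashing of superglobals; sanitize_text_field() is
// input sanitisation and does not replace the output escaping.
function demo_render_app_id_hardened() {
    $app_id = isset( $_GET['appId'] )
        ? sanitize_text_field( wp_unslash( $_GET['appId'] ) )
        : '';
    echo '<input type="text" name="appId" value="' . esc_attr( $app_id ) . '">';
}

// Escaping is context-specific. A value safe inside value="..." is not
// automatically safe inside an href (javascript: URLs) or a <script>
// block; use esc_url() for URLs and wp_json_encode() for data handed to JS.
function demo_render_app_link_hardened( $target, $app_id ) {
    echo '<a href="' . esc_url( $target ) . '" data-app="' . esc_attr( $app_id ) . '">open</a>';
    echo '<script>var demoAppId = ' . wp_json_encode( $app_id ) . ';</script>';
}
```

Escaping late (at `echo`) rather than early (at `$_GET`) is what keeps the fix correct when the same value is later reused in a different context.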
ProcessMaker 3.5.4 Local File Inclusion
Exploit Title: ProcessMaker 3.5.4 - Local File inclusion Exploit Author: Ai Ho @j3ssiejjj Date: 16-04-2021 Vendor Homepage: https://www.processmaker.com/ Version: ProcessMaker = 3.5.4 References: https://github.com/jaeles-project/jaeles-signatures/blob/master/common/process-maker-lfi.yaml PoC: Wi...
WP Map Block < 1.2.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some attributes of the WP Map Block, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks - As a contributor, add a WP Map Block to a post/page - Click "Show more settings" - Scroll the sidebar and click "Map Marker" -...
Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection
The plugin contains a 'Social & Donations' module, not activated by default, which adds the REST route '/services/contributor/?P\d+ and takes 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi. With the 'Social & Donations' module of the plugin activated. Permali...
Responsive 3D Slider <= 1.2 - Authenticated SQL Injection
The Add new scene functionality in the plugin uses an id parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQLi, and in the same function the vulnerable parameter is passed twice, so if we pass time as 5 secon...
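The Support Board, Podlove and Responsive 3D Slider entries describe request parameters concatenated into SQL run through `$wpdb`. The following is an added example, not code from any of those plugins; table names, column names and function names are hypothetical. The vulnerable version also reproduces the detail from the Responsive 3D Slider entry: the same parameter is used in two statements, so a time-based payload is executed twice and the observed delay doubles.

```php
<?php
// Added example (not code from any plugin listed on this page).

// Vulnerable: request values are interpolated into the SQL text. Because $id
// is used in both statements, a payload such as `1 AND SLEEP(5)` costs about
// 10 seconds, which is the doubling described in the Responsive 3D Slider entry.
function demo_get_scene_vulnerable( $id ) {
    global $wpdb;
    $t = $wpdb->prefix . 'demo_scenes';
    $wpdb->query( "UPDATE $t SET views = views + 1 WHERE id = $id" );
    return $wpdb->get_row( "SELECT * FROM $t WHERE id = $id" );
}

// Hardened: validate the type first, then let $wpdb->prepare() bind every
// value. %d is cast to an integer, %s is quoted and escaped. Identifiers
// (table, column names) come from code, never from the request.
function demo_get_scene_hardened( $id, $status ) {
    global $wpdb;
    $t  = $wpdb->prefix . 'demo_scenes';
    $id = absint( $id );              // ids are positive integers; anything else is 0
    if ( 0 === $id ) {
        return null;
    }
    $wpdb->query( $wpdb->prepare( "UPDATE $t SET views = views + 1 WHERE id = %d", $id ) );
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM $t WHERE id = %d AND status = %s", $id, $status )
    );
}

// A list of values (e.g. several conversation ids, as in the Support Board
// entry) needs one placeholder per element; prepare() accepts the values as
// an array. An empty list must be handled before building the IN (...) clause.
function demo_get_conversations_hardened( array $ids ) {
    global $wpdb;
    $ids = array_filter( array_map( 'absint', $ids ) );
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = "SELECT * FROM {$wpdb->prefix}demo_conversations WHERE id IN ($placeholders)";
    return $wpdb->get_results( $wpdb->prepare( $sql, array_values( $ids ) ) );
}
```

`esc_sql()` alone is not a substitute for `prepare()`: it only escapes string quoting, so an unquoted numeric position such as `WHERE id = $id` remains injectable even after escaping.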
Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)
Exploit Title: Online Traffic Offense Management System 1.0 - 'id' SQL Injection Authenticated Date: 19/08/2021 Exploit Author: Justin White Vendor Homepage: https://www.sourcecodester.com Software Link:...