135 matches found
CVE-2025-5060
The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebookajaxlogincallback. This makes it possible for...
CVE-2025-8059
The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfrregistration function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and...
CVE-2025-8059
The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfrregistration function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and...
PT-2025-32623 · WordPress · B Blocks
Name of the Vulnerable Software and Affected Versions: B Blocks plugin for WordPress versions prior to 2.0.7 Description: The B Blocks plugin for WordPress is susceptible to privilege escalation due to missing authorization and improper input validation within the rgfr registration function. This...
📄 WordPress Ultimate Member 2.6.6 Privilege Escalation
WordPress Ultimate Member plugin version 2.6.6 proof of concept privilege escalation exploit. !/usr/bin/env python3 Exploit Title: Ultimate Member WordPress Plugin 2.6.6 - Privilege Escalation Exploit Author: Gurjot Singh CVE: CVE-2023-3460 Description : The attached PoC demonstrates how an...
CVE-2025-22462
An authentication bypass in Ivanti Neurons for ITSM on-prem only before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system...
CVE-2025-22466
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required...
CVE-2024-9636
The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register...
Four-Faith F3x36 安全漏洞
The Four-Faith F3x36 is a portable wireless mobile router from Four-Faith China. A security vulnerability exists in the Four-Faith F3x36 version v2.0.0, which stems from the fact that certain administrative functions do not enforce authentication...
CVE-2024-11004
Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required...
PT-2024-28775 · Unknown · Vilo 5 Mesh Wifi System
Name of the Vulnerable Software and Affected Versions: Vilo 5 Mesh WiFi System versions 5.16.1.33 and earlier Description: The issue is related to Insecure Permissions, specifically a lack of authentication in the custom TCP service on port 5432. This allows remote, unauthenticated attackers to...
CVE-2024-9265
The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can set during registration through the echocheckpostheadersent function. This makes it possib...
PT-2024-21052 · Elabftw · Elabftw
Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 5.1.0 Description: The issue allows a regular user to become an administrator of a team where they are a member, under a reasonable configuration. In versions subsequent to v5.0.0, it may also allow an initially...
PT-2024-38019 · Omntec · Omntec Proteus Tank Monitoring Oel8000Iii Series
Name of the Vulnerable Software and Affected Versions: OMNTEC Proteus Tank Monitoring OEL8000III Series affected versions not specified Description: The issue allows an attacker to perform administrative actions without proper authentication. It is being actively exploited. Recommendations: At th...
CVE-2024-44069
Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value Celsius, Fahrenheit,...
Webhood 安全漏洞
Webhood is a self-hosted URL scanner for analyzing phishing and malicious websites. A security vulnerability exists in Webhood version 0.9.0 and prior versions, which stems from a vulnerability that allows an unauthenticated attacker to create an administrator account by sending an HTTP request t...
Vulnerabilities fixed in ConnectWise ScreenConnect
Connectwise has fixed vulnerabilities in ScreenConnect. A unauthenticated malicious person could exploit the vulnerabilities to create a new administrator account. An exploit is available that makes the chance of exploitation significant. At this no CVEs have yet been assigned to the...
PT-2024-12979 · Undefined · Undefined
NCC Group выпустила третье исследование с оценкой безопасности популярных инструментов RMM, в котором представила обзор на 18 уязвимостей в PandoraFMS. Ранее в поле зрения исследователей попадали множественные уязвимости в Faronics Insight и Nagios XI. PandoraFMS - это приложение для мониторинга ...
PT-2023-26095 · Unknown · I-Doit Open +1
Name of the Vulnerable Software and Affected Versions: i-doit pro versions 25 and below I-doit open versions 25 and below Description: The software is configured with insecure default administrator credentials, and there is no warning or prompt to ask users to change the default password and...
PT-2023-23939 · Cyberpower · Cyberpower Powerpanel Enterprise
Name of the Vulnerable Software and Affected Versions: CyberPower PowerPanel Enterprise affected versions not specified Description: A non-feature complete authentication mechanism exists in the production application, allowing an attacker to bypass all authentication checks if LDAP authenticatio...