30 matches found
WordPress GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content plugin <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary plugin Installation vulnerability
Missing Authorization to Unauthenticated Arbitrary plugin Installation vulnerability discovered by kiemtiendinhau in WordPress Plugin GeekyBot versions = 1.2.2...
CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...
CVE-2026-33038
WWBN AVideo is an open source video platform. Versions 25.0 and below are vulnerable to unauthenticated application takeover through the install/checkConfiguration.php endpoint. install/checkConfiguration.php performs full application initialization: database setup, admin account creation, and...
WordPress plugin Booking Calendar for Appointments and Service Businesses – Booktics 访问控制错误漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...
CVE-2026-1490
CVE-2026-1490 affects the WordPress plugin Spam protection, Anti-Spam and Firewall by CleanTalk (versions up to 6.71). The vulnerability is an authorization bypass via reverse DNS (PTR) spoofing in the checkWithoutToken function, allowing unauthenticated attackers to install and activate arbitrar...
Remote Code Execution (RCE)
MCPJam Inspector is vulnerable to Remote Code Execution RCE. The vulnerability is due to exposed HTTP functionality that allows unauthenticated installation of MCP servers while listening on all network interfaces, which allows an attacker to send a crafted HTTP request to execute arbitrary code...
CVE-2025-8682
The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsupadmininfoinstallplugin function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin...
WordPress plugin Newsup 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...
CVE-2025-8481
CVE-2025-8481 concerns the WordPress plugin “Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid” (version ≤ 1.1.7). The issue is a Cross‑Site Request Forgery (CSRF) due to missing/incorrect nonce validation in the bdfe_install_activate_rswpbs_only function. The description states...
Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation Date: 16 December, 2024 Exploit Author: Jun Takemura Author's GitHub: https://github.com/JunTakemura Author's Blog: juntakemura.dev Vendor Homepage: https://themehunk.com Software Link:...
Exploit for CVE-2024-11972
-- Hunk Companion Plugin A PoC exploit for CVE-2024-1...
WordPress Hunk Companion plugin <= 1.8.4 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation vulnerability
Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation vulnerability discovered by Sean Murphy in WordPress Plugin Hunk Companion versions = 1.8.4...
CVE-2024-7079 Openshift-console: unauthenticated installation of helm charts
A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser middleware function. Contrary to its name, this...
PT-2024-18096 · WordPress · Wp Database Reset
Name of the Vulnerable Software and Affected Versions: Database Reset plugin for WordPress versions up to, and including, 3.22 Description: The issue is due to missing or incorrect nonce validation on the install wpr function, making it possible for unauthenticated attackers to install the WP Res...
CVE-2023-3977
Several plugins for WordPress by Inisev are vulnerable to Cross-Site Request Forgery to unauthorized installation of plugins due to a missing nonce check on the handleinstallation function that is called via the inisevinstallation AJAX aciton in various versions. This makes it possible for...
CVE-2022-20721
Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being...
CVE-2022-20719
Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being...
CVE-2022-20726
Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being...
CVE-2022-20724
CVE-2022-20724 is a race condition vulnerability in Cisco IOx Application Hosting Environment affecting multiple Cisco platforms. The issue can allow an unauthenticated remote attacker to bypass authentication and impersonate another authenticated user session. The condition arises from timing/sy...
CVE-2022-20677
CVE-2022-20677 affects Cisco IOx Application Hosting Environment (Cisco IOx) within Cisco IOS XE/IOx stack. Reports describe an authenticated, local attacker escalating privileges to root by exploiting weaknesses in the IOx hosting environment; broader impact includes command injection and potent...