CVE-2026-5779
An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an...
PT-2026-35714
Name of the Vulnerable Software and Affected Versions: Minerva version 3.6.0. Description: An insecure direct object reference (IDOR) issue exists in the '/minerva/user/updateUserProfile' endpoint. This improper access control allows an authenticated user to modify the profiles of other registered...
CVE-2026-3568
CVE-2026-3568 affects the WordPress MStore API plugin up to version 4.18.3. The root cause is in update_user_profile() processing the raw JSON field 'meta_data' without validation, allowlisting, or sanitization, and then applying arbitrary keys/values to update_user_meta() after cookie-based auth...
EUVD-2020-7078
Malware in sbrugna...
WordPress plugin MStore API code issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A code issue...
CVE-2020-36713
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'updateuserprofile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delet...
Directorist < 7.4.2.2 - Subscriber+ Arbitrary User Password Update via IDOR
The plugin suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of their own. PoC: The following Python script automates the exploitation of this vulnerability. The script was tested on an installation of WordPress 6.1 with the vulnerable...
BSA Radar 1.6.7234.24750 Cross Site Scripting
Exploit title: BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting Exploit Author: William Summerhill Date: 2020-06-22 Vendor homepage: https://www.globalradar.com/ Tested on: Window CVE-2020-14943 Description: The "Firstname" and "Lastname" parameters in Global RADAR BSA Radar 1.6.7234.X...
CVE-2020-14943
The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.7234.24750 and earlier are vulnerable to stored cross-site scripting (XSS) via Update User Profile...
Cross site scripting
The Firstname and Lastname parameters in Global RADAR BSA Radar 1.6.7234.24750 and earlier are vulnerable to stored cross-site scripting (XSS) via Update User Profile...
CVE-2020-14943
CVE-2020-14943 affects Global RADAR BSA Radar versions 1.6.7234.24750 and earlier. The vulnerability is a stored cross-site scripting (XSS) in the Update User Profile feature, exploitable via the Firstname and Lastname parameters. Public PoCs and exploits show injection of script payloads (e.g., ...
PT-2020-14079 · Global Radar · Global Radar Bsa Radar
Name of the Vulnerable Software and Affected Versions: Global RADAR BSA Radar versions 1.6.7234.24750 and earlier. Description: The issue concerns stored cross-site scripting (XSS) via the Update User Profile feature. Specifically, the Firstname and Lastname parameters are vulnerable. Recommendation...
Timber 1.1 Cross Site Request Forgery
Exploit Title: Timber - Ultimate Freelancer Platform 1.1 - Cross site request forgery Date: 2018-05-24 Exploit Author: L0RD or [email protected] Vendor Homepage: https://codecanyon.net/item/timber-ultimate-freelancer-platform/14747284?srank=1717 Version: 1.1 Tested on: Kali linux...