Exploit for CVE-2026-8732

CVE-2026-8732 - WordPress WP Google Map Pro Mass Scanner & Aut...

EUVD-2018-21919

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST...

EUVD-2026-33251

The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmptempaccessajax AJAX action being registered with wpajaxnopriv and protected only by a nonce check using the...

PT-2026-44744

Name of the Vulnerable Software and Affected Versions WP Maps Pro versions prior to 6.1.1 Description The WP Maps Pro plugin for WordPress contains a flaw allowing unauthenticated attackers to create administrator accounts and achieve complete site takeover. The issue stems from a temporary acces...

CVE-2026-45716 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

CVE-2026-45716 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

EUVD-2026-32602

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

Lumiverse 竞争条件问题漏洞

Lumiverse is a full-featured AI chat application suite developed by Prolix OCs’ individual developers. Versions of Lumiverse prior to 0.9.7 contained a race condition vulnerability. This vulnerability stemmed from the fact that the consumeNonce function only checked whether module-level variables...

CVE-2026-6897

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

PT-2026-42865

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMemberFeaturesTeam Accounts::save settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

PT-2026-41795

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.1 Description An issue exists in the "POST /api/global/users/onboard" endpoint, which is protected by the workspaceBuilderOrAdmin middleware. This allows users with builder permissions to access the endpoint. In...

PT-2026-41441

bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts...

CVE-2026-42457

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...

EUVD-2026-30301

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...

CVE-2026-42457

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...

EUVD-2026-30257

The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the isadmincreationprocess method relying solely on the presence of action=createuser in the $REQUEST superglobal without performing any...

PT-2026-40894

Name of the Vulnerable Software and Affected Versions User Registration & Membership plugin for WordPress versions prior to 5.1.6 Description An issue exists where the is admin creation process function relies exclusively on the presence of the action=createuser parameter within the $ REQUEST...

CVE-2021-47932

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcpregisterandloginajax action with tcprole set to...

CVE-2021-47932 WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcpregisterandloginajax action with tcprole set to...

CVE-2026-40350

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints /settings/users and use them to enumerate all users and create a new administrator account. This happens because the route...