Lucene search
K

299 matches found

ATTACKERKB
ATTACKERKB
added 2026/03/06 9:11 a.m.5 views

CVE-2026-3589

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example...

7.5CVSS5.9AI score0.00126EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/06 9:11 a.m.8 views

CVE-2026-3589 WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example...

5.9AI score0.00126EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/06 6:0 a.m.31 views

CVE-2026-2446 Powerpack for LearnDash < 1.3.0 - Unauthenticated Arbitrary Option Update

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options such as defaultrole etc and create arbitrary admin users...

0.00303EPSS
Exploits0References1
Packet Storm
Packet Storm
added 2026/03/04 12:0 a.m.119 views

📄 WordPress AI Engine 3.1.3 Add Admin / Shell Upload

The AI Engine WordPress plugin version 3.1.3 exposes an MCP JSON RPC endpoint allowing unauthenticated calls to administrative functions. An attacker can remotely create an administrator account then upload a malicious plugin or payload to obtain full remote code execution on the WordPress Server...

9.8CVSS6.6AI score0.75063EPSS
Exploits7
Packet Storm
Packet Storm
added 2026/03/04 12:0 a.m.156 views

📄 WordPress AI Engine 3.1.3 Mass Enumeration

This advisory documents a fully automated PHP-based exploitation framework designed to perform mass enumeration, plugin detection, token extraction, and automated account creation targeting vulnerable WordPress MCP-related REST API endpoints...

9.8CVSS5.9AI score0.75063EPSS
Exploits5
RedhatCVE
RedhatCVE
added 2026/02/20 1:22 a.m.6 views

CVE-2025-67304

In Ruckus Network Director RND 4.5.0.54, the OVA appliance contains hardcoded credentials for the ruckus PostgreSQL database user. In the default configuration, the PostgreSQL service is accessible over the network on TCP port 5432. An attacker can use the hardcoded credentials to authenticate...

9.8CVSS6AI score0.00481EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/02/19 12:0 a.m.24 views

CVE-2025-67304

In Ruckus Network Director RND 4.5.0.54, the OVA appliance contains hardcoded credentials for the ruckus PostgreSQL database user. In the default configuration, the PostgreSQL service is accessible over the network on TCP port 5432. An attacker can use the hardcoded credentials to authenticate...

0.00481EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/19 12:0 a.m.3 views

CVE-2025-67305

In RUCKUS Network Director RND 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network access to authenticate via SSH without a password. Once authenticated, the attacker can access the...

5.4AI score0.00494EPSS
Exploits1References2
Snyk
Snyk
added 2026/02/11 8:56 p.m.4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/users endpoint. A remote attacker with a low-privileged API token can create new administrative users by abusing the "admin" parameter in a POST...

8.8CVSS5.7AI score0.00494EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/05 4:13 p.m.5 views

CVE-2020-37145 HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user...

5.1CVSS5.2AI score0.00156EPSS
Exploits0References3
EUVD
EUVD
added 2026/02/05 4:13 p.m.4 views

EUVD-2020-31039

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user...

5.1CVSS5.2AI score0.00156EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/05 4:13 p.m.4 views

CVE-2020-37145

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user...

5.1CVSS5.1AI score0.00156EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/02/05 4:13 p.m.11 views

CVE-2020-37145

HRSALE 1.1.8 is affected by a cross-site request forgery that lets an attacker add unauthorized administrative users through the employee registration form. The exploit can be triggered by an attacker crafting a malicious HTML page with hidden form fields to trick an authenticated administrator i...

5.1CVSS5.2AI score0.00156EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/05 12:0 a.m.10 views

PT-2026-6587

Name of the Vulnerable Software and Affected Versions HRSALE version 1.1.8 Description HRSALE version 1.1.8 is susceptible to a cross-site request forgery condition. This allows attackers to add unauthorized administrative users via the employee registration form. An attacker can create a malicio...

5.1CVSS5.2AI score0.00156EPSS
Exploits0References5
CVE
CVE
added 2026/02/03 10:1 p.m.12 views

CVE-2020-37091

Maian Support Helpdesk 4.3 is affected by a cross-site request forgery (CSRF) vulnerability that allows attackers to create administrative accounts without authentication. Exploitation involves crafting malicious HTML forms to add admin users and upload PHP files via the FAQ attachment system, en...

5.3CVSS5.2AI score0.0015EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/03 10:1 p.m.28 views

CVE-2020-37091 Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)

Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FA...

5.3CVSS0.0015EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.8 views

PT-2026-5841

Name of the Vulnerable Software and Affected Versions Maian Support Helpdesk version 4.3 Description The software contains a cross-site request forgery condition that permits attackers to create administrative accounts without needing to authenticate. Attackers can construct malicious HTML forms ...

5.3CVSS5.2AI score0.0015EPSS
Exploits0References5
EUVD
EUVD
added 2026/01/31 12:30 a.m.5 views

EUVD-2020-30933

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative...

5.3CVSS5.8AI score0.00179EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/01/30 10:7 p.m.25 views

CVE-2020-37046 Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative...

5.3CVSS0.00179EPSS
Exploits0References4
CVE
CVE
added 2026/01/30 10:7 p.m.15 views

CVE-2020-37046

The Vuln is CSRF in Sistem Informasi Pengumuman Kelulusan Online 1.0, exploitable via the tambahuser.php endpoint to add unauthorized admin accounts. The issue allows craftable HTML forms to submit admin credentials without victim consent. Concrete details across connected records identify the vu...

5.3CVSS5.8AI score0.00179EPSS
Exploits0References4
Rows per page
Query Builder