Lucene search

28 matches found

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2024-1950

Malicious code in bioql PyPI...

9.9 CVSS, 8.8 AI score, 0.00197 EPSS
Exploits: 0, References: 6
GithubExploit
added 2025/08/27 12:24 p.m., 233 views

Exploit for CVE-2025-6934

CVE-2025-6934 – WordPress Opal Estate Pro Exploitation 📖...

9.8 CVSS, 7.3 AI score, 0.26374 EPSS
Exploits: 12
Positive Technologies
added 2024/12/02 12:0 a.m., 2 views

PT-2024-35979 · Victure · Victure Rx1800 Wifi 6 Router

Name of the Vulnerable Software and Affected Versions: Victure RX1800 WiFi 6 Router version EN V1.0.0 r12 110933 Description: A problem was discovered in Victure RX1800 WiFi 6 Router devices where the TELNET service is enabled by default with admin/admin as default credentials and is exposed over...

8.8 CVSS, 8 AI score, 0.00075 EPSS
Exploits: 0, References: 6
NVD
added 2024/07/24 4:15 p.m., 11 views

CVE-2024-31970

AdTran SRG 834-5 HDC17600021F1 devices with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1 have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time when the device is being set up, it uses a default username and password combination of admin/admin with...

8.8 CVSS, 0.00145 EPSS
Exploits: 0, References: 3
Packet Storm
added 2023/01/10 12:0 a.m., 479 views

WordPress Slider Revolution 4.6.5 Shell Upload

Title: WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit | Author: indoushka | Tested on: windows 10...

7.4 AI score
Exploits: 0
NVD
added 2020/03/13 4:15 p.m., 12 views

CVE-2020-10196

An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several o...

6.1 CVSS, 6.5 AI score, 0.00229 EPSS
Exploits: 1, References: 2
Cvelist
added 2019/10/07 2:25 p.m., 14 views

CVE-2015-9455

The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfbphotos parameter in a bpfbremovetempimages action...

8.2 AI score, 0.00095 EPSS
Exploits: 0, References: 2
Openbugbounty
added 2018/06/28 12:55 a.m., 10 views

innebandycuper.se XSS vulnerability

Open Bug Bounty ID: OBB-638038; Affected Website: innebandycuper.se; Vulnerable Application: Other; Vulnerability Type: XSS Cross Site Scripting / CWE-79; CVSSv3 Score: 6.1...

Exploits: 0
Openbugbounty
added 2018/06/22 7:23 a.m., 9 views

tpl.fr Improper Access Control vulnerability

Open Bug Bounty ID: OBB-635265; Affected Website: tpl.fr; Vulnerable Application: Other; Vulnerability Type: IAC Improper Access Control / CWE-284; CVSSv3 Score: 6.5...

0.1 AI score
Exploits: 0
NVD
added 2018/04/07 9:29 p.m., 7 views

CVE-2018-9848

In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the configuploadclass value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an...

9.8 CVSS, 9.9 AI score, 0.00944 EPSS
Exploits: 1, References: 1
Prion
added 2018/04/07 9:29 p.m., 10 views

Cross site request forgery (csrf)

In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the configuploadclass value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an...

7.5 CVSS, 9.8 AI score, 0.00944 EPSS
Exploits: 1, References: 1, Affected Software: 1
Cvelist
added 2018/01/27 5:0 p.m., 13 views

CVE-2018-6357

The acxasmwsaveordercallback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant socialwidgeticonarrayorder XSS...

8.8 AI score, 0.00147 EPSS
Exploits: 1, References: 2
Prion
added 2018/01/13 12:29 a.m., 11 views

Design/Logic Flaw

An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php weblizarpffreesettingssaveget-users parameter...

4.3 CVSS, 6 AI score, 0.00211 EPSS
Exploits: 1, References: 2, Affected Software: 1
0day.today
added 2017/12/20 12:0 a.m., 44 views

WordPress Booking Calendar 7.0 / 7.1 SQL Injection / Local File Inclusion Vulnerabilities

WordPress Booking Calendar plugin versions 7.1, 7.0, and below suffer from remote SQL injection and local file inclusion vulnerabilities. Advisory Title: WordPress Booking Calendar Plugin Multiple Vulnerabilities Advisory URL: http://www.defensecode.com/advisories.php Software: WordPress Booking...

8 AI score
Exploits: 0
Openbugbounty
added 2017/04/26 1:54 p.m., 13 views

spacehost.de XSS vulnerability

Vulnerable URL: https://spacehost.de/blog/wp-admin/admin-ajax.php Details: Patched: Yes, at 14.05.2017; Latest check for patch: 14.05.2017 20:49 GMT; Vulnerability type: XSS; Vulnerability status: Publicly disclosed; Alexa Rank: 1786851; VIP website status: No; Check...

6.3 AI score
Exploits: 0
CNVD
added 2016/10/18 12:0 a.m., 1 views

Backdoor Account Vulnerability in D-Link DWR-932B LTE Router SSH Service

The D-Link DWR-932B LTE is a wireless router. A backdoor account vulnerability exists in the SSH service of the D-Link DWR-932B LTE router. Since the D-Link wireless router will run the SSH service with two hard-coded secret accounts admin:admin and root:1234 by default, an attacker can exploit t...

6.9 AI score
Exploits: 0, References: 1
CNVD
added 2016/09/25 12:0 a.m., 1 views

Weak Password Vulnerability in Maipu VPN3005C-104 Appliance

The Maipu VPN3005C-104 device is a security gateway developed by Maipu. A weak password vulnerability exists in the Maipu VPN3005C-104 device. It allows an attacker to log in to the system backend and gain administrator privileges by using the account password admin\admin...

7.1 AI score
Exploits: 0
seebug.org
added 2015/01/13 12:0 a.m., 24 views

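Zhengfang admissions management system has a generic weak password, allowing getshell

Brief description: as per the title. Details: Because Zhengfang's admissions management system uses the eweb editor and the default password was never changed, it is possible to log in directly with admin/admin, then modify the style and upload to getshell. Editor path: editor/admin/login.jsp Username/password: admin/admin Some cases: http://iczu.zju.edu.cn/zjdxlxszsxt/editor/admin/default.jsp Zhejiang University international student admissions system http://zspt.jxvtc.edu.cn:8001/zsxt/editor/admin/default.jsp Jiaxing Vocational and Technical College...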

7.1 AI score
Exploits: 0
NVD
added 2015/01/02 7:59 p.m., 10 views

CVE-2014-9441

Multiple cross-site request forgery (CSRF) vulnerabilities in the Lightbox Photo Gallery plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via...

6.8 CVSS, 6.7 AI score, 0.00095 EPSS
Exploits: 1, References: 2
Patchstack
added 2014/12/07 12:0 a.m., 23 views

WordPress Shareaholic Plugin <= 7.6.0 - XSS

This vulnerability is in admin.php. It allows authenticated users to inject arbitrary web script or HTML via the "locationid" parameter that is in a shareaholicaddlocation action to wp-admin/admin-ajax.php. Solution Update the plugin...

3.5 CVSS, 2.6 AI score, 0.00374 EPSS
Exploits: 5, References: 1, Affected Software: 1