28 matches found
EUVD-2024-1950
Malicious code in bioql PyPI...
Exploit for CVE-2025-6934
CVE-2025-6934 – WordPress Opal Estate Pro Exploitation 📖...
PT-2024-35979 · Victure · Victure Rx1800 Wifi 6 Router
Name of the Vulnerable Software and Affected Versions: Victure RX1800 WiFi 6 Router version EN V1.0.0 r12 110933 Description: A problem was discovered in Victure RX1800 WiFi 6 Router devices where the TELNET service is enabled by default with admin/admin as default credentials and is exposed over...
CVE-2024-31970
AdTran SRG 834-5 HDC17600021F1 devices with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1 have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time when the device is being set up, it uses a default username and password combination of admin/admin with...
WordPress Slider Revolution 4.6.5 Shell Upload
Title: WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit | Author: indoushka | Tested on: windows 10...
CVE-2020-10196
An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several o...
CVE-2015-9455
The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfbphotos parameter in a bpfbremovetempimages action...
innebandycuper.se XSS vulnerability
Open Bug Bounty ID: OBB-638038

| Description | Value |
|---|---|
| Affected Website: | innebandycuper.se |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Other |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |
tpl.fr Improper Access Control vulnerability
Open Bug Bounty ID: OBB-635265

| Description | Value |
|---|---|
| Affected Website: | tpl.fr |
| Open Bug Bounty Program: | Create your bounty program now. It's open and free. |
| Vulnerable Application: | Other |
| Vulnerability Type: | IAC Improper Access Control / CWE-284 |
| CVSSv3 Score: | 6.5... |
Cross site request forgery (csrf)
In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the configuploadclass value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an...
CVE-2018-9848
In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the configuploadclass value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an...
CVE-2018-6357
The acxasmwsaveordercallback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant socialwidgeticonarrayorder XSS...
Design/Logic Flaw
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php weblizarpffreesettingssaveget-users parameter...
WordPress Booking Calendar 7.0 / 7.1 SQL Injection / Local File Inclusion Vulnerabilities
WordPress Booking Calendar plugin versions 7.1, 7.0, and below suffer from remote SQL injection and local file inclusion vulnerabilities. Advisory Title: WordPress Booking Calendar Plugin Multiple Vulnerabilities Advisory URL: http://www.defensecode.com/advisories.php Software: WordPress Booking...
spacehost.de XSS vulnerability
Vulnerable URL: https://spacehost.de/blog/wp-admin/admin-ajax.php

Details:

| Description | Value |
|---|---|
| Patched: | Yes, at 14.05.2017 |
| Latest check for patch: | 14.05.2017 20:49 GMT |
| Vulnerability type: | XSS |
| Vulnerability status: | Publicly disclosed |
| Alexa Rank | 1786851 |
| VIP website status: | No |
| Check... | |
Backdoor Account Vulnerability in D-Link DWR-932B LET Router SSH Service
The D-Link DWR-932B LET is a wireless router. A backdoor account vulnerability exists in the SSH service of the D-Link DWR-932B LET router. Since the D-Link wireless router will run the SSH service with two hard-coded secret accounts admin:admin and root:1234 by default, an attacker can exploit t...
Weak Password Vulnerability in Mapper VPN3005C-104 Appliance
The Maipu VPN3005C-104 device is a security gateway developed by Maipu. A weak password vulnerability exists in the Maipu VPN3005C-104 device. It allows an attacker to log in to the system backend and gain administrator privileges by using the account password admin\admin...
Zhengfang Admissions Management System has a universal weak password, allowing a shell to be obtained
Brief description: as titled. Detailed description: Zhengfang's admissions management system uses the eWebEditor, and the default password is never changed, so one can log in directly with admin/admin, then modify the style settings and upload a file to obtain a shell. Editor path: editor/admin/login.jsp Username/password: admin/admin Some cases: http://iczu.zju.edu.cn/zjdxlxszsxt/editor/admin/default.jsp Zhejiang University International Student Admissions System http://zspt.jxvtc.edu.cn:8001/zsxt/editor/admin/default.jsp Jiaxing Vocational and Technical College...
CVE-2014-9441
Multiple cross-site request forgery (CSRF) vulnerabilities in the Lightbox Photo Gallery plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via...
WordPress Shareaholic Plugin <= 7.6.0 - XSS
This vulnerability is in admin.php. It allows authenticated users to inject arbitrary web script or HTML via the "locationid" parameter that is in a shareaholicaddlocation action to wp-admin/admin-ajax.php. Solution Update the plugin...