
121 matches found

RedhatCVE
added 2025/05/23 7:59 a.m. · 4 views

CVE-2024-6549

The Admin Post Navigation plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full pat...

CVSS 5.3 · AI score 6.5 · EPSS 0.00423
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 5:57 a.m. · 3 views

CVE-2023-4282

The EmbedPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'adminpostremove' and 'removeprivatedata' functions in versions up to, and including, 3.8.2. This makes it possible for authenticated attackers with subscriber privileges or...

CVSS 5.4 · AI score 5.9 · EPSS 0.00419
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 7:24 p.m. · 16 views

CVE-2021-25072

The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have a CSRF check in place when deleting items, allowing an attacker to make a logged-in admin delete arbitrary posts via a CSRF attack...

CVSS 6.5 · AI score 6.8 · EPSS 0.00523
Exploits 2 · References 1
CNVD
added 2025/05/22 12:00 a.m. · 2 views

Car Rental Project Unlimited Upload Vulnerability

Car Rental Project is a car rental program. Car Rental Project has an unlimited upload vulnerability that stems from the lack of proper validation of files uploaded via the parameters img1/img2/img3/img4/img5 in the file /admin/post-avehical.php. No details of the vulnerability are available at thi...

CVSS 7.2 · AI score 7 · EPSS 0.00369
Exploits 1 · References 1
OSV
added 2025/05/19 10:15 a.m. · 2 views

CVE-2025-4926

A vulnerability was found in PHPGurukul Car Rental Project 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/post-avehical.php. The manipulation of the argument img1/img2/img3/img4/img5 leads to unrestricted upload. The attack may be launched...

CVSS 7.2 · AI score 5.5 · EPSS 0.00369
Exploits 1 · References 5
CNNVD
added 2025/05/19 12:00 a.m. · 2 views

PHPGurukul Car Rental Project Security Vulnerability

Car Rental Project is a car rental program. Car Rental Project has an unlimited upload vulnerability that stems from the lack of proper validation of files uploaded via the parameters img1/img2/img3/img4/img5 in the file /admin/post-avehical.php. No details of the vulnerability are available at thi...

CVSS 7.2 · AI score 7 · EPSS 0.00369
Exploits 1 · References 1
OSV
added 2025/05/11 4:15 p.m. · 1 view

CVE-2025-4541

A vulnerability classified as critical has been found in LmxCMS 1.41. Affected is the function manageZt of the file c\admin\ZtAction.class.php of the component POST Request Handler. The manipulation of the argument sortid leads to sql injection. It is possible to launch the attack remotely. The...

CVSS 8.8 · AI score 5.7 · EPSS 0.00409
Exploits 1 · References 4
CNNVD
added 2024/10/07 12:00 a.m. · 4 views

Online News site Security Vulnerability

Online News site is an online news site by the individual developer Mobina Jafarian. A security vulnerability exists in Online News site version v1.0, which stems from susceptibility to cross-site scripting (XSS) attacks and allows an attacker to execute arbitrary code via the title and summary fiel...

CVSS 6.6 · AI score 6.5 · EPSS 0.00241
Exploits 0 · References 3
Patchstack
added 2024/07/29 2:21 a.m. · 3 views

WordPress Admin Post Navigation plugin <= 2.1 - Unauthenticated Full Path Disclosure vulnerability

Unauthenticated Full Path Disclosure vulnerability discovered by stealthcopter in WordPress Plugin Admin Post Navigation versions <= 2.1...

CVSS 5.3 · AI score 7 · EPSS 0.00423
Exploits 0 · References 1 · Affected Software 1
Patchstack
added 2024/07/29 12:00 a.m. · 7 views

WordPress Admin Post Navigation Plugin <= 2.1 is vulnerable to Sensitive Data Exposure

Software: Admin Post Navigation · Type: Plugin · Vulnerable versions: <= 2.1 · Fixed in: N/A · OWASP Top 10: A3: Sensitive Data Exposure · Classification: Sensitive Data Exposure · CVE: CVE-2024-6549 · Patch priority: Low · CVSS severity: Low 5.3 · Developer: Claim ownership · PSID: d9b047850a91 · Credits: stealthcopter · Required...

CVSS 5.3 · AI score 6.6 · EPSS 0.00423
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2024/07/28 12:00 a.m. · 3 views

SeaCMS Cross-Site Scripting Vulnerability

SeaCMS is a free, open source web content management system written in PHP by SeaCMS, Inc. The system is primarily designed to manage video-on-demand resources. A cross-site scripting vulnerability exists in SeaCMS version 12.9, which stems from the manipulation of the parameter yzm in the file...

CVSS 5.4 · AI score 4.4 · EPSS 0.00446
Exploits 1 · References 5
CVE
added 2024/07/27 1:51 a.m. · 39 views

CVE-2024-6549

CVE-2024-6549 (Admin Post Navigation, WordPress) enables unauthenticated full path disclosure in all versions up to 2.1 due to bootstrap usage and test files with display_errors enabled. This Information Exposure is not by itself destructive but can aid other attacks; exploitation requires anothe...

CVSS 5.3 · AI score 5.2 · EPSS 0.00423
Exploits 0 · References 2
Cvelist
added 2024/07/27 1:51 a.m. · 25 views

CVE-2024-6549 Admin Post Navigation <= 2.1 - Unauthenticated Full Path Disclosure

The Admin Post Navigation plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full pat...

CVSS 5.3 · EPSS 0.00423
Exploits 0 · References 2
Positive Technologies
added 2024/07/27 12:00 a.m. · 2 views

PT-2024-37706 · WordPress · Admin Post Navigation

Name of the Vulnerable Software and Affected Versions: Admin Post Navigation plugin for WordPress versions up to and including 2.1 · Description: The issue allows unauthenticated attackers to retrieve the full path of the web application, which can aid other attacks. This is due to the plugin...

CVSS 5.3 · AI score 6.6 · EPSS 0.00423
Exploits 0 · References 4
OSV
added 2023/12/28 10:15 p.m. · 2 views

CVE-2023-7138

A vulnerability, which was classified as critical, was found in code-projects Client Details System 1.0. This affects an unknown part of the file /admin of the component HTTP POST Request Handler. The manipulation of the argument username leads to sql injection. The exploit has been disclosed to...

CVSS 8.8 · AI score 5.7 · EPSS 0.00701
Exploits 1 · References 3
wpexploit
added 2023/11/27 12:00 a.m. · 125 views

Swift Performance Lite <= 2.3.6.14 - Unauthenticated Configuration Export

Description: The plugin does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens. curl --url 'http://vulnerable-site.tld/wp-admin/admin-post.php?luv-action=export'...

CVSS 4.3 · AI score 8.6 · EPSS 0.00916
Exploits 3
BDU FSTEC
added 2023/10/28 12:00 a.m. · 2 views

The vulnerability in the admin-post.php script of the Popup Builder administration panel of the WordPress content management system allows a hacker to execute arbitrary SQL code.

The vulnerability in the admin-post.php script of the Popup Builder administration panel of the WordPress content management system is related to the lack of protection for the SQL query structure when processing the orderby and order parameters. Exploiting this vulnerability allows an attacker t...

CVSS 8.3 · AI score 7.5 · EPSS 0.05839
Exploits 2 · References 4 · Affected Software 1
WPVulnDB
added 2023/08/10 12:00 a.m. · 11 views

EmbedPress < 3.8.3 - Subscriber+ Plugin Settings Delete

Description: The plugin does not properly authorize access to its adminpostremove and removeprivatedata actions, allowing low privileged users such as subscribers to delete plugin settings...

CVSS 5.4 · AI score 6.4 · EPSS 0.00419
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2023/08/03 12:00 a.m. · 2 views

HCL Unica Platform Security Vulnerability

HCL Technologies HCL Unica Platform is a state-of-the-art enterprise automated marketing platform from HCL Technologies, USA. No manual effort is required to handle routine marketing tasks and capture the most effective leads. A security vulnerability exists in HCL Unica Platform versions prior t...

CVSS 8.8 · AI score 6.8 · EPSS 0.00477
Exploits 0 · References 2
wpexploit
added 2023/07/17 12:00 a.m. · 168 views

MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi

Description: The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. Note (WPScan): The issue was fixed in 1.14.13, however a better patch was done in 1.14.15 a...

CVSS 8.8 · AI score 9 · EPSS 0.00693
Exploits 2