CVE-2022-28590
A Remote Code Execution RCE vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=installtheme...
CVE-2022-28590
CVE-2022-28590 affects Pixelimity 1.0. The vulnerability enables remote code execution via admin/admin-ajax.php?action=install_theme. Multiple sources describe an arbitrary file upload path that can lead to code execution, with public PoC showing webshell upload to facilitate further access. The ...
GHSA-9JQ2-JVWC-P52F Contao core SQL Injection Vulnerability
Contao core prior to 2.11.4 has a SQL injection vulnerability in contao-2.11.3\system\modules\backend\Ajax.php...
zbzcms SQL Injection Vulnerability (CNVD-2022-30430)
zbzcms (Station Helper CMS) is a content management system from China's zbzcms Inc. zbzcms version 1.0 has a SQL injection vulnerability, which originates from the id parameter of /php/ajax.php. No detailed vulnerability details are...
CVE-2022-27129
An arbitrary file upload vulnerability at /admin/ajax.php in zbzcms v1.0 allows attackers to execute arbitrary code via a crafted PHP file...
CVE-2022-27125
zbzcms v1.0 was discovered to contain a stored cross-site scripting XSS vulnerability via the neirong parameter at /php/ajax.php...
CVE-2022-27125
CVE-2022-27125 affects zbzcms v1.0, with a stored cross-site scripting (XSS) vulnerability exploitable via the neirong parameter in /php/ajax.php. The NVD entry lists potential impact as partial integrity and low confidentiality, with CVSSv3.1 base score 6.1 (NETWORK, LOW ATTACK COMPLEXITY, USER ...
CVE-2022-27127
zbzcms v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /php/ajax.php...
CVE-2022-27129
CVE-2022-27129 affects zbzcms v1.0, where an arbitrary file upload vulnerability in /admin/ajax.php can be exploited to execute arbitrary PHP code via a crafted file. The issue enables remote code execution with no authentication and minimal prerequisites, as indicated by the associated CVSS data...
Menubar < 5.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action available to any authenticated users, leading to a Reflected Cross-Site Scripting...
WordPress Easy Cookie Policy 1.6.2 Plugin - Broken Access Control to Stored XSS Vulnerability
Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS Author: 0xB9 Software Link: https://wordpress.org/plugins/easy-cookies-policy/ Version: 1.6.2 Tested on: Windows 10 CVE: CVE-2021-24405 1. Description: Broken access control allows any authenticated use...
WordPress Easy Cookie Policy 1.6.2 Cross Site Scripting
Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS Date: 2/27/2021 Author: 0xB9 Software Link: https://wordpress.org/plugins/easy-cookies-policy/ Version: 1.6.2 Tested on: Windows 10 CVE: CVE-2021-24405 1. Description: Broken access control allows any...
Advanced Page Visit Counter < 6.1.6 - Subscriber+ Blind SQL injection
The plugin does not escape the artID parameter before using it in a SQL statement in the apvcresetcountart AJAX action, available to any authenticated user, leading to a SQL injection v = 5.0.8 - https://example.com/wp-admin/admin-ajax.php?action=apvcresetcountart&artID=sleep10 v 6.1.6 -...
GHSA-W4F3-7F7C-X652 SQL Injection in tribalsystems/zenario
SQL Injection in Tribalsystems Zenario CMS 8.8.52729 and prior allows remote attackers to access the database or delete the plugin. This is accomplished via the ID input field of ajax.php in the Plugin library - delete module...
LearnPress < 4.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the lp-dismiss-notice before outputting it back via the lpbackgroundsingleemail AJAX action, leading to a Reflected Cross-Site Scripting...