Lucene search
K
NucleiMost viewed

4139 matches found

Nuclei
Nuclei
•added 12 hours ago•33 views

WordPress Download Manager < 3.2.44 - Authenticated Cross-Site Scripting

The WordPress Download Manager plugin before version 3.2.44 does not properly sanitize and escape the userids parameter in the stats history dashboard. This allows authenticated attackers to perform Cross-Site Scripting attacks by injecting malicious JavaScript code. id: CVE-2022-2168 info: name:...

6.1CVSS6.4AI score0.0106EPSS
Exploits2References2
Nuclei
Nuclei
•added 12 hours ago•33 views

Flarum < 1.8.5 - Open Redirect

Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum /logout route includes a redirect parameter that allows any third party to redirect users from a trusted domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be...

6.5CVSS6.3AI score0.01067EPSS
Exploits0References3
Nuclei
Nuclei
•added 12 hours ago•33 views

WordPress WPB Show Core <= 2.2 - Server-Side Request Forgery

The WPB Show Core WordPress plugin through version 2.2 is vulnerable to Server-Side Request Forgery SSRF via the 'path' parameter in the download-file.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs. id: CVE-2023-5974 info: nam...

9.8CVSS7.3AI score0.0315EPSS
Exploits2References2
Nuclei
Nuclei
•added 12 hours ago•33 views

SmarterTools SmarterTrack - Cross-Site Scripting

Cross-site Scripting XSS vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010. id: CVE-2022-24384 info: name: SmarterTools SmarterTrack - Cross-Site Scripting author: E1A severity: medium description: | Cross-site Scripting XSS vulnerability in...

8.8CVSS6.4AI score0.04737EPSS
Exploits0References2
Nuclei
Nuclei
•added 12 hours ago•33 views

Rukovoditel <= 3.2.1 - Cross-Site Scripting

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the Add Page function at /index.php?module=helppages/pages&entitiesid=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title fiel...

5.4CVSS6.2AI score0.01049EPSS
Exploits1References4
Nuclei
Nuclei
•added 12 hours ago•33 views

WordPress Sunshine Photo Cart <2.9.15 - Cross-Site Scripting

WordPress Sunshine Photo Cart plugin before 2.9.15 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affecte...

6.1CVSS6.4AI score0.00902EPSS
Exploits1References5
Nuclei
Nuclei
•added 12 hours ago•33 views

Aajoda Testimonials < 2.2.2 - Cross-Site Scripting

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. id: CVE-2023-2178 info: name: Aajoda Testimonials...

4.8CVSS6.3AI score0.00773EPSS
Exploits2References3
Nuclei
Nuclei
•added 12 hours ago•33 views

Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update

YIKES Inc. Custom Product Tabs for WooCommerce plugin \u003C= 1.7.7 contains a broken access control caused by improper permission checks in &yikes-the-content-toggle option update, letting attackers modify content without authorization. id: CVE-2022-28666 info: name: Custom Product Tabs for...

5.3CVSS6.1AI score0.01226EPSS
Exploits1References1
Nuclei
Nuclei
•added 12 hours ago•33 views

Joomla! Component Joomla! Flickr 1.0 - Local File Inclusion

A directory traversal vulnerability in joomlaflickr.php in the Joomla! Flickr comjoomlaflickr component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1980 info: name: Joomla! Component...

7.5CVSS6.2AI score0.18835EPSS
Exploits3References5
Nuclei
Nuclei
•added 12 hours ago•33 views

Novius OS 5.0.1-elche - Open Redirect

Novius OS 5.0.1 Elche allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login. id: CVE-2015-5354 info: name: Novius OS 5.0.1-elche - Open Redirect author: 0xAkoko severity: medium description: Novius OS...

5.8CVSS6.1AI score0.12523EPSS
Exploits2References5
Nuclei
Nuclei
•added 12 hours ago•33 views

WordPress Plugin File Manager (wp-file-manager) Backup Disclosure

mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fmbackups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken...

7.5CVSS7AI score0.15906EPSS
Exploits2References5
Nuclei
Nuclei
•added 12 hours ago•33 views

Error Log Viewer by BestWebSoft < 1.0.6 - Cross-Site Scripting

The error-log-viewer plugin before 1.0.6 for WordPress has multiple XSS issues. id: CVE-2017-18562 info: name: Error Log Viewer by BestWebSoft 1.0.6 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The error-log-viewer plugin before 1.0.6 for WordPress has multiple XSS...

6.1CVSS6.4AI score0.01384EPSS
Exploits1References4
Nuclei
Nuclei
•added 12 hours ago•33 views

Joomla! Harmis Messenger 1.2.2 - Local File Inclusion

Joomla! Harmis Messenger 1.2.2 is vulnerable to local file inclusion which could give an attacker read access to arbitrary files. id: CVE-2019-9922 info: name: Joomla! Harmis Messenger 1.2.2 - Local File Inclusion author: 0xAkoko severity: high description: Joomla! Harmis Messenger 1.2.2 is...

7.5CVSS6.7AI score0.1059EPSS
Exploits0References5
Nuclei
Nuclei
•added 12 hours ago•33 views

Joomla! Component Matamko 1.01 - Local File Inclusion

A directory traversal vulnerability in the Matamko commatamko component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1495 info: name: Joomla! Component Matamko 1.01 - Local File Inclusion author: daffainfo...

7.5CVSS6.1AI score0.18938EPSS
Exploits1References5
Nuclei
Nuclei
•added 12 hours ago•33 views

WordPress Plugin Download Monitor < 3.3.5.9 - Cross-Site Scripting

A cross-site scripting vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. id: CVE-2012-4768 info: name: WordPress Plugin Download Monitor 3.3.5.9 - Cross-Site...

4.3CVSS6AI score0.10456EPSS
Exploits2References5
Nuclei
Nuclei
•added 12 hours ago•33 views

Chyrp 2.x - Local File Inclusion

A directory traversal vulnerability in includes/lib/gz.php in Chyrp 2.0 and earlier allows remote attackers to read arbitrary files via a .. dot dot in the file parameter, a different vulnerability than CVE-2011-2744. id: CVE-2011-2780 info: name: Chyrp 2.x - Local File Inclusion author: daffainf...

5CVSS6.1AI score0.12991EPSS
Exploits1References6
Nuclei
Nuclei
•added 12 hours ago•33 views

PHPJabbers Food Delivery Script - SQL Injection

PHPJabbers Food Delivery Script 3.0 has a SQL injection SQLi vulnerability in the "q" parameter of index.php. id: CVE-2023-40748 info: name: PHPJabbers Food Delivery Script - SQL Injection author: ritikchaddha severity: critical description: | PHPJabbers Food Delivery Script 3.0 has a SQL injecti...

9.8CVSS7.2AI score0.02904EPSS
Exploits0References2
Nuclei
Nuclei
•added 12 hours ago•33 views

Prodigy Commerce <= 3.3.0 - Local File Inclusion

Prodigy Commerce WordPress plugin = 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameterstemplatename' parameter, letting unauthenticated attackers include and execute arbitrary files remotely. id: CVE-2026-0926 info: name: Prodigy Commerce = 3.3.0 - Local File...

9.8CVSS6.1AI score0.09396EPSS
Exploits5References2
Nuclei
Nuclei
•added 12 hours ago•33 views

Sympa version =>6.2.16 - Cross-Site Scripting

Sympa version 6.2.16 and later contains a URL Redirection to Untrusted Site vulnerability in the referer parameter of the wwsympa fcgi login action that can result in open redirection and reflected cross-site scripting via data URIs. id: CVE-2018-1000671 info: name: Sympa version =6.2.16 -...

6.1CVSS6.6AI score0.03982EPSS
Exploits0References5
Nuclei
Nuclei
•added 12 hours ago•33 views

WordPress Gwyn's Imagemap Selector <=0.3.3 - Cross-Site Scripting

Wordpress Gwyn's Imagemap Selector plugin 0.3.3 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize the id and class parameters before returning them back in attributes. id: CVE-2022-1221 info: name: WordPress Gwyn's Imagemap Selector =0.3.3 - Cross-Site...

6.1CVSS6.3AI score0.02002EPSS
Exploits1References4
Nuclei
Nuclei
•added 12 hours ago•33 views

ThemeREX Addons - Remote Code Execution

ThemeREX Addons plugin before 2020-03-09 for WordPress contains an access control vulnerability in the /trxaddons/v2/get/sclayout REST API endpoint, allowing any users to execute PHP functions because includes/plugin.rest-api.php calls trxaddonsrestgetsclayout with an unsafe sc parameter, letting...

9.8CVSS7.4AI score0.08877EPSS
Exploits2References3
Nuclei
Nuclei
•added 12 hours ago•33 views

WatchGuard Fireware AD Helper Component - Credentials Disclosure

WatchGuard Fireware Threat Detection and Response TDR service contains a credential-disclosure vulnerability in the AD Helper component that allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext. id: CVE-2020-10532 info: name: WatchGuard Fireware ...

7.5CVSS7.1AI score0.02785EPSS
Exploits1References3
Nuclei
Nuclei
•added yesterday•33 views

n8n >= 0.123.0 and < 1.121.3 - Remote Code Execution

n8n versions = 0.123.0 and = 0.123.0 and = 0.123.0 and 1.121.3 contain a critical authenticated remote code execution vulnerability via arbitrary file write. An authenticated user can exploit the Git node to overwrite critical files and execute untrusted code on the n8n server, potentially leadin...

9.9CVSS8.2AI score0.05258EPSS
Exploits1References2
Nuclei
Nuclei
•added yesterday•33 views

Resourcespace - Cross-Site Scripting

ResourceSpace before 9.6 rev 18290 is affected by a reflected cross-site scripting vulnerability in plugins/wordpresssso/pages/index.php via the wordpressuser parameter. id: CVE-2021-41951 info: name: Resourcespace - Cross-Site Scripting author: coldfish severity: medium description: ResourceSpac...

6.1CVSS6.3AI score0.77892EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•33 views

ReadToMyShoe - Generation of Error Message Containing Sensitive Information

ReadToMyShoe generates an error message containing sensitive information prior to commit 8533b01. If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, it will include the full URL of the request, which...

7.4CVSS6.6AI score0.03857EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•33 views

WordPress Stop Spammers <2021.9 - Cross-Site Scripting

WordPress Stop Spammers plugin before 2021.9 contains a reflected cross-site scripting vulnerability. It does not escape user input when blocking requests such as matching a spam word, thus outputting it in an attribute after sanitizing it to remove HTML tags. id: CVE-2021-24245 info: name:...

6.1CVSS6.3AI score0.05721EPSS
Exploits5References5
Nuclei
Nuclei
•added yesterday•33 views

Trixbox - 2.8.0.4 OS Command Injection

Trixbox 2.8.0.4 is vulnerable to OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php. id: CVE-2017-14535 info: name: Trixbox - 2.8.0.4 OS Command Injection author: pikpikcu severity: high description: Trixbox 2.8.0.4 is vulnerable to OS command...

9CVSS7.2AI score0.50069EPSS
Exploits4References5
Nuclei
Nuclei
•added yesterday•33 views

Sender by BestWebSoft < 1.2.1 - Cross-Site Scripting

The sender plugin before 1.2.1 for WordPress has multiple XSS issues. id: CVE-2017-18564 info: name: Sender by BestWebSoft 1.2.1 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The sender plugin before 1.2.1 for WordPress has multiple XSS issues. impact: | Authenticat...

6.1CVSS6.4AI score0.0139EPSS
Exploits1References4
Nuclei
Nuclei
•added yesterday•33 views

Prestashop Blockwishlist 2.1.0 SQL Injection

Prestashop Blockwishlist module version 2.1.0 suffers from a remote authenticated SQL injection vulnerability. id: CVE-2022-31101 info: name: Prestashop Blockwishlist 2.1.0 SQL Injection author: mastercho severity: high description: | Prestashop Blockwishlist module version 2.1.0 suffers from a...

8.8CVSS7.3AI score0.24146EPSS
Exploits6References3
Nuclei
Nuclei
•added yesterday•33 views

Auerswald COMpact 5500R 7.8A and 8.0B Devices Backdoor

Auerswald COMpact 5500R 7.8A and 8.0B devices contain an unauthenticated endpoint "https://192.168.1.2/aboutstate", enabling the bad actor to gain backdoor access to a web interface that allows for resetting the administrator password. id: CVE-2021-40859 info: name: Auerswald COMpact 5500R 7.8A a...

10CVSS7.4AI score0.71979EPSS
Exploits6References4
Nuclei
Nuclei
•added 2023/06/05 7:3 a.m.•33 views

Purchase Order Management v1.0 - SQL Injection

Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchaseorder/classes/Master.php?f=deletesupplier. id: CVE-2022-28023 info: name: Purchase Order Management v1.0 - SQL Injection author: theamanrawat severity: critical description: | Purchase Order...

9.8CVSS9.9AI score0.03008EPSS
Exploits1References5
Nuclei
Nuclei
•added 12 hours ago•32 views

SuperWebMailer 9.31.0.01799 - Cross-Site Scripting

SuperWebMailer v9.31.0.01799 was discovered to contain a reflected cross-site scripting XSS vulenrability via the component api.php. id: CVE-2024-24131 info: name: SuperWebMailer 9.31.0.01799 - Cross-Site Scripting author: DhiyaneshDK severity: medium description: | SuperWebMailer v9.31.0.01799 w...

6.1CVSS6.2AI score0.00924EPSS
Exploits1References2
Nuclei
Nuclei
•added 12 hours ago•32 views

Journyx - XML External Entities Injection (XXE)

The "soapcgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources. id: CVE-2024-6893 info: name: Journyx - XML...

7.5CVSS7AI score0.32916EPSS
Exploits3
Nuclei
Nuclei
•added 12 hours ago•32 views

Store Locator WordPress < 1.4.13 - Cross-Site Scripting

The Store Locator WordPress plugin before 1.4.13 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. id: CVE-2023-4151 info: name: Store Locator...

6.1CVSS6.4AI score0.00645EPSS
Exploits1References2
Nuclei
Nuclei
•added 12 hours ago•32 views

Joomla! Component Percha Fields Attach 1.0 - Directory Traversal

A directory traversal vulnerability in the Percha Fields Attach comperchafieldsattach component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impacts via a .. dot dot in the controller parameter to index.php. id: CVE-2010-2036 info: name:...

7.5CVSS6.1AI score0.1321EPSS
Exploits1References4
Nuclei
Nuclei
•added 12 hours ago•32 views

Hongdian H8922 3.0.5 - Information Disclosure

Hongdian H8922 3.0.5 is susceptible to information disclosure. An attacker can access cli.conf with the administrator password and other sensitive data via /backup2.cgi and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2021-28150 info:...

5.5CVSS6.2AI score0.02584EPSS
Exploits1References5
Nuclei
Nuclei
•added 12 hours ago•32 views

WordPress English Admin <1.5.2 - Open Redirect

WordPress English Admin plugin before 1.5.2 contains an open redirect vulnerability. The plugin does not validate the admincustomlanguagereturnurl before redirecting users to it. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id:...

6.1CVSS6.5AI score0.01873EPSS
Exploits2References3
Nuclei
Nuclei
•added 12 hours ago•32 views

Pinterest by BestWebSoft < 1.0.5 - Cross-Site Scripting

The bws-pinterest plugin before 1.0.5 for WordPress has multiple XSS issues. id: CVE-2017-18517 info: name: Pinterest by BestWebSoft 1.0.5 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The bws-pinterest plugin before 1.0.5 for WordPress has multiple XSS issues...

6.1CVSS6.4AI score0.01621EPSS
Exploits1References4
Nuclei
Nuclei
•added 12 hours ago•32 views

Metinfo 7.0.0 beta - SQL Injection

Metinfo 7.0.0 beta is susceptible to SQL Injection in app/system/product/admin/productadmin.class.php via the admin/?n=product&c=productadmin&a=dopara&apptype=shop id parameter. id: CVE-2019-16996 info: name: Metinfo 7.0.0 beta - SQL Injection author: ritikchaddha severity: high description:...

7.2CVSS7.1AI score0.12443EPSS
Exploits1References5
Nuclei
Nuclei
•added 12 hours ago•32 views

Export WP Page to Static HTML <= 4.3.4 - Cookie Exposure

Export WP Page to Static HTML & PDF WordPress plugin = 4.3.4 contains a sensitive information exposure caused by publicly exposed cookies.txt files with authentication cookies, letting unauthenticated attackers access sensitive authentication data, exploit requires site administrator to trigger...

9.8CVSS5.8AI score0.01954EPSS
Exploits0References2
Nuclei
Nuclei
•added 12 hours ago•32 views

WordPress JobWP Plugin <= 2.3.9 - SQL Injection

The JobWP - Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwpuploadresume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

7.5CVSS7.2AI score0.01549EPSS
Exploits0References2
Nuclei
Nuclei
•added 12 hours ago•32 views

TurboMeeting - Post-Authentication Command Injection

The Certificate Signing Request CSR feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The...

7.2CVSS6.2AI score0.03216EPSS
Exploits1References2
Nuclei
Nuclei
•added 12 hours ago•32 views

Issabel PBX 4.0.0-6 - Directory Listing

An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory id: CVE-2023-37599 info: name: Issabel PBX 4.0.0-6 - Directory Listing author: ritikchaddha severity: high description: | An issue in issabel-pbx v.4.0.0-6 allows a remote attacker...

7.5CVSS7.1AI score0.03009EPSS
Exploits1References2
Nuclei
Nuclei
•added 12 hours ago•32 views

Apache NiFi - Information Disclosure

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

5.4CVSS6.2AI score0.03095EPSS
Exploits0
Nuclei
Nuclei
•added 12 hours ago•32 views

Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload

The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE. id: CVE-2023-4666 info: name: Form-Maker 1.15.20 - Unauthenticated Arbitrary File Upload author: pussycat0x severity: critical...

9.8CVSS7.3AI score0.03283EPSS
Exploits3References1
Nuclei
Nuclei
•added 12 hours ago•32 views

Pichome 2.1.0 - Arbitrary File Read

A vulnerability, which was classified as critical, was found in zyx0814 Pichome 2.1.0. This affects an unknown part of the file /index.php?mod=textviewer. The manipulation of the argument src leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed t...

6.9CVSS5.9AI score0.0161EPSS
Exploits0References2
Nuclei
Nuclei
•added 12 hours ago•32 views

FileMage Gateway - Directory Traversal

Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component. id: CVE-2023-39026 info: name: FileMage Gateway - Directory Traversal author: DhiyaneshDk severity:...

7.5CVSS7.1AI score0.10562EPSS
Exploits4References5
Nuclei
Nuclei
•added 12 hours ago•32 views

Nova Lite < 1.3.9 - Cross-Site Scripting

Nova Lite before 1.3.9 for WordPress is susceptible to reflected cross-site scripting via search.php. id: CVE-2020-17362 info: name: Nova Lite 1.3.9 - Cross-Site Scripting author: daffainfo severity: medium description: Nova Lite before 1.3.9 for WordPress is susceptible to reflected cross-site...

6.1CVSS6.3AI score0.02873EPSS
Exploits1References4
Nuclei
Nuclei
•added 12 hours ago•32 views

WordPress Stop User Enumeration <=1.3.7 - Cross-Site Scripting

WordPress Stop User Enumeration 1.3.7 and earlier are vulnerable to unauthenticated reflected cross-site scripting. id: CVE-2017-18536 info: name: WordPress Stop User Enumeration =1.3.7 - Cross-Site Scripting author: daffainfo severity: medium description: WordPress Stop User Enumeration 1.3.7 an...

6.1CVSS6AI score0.0203EPSS
Exploits1References4
Nuclei
Nuclei
•added 12 hours ago•32 views

WordPress Ninja Forms <3.3.18 - Cross-Site Scripting

WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begindate, enddate, or formid parameters. This can allow an attacker to steal cookie-based authentication credentials a...

6.1CVSS6.4AI score0.08903EPSS
Exploits5References5
Total number of security vulnerabilities4139