0xB9

52 exploits Active since Apr 2018
CVE-2021-24247 EXPLOITDB MEDIUM text WRITEUP
Mooveagency Contact Form Check Tester < 1.0.2 - XSS
The settings of the Contact Form Check Tester WordPress plugin through 1.0.2 are visible to all registered users in the dashboard and lack any sanitisation. As a result, any registered user, such as a subscriber, can leave an XSS payload in the plugin settings, which will be triggered for any user visiting them and could allow for privilege escalation. The vendor decided to close the plugin.
CVSS 5.4
CVE-2021-24174 EXPLOITDB HIGH html WORKING POC
Database-backups < 1.2.2.6 - CSRF
The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged-in user perform unwanted actions, such as generating backups of the database, changing the plugin's settings and deleting backups.
CVSS 8.1
CVE-2021-24405 EXPLOITDB MEDIUM text WORKING POC
Izsoft Easy Cookies Policy < 1.6.2 - Incorrect Authorization
The Easy Cookies Policy WordPress plugin through 1.6.2 lacks any capability and CSRF check when saving its settings, allowing any authenticated user (such as a subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output on all pages of the frontend and on the backend settings page, leading to a Stored Cross-Site Scripting issue.
CVSS 6.5
CVE-2021-24272 EXPLOITDB MEDIUM html WORKING POC
Codeinitiator Fitness Calculators < 1.9.6 - CSRF
The fitness calculators WordPress plugin before 1.9.6 adds calculators for water intake, BMI, protein intake and body fat, and was lacking a CSRF check, allowing attackers to make logged-in users perform unwanted actions, such as changing the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue.
CVSS 4.3
CVE-2021-24488 EXPLOITDB MEDIUM text WORKING POC
Pickplugins Post Grid < 2.1.8 - XSS
The slider import search feature and the tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues.
CVSS 6.1
CVE-2021-24300 EXPLOITDB MEDIUM text WORKING POC
Pickplugins Product Slider For Woocommerce < 1.13.22 - XSS
The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitise the keyword GET parameter, leading to a reflected Cross-Site Scripting issue.
CVSS 6.1
CVE-2021-24286 EXPLOITDB MEDIUM text WORKING POC
Mooveagency Redirect 404 TO Parent < 1.3.1 - XSS
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
CVSS 6.1
CVE-2018-10366 EXPLOITDB MEDIUM text WRITEUP
October CMS Users <1.4.5 - XSS
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
CVSS 6.1
CVE-2019-9650 EXPLOITDB MEDIUM text WRITEUP
MyBB <1.33 - XSS
An XSS issue was discovered in upcoming_events.php in the Upcoming Events plugin before 1.33 for MyBB via a crafted name for an event.
CVSS 6.1
CVE-2018-14575 EXPLOITDB HIGH text WORKING POC
Trash Bin plugin 1.1.3 for MyBB - XSS/CSRF
Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject.
CVSS 8.8
EIP-2026-109736 EXPLOITDB text WORKING POC
MyBB Timeline Plugin 1.0 - Persistent Cross-Site Scripting
CVE-2018-10365 EXPLOITDB MEDIUM text WORKING POC
Threads to Link plugin 1.3 - MyBB - XSS
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
CVSS 5.4
CVE-2018-14888 EXPLOITDB MEDIUM text WRITEUP
Eldenroot Thank You/Like <3.1.0 - XSS
inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject.
CVSS 6.1
CVE-2018-11715 EXPLOITDB MEDIUM text WRITEUP
Recent Threads < 1.1 - XSS
The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject.
CVSS 5.4
EIP-2026-109727 EXPLOITDB text WORKING POC
MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
CVE-2019-3501 EXPLOITDB MEDIUM text WRITEUP
Ougc Awards < 1.8.19 - XSS
The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile.
CVSS 4.8
CVE-2018-14392 EXPLOITDB MEDIUM text WORKING POC
MyBB <1.2 - XSS
The New Threads plugin before 1.2 for MyBB has XSS.
CVSS 6.1
CVE-2018-11502 EXPLOITDB MEDIUM text WORKING POC
Moderator Log Notes - CSRF
An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF.
CVSS 6.5
CVE-2018-10580 EXPLOITDB MEDIUM text WORKING POC
MyBB Latest Posts on Profile 1.1 - XSS
The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.
CVSS 5.4
CVE-2019-6979 EXPLOITDB MEDIUM text WRITEUP
MyBB 1.0.2 - XSS
An issue was discovered in the User IP History Logs (aka IP_History_Logs) plugin 1.0.2 for MyBB. There is XSS via the admin/modules/tools/ip_history_logs.php useragent field.
CVSS 6.1
CVE-2021-3337 EXPLOITDB HIGH text WRITEUP
Hide Thread Content - Incorrect Authorization
The Hide-Thread-Content plugin through 2021-01-27 for MyBB allows remote attackers to bypass intended content-reading restrictions by clicking on reply or quote in the postbit.
CVSS 7.5
CVE-2018-15596 EXPLOITDB MEDIUM text WRITEUP
Mybb - XSS
An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS.
CVSS 6.1
CVE-2018-11532 EXPLOITDB MEDIUM text WORKING POC
Changuondyu Advanced Statistics - XSS
An issue was discovered in the ChangUonDyU Advanced Statistics plugin 1.0.2 for MyBB. changstats.php has XSS, as demonstrated by a subject field.
CVSS 6.1
CVE-2018-17996 EXPLOITDB MEDIUM text WORKING POC
Layerbb - CSRF
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/.
CVSS 6.5
CVE-2019-16531 EXPLOITDB HIGH html WORKING POC
LayerBB <1.1.4 - CSRF
LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php.
CVSS 8.8