0xnemian

2 exploits Active since Jun 2021
CVE-2025-13486 NOMISEC CRITICAL STUB
Advanced Custom Fields: Extended < 0.9.1.1 - RCE
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.
CVSS 9.8
CVE-2021-23394 NOMISEC HIGH WORKING POC
Std42 Elfinder < 2.1.58 - Unrestricted File Upload
The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
CVSS 8.1