High-Tech Bridge SA

EIP-2026-113546 EXPLOITDB text WORKING POC

WordPress Plugin Ajax Category Dropdown 0.1.5 - Multiple Vulnerabilities

View Code

CVE-2015-8351 EXPLOITDB CRITICAL text WRITEUP

Gwolle Guestbook < 1.5.3 - Authenticated Remote File Inclusion via abspath Parameter

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.

CVSS 9.0

View Code

CVE-2014-6242 EXPLOITDB text WORKING POC

All In One WP Security & Firewall <3.8.3 - SQL Injection

Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

View Code

EIP-2026-113801 EXPLOITDB text WORKING POC

WordPress Plugin GRAND Flash Album Gallery 0.55 - Multiple Vulnerabilities

View Code

EIP-2026-113833 EXPLOITDB text WRITEUP

WordPress Plugin Inline Gallery 0.3.9 - 'do' Cross-Site Scripting

View Code

EIP-2026-113451 EXPLOITDB html WORKING POC

Wolf CMS 0.6.0b - Multiple Vulnerabilities

View Code

EIP-2026-113469 EXPLOITDB text WORKING POC

WonderCMS 0.3.3 - 'editText.php' Cross-Site Scripting

View Code

EIP-2026-113512 EXPLOITDB text WORKING POC

WordPress Plugin 1 Flash Gallery 0.2.5 - Cross-Site Scripting / SQL Injection

View Code

EIP-2026-113431 EXPLOITDB text WORKING POC

Wikipad 1.6.0 - Cross-Site Scripting / HTML Injection / Information Disclosure

View Code

CVE-2014-1854 EXPLOITDB text WORKING POC

WordPress AdRotate Pro/FREE <3.9.5/3.9.4 - SQL Injection

SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.

View Code

EIP-2026-113843 EXPLOITDB text WORKING POC

WordPress Plugin IWantOneButton 3.0.1 - Multiple Vulnerabilities

View Code

CVE-2012-1835 EXPLOITDB text WORKING POC

All-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

View Code

CVE-2015-5533 EXPLOITDB HIGH text WORKING POC

WordPress Count Per Day <3.4.1 - SQL Injection

SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

CVSS 7.2

View Code

EIP-2026-113679 EXPLOITDB text WORKING POC

WordPress Plugin Daily Maui Photo Widget 0.2 - Multiple Cross-Site Scripting Vulnerabilities

View Code

EIP-2026-113721 EXPLOITDB text WORKING POC

WordPress Plugin eShop 6.2.8 - Multiple Cross-Site Scripting Vulnerabilities

View Code

EIP-2026-113638 EXPLOITDB text WRITEUP

WordPress Plugin Comment Rating 2.9.23 - Multiple Vulnerabilities

View Code

CVE-2012-1835 EXPLOITDB text WORKING POC

All-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

View Code

EIP-2026-113738 EXPLOITDB text WRITEUP

WordPress Plugin Fast Secure Contact Form 3.0.3.1 - 'index.php' Cross-Site Scripting

View Code

EIP-2026-113983 EXPLOITDB text WRITEUP

WordPress Plugin Pretty Link 1.4.56 - Multiple Cross-Site Scripting Vulnerabilities

View Code

CVE-2012-1835 EXPLOITDB text WORKING POC

All-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

View Code

EIP-2026-113783 EXPLOITDB text WORKING POC

WordPress Plugin GD Star Rating 1.9.7 - 'wpfn' Cross-Site Scripting

View Code

EIP-2026-113859 EXPLOITDB text WORKING POC

WordPress Plugin Lazyest Gallery 1.0.26 - 'image' Cross-Site Scripting

View Code

EIP-2026-113956 EXPLOITDB text WORKING POC

WordPress Plugin PhotoSmash Galleries 1.0.x - 'action' Cross-Site Scripting

View Code

CVE-2012-1835 EXPLOITDB text WORKING POC

All-in-One Event Calendar 1.4-1.5 - Cross-Site Scripting via Multiple Parameters

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

View Code

CVE-2011-1047 EXPLOITDB text WORKING POC

VastHTML Forum Server 1.6.1 and 1.6.5 - SQL Injection via Search Max Parameter

Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka ForumPress) plugin 1.6.1 and 1.6.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) search_max parameter in a search action to index.php, which is not properly handled by wpf.class.php, (2) id parameter in an editpost action to index.php, which is not properly handled by wpf-post.php, or (3) topic parameter to feed.php.

View Code