Kaimi

6 exploits. Active since Jan 2017.
CVE-2018-25436 EXPLOITDB CRITICAL text WORKING POC
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
CVSS 9.8
CVE-2018-25434 EXPLOITDB HIGH text WRITEUP
WP AutoSuggest 0.24 - Unauthenticated SQL Injection via wpas_keys Parameter
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to extract sensitive database information from WordPress posts and other tables.
CVSS 8.2
CVE-2017-18346 EXPLOITDB CRITICAL text WRITEUP
CMS Web-Gooroo < 2013-01-19 - SQL Injection via wbg_login Parameter
SQL injection vulnerability in /wbg/core/_includes/authorization.inc.php in CMS Web-Gooroo through 2013-01-19 allows remote attackers to execute arbitrary SQL commands via the wbg_login parameter.
CVSS 9.8
CVE-2016-4340 EXPLOITDB HIGH text WORKING POC
GitLab 8.2.0-8.6.7 Authenticated Privilege Escalation via Impersonate
The impersonate feature in GitLab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors.
CVSS 8.8
EIP-2026-113533 EXPLOITDB text WORKING POC
WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection
EIP-2026-113575 EXPLOITDB text WORKING POC
WordPress Plugin Audio Record 1.0 - Arbitrary File Upload