Khaled_alenazi (Nxploited)

6 exploits Active since May 2025
CVE-2025-4334 NOMISEC CRITICAL WORKING POC
Najeebmedia Simple User Registration - Improper Privilege Management
The Simple User Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3. This is due to insufficient restrictions on user meta values that can be supplied during registration. This makes it possible for unauthenticated attackers to register as an administrator.
7 stars
CVSS 9.8
CVE-2025-6934 NOMISEC CRITICAL WORKING POC
Opal Estate Pro - Property Management and Submission <=1.7.5 - Privilege Escalation
The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation via in all versions up to, and including, 1.7.5. This is due to a lack of role restriction during registration in the 'on_regiser_user' function. This makes it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering.
6 stars
CVSS 9.8
CVE-2025-5288 NOMISEC CRITICAL WORKING POC
WP plugin <2.0.3 - Privilege Escalation
The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an arbitrary import_api URL, import specially crafted JSON, and thereby create a new user with full Administrator privileges.
3 stars
CVSS 9.8
CVE-2025-49029 NOMISEC CRITICAL WRITEUP
bitto.Kazi Custom Login And Signup Widget <1.0 - Code Injection
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through <= 1.0.
2 stars
CVSS 9.1
CVE-2025-5287 NOMISEC HIGH WRITEUP
Likes and Dislikes Plugin <1.0.0 - SQL Injection
The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
1 stars
CVSS 7.5
CVE-2025-6934 NOMISEC CRITICAL WORKING POC
Opal Estate Pro - Property Management and Submission <=1.7.5 - Privilege Escalation
The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation via in all versions up to, and including, 1.7.5. This is due to a lack of role restriction during registration in the 'on_regiser_user' function. This makes it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering.
CVSS 9.8