Milad Karimi (Ex3ptionaL)

27 exploits, active since Apr 2022
CVE-2025-4664 NOMISEC MEDIUM WORKING POC
Google Chrome <136.0.7103.113 - Info Disclosure
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
13 stars
CVSS 4.3
CVE-2024-58349 EXPLOITDB CRITICAL python SCANNER
WordPress Theme Travelscape 1.0.3 Arbitrary File Upload
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them to achieve remote code execution on the affected WordPress installation.
CVSS 9.8
CVE-2024-58348 EXPLOITDB CRITICAL text WORKING POC
WordPress Background Image Cropper 1.2 Remote Code Execution
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server.
CVSS 9.8
CVE-2023-54352 EXPLOITDB CRITICAL python WORKING POC
WP Travel Kit Travelscape - WordPress Seotheme Remote Code Execution Unauthenticated
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands and upload additional files for persistent access.
CVSS 9.8
CVE-2023-54350 EXPLOITDB HIGH python WORKING POC
WordPress Augmented-Reality Plugin Remote Code Execution Unauthenticated
WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.
CVSS 7.5
EIP-2026-120684 EXPLOITDB text WRITEUP
AVAST Antivirus 25.11 - Unquoted Service Path
CVE-2025-34499 EXPLOITDB MEDIUM text WRITEUP
AnyDesk 7.0.15,9.0.1 - Code Injection
AnyDesk 7.0.15 and 9.0.1 contain an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted service path configuration to inject malicious executables that will be run with high-level system permissions.
CVE-2024-0353 EXPLOITDB HIGH text WRITEUP
ESET Endpoint Antivirus < 8.1.2062.0 - Local Privilege Escalation via File Deletion
Local privilege escalation vulnerability potentially allowed an attacker to misuse ESET’s file operations to delete files without having proper permission.
CVSS 7.8
CVE-2024-0353 EXPLOITDB HIGH text WRITEUP
ESET Endpoint Antivirus < 8.1.2062.0 - Local Privilege Escalation via File Deletion
Local privilege escalation vulnerability potentially allowed an attacker to misuse ESET’s file operations to delete files without having proper permission.
CVSS 7.8
CVE-2023-54331 EXPLOITDB HIGH text WRITEUP
Outline 1.6.0 - Privilege Escalation
Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions.
CVSS 7.8
EIP-2026-117928 EXPLOITDB text WRITEUP
SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path
CVE-2023-29336 EXPLOITDB HIGH c WORKING POC
Windows 10 1507 < 10.0.10240.19926 and 1607 < 10.0.14393.5921 - Use-After-Free in Win32k
Win32k Elevation of Privilege Vulnerability
CVSS 7.8
EIP-2026-117488 EXPLOITDB text WRITEUP
Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path
CVE-2024-21338 EXPLOITDB HIGH c WORKING POC
Windows Kernel - Privilege Escalation
Windows Kernel Elevation of Privilege Vulnerability
CVSS 7.8
CVE-2024-49138 EXPLOITDB HIGH c WORKING POC
Windows Common Log File System Driver - Elevation of Privilege via Heap-based Buffer Overflow
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVSS 7.8
CVE-2024-38193 EXPLOITDB HIGH WORKING POC
Windows Ancillary Function Driver - Privilege Escalation
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVSS 7.8
CVE-2025-21333 EXPLOITDB HIGH c WORKING POC
Windows Hyper-V NT Kernel Integration VSP - Elevation of Privilege via Heap-based Buffer Overflow
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
CVSS 7.8
EIP-2026-117730 EXPLOITDB text WRITEUP
Oracle Database 12c Release 1 - Unquoted Service Path
CVE-2023-2745 EXPLOITDB MEDIUM python WORKING POC
WordPress < 6.2 - Unauthenticated Directory Traversal via wp_lang Parameter
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack.
CVSS 5.4
CVE-2022-4395 EXPLOITDB CRITICAL text WORKING POC
Membership For WooCommerce <2.1.7 - Unauthenticated RCE
The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.
CVSS 9.8
CVE-2021-25094 EXPLOITDB HIGH python WORKING POC
Tatsu WordPress Plugin RCE
The add_custom_font action of the Tatsu WordPress plugin before 3.3.12 can be used without prior authentication to upload a rogue zip file, which is uncompressed under WordPress's upload directory. A PHP shell whose filename starts with a dot "." bypasses the extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.
CVSS 8.1
CVE-2024-28000 EXPLOITDB CRITICAL python WORKING POC
WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin
Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache (litespeed-cache). This issue affects LiteSpeed Cache: from n/a through <= 6.3.0.1.
CVSS 9.8
CVE-2024-45440 EXPLOITDB MEDIUM python SCANNER
Drupal 10.3.0-10.3.5 - Full Path Disclosure via Missing hash_salt File
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
CVSS 5.3
CVE-2023-41425 EXPLOITDB MEDIUM python WORKING POC
WonderCMS Remote Code Execution
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
CVSS 6.1
CVE-2025-25257 EXPLOITDB CRITICAL text WORKING POC
Fortinet FortiWeb - SQL Injection
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
CVSS 9.8