NagisaYumaa

3 exploits Active since Jul 2025
CVE-2025-7431 NOMISEC MEDIUM WRITEUP
WordPress Knowledge Base <2.3.1 - XSS
The Knowledge Base plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin slug setting in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS 4.4
CVE-2025-9345 NOMISEC MEDIUM WRITEUP
Managefy plugin <1.4.8 - Path Traversal
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.
CVSS 4.9
CVE-2025-10377 NOMISEC MEDIUM WORKING POC
WordPress System Dashboard <2.8.20 - CSRF
The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS 4.3