Nxploited

156 exploits Active since Nov 2023
CVE-2025-6389 NOMISEC CRITICAL WORKING POC
Sneeit Framework <= 8.3 - Unauthenticated Remote Code Execution via sneeit_articles_pagination_callback
The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts.
CVSS 9.8
CVE-2025-68001 NOMISEC CRITICAL WORKING POC
garidium g-FFL Checkout <2.1.0 - Unrestricted File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server.This issue affects g-FFL Checkout: from n/a through <= 2.1.0.
CVSS 10.0
CVE-2026-0920 NOMISEC CRITICAL WORKING POC
LA-Studio Element Kit - Privilege Escalation
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.
CVSS 9.8
CVE-2025-15521 NOMISEC CRITICAL WORKING POC
Academy LMS - WordPress LMS Plugin <3.5.0 - Privilege Escalation
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
CVSS 9.8
CVE-2025-15403 NOMISEC CRITICAL WORKING POC
RegistrationMagic <6.0.7.1 - Privilege Escalation
The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to injecting an empty slug into the order parameter, and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user.
CVSS 9.8
CVE-2025-29009 NOMISEC CRITICAL WORKING POC
Webkul Medical Prescription Attachment Plugin <1.2.3 - RCE
Unrestricted Upload of File with Dangerous Type vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce medical-prescription-attachment-plugin-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects Medical Prescription Attachment Plugin for WooCommerce: from n/a through <= 1.2.3.
CVSS 10.0
CVE-2025-53580 NOMISEC CRITICAL WORKING POC
Simple Business Directory Pro - Privilege Escalation
Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation.This issue affects Simple Business Directory Pro: from n/a through < 15.6.9.
CVSS 9.8
CVE-2026-1492 NOMISEC CRITICAL WORKING POC
WordPress User Registration & Membership Plugin <=5.1.2 - Privilege Escalation
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
CVSS 9.8
CVE-2026-1937 NOMISEC HIGH WORKING POC
YayMail WooCommerce Email Customizer <=4.3.2 - Privilege Escalation
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS 7.2
CVE-2026-27542 NOMISEC CRITICAL WORKING POC
WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Privilege Escalation vulnerability
Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Privilege Escalation.This issue affects Woocommerce Wholesale Lead Capture: from n/a through <= 2.0.3.1.
CVSS 9.8
CVE-2026-39987 NOMISEC CRITICAL SCANNER
marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
CVSS 9.8
CVE-2026-4484 NOMISEC HIGH WORKING POC
Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator
The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.
CVSS 8.8
CVE-2025-49901 NOMISEC CRITICAL SCANNER
quantumcloud Simple Link Directory <14.8.1 - Auth Bypass
Authentication Bypass Using an Alternate Path or Channel vulnerability in quantumcloud Simple Link Directory qc-simple-link-directory allows Authentication Abuse.This issue affects Simple Link Directory: from n/a through < 14.8.1.
CVSS 9.8
CVE-2025-2563 NOMISEC HIGH WORKING POC
User Registration & Membership <= 4.1.1 - Unauthenticated Privilege Escalation
The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges
CVSS 8.1
CVE-2025-15030 NOMISEC CRITICAL WORKING POC
User Profile Builder <3.15.2 - Info Disclosure
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account
CVSS 9.8
CVE-2025-13342 NOMISEC CRITICAL WORKING POC
Frontend Admin by DynamiApps <3.28.20 - Info Disclosure
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.
CVSS 9.8
CVE-2025-14364 NOMISEC HIGH WORKING POC
Demo Importer Plus <2.0.8 - Privilege Escalation
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.
CVSS 8.8
CVE-2026-3891 NOMISEC CRITICAL WORKING POC
Pix for WooCommerce <=1.5.0 - Arbitrary File Upload
The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 9.8
CVE-2025-39459 NOMISEC HIGH WORKING POC
Contempo Themes Real Estate <3.5.2 - Privilege Escalation
Incorrect Privilege Assignment vulnerability in contempoinc Real Estate 7 realestate-7 allows Privilege Escalation.This issue affects Real Estate 7: from n/a through <= 3.5.2.
CVSS 7.3
CVE-2026-2631 NOMISEC CRITICAL WORKING POC
Datalogics Ecommerce Delivery <2.6.60 - Privilege Escalation
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator.
CVSS 9.8
CVE-2026-1357 NOMISEC CRITICAL WORKING POC
WPvivid Backup & Migration <0.9.123 - Unauthenticated RCE
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the decrypted payload without sanitization, enabling directory traversal to escape the protected backup directory. This makes it possible for unauthenticated attackers to upload arbitrary PHP files to publicly accessible directories and achieve Remote Code Execution via the wpvivid_action=send_to_site parameter.
CVSS 9.8
CVE-2025-39459 NOMISEC HIGH WORKING POC
Contempo Themes Real Estate <3.5.2 - Privilege Escalation
Incorrect Privilege Assignment vulnerability in contempoinc Real Estate 7 realestate-7 allows Privilege Escalation.This issue affects Real Estate 7: from n/a through <= 3.5.2.
CVSS 7.3
CVE-2026-1405 NOMISEC CRITICAL WORKING POC
Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload via slider_future_handle_image_upload
The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS 9.8
CVE-2025-4796 GITHUB HIGH python WORKING POC
Eventin < 4.0.35 - Unauthenticated Privilege Escalation via SpeakerController Email Update
The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
CVSS 8.8
CVE-2025-6758 GITHUB CRITICAL python WORKING POC
Imithemes Real Spaces - WordPress Properties Directory Theme <= 3.6 - Privilege Escalation
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration.
CVSS 9.8