Panagiotis Vagenas

23 exploits Active since May 2015
CVE-2019-25734 EXPLOITDB MEDIUM html WORKING POC
Contact Form by WD 1.13.1 CSRF to Local File Inclusion
Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions.
CVSS 4.0
CVE-2015-4038 EXPLOITDB WRITEUP
Wpmembership - Access Control
The WP Membership plugin 1.2.3 for WordPress allows remote authenticated users to gain administrator privileges via an iv_membership_update_user_settings action to wp-admin/admin-ajax.php.
CVE-2015-4153 EXPLOITDB text WRITEUP
zM Ajax Login & Register < 1.0.9 - Path Traversal via Template Parameter
Directory traversal vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to include and execute arbitrary php files via a relative path in the template parameter in a load_template action to wp-admin/admin-ajax.php.
EIP-2026-114158 EXPLOITDB text WORKING POC
WordPress Plugin User Meta Manager 3.4.6 - Privilege Escalation
EIP-2026-114163 EXPLOITDB text WRITEUP
WordPress Plugin Users Ultra 1.5.50 - Blind SQL Injection
EIP-2026-114164 EXPLOITDB text WORKING POC
WordPress Plugin Users Ultra 1.5.50 - Persistent Cross-Site Scripting
EIP-2026-114165 EXPLOITDB WORKING POC
WordPress Plugin Users Ultra 1.5.50 - Unrestricted Arbitrary File Upload
EIP-2026-114193 EXPLOITDB python WORKING POC
WordPress Plugin WooCommerce Store Toolkit 1.5.5 - Privilege Escalation
EIP-2026-114199 EXPLOITDB text WORKING POC
WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery
CVE-2015-4039 EXPLOITDB MEDIUM text WRITEUP
WP Membership 1.2.3 - Authenticated Cross-Site Scripting via Profile Fields or New Post Content
Multiple cross-site scripting (XSS) vulnerabilities in the WP Membership plugin 1.2.3 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via unspecified (1) profile fields or (2) new post content. NOTE: CVE-2015-4038 can be used to bypass the administrator confirmation step for vector 2.
CVSS 5.4
EIP-2026-114245 EXPLOITDB python WORKING POC
WordPress Plugin WP User Frontend < 2.3.11 - Unrestricted Arbitrary File Upload
CVE-2015-4465 EXPLOITDB text WRITEUP
Zanematthew ZM Ajax Login & Register < 1.0.9 - XSS
Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
EIP-2026-114071 EXPLOITDB text WORKING POC
WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery
EIP-2026-114156 EXPLOITDB text WORKING POC
WordPress Plugin User Meta Manager 3.4.6 - Blind SQL Injection
EIP-2026-114157 EXPLOITDB text WORKING POC
WordPress Plugin User Meta Manager 3.4.6 - Information Disclosure
EIP-2026-113642 EXPLOITDB text WORKING POC
WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion
EIP-2026-113643 EXPLOITDB text WORKING POC
WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion
EIP-2026-113732 EXPLOITDB python WORKING POC
WordPress Plugin Extra User Details 0.4.2 - Privilege Escalation
CVE-2015-4084 EXPLOITDB text WRITEUP
Free Counter 1.1 - Cross-Site Scripting via value_ Parameter
Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php.
EIP-2026-113611 EXPLOITDB text WORKING POC
WordPress Plugin Bulk Delete 5.5.3 - Privilege Escalation
EIP-2026-113537 EXPLOITDB text WORKING POC
WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation
EIP-2026-113632 EXPLOITDB text WORKING POC
WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation
EIP-2026-102608 EXPLOITDB WRITEUP
Gnome Nautilus 3.16 - Denial of Service