Renos Nikolaou

7 exploits, active since Aug 2018
CVE-2018-18382 EXPLOITDB HIGH text WORKING POC
Advanced HRM 1.6 - Remote Code Execution via User Avatar Upload
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVSS 8.8
CVE-2018-17140 EXPLOITDB MEDIUM text WORKING POC
Quizlord < 2.0 - Stored Cross-Site Scripting via Title Parameter in ql_insert Action
The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS via the title parameter in a ql_insert action to wp-admin/admin.php.
CVSS 5.4
CVE-2018-17139 EXPLOITDB HIGH text WORKING POC
UltimatePOS 2.5 - Unauthenticated Remote Code Execution via Arbitrary File Upload
UltimatePOS 2.5 allows users to upload arbitrary files, which leads to remote command execution by posting to a /products URI with PHP code in a .php file with the image/jpeg content type.
CVSS 8.8
CVE-2018-17138 EXPLOITDB MEDIUM text WORKING POC
Jibu Pro < 1.7 - Stored Cross-Site Scripting via Quiz Name Field
The Jibu Pro plugin through 1.7 for WordPress is prone to Stored XSS via the wp-content/plugins/jibu-pro/quiz_action.php name (aka Quiz Name) field.
CVSS 5.4
CVE-2018-17110 EXPLOITDB CRITICAL text WORKING POC
Simple POS 4.0.24 - SQL Injection via Management Panel Search Parameter
Simple POS 4.0.24 allows SQL Injection via a products/get_products/ columns[0][search][value] parameter in the management panel, as demonstrated by products/get_products/1.
CVSS 9.8
CVE-2018-16159 EXPLOITDB CRITICAL text WORKING POC
Gift Vouchers < 2.0.1 - SQL Injection via template_id Parameter
The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request.
CVSS 9.8
EIP-2026-114182 EXPLOITDB text WORKING POC
WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)