Roberto Soares Espreto

30 exploits Active since Aug 2014
CVE-2015-9499 WRITEUP CRITICAL WORKING POC
Showbiz Pro < 1.7.1 - Unauthenticated PHP File Upload via ZIP Archive
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
CVSS 9.8
CVE-2015-20067 WRITEUP HIGH WORKING POC
WP Attachment Export < 0.2.4 - Unauthenticated Sensitive Data Exposure via XML Export
The WP Attachment Export WordPress plugin before 0.2.4 does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a Wordpress
CVSS 7.5
CVE-2025-34126 METASPLOIT HIGH ruby WORKING POC
RIPS Scanner <0.54 - Path Traversal
A path traversal vulnerability exists in RIPS Scanner version 0.54. The vulnerability allows remote attackers to read arbitrary files on the system with the privileges of the web server by sending crafted HTTP GET requests to the 'windows/code.php' script with a manipulated 'file' parameter. This can lead to disclosure of sensitive information.
CVE-2015-9406 METASPLOIT HIGH ruby WORKING POC
mTheme-Unus < 2.3 - Path Traversal via CSS File Parameter
Directory traversal vulnerability in the mTheme-Unus theme before 2.3 for WordPress allows an attacker to read arbitrary files via a .. (dot dot) in the files parameter to css/css.php.
CVSS 7.5
CVE-2015-9538 METASPLOIT MEDIUM ruby WORKING POC
NextGEN Gallery < 2.1.15 - Path Traversal via Path Selection
The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Directory Traversal in path selection.
CVSS 6.5
CVE-2014-9707 METASPLOIT ruby WORKING POC
EmbedThis GoAhead <3.4.1 - Path Traversal
EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI.
CVE-2015-10133 METASPLOIT HIGH ruby WORKING POC
Subscribe to Comments for WordPress <=2.1.2 - Local File Inclusion
The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code.
CVSS 7.2
CVE-2014-8799 METASPLOIT ruby WORKING POC
dukapress < 2.5.3 - Path Traversal via src Parameter in dp_image.php
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
CVE-2014-5337 METASPLOIT ruby WORKING POC
WordPress Mobile Pack < 2.0.2 - Unauthenticated Information Disclosure via Export Articles Action
The WordPress Mobile Pack plugin before 2.0.2 for WordPress does not properly restrict access to password protected posts, which allows remote attackers to obtain sensitive information via an exportarticles action to export/content.php.
CVE-2015-10136 METASPLOIT HIGH ruby WORKING POC
GI-Media Library <3.0 - Path Traversal
The GI-Media Library plugin for WordPress is vulnerable to Directory Traversal in versions before 3.0 via the 'fileid' parameter. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS 7.5
CVE-2017-12635 METASPLOIT CRITICAL ruby SCANNER
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
CVSS 9.8
CVE-2014-7816 METASPLOIT ruby WORKING POC
WildFly Directory Traversal
Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.
CVE-2015-10134 METASPLOIT HIGH ruby WORKING POC
Simple Backup <2.7.10 - Arbitrary File Download
The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10. via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site.
CVSS 7.5
CVE-2014-5460 METASPLOIT ruby WORKING POC
Tribulant Slideshow Gallery < 1.4.7 - Authenticated Arbitrary File Upload
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.
CVE-2015-10135 METASPLOIT CRITICAL ruby WORKING POC
WPshop 2 - E-Commerce < 1.3.9.6 - Unauthenticated Arbitrary File Upload via ajaxUpload Function
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
CVSS 9.8
CVE-2015-10140 METASPLOIT HIGH ruby WORKING POC
Ajax Load More <2.8.1.2 - Auth Bypass
The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files.
CVSS 8.8
CVE-2015-10138 METASPLOIT CRITICAL ruby WORKING POC
The Work The Flow File Upload plugin - Path Traversal
The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
CVSS 9.8
CVE-2012-10019 METASPLOIT CRITICAL ruby WORKING POC
Front End Editor <2.3 - File Upload
The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
CVSS 9.8
CVE-2015-10137 METASPLOIT CRITICAL ruby WORKING POC
Website Contact Form With File Upload <1.3.4 - RCE
The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
CVSS 9.8
CVE-2015-7309 METASPLOIT ruby WORKING POC
Bolt < 2.2.5 - Authenticated Remote Code Execution via Theme Editor File Rename
The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authenticated users to execute arbitrary code by renaming a crafted file and then directly accessing it.
CVE-2015-4133 METASPLOIT ruby WORKING POC
reflex_gallery < 3.1.3 - Unauthenticated Arbitrary PHP File Upload via FileUploader
Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in uploads/ directory.
CVE-2014-8739 METASPLOIT CRITICAL ruby WORKING POC
Creative Contact Form < 1.0.0 - Unauthenticated Arbitrary File Upload via jQuery File Upload Plugin
Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.
CVSS 9.8
CVE-2015-6967 METASPLOIT ruby WORKING POC
Nibbleblog < 4.0.4 - Remote Code Execution via My Image Plugin File Upload
Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.
CVE-2015-7309 EXPLOITDB ruby WORKING POC
Bolt < 2.2.5 - Authenticated Remote Code Execution via Theme Editor File Rename
The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authenticated users to execute arbitrary code by renaming a crafted file and then directly accessing it.
EIP-2026-104793 EXPLOITDB ruby WORKING POC
WordPress Plugin Work The Flow - Arbitrary File Upload (Metasploit)