Tom Adams

15 exploits, active since Jun 2014
CVE-2014-2559 EXPLOITDB WORKING POC
Twitget <3.3.3 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that change unspecified plugin options via a request to wp-admin/options-general.php.
CVE-2015-10133 METASPLOIT HIGH ruby WORKING POC
Subscribe to Comments for WordPress <=2.1.2 - Local File Inclusion
The Subscribe to Comments plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the "Path to header" setting. This allows authenticated attackers with administrative privileges to include and execute arbitrary files on the server, running any PHP code those files contain. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and then included.
CVSS 7.2
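The pattern behind this entry is an admin-supplied path handed straight to include(). The block below is an added example, not the plugin's code: it shows the vulnerable shape next to a hardened version that canonicalises the value with realpath(), pins it under the active theme directory, rejects stream wrappers and NUL bytes, and only accepts .php files, both at render time and in the option's sanitize_callback so a bad value never reaches the options table. The option name and function names (stc_example_*) are assumptions for illustration.

```php
<?php
// Added example, not the Subscribe to Comments plugin's own code.
// Option name 'stc_example_path_to_header' and the stc_example_* functions are illustrative.

// Vulnerable: the admin-controlled option is passed directly to include().
// Any readable file is executed or emitted, e.g. an uploaded "image" that
// contains PHP, or /etc/passwd for disclosure.
function stc_example_render_header_vulnerable() {
    $path = get_option( 'stc_example_path_to_header' );
    if ( ! empty( $path ) ) {
        include( $path );
    }
}

// Returns the canonical path if $requested resolves to a .php file inside
// $base, otherwise false. Handles ../ traversal, symlinks out of $base,
// php://, data:// and similar wrappers, and embedded NUL bytes.
function stc_example_safe_header_path( $requested, $base ) {
    if ( ! is_string( $requested ) || $requested === '' ) {
        return false;
    }
    if ( strpos( $requested, "\0" ) !== false ) {
        return false;
    }
    if ( preg_match( '#^[a-z][a-z0-9+.\-]*://#i', $requested ) ) {
        return false; // stream wrapper
    }
    $base = realpath( $base );
    if ( $base === false ) {
        return false;
    }
    $real = realpath( rtrim( $base, '/\\' ) . '/' . ltrim( $requested, '/\\' ) );
    if ( $real === false ) {
        return false; // does not exist
    }
    if ( strpos( $real, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false; // escaped the base directory via ../ or a symlink
    }
    if ( strtolower( pathinfo( $real, PATHINFO_EXTENSION ) ) !== 'php' ) {
        return false; // uploads like .jpg are never includable
    }
    return $real;
}

// Hardened render: fall back silently if the stored value is not acceptable.
function stc_example_render_header_hardened() {
    $requested = get_option( 'stc_example_path_to_header', '' );
    $real      = stc_example_safe_header_path( $requested, get_stylesheet_directory() );
    if ( $real === false ) {
        return;
    }
    include $real;
}

// Validate on save as well, so the options table never holds a bad path.
add_action( 'admin_init', function () {
    register_setting( 'stc_example_options', 'stc_example_path_to_header', array(
        'type'              => 'string',
        'sanitize_callback' => function ( $value ) {
            $value = sanitize_text_field( (string) $value );
            $ok    = stc_example_safe_header_path( $value, get_stylesheet_directory() );
            return $ok ? $value : '';
        },
        'default'           => '',
    ) );
} );
```

The realpath() step is what makes the check meaningful: a plain string prefix test on the raw value is bypassable with `../` and with symlinks, and the extension test only holds after canonicalisation, since a NUL byte or a trailing `/.` would otherwise confuse it. Requiring `manage_options` to reach the settings page at all is still necessary, but as this entry shows, an administrator-only setting is not a safe place for an unconstrained filesystem path.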
CVE-2014-2995 EXPLOITDB text WORKING POC
Twitget <3.3.3 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors, as demonstrated by the twitget_consumer_key parameter to wp-admin/options-general.php.
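An administrator-only stored XSS in a settings field is low impact on its own (single-site admins hold unfiltered_html), but paired with the CSRF in the same plugin version (CVE-2014-2559 above) the attacker does not need to be the admin, only to get the admin to load a page. The following is an added example and not Twitget's code: a consumer-key field echoed back unescaped, beside the hardened form that escapes on output with esc_attr() and restricts the stored value on save. The option name and the twg_example_* names are assumptions; the assumption that a consumer key is a short alphanumeric token is also illustrative.

```php
<?php
// Added example, not the Twitget plugin's own code.
// 'twg_example_consumer_key' and the twg_example_* functions are illustrative.

// Vulnerable: the stored value is interpolated into an attribute unescaped.
// A value such as   " autofocus onfocus=alert(document.cookie) x="
// closes the attribute and runs for every admin who opens the settings page.
function twg_example_key_field_vulnerable() {
    $key = get_option( 'twg_example_consumer_key', '' );
    echo '<input type="text" name="twg_example_consumer_key" value="' . $key . '">';
}

// Hardened: escape at the point of output. esc_attr() encodes ", ', <, > and &
// so the value cannot break out of the attribute regardless of what is stored.
function twg_example_key_field_hardened() {
    $key = get_option( 'twg_example_consumer_key', '' );
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( 'twg_example_consumer_key' ),
        esc_attr( $key )
    );
}

// Also constrain what can be stored. Output escaping is the control that
// stops the XSS; the sanitize_callback limits what an attacker gains even if
// an output site is missed somewhere else in the plugin.
add_action( 'admin_init', function () {
    register_setting( 'twg_example_options', 'twg_example_consumer_key', array(
        'type'              => 'string',
        'sanitize_callback' => function ( $value ) {
            $value = sanitize_text_field( (string) $value );
            // Assumed format for illustration: 1-64 alphanumeric characters.
            return preg_match( '/^[A-Za-z0-9]{1,64}$/', $value ) ? $value : '';
        },
        'default'           => '',
    ) );
} );
```

Escaping belongs at output, chosen for the context (esc_attr() inside attributes, esc_html() in text nodes, esc_url() in href/src); input sanitization is a second layer, not a substitute, because the same option may be printed in more than one context.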
EIP-2026-113754 EXPLOITDB html WORKING POC
WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting
EIP-2026-113755 EXPLOITDB html WORKING POC
WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting
CVE-2014-4030 EXPLOITDB text WRITEUP
JW Player <2.1.4 - CSRF
Cross-site request forgery (CSRF) vulnerability in the JW Player plugin before 2.1.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that remove players via a delete action to wp-admin/admin.php.
CVE-2014-6312 EXPLOITDB text WORKING POC
Login Widget With Shortcode <3.2.1 - CSRF
Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the custom_style_afo parameter on the login_widget_afo page to wp-admin/options-general.php.
EIP-2026-113605 EXPLOITDB text WRITEUP
WordPress Plugin BP Group Documents 1.2.1 - Multiple Vulnerabilities
EIP-2026-113912 EXPLOITDB html WORKING POC
WordPress Plugin Multisite Post Duplicator 0.9.5.1 - Cross-Site Request Forgery
EIP-2026-113925 EXPLOITDB text WORKING POC
WordPress Plugin NextGEN Gallery - 'jqueryFileTree.php' Directory Traversal
CVE-2014-2598 EXPLOITDB text WORKING POC
WordPress Quick Page/Post Redirect <5.0.5 - CSRF
Cross-site request forgery (CSRF) vulnerability in the Quick Page/Post Redirect plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the quickppr_redirects[request][] parameter in the redirect-updates page to wp-admin/admin.php.
EIP-2026-113994 EXPLOITDB html WORKING POC
WordPress Plugin Quiz And Survey Master 4.5.4/4.7.8 - Cross-Site Request Forgery
EIP-2026-113891 EXPLOITDB html WORKING POC
WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery
EIP-2026-113610 EXPLOITDB text WORKING POC
WordPress Plugin BuddyPress Activity Plus 1.5 - Cross-Site Request Forgery
CVE-2014-4163 EXPLOITDB text WORKING POC
WordPress Featured Comments 1.2.1 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in the Featured Comments plugin 1.2.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that change the (1) buried or (2) featured status of a comment via a request to wp-admin/admin-ajax.php.
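Every CSRF entry on this page (Twitget, JW Player, Login Widget With Shortcode, Quick Page/Post Redirect, Featured Comments, and the exploit-db PoCs for Firewall 2, Multisite Post Duplicator, Quiz And Survey Master, Metronet Tag Manager and BuddyPress Activity Plus) has the same root cause: a handler under wp-admin/ that acts on any POST or GET carrying the administrator's session cookie, with no proof the request came from a page the site served. The exploit is a page on another origin that auto-submits a form at the handler; where the written value is later echoed unescaped (the Login Widget and Quick Page/Post Redirect entries), the CSRF becomes stored XSS. The block below is an added example and not any of the listed plugins' code: a vulnerable admin-post handler, then the hardened form plus handler using a WordPress nonce and a capability check, and the equivalent for an admin-ajax.php action as in the Featured Comments entry. Hook names, option names, nonce actions and the csrf_example_* names are assumptions for illustration.

```php
<?php
// Added example, not code from any plugin listed on this page.
// The csrf_example_* hook, option and nonce names are illustrative.

// Vulnerable: trusts the session cookie alone. A form on evil.example that
// POSTs action=csrf_example_save_vuln&csrf_example_style=<payload> to
// wp-admin/admin-post.php is accepted as long as the victim is logged in.
add_action( 'admin_post_csrf_example_save_vuln', function () {
    if ( isset( $_POST['csrf_example_style'] ) ) {
        update_option( 'csrf_example_style', wp_unslash( $_POST['csrf_example_style'] ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=csrf-example' ) );
    exit;
} );

// Hardened form: wp_nonce_field() emits a hidden token tied to the action,
// the logged-in user and the session, which a cross-origin page cannot read.
function csrf_example_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'csrf_example_save', 'csrf_example_nonce' );
    echo '<input type="hidden" name="action" value="csrf_example_save">';
    echo '<input type="text" name="csrf_example_style" value="'
        . esc_attr( get_option( 'csrf_example_style', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

// Hardened handler: capability check, nonce check, then sanitize.
// check_admin_referer() calls wp_die() when the nonce is missing or invalid.
add_action( 'admin_post_csrf_example_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'csrf_example_save', 'csrf_example_nonce' );
    $style = isset( $_POST['csrf_example_style'] )
        ? sanitize_text_field( wp_unslash( $_POST['csrf_example_style'] ) )
        : '';
    update_option( 'csrf_example_style', $style );
    wp_safe_redirect( admin_url( 'options-general.php?page=csrf-example' ) );
    exit;
} );

// admin-ajax.php handlers need the same two checks. check_ajax_referer()
// responds 403 and exits on a bad nonce; the per-object capability check
// stops a logged-in low-privilege user from featuring comments directly.
add_action( 'wp_ajax_csrf_example_feature_comment', function () {
    check_ajax_referer( 'csrf_example_feature', 'nonce' );
    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    if ( ! $comment_id || ! current_user_can( 'edit_comment', $comment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_comment_meta( $comment_id, 'csrf_example_featured', 1 );
    wp_send_json_success();
} );
// The calling script obtains the token from wp_create_nonce( 'csrf_example_feature' ),
// typically passed to the page with wp_localize_script(), and sends it as the
// "nonce" POST field.
```

Two caveats a reviewer would check. The nonce must be verified on every state-changing path, including ones reached by GET such as the JW Player delete action above; a nonce in the form but no check in the handler protects nothing. And the nonce is not an authorization check: the capability test is still required, because any logged-in user can obtain a valid nonce for their own session.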