Việt Hùng

2 exploits, active since Apr 2022
CVE-2022-1329 NOMISEC HIGH WORKING POC
Elementor Website Builder 3.6.0-3.6.2 - Authenticated Remote Code Execution via Onboarding Module AJAX Actions
The Elementor Website Builder plugin for WordPress, in versions 3.6.0 to 3.6.2, is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it possible for attackers to modify site data and to upload malicious files that can be used to obtain remote code execution.
CVSS 8.8
CVE-2022-1565 NOMISEC HIGH WORKING POC
WP All Import < 3.6.8 - Authenticated Arbitrary File Upload via wp_all_import_get_gz.php
The WP All Import plugin is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator-level permissions and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
CVSS 7.2