ZSECURE

2 exploits
Active since May 2022
CVE-2024-4351 NOMISEC HIGH WORKING POC
Tutor LMS Pro <= 2.7.0 - Authenticated Missing Authorization in Authenticate Function
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account.
CVSS 8.8
CVE-2022-29359 NOMISEC MEDIUM WORKING POC
School Club Application System 0.1 - Stored Cross-Site Scripting via Firstname Parameter
A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.
CVSS 6.1