inc2734

3 exploits Active since Mar 2024
CVE-2025-10137 WRITEUP MEDIUM
Snow Monkey <= 29.1.5 - Unauthenticated Server-Side Request Forgery via request() Function
The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS 5.4
CVE-2024-1995 WRITEUP MEDIUM
Smart Custom Fields <= 4.2.2 - Authenticated Unauthorized Data Access via relational_posts_search()
The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve post content that is password protected and/or private.
CVSS 4.3
CVE-2025-10137 WRITEUP MEDIUM
Snow Monkey <= 29.1.5 - Unauthenticated Server-Side Request Forgery via request() Function
The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS 5.4