Github Exploits
1,000 exploits tracked across all sources.
bitto.Kazi Custom Login And Signup Widget <1.0 - Code Injection
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through <= 1.0.
by Boshe99
CVSS 9.1
StoreKeeper <14.4.4 - Unrestricted Upload
Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files.This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4.
by Boshe99
CVSS 10.0
Holest Engineering Spreadsheet Price Changer <2.4.37 - Privilege Es...
Incorrect Privilege Assignment vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Privilege Escalation.This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.
by Boshe99
CVSS 9.8
Themewinter Eventin < 4.0.35 - IDOR
The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
by Boshe99
CVSS 8.8
Gilblas Ngunte Possi PSW Front-end Login & Registration <1.13 - Inf...
Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration allows Password Recovery Exploitation.This issue affects PSW Front-end Login & Registration: from n/a through <= 1.13.
by Boshe99
CVSS 9.8
Themewinter Eventin < 4.0.27 - Incorrect Privilege Assignment
Incorrect Privilege Assignment vulnerability in Arraytics Eventin wp-event-solution allows Privilege Escalation.This issue affects Eventin: from n/a through <= 4.0.26.
by Boshe99
CVSS 9.8
Profitori WordPress <2.1.1.3 - Privilege Escalation
The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. This makes it possible to trigger the save_object_as_user() function for objects whose '_datatype' is set to 'users',. This allows unauthenticated attackers to write arbitrary strings straight into the user’s wp_capabilities meta field, potentially elevating the privileges of an existing user account or a newly created one to that of an administrator.
by Boshe99
CVSS 9.8
Najeebmedia Simple User Registration - Improper Privilege Management
The Simple User Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3. This is due to insufficient restrictions on user meta values that can be supplied during registration. This makes it possible for unauthenticated attackers to register as an administrator.
by Boshe99
CVSS 9.8
WordPress CSV Mass Importer <1.2 - Privilege Escalation
The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
by Boshe99
CVSS 7.2
WPFactory Custom CSS, JS & PHP <2.4.1 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP custom-css allows Remote Code Inclusion.This issue affects Custom CSS, JS & PHP: from n/a through <= 2.4.1.
by Boshe99
CVSS 9.6
Quentn WP <1.2.8 - Privilege Escalation
Weak Authentication vulnerability in Quentn.com GmbH Quentn WP quentn-wp allows Privilege Escalation.This issue affects Quentn WP: from n/a through <= 1.2.8.
by Boshe99
CVSS 9.8
WP-Advanced-Search <3.3.9.3 - Code Injection
Unrestricted Upload of File with Dangerous Type vulnerability in Mathieu Chartier WP-Advanced-Search wp-advanced-search allows Upload a Web Shell to a Web Server.This issue affects WP-Advanced-Search: from n/a through <= 3.3.9.4.
by Boshe99
CVSS 6.6
aidraw I Draw <1.0 - RCE
Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw idraw allows Using Malicious Files.This issue affects I Draw: from n/a through <= 1.0.
by Boshe99
CVSS 9.1
WordPress <1.5 - RCE
The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. This is due to a lack of validation on the type of function that can be called. This makes it possible for unauthenticated attackers to execute any callable function on the site, such as phpinfo().
by Boshe99
CVSS 8.3
Frontend Login & Registration Blocks <1.0.7 - Privilege Escalation
The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the flr_blocks_user_settings_handle_ajax_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
by Boshe99
CVSS 9.8
Flynax Bridge < 2.2.0 - Missing Authorization
The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
by Boshe99
CVSS 9.8
RomanCode MapSVG Lite <8.5.34 - RCE
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Upload a Web Shell to a Web Server.This issue affects MapSVG: from n/a through <= 8.6.4.
by Boshe99
CVSS 9.9
Anant Addons for Elementor <1.1.5 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in anantaddons Anant Addons for Elementor anant-addons-for-elementor allows Cross Site Request Forgery.This issue affects Anant Addons for Elementor: from n/a through <= 1.1.8.
by Boshe99
CVSS 9.6
termel PDF 2 Post <2.4.0 - Code Injection
Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post pdf2post allows Remote Code Inclusion.This issue affects PDF 2 Post: from n/a through <= 2.4.0.
by Boshe99
CVSS 9.9
SoftClever Limited Sync Posts <1.0 - RCE
Unrestricted Upload of File with Dangerous Type vulnerability in SoftClever Limited Sync Posts sync-posts allows Upload a Web Shell to a Web Server.This issue affects Sync Posts: from n/a through <= 1.0.
by Boshe99
CVSS 9.9
LABCAT Processing Projects <1.0.2 - RCE
Unrestricted Upload of File with Dangerous Type vulnerability in LABCAT Processing Projects processing-projects allows Upload a Web Shell to a Web Server.This issue affects Processing Projects: from n/a through <= 1.0.2.
by Boshe99
CVSS 9.1
Nirmal Kumar Ram WP Remote Thumbnail <1.3.1 - RCE
Unrestricted Upload of File with Dangerous Type vulnerability in Nirmal Kumar Ram WP Remote Thumbnail wp-remote-thumbnail allows Upload a Web Shell to a Web Server.This issue affects WP Remote Thumbnail: from n/a through <= 1.3.2.
by Boshe99
CVSS 9.9
NiteoThemes CMP - Unrestricted Upload
Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance cmp-coming-soon-maintenance allows Using Malicious Files.This issue affects CMP – Coming Soon & Maintenance: from n/a through <= 4.1.14.
by Boshe99
CVSS 9.1
Buddypress Humanity <1.2 - CSRF
Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity buddypress-humanity allows Cross Site Request Forgery.This issue affects Buddypress Humanity: from n/a through <= 1.2.
by Boshe99
CVSS 9.8
SureTriggers - All-in-One Automation Platform < 1.0.78 - Authentication Bypass
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
by Boshe99
CVSS 8.1
By Source