Exploitdb Exploits
31,337 exploits tracked across all sources.
WordPress Plugin Spider Facebook - 'facebook.php' SQL Injection
by Claudio Viviani
WordPress Plugin Like Dislike Counter 1.2.3 - SQL Injection
by Att4ck3r.ir
Phponlinechat - XSS
Cross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlineChat 3.0 allows remote attackers to inject arbitrary web script or HTML via the message field.
by N0 Feel
Loadedcommerce Loaded7 - SQL Injection
The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book.
by Breaking.Technology
CVSS 8.8
Invision Power Board (IP.Board) 3.x - Cross-Site Request Forgery / Token Hijacking
by Piotr S.
WordPress Plugin Premium Gallery Manager - Configuration Access
by Hannaichi
MyBB User Social Networks Plugin 1.2 - Persistent Cross-Site Scripting
by Fikri Fadzil
Huge-IT Image Gallery < 1.0.1 - SQL Injection
SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php.
by Claudio Viviani
Adiscon Loganalyzer < 3.6.5 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php.
by Dolev Farhi
Slider Revolution < 4.2 - Path Traversal
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
by Hugo Santiago
Zohocorp Manageengine Eventlog Analyzer - Path Traversal
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.
by Hans-Martin Muench
Tribulant Slideshow Gallery - Improper Input Validation
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.
by Jesus Ramirez Pichardo
Elegant Themes Divi - Path Traversal
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
by Hugo Santiago
Arachni Web Application Scanner Web UI - Persistent Cross-Site Scripting
by Prakhar Prasad
Zohocorp Manageengine Eventlog Analyzer - Access Control
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
by Hans-Martin Muench
Zohocorp Manageengine Desktop Central < 9.0 - Path Traversal
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.
by Pedro Ribeiro
CVSS 9.8
F5 Arx - Authentication Bypass
The rsync daemon in F5 BIG-IP 11.6 before 11.6.0, 11.5.1 before HF3, 11.5.0 before HF4, 11.4.1 before HF4, 11.4.0 before HF7, 11.3.0 before HF9, and 11.2.1 before HF11 and Enterprise Manager 3.x before 3.1.1 HF2, when configured in failover mode, does not require authentication, which allows remote attackers to read or write to arbitrary files via a cmi request to the ConfigSync IP address.
by Security-Assessment.com
Werdswords Download Shortcode < 0.2.3 - Path Traversal
Directory traversal vulnerability in force-download.php in the Download Shortcode plugin 0.2.3 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
by Mehdi Karout & Christian Galeone
Manageengine Device Expert < 5.9 - Information Disclosure
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
by Pedro Ribeiro
WordPress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities
by Mike Manzotti
Joomla! Component spidervideoplayer - 'theme' SQL Injection
by Claudio Viviani
Ntopng < 1.2.0 - XSS
Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
by Steffen Bauch