Text Exploits

31,394 exploits tracked across all sources.

Sort: Activity Stars
EIP-2026-114180 EXPLOITDB text VERIFIED
WordPress Plugin W3 Total Cache - 'admin.php' Cross-Site Request Forgery
by Voxel@Night
EIP-2026-113612 EXPLOITDB text
WordPress Plugin Bulk Delete Users by Email 1.0 - Cross-Site Request Forgery
by Fikri Fadzil
EIP-2026-113008 EXPLOITDB text
vBulletin 5.1.x - Persistent Cross-Site Scripting
by smash
CVE-2014-6050 EXPLOITDB MEDIUM text
phpmyfaq < 2.8.13 - CAPTCHA Bypass via Request Replay
phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request.
by smash
CVSS 5.3
EIP-2026-110373 EXPLOITDB text VERIFIED
osCommerce 2.3.4 - Multiple Vulnerabilities
by smash
CVE-2014-2009 EXPLOITDB text
mpay24 < 1.5.1 - Unauthenticated Sensitive Information Exposure via Direct Request to API Log
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.
by Wireghoul
EIP-2026-105277 EXPLOITDB text VERIFIED
Atmail Webmail 7.2 - Multiple Vulnerabilities
by smash
EIP-2026-104291 EXPLOITDB text
Jenkins 1.578 - Multiple Vulnerabilities
by JoeV
EIP-2026-102075 EXPLOITDB text
TP-Link TL-WR841N / TL-WR841ND - Multiple Vulnerabilities
by smash
EIP-2026-102067 EXPLOITDB text
TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities
by smash
EIP-2026-114086 EXPLOITDB text VERIFIED
WordPress Plugin Spider Facebook - 'facebook.php' SQL Injection
by Claudio Viviani
EIP-2026-113867 EXPLOITDB text VERIFIED
WordPress Plugin Like Dislike Counter 1.2.3 - SQL Injection
by Att4ck3r.ir
CVE-2014-100017 EXPLOITDB text
PhpOnlineChat 3.0 - Cross-Site Scripting via Canned Operator Message Field
Cross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlineChat 3.0 allows remote attackers to inject arbitrary web script or HTML via the message field.
by N0 Feel
CVE-2014-5140 EXPLOITDB HIGH text
Loaded Commerce 7 - Authenticated SQL Injection via Address Book Fields
The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book.
by Breaking.Technology
CVSS 8.8
EIP-2026-107918 EXPLOITDB text
Invision Power Board (IP.Board) 3.x - Cross-Site Request Forgery / Token Hjiacking
by Piotr S.
EIP-2026-113981 EXPLOITDB text
WordPress Plugin Premium Gallery Manager - Configuration Access
by Hannaichi
EIP-2026-109740 EXPLOITDB text
MyBB User Social Networks Plugin 1.2 - Persistent Cross-Site Scripting
by Fikri Fadzil
CVE-2014-7153 EXPLOITDB text
Huge-IT Image Gallery <1.0.1 - SQL Injection
SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php.
by Claudio Viviani
CVE-2014-6070 EXPLOITDB text
Adiscon LogAnalyzer < 3.6.6 - Cross-Site Scripting via Hostname Parameter
Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php.
by Dolev Farhi
CVE-2014-9734 EXPLOITDB text VERIFIED
Slider Revolution <4.2 - Path Traversal
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
by Hugo Santiago
CVE-2014-6037 EXPLOITDB text
ManageEngine EventLog Analyzer 9.0/8.2 - Remote Code Execution via ZIP Traversal
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.
by Hans-Martin Muench
CVE-2014-5460 EXPLOITDB text
Tribulant Slideshow Gallery < 1.4.7 - Authenticated Arbitrary File Upload
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.
by Jesus Ramirez Pichardo
CVE-2015-1579 EXPLOITDB text VERIFIED
Elegant Themes Divi - Path Traversal
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
by Hugo Santiago
CVE-2014-5469 EXPLOITDB text VERIFIED
Arachni Web Application Scanner Web UI - Persistent Cross-Site Scripting
by Prakhar Prasad
CVE-2014-6043 EXPLOITDB text
ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 - Authenticated Database Access via Direct Request
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
by Hans-Martin Muench