Text Exploits
31,394 exploits tracked across all sources.
WordPress Plugin W3 Total Cache - 'admin.php' Cross-Site Request Forgery
by Voxel@Night
WordPress Plugin Bulk Delete Users by Email 1.0 - Cross-Site Request Forgery
by Fikri Fadzil
phpmyfaq < 2.8.13 - CAPTCHA Bypass via Request Replay
phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request.
by smash
CVSS 5.3
mpay24 < 1.5.1 - Unauthenticated Sensitive Information Exposure via Direct Request to API Log
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.
by Wireghoul
WordPress Plugin Spider Facebook - 'facebook.php' SQL Injection
by Claudio Viviani
WordPress Plugin Like Dislike Counter 1.2.3 - SQL Injection
by Att4ck3r.ir
PhpOnlineChat 3.0 - Cross-Site Scripting via Canned Operator Message Field
Cross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlineChat 3.0 allows remote attackers to inject arbitrary web script or HTML via the message field.
by N0 Feel
Loaded Commerce 7 - Authenticated SQL Injection via Address Book Fields
The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book.
by Breaking.Technology
CVSS 8.8
Invision Power Board (IP.Board) 3.x - Cross-Site Request Forgery / Token Hjiacking
by Piotr S.
WordPress Plugin Premium Gallery Manager - Configuration Access
by Hannaichi
MyBB User Social Networks Plugin 1.2 - Persistent Cross-Site Scripting
by Fikri Fadzil
Huge-IT Image Gallery <1.0.1 - SQL Injection
SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php.
by Claudio Viviani
Adiscon LogAnalyzer < 3.6.6 - Cross-Site Scripting via Hostname Parameter
Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php.
by Dolev Farhi
Slider Revolution <4.2 - Path Traversal
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
by Hugo Santiago
ManageEngine EventLog Analyzer 9.0/8.2 - Remote Code Execution via ZIP Traversal
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.
by Hans-Martin Muench
Tribulant Slideshow Gallery < 1.4.7 - Authenticated Arbitrary File Upload
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.
by Jesus Ramirez Pichardo
Elegant Themes Divi - Path Traversal
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.
by Hugo Santiago
Arachni Web Application Scanner Web UI - Persistent Cross-Site Scripting
by Prakhar Prasad
ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 - Authenticated Database Access via Direct Request
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
by Hans-Martin Muench
By Source