Text Exploits
31,386 exploits tracked across all sources.
WordPress Plugin Cookie Law Bar 1.2.1 Stored XSS via clb_bar_msg
Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Attackers can inject script payloads through the plugin settings page that execute in the browsers of all WordPress users viewing the site, enabling cookie theft and sensitive data exfiltration.
by Mesut Cetin
CVSS 6.4
Gadget Works Online Ordering System 1.0 - Cross-Site Scripting via Category Parameter
A Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Gadget Works Online Ordering System in PHP/MySQLi 1.0 via the Category parameter in an add function in category/index.php.
by Vinay H C
CVSS 5.4
Shopizer < 2.17.0 - Reflected Cross-Site Scripting via Ref Parameter
A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL.
by Marek Toth
CVSS 4.8
iDailyDiary 4.30 - Denial of Service via Preferences Tab Name Field Overflow
iDailyDiary 4.30 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the preferences tab name field. Attackers can paste a 2,000,000 character buffer into the default diary tab name to trigger an application crash.
by Ismael Nava
CVSS 7.5
Acer ePowerSvc 6.0.3008.0 - Privilege Escalation
Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup.
by Emmanuel Lujan
CVSS 7.8
DiskBoss Service 12.2.18 - Privilege Escalation
DiskBoss Service 12.2.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path locations to gain system-level access during service startup.
by Erick Galindo
CVSS 7.8
redi_restaurant_reservation < 21.0426 - Unauthenticated Stored Cross-Site Scripting via Comment Field
The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The 'Comment' field of the reservation form does not use proper input validation and can be used to store XSS payloads. The XSS payloads are executed when the plugin user goes to the 'Upcoming' page, which is an external website (https://upcoming.reservationdiary.eu/) loaded in an iframe, and the stored reservation containing the XSS payload is loaded.
by Bastijn Ouwendijk
CVSS 6.1
Schlix CMS 2.2.6-6 - Arbitrary File Upload (Authenticated)
by Emir Polat
Shopizer < 2.17.0 - Stored Cross-Site Scripting via Customer Name Field
A stored cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via customer_name in various forms of store administration. It is saved in the database. The code is executed for any user of store administration when information is fetched from the backend, e.g., in admin/customers/list.html.
by Marek Toth
CVSS 4.8
Acer Backup Manager 3.0.0.99 - Code Injection
Acer Backup Manager 3.0.0.99 contains an unquoted service path vulnerability in the NTI IScheduleSvc service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\NTI\Acer Backup Manager\ to inject malicious executables that would run with elevated LocalSystem privileges.
by Emmanuel Lujan
CVSS 7.8
Acer Updater Service 1.2.3500.0 - Privilege Escalation
Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater\ to inject malicious executables that will run with LocalSystem permissions during service startup.
by Emmanuel Lujan
CVSS 7.8
ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path
by Alejandra Sánchez
COVID19 Testing Management System 1.0 - SQL Injection
COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel.
by Rohit Burke
CVSS 9.8
COVID19 Testing Management System 1.0 - XSS
COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the "Admin name" parameter.
by Rohit Burke
CVSS 4.8
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting via Blocked Request Output
The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as on matching a spam word). It output the input in an HTML attribute after sanitising it only to remove HTML tags, which is not sufficient and leads to a reflected Cross-Site Scripting issue.
by Hosein Vita
CVSS 6.1
In4Suite ERP < 3.2.74.1370 - SQL Injection
SQL injection in In4Suite ERP 3.2.74.1370 allows attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.
by Gulab Mondal
CVSS 9.1
EgavilanMedia PHPCRUD 1.0 SQL Injection via firstname
EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive database information.
by Dimitrios Mitakos
CVSS 8.2
Advanced Guestbook 2.4.4 Persistent XSS via Smilies
Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab.
by Abdulkadir AYDOGAN
CVSS 6.4
Printable Staff ID Card Creator System 1.0 - Authenticated Remote Code Execution via Arbitrary File Upload
In Sourcecodester Printable Staff ID Card Creator System 1.0, after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
by bwnz
CVSS 9.8
Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting
by Vani K G
Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
by Reza Afsahi
Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
by Reza Afsahi
Customer Relationship Management (CRM) System 1.0 - 'Category' Persistent Cross site Scripting
by Vani K G
Billing Management System 2.0 - Union based SQL injection (Authenticated)
by Mohammad Koochaki