Exploitdb Exploits
50,076 exploits tracked across all sources.
WordPress Plugin Webapp-Builder v2.0 - Info Disclosure
Vulnerability in the WordPress plugin webapp-builder v2.0. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/
by The Martian
CVSS 9.8
WordPress Plugin Mobile-App-Build By Wappress <1.05 - Info Disclosure
Vulnerability in the WordPress plugin mobile-app-builder-by-wappress v1.05. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
by The Martian
CVSS 9.8
mobile-friendly-app-builder-by-easytouch 3.0 - Unauthenticated Arbitrary File Upload via images.php
Vulnerability in the WordPress plugin mobile-friendly-app-builder-by-easytouch v3.0. The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check that the user is allowed to upload content.
by The Martian
CVSS 9.8
WordPress < 4.7.1 - Unauthorized User Information Exposure via REST API
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
by Dctor
CVSS 5.3
pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery
by Yann CAM
pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery
by Yann CAM
wp2android-turn-wp-site-into-android-app 1.1.4 - Unrestricted Upload of File with Dangerous Type
Vulnerability in the WordPress plugin wp2android-turn-wp-site-into-android-app v1.1.4. The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
by The Martian
CVSS 9.8
EPSON TMNet WebConfig 1.00 - Cross-Site Scripting via W_AD1 Parameter
Cross-site scripting (XSS) vulnerability in EPSON TMNet WebConfig 1.00 allows remote attackers to inject arbitrary web script or HTML via the W_AD1 parameter to Forms/oadmin_1.
by Michael Benich
CVSS 6.1
MDwiki Cross-Site Scripting via Location Hash Parameter
MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context.
by evi1m0
CVSS 6.1
Php Classified OLX Clone Script - 'category' SQL Injection
by Ihsan Sencan
Joomla! Component StreetGuessr Game 1.0 - SQL Injection
by Ihsan Sencan
Joomla! Component Recipe Manager 2.2 - 'id' SQL Injection
by Ihsan Sencan
Joomla! Component Guesser 1.0.4 - 'type' SQL Injection
by Ihsan Sencan
Schneider Electric Conext ComBox 865-1058 Firmware < 3.03 - Denial of Service via Rapid Requests
An issue was discovered in Schneider Electric Conext ComBox, model 865-1058, all firmware versions prior to V3.03 BN 830. A series of rapid requests to the device may cause it to reboot.
by Mark Liapustin & Arik Kublanov
CVSS 7.5
Supsystic Popup Plugin <1.7.6 - CSRF
A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
by Radjnies Bhansingh
CVSS 4.3
Aruba Airwave < 8.2.3.1 - XML External Entity Injection
Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exists on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation.
by SEC Consult
CVSS 8.8
Aruba Airwave < 8.2.3.1 - Reflected Cross-Site Scripting in VisualRF Component
Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a logged-in AirWave administrative user into clicking a link could obtain sensitive information, such as session cookies or passwords. The vulnerability requires that an administrative user click on the malicious link while currently logged into AirWave in the same browser.
by SEC Consult
CVSS 6.1
WordPress Plugin User Login Log 2.2.1 - Cross-Site Scripting
by Axel Koolhaas
WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting
by Han Sahin
WordPress Plugin Global Content Blocks 2.1.5 - Cross-Site Request Forgery
by Yorick Koster
WordPress Plugin File Manager 3.0.1 - Cross-Site Request Forgery
by David Vaartjes
WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting
by Edwin Molenaar
WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting
by Edwin Molenaar