Exploits - exploit.company


Explore all Exploits:

WordPress Plugin Background Image Cropper v1.2 – Remote Code Execution

The vulnerability in WordPress Plugin Background Image Cropper v1.2 allows remote attackers to execute arbitrary code on the target system. By uploading a malicious PHP file, an attacker can run commands on the server remotely. This vulnerability has a CVE ID pending assignment.

WordPress File Upload < 4.23.3 Stored XSS

A Stored Cross-Site Scripting (XSS) vulnerability exists in WordPress File Upload plugin version 4.23.3 and prior. By inserting a malicious shortcode in a post, an attacker can trigger an XSS attack when a file is uploaded, leading to potential script execution in the victim's browser. This vulnerability has been assigned CVE-2023-4811.

WordPress Plugin – Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)

The vulnerability allows unauthenticated attackers to upload arbitrary files leading to remote code execution. An attacker can exploit this vulnerability by uploading a malicious file containing PHP code. This vulnerability has a CVE assigned: CVE-2024-XXXXX.

Stored Cross-Site Scripting (XSS) in WordPress Plugin WP Video Playlist 1.1.1

The WordPress Plugin WP Video Playlist 1.1.1 is vulnerable to a stored cross-site scripting (XSS) attack. An attacker can inject malicious scripts into the 'videoFields[post_type]' input field, leading to the execution of arbitrary code in the context of the user's browser. This can result in cookie theft, session hijacking, or other malicious activities.

POC-CVE-2023-3244

The Comments Like Dislike plugin for WordPress <= 1.2.0 allows unauthorized modification of data due to a missing capability check on the restore_settings function called through an AJAX action. Authenticated attackers with minimal permissions, such as subscribers, can reset the plugin's settings. The issue was only partially patched in version 1.2.0, making the nonce still accessible to subscriber-level users.

WordPress Augmented-Reality – Remote Code Execution Unauthenticated

The exploit allows remote attackers to execute arbitrary code on the target system without authentication. By leveraging a vulnerability in the WordPress Augmented-Reality plugin, an attacker can upload and execute malicious PHP code.

WordPress Plugin Canto < 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)

The WordPress Canto plugin before 3.0.5 is vulnerable to Remote File Inclusion (RFI) through the 'wp_abspath' parameter, allowing unauthenticated attackers to execute arbitrary remote code on the server if allow_url_include is enabled. The issue arises from the improper handling of the 'wp_abspath' variable in the 'download.php' code.

WordPress Plugin Admin Bar & Dashboard Access Control 1.2.8 Stored Cross-Site Scripting (XSS)

An attacker can inject malicious scripts into the 'Dashboard Redirect' field of WordPress Plugin Admin Bar & Dashboard Access Control version 1.2.8. When a user triggers the stored payload, the injected JavaScript executes, leading to a successful XSS attack.

Advanced Page Visit Counter 1.0 – Admin+ Stored Cross-Site Scripting (XSS) (Authenticated)

The Advanced Page Visit Counter plugin for WordPress version 8.0.5 is vulnerable to Stored Cross-Site Scripting (XSS) attacks. A high-privilege user such as an admin can execute malicious scripts in the plugin's settings, even if the unfiltered_html capability is restricted.

Recent Exploits: