Explore all Exploits:

WordPress Plugin WP Prayer version 1.6.1 – ‘prayer_messages’ Stored Cross-Site Scripting (XSS) (Authenticated)

A stored cross-site scripting (XSS) vulnerability exists in WordPress Plugin WP Prayer version 1.6.1 and earlier. An authenticated user can inject malicious JavaScript code into the 'prayer_messages' field of the prayer request form. When the form is submitted, the malicious code is stored in the database and is executed when the page with the prayer requests is loaded. This can be used to steal user credentials or perform other malicious actions.

Ubee EVW327 – ‘Enable Remote Access’ Cross-Site Request Forgery (CSRF)

This exploit enables remote access on Ubee EVW327 routers by exploiting a Cross-Site Request Forgery (CSRF) vulnerability. The exploit is executed by submitting a POST request to the router's web interface with the parameters RemoteAccessEnable, RemoteAccessPort, and ApplyRemoteEnableAction set to 1. This will enable remote access on the router and open port 8080.

ProjeQtOr Project Management 9.1.4 – Remote Code Execution

An arbitrary file upload in the profile editing section allows a malicious file to be executed. A file containing PHP code can be uploaded through the profile editor and then invoked by appending the .projeqtor statement to the file extension.

LogonTracer 1.2.0 – Remote Code Execution (Unauthenticated)

LogonTracer 1.2.0 is vulnerable to remote code execution due to an insecure deserialization vulnerability. An attacker can send a malicious payload to the vulnerable endpoint, which will be executed on the server. This exploit uses a python reverse shell payload to connect back to the attacker's machine.

WordPress Plugin LifterLMS 4.21.0 – Stored Cross-Site Scripting (XSS)

The 'State' field of the Edit Profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low-privilege users (such as students) to elevate their privileges via an XSS attack when an admin views their profile.

PHPFusion 9.03.50 – Remote Code Execution

This exploit allows an attacker to execute arbitrary code on a vulnerable PHPFusion 9.03.50 server with 'Allow PHP Execution' enabled. The exploit works by sending a malicious payload encoded in base64 to the target server, which is then decoded and executed. The payload is a reverse shell that connects back to the attacker's machine.
