README.md

TO-DO

• SQLi-1: Custom 404 Pro ≤ 3.7.2 - Unauthenticated SQL Injection

• CVE-2023-29432: Houzez ≤ 2.8.2 - Unauthenticated SQL Injection

• CVE-2023-26540: Houzez ≤ 2.7.1 - Privilege Escalation

• CVE-2023-24000: GamiPress ≤ 2.5.7 - Unauthenticated SQL Injection

VulnBox

CVE

• CVE-2023-32243: Essential Addons for Elementor ≤ 5.7.1 - Unauthenticated Arbitrary Password Reset to Privilege Escalation - May 11, 2023

• CVE-2023-30869: Easy Digital Downloads ≤ 3.1.1.4.1 - Unauthenticated Arbitrary Password Reset to Privilege Escalation - May 2, 2023

• CVE-2023-28787: Quiz and Survey Master ≤ 8.1.4 - Unauthenticated SQL Injection - April 26, 2023

• CVE-2023-26009: Houzez Login Register ≤ 2.6.3 - Privilege Escalation - April 27, 2023

• CVE-2023-3203: MStore API <= 3.9.6 - Cross-Site Request Forgery to Product Limit Update - June 13, 2023

• CVE-2023-3202: MStore API <= 3.9.6 - Cross-Site Request Forgery to Firebase Server Key Update - June 13, 2023

• CVE-2023-3201: MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Title Update - June 13, 2023

• CVE-2023-3200: MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Message Update - June 13, 2023

• CVE-2023-3199: MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Title Update - June 13, 2023

• CVE-2023-3198: MStore API ≤ 3.9.6 - Cross-Site Request Forgery to Order Status Update - June 13, 2023

• CVE-2023-2982: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) ≤ 7.6.4 - Authentication Bypass - July 04, 2023

• CVE-2023-2734: MStore API ≤ 3.9.1 - Authentication Bypass - May 31, 2023

• CVE-2023-2733: MStore API ≤ 3.9.0 - Authentication Bypass - May 31, 2023

• CVE-2023-2732: MStore API ≤ 3.9.2 - Authentication Bypass - May 24, 2023

• CVE-2023-2027: ZM Ajax Login & Register ≤ 2.0.2 - Authentication Bypass - April 26, 2023

• CVE-2023-1874: WP Data Access ≤ 5.3.7 - Authenticated (Subscriber+) Privilege Escalation - April 26, 2023

• CVE-2023-1597: tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation - April 26, 2023

• CVE-2023-1596: tagDiv Composer ≤ 3.9 - Reflected Cross-site Scripting (RXSS) - April 26, 2023

• CVE-2023-0600: WP Visitor Statistics (Real Time Traffic) ≤ 6.8.1 - Unauthenticated SQL Injection - May 16, 2023

• CVE-2022-3477: tagDiv Composer ≤ 3.4 - Unauthorized Account Access and Privilege Escalation - April 26, 2023

Others

• PrivEsc-2023-0002: WP Post Author ≤ 3.2.3 - Privilege Escalation - July 02, 2023

• PrivEsc-1: Elementor Pro ≤ 3.11.6 - Authenticated(Subscriber+) Privilege Escalation via update_page_option - April 26, 2023

Proof-of-Concept Channel

To view the detailed Proof-of-Concept (PoC), you need to make a payment for it at https://paypal.me/TRU0CPHAN with the following description: <Vulnerability-ID> <Your-Discord-Username>#<Your-Discord-ID>

Example: To view the detailed PoC of the "PrivEsc-1: Elementor Pro ≤ 3.11.6 - Authenticated (Subscriber+) Privilege Escalation via update_page_option" vulnerability, you need to make a payment with the following description: PrivEsc-1 YourDiscordUsername#1234

Terms and Policies

1. The PoC is for research or educational purposes only. We will not be responsible if you use it for any other malicious purposes.
2. Do not share any content about Proof-of-Concept anywhere with anyone.

If you violate the terms and policies, you will be banned and cannot view any purchased Proof-of-Concept (PoC)