Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,062cataloged exploits
31,617CVEs with public exploitation
0lab-tested
4,187 exploits
Nucleimedium
WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Calls to Action plugin before 2.5.1 for WordPress allow remot
18RISK
open
Nucleimedium
Atlassian Confluence <5.8.17 - Information Disclosure
Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName p
50RISK
open
Nucleihigh
Joomla HTTP Header Unauthenticated - Remote Code Execution
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbi
60RISK
open
Nucleihigh
Umbraco <7.4.0- Server-Side Request Forgery
The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 a
23RISK
open
Nucleimedium
NewStatPress <=1.0.4 - Cross-Site Scripting
The newstatpress plugin before 1.0.5 for WordPress has XSS related to an IMG element.
18RISK
open
Nucleicritical
404 to 301 <= 2.0.2 - Authenticated Blind SQL Injection
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
50RISK
open
Nucleihigh
mTheme Unus < 2.3 - Directory Traversal
Directory traversal vulnerability in the mTheme-Unus theme before 2.3 for WordPress allows an attacker to read arbitrary
30RISK
open
Nucleimedium
WordPress Symposium <=15.8.1 - Cross-Site Scripting
The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?
18RISK
open
Nucleihigh
BJ Lazy Load (Timthumb) <= 0.7.5 - Remote File Inclusion
The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
18RISK
open
Nucleihigh
WordPress RobotCPA 5 - Directory Traversal
The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter.
23RISK
open
Nucleicritical
WordPress ShowBiz Pro <= 1.7.1 - Authenticated Arbitrary File Upload to RCE
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
23RISK
open
Nucleihigh
Adobe AEM Dispatcher <4.15 - Rules Bypass
Dispatcher before 4.1.5 in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 does not properly implement a URL filter, wh
30RISK
open
Nucleimedium
WordPress Admin Font Editor <=1.8 - Cross-Site Scripting
Reflected XSS in wordpress plugin admin-font-editor v1.8
18RISK
open
Nucleimedium
WordPress AJAX Random Post <=2.00 - Cross-Site Scripting
Reflected XSS in wordpress plugin ajax-random-post v2.00
18RISK
open
Nucleimedium
WordPress anti-plagiarism <=3.60 - Cross-Site Scripting
Reflected XSS in wordpress plugin anti-plagiarism v3.60
18RISK
open
Nucleimedium
WordPress defa-online-image-protector <=3.3 - Cross-Site Scripting
Reflected XSS in wordpress plugin defa-online-image-protector v3.3
18RISK
open
Nucleimedium
WordPress e-search <=1.0 - Cross-Site Scripting
Reflected XSS in wordpress plugin e-search v1.0
18RISK
open
Nucleimedium
WordPress e-search <=1.0 - Cross-Site Scripting
Reflected XSS in wordpress plugin e-search v1.0
18RISK
open
Nucleimedium
WordPress enhanced-tooltipglossary 3.2.8 - Cross-Site Scripting
Reflected XSS in wordpress plugin enhanced-tooltipglossary v3.2.8
18RISK
open
Nucleimedium
WordPress forget-about-shortcode-buttons 1.1.1 - Cross-Site Scripting
Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1
18RISK
open
Nucleimedium
WordPress HDW Video Gallery <=1.2 - Cross-Site Scripting
Reflected XSS in wordpress plugin hdw-tube v1.2
18RISK
open
Nucleimedium
WordPress HDW Video Gallery <=1.2 - Cross-Site Scripting
Reflected XSS in wordpress plugin hdw-tube v1.2
18RISK
open
Nucleimedium
WordPress heat-trackr 1.0 - Cross-Site Scripting
Reflected XSS in wordpress plugin heat-trackr v1.0
18RISK
open
Nucleimedium
WordPress Hero Maps Pro 2.1.0 - Cross-Site Scripting
Reflected XSS in wordpress plugin hero-maps-pro v2.1.0
18RISK
open
Nucleimedium
WordPress Admin Font Editor <=1.8 - Cross-Site Scripting
Reflected XSS in wordpress plugin indexisto v1.0.5
18RISK
open
Nucleimedium
WordPress Infusionsoft Gravity Forms <=1.5.11 - Cross-Site Scripting
Reflected XSS in wordpress plugin infusionsoft v1.5.11
18RISK
open
Nucleimedium
WordPress New Year Firework <=1.1.9 - Cross-Site Scripting
Reflected XSS in wordpress plugin new-year-firework v1.1.9
18RISK
open
Nucleimedium
WordPress Page Layout builder v1.9.3 - Cross-Site Scripting
Reflected XSS in wordpress plugin page-layout-builder v1.9.3
18RISK
open
Nucleimedium
WordPress MW Font Changer <=4.2.5 - Cross-Site Scripting
Reflected XSS in wordpress plugin parsi-font v4.2.5
18RISK
open
Nucleimedium
WordPress Photoxhibit 2.1.8 - Cross-Site Scripting
Reflected XSS in wordpress plugin photoxhibit v2.1.8
18RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.