Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,180cataloged exploits
31,691CVEs with public exploitation
0lab-tested
4,188 exploits
Nucleicritical
WordPress Workreap - Remote Code Execution
Workreap theme < 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
50RISK
open
Nucleimedium
WordPress MF Gig Calendar <=1.1 - Cross-Site Scripting
MF Gig Calendar < 1.2 - Reflected Cross-Site Scripting (XSS)
18RISK
open
Nucleimedium
ProfilePress < 3.1.11 - Cross-Site Scripting
ProfilePress < 3.1.11 - Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget
18RISK
open
Nucleicritical
Profile Builder < 3.4.9 - Improper Authentication
Profile Builder < 3.4.9 - Admin Access via Password Reset
18RISK
open
Nucleihigh
WordPress Paytm Donation <=1.3.2 - Authenticated SQL Injection
Paytm - Donation Plugin <= 1.3.2 - Authenticated (admin+) SQL Injection
18RISK
open
Nucleihigh
G Auto-Hyperlink <= 1.0.1 - SQL Injection
G Auto-Hyperlink <= 1.0.1 - Admin+ SQL Injection
18RISK
open
Nucleihigh
Images to WebP < 1.9 - Authenticated Local File Inclusion
Images to WebP < 1.9 - Authenticated Local File Inclusion
18RISK
open
Nucleihigh
Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login
Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login
38RISK
open
Nucleimedium
Limit Login Attempts WordPress - Stored Cross-site Scripting
Limit Login Attempts < 4.0.50 - Unauthenticated Stored Cross-Site Scripting
18RISK
open
Nucleicritical
WordPress Podlove Podcast Publisher <3.5.6 - SQL Injection
Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection
18RISK
open
Nucleimedium
Duplicate Page WordPress - Stored Cross-Site Scripting
Duplicate Page <= 4.4.2 - Admin+ Stored Cross-Site Scripting
18RISK
open
Nucleicritical
Pie Register < 3.7.1.6 - SQL Injection
Pie Register < 3.7.1.6 - Unauthenticated SQL Injection
18RISK
open
Nucleimedium
WordPress Sassy Social Share Plugin <3.3.40 - Cross-Site Scripting
Sassy Social Share < 3.3.40 - Reflected Cross-Site Scripting
18RISK
open
Nucleihigh
WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection
WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection
50RISK
open
Nucleicritical
WordPress Perfect Survey <1.5.2 - SQL Injection
Perfect Survey < 1.5.2 - Unauthenticated SQL Injection
60RISK
open
Nucleihigh
Download Monitor < 4.4.5 - SQL Injection
Download Monitor < 4.4.5 - Admin+ SQL Injection
61RISK
open
Nucleihigh
Header Footer Code Manager < 1.1.14 - Admin+ SQL Injection
Header Footer Code Manager < 1.1.14 - Admin+ SQL Injections
18RISK
open
Nucleicritical
WordPress Asgaros Forum <1.15.13 - SQL Injection
Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
23RISK
open
Nucleimedium
WordPress AnyComment <0.3.5 - Open Redirect
AnyComment < 0.3.5 - Open Redirect
18RISK
open
Nucleicritical
WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
WCFM - WooCommerce Multivendor Marketplace < 3.4.12 - Unauthenticated SQL Injection
18RISK
open
Nucleihigh
WordPress RegistrationMagic <5.0.1.6 - Authenticated SQL Injection
RegistrationMagic < 5.0.1.6 - Admin+ SQL Injection
60RISK
open
Nucleimedium
WordPress eCommerce Product Catalog <3.0.39 - Cross-Site Scripting
eCommerce Product Catalog for WordPress < 3.0.39 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
Registrations for The Events Calendar < 2.7.5 - Authenticated Reflected Cross-Site Scripting
Registrations for The Events Calendar < 2.7.5 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
WordPress Elementor Website Builder <3.1.4 - Cross-Site Scripting
Elementor < 3.4.8 - DOM Cross-Site-Scripting
23RISK
open
Nucleimedium
WordPress Transposh Translation <1.0.8 - Cross-Site Scripting
Transposh WordPress Translation < 1.0.8 - Reflected Cross-Site Scripting
18RISK
open
Nucleicritical
Contest Gallery < 13.1.0.6 - SQL injection
Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure
23RISK
open
Nucleihigh
WordPress Qubely < 1.8.6 - Unauthenticated Email Sending
Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending
18RISK
open
Nucleihigh
WordPress WPS Hide Login <1.9.1 - Information Disclosure
WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header
40RISK
open
Nucleimedium
WordPress Domain Check <1.0.17 - Cross-Site Scripting
Domain Check < 1.0.17 - Reflected Cross-Site Scripting
43RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.