Public exploitation

Exploit catalog

Every public exploit we catalog, in one index. Search by CVE, exploit name or technology — and see, right beside it, what the flaw is actually worth: severity, exploitation probability, and whether it’s already under attack.

71,180cataloged exploits
31,691CVEs with public exploitation
0lab-tested
4,190 exploits
Nucleicritical
WordPress Secure Copy Content Protection and Content Locking <2.8.2 - SQL Injection
Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
60RISK
open
Nucleimedium
Visual CSS Style Editor < 7.5.4 - Cross-Site Scripting
Visual CSS Style Editor < 7.5.4 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
WordPress Persian Woocommerce <=5.8.0 - Cross-Site Scripting
Persian Woocommerce <= 5.8.0 - Reflected Cross-Site Scripting
18RISK
open
Nucleicritical
Registrations for the Events Calendar < 2.7.6 - SQL Injection
Registrations for the Events Calendar < 2.7.6 - Unauthenticated SQL Injection
18RISK
open
Nucleicritical
WordPress Modern Events Calendar <6.1.5 - Blind SQL Injection
Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
60RISK
open
Nucleimedium
WordPress Responsive Vector Maps < 6.4.2 - Arbitrary File Read
RVM - Responsive Vector Maps < 6.4.2 - Subscriber+ Arbitrary File Read
18RISK
open
Nucleimedium
Blog2Social < 6.8.7 - Cross-Site Scripting
Blog2Social < 6.8.7 - Reflected Cross-Site Scripting
18RISK
open
Nucleihigh
WordPress All-In-One Video Gallery <2.5.0 - Local File Inclusion
All-In-One-Gallery < 2.5.0 - Admin+ Local File Inclusion
18RISK
open
Nucleimedium
Paid Memberships Pro < 2.6.6 - Cross-Site Scripting
Paid Memberships Pro < 2.6.6 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
WordPress Super Socializer <7.13.30 - Cross-Site Scripting
Super Socializer < 7.13.30 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
WooCommerce PDF Invoices & Packing Slips WordPress Plugin < 2.10.5 - Cross-Site Scripting
WooCommerce PDF Invoices & Packing Slips < 2.10.5 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
WordPress Guppy <=1.1 - Information Disclosure
WP Guppy < 1.3 - Sensitive Information Disclosure
18RISK
open
Nucleicritical
WordPress WPCargo Track & Trace <6.9.0 - Remote Code Execution
WPCargo < 6.9.0 - Unauthenticated RCE
50RISK
open
Nucleimedium
The Code Snippets WordPress Plugin < 2.14.3 - Cross-Site Scripting
Code Snippets < 2.14.3 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
Chaty < 2.8.2 - Cross-Site Scripting
Chaty < 2.8.3 - Reflected Cross-Site Scripting
18RISK
open
Nucleimedium
WordPress Event Tickets < 5.2.2 - Open Redirect
Event Tickets < 5.2.2 - Open Redirect
18RISK
open
Nucleicritical
PublishPress Capabilities < 2.3.1 - Missing Authorization
PublishPress Capabilities < 2.3.1 - Unauthenticated Arbitrary Options Update to Blog Compromise
38RISK
open
Nucleimedium
Noptin < 1.6.5 - Open Redirect
Noptin < 1.6.5 - Open Redirect
18RISK
open
Nucleihigh
WordPress Button Generator <2.3.3 - Remote File Inclusion
Button Generator < 2.3.3 - RFI leading to RCE via CSRF
18RISK
open
Nucleimedium
WordPress FeedWordPress < 2022.0123 - Authenticated Cross-Site Scripting
FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
18RISK
open
Nucleimedium
WordPress Contact Form 7 Skins <=2.5.0 - Cross-Site Scripting
Contact Form 7 Skins < 2.5.1 - Reflected Cross-Site Scripting (XSS)
18RISK
open
Nucleimedium
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)
18RISK
open
Nucleimedium
Landing Page Builder < 1.4.9.6 - Cross-Site Scripting
Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS)
18RISK
open
Nucleimedium
WordPress WebP Converter for Media < 4.0.3 - Unauthenticated Open Redirect
WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect
18RISK
open
Nucleilow
WordPress Duplicate Page or Post <1.5.1 - Cross-Site Scripting
Duplicate Page or Post < 1.5.1 - Arbitrary Settings Update to Stored XSS
18RISK
open
Nucleimedium
Affiliates Manager < 2.9.0 - Cross Site Scripting
Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting
18RISK
open
Nucleimedium
Contact Form Entries < 1.2.4 - Cross-Site Scripting
Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting
18RISK
open
Nucleicritical
WordPress Popup Builder < 4.0.7 - Remote Code Execution
Popup Builder < 4.0.7 - LFI to RCE
18RISK
open
Nucleimedium
WOOF WordPress plugin - Cross-Site Scripting
WOOF - Products Filter for WooCommerce < 1.2.6.3 - Reflected Cross-Site Scripting
18RISK
open
Nucleihigh
Wordpress Tatsubuilder <= 3.3.11 - Remote Code Execution
Tatsu < 3.3.12 - Unauthenticated RCE
60RISK
open

We index only the public link to the proof of concept — we never host or redistribute exploitation code. Sources: PoC-in-GitHub, Exploit-DB, Nuclei, Metasploit and VulnCheck XDB. A public PoC existing does not mean the flaw is exploitable in your environment.