Nuclei Templates v10.3.5 - Release Notes

New Templates Added: 57 | CVEs Added: 33

🔥 Release Highlights 🔥

• [CVE-2025-55182] React Server Components - Remote Code Execution [critical] 🔥 (vKEV)
• [CVE-2024-6220] WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload (@hnd3884) [critical] 🔥 (vKEV)
• [CVE-2023-37999] HT Mega <= 2.2.0 - Missing Auth to Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-30869] Easy Digital Downloads - Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-3277] MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-2734] MStore API <= 3.9.1 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2022-34487] ShortCode Addons - Unauthenticated Options Update (@Sourabh-Sahu) [critical] 🔥 (vKEV)
• [CVE-2022-33198] WordPress Accordions - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2021-36888] WordPress Image Hover Ultimate - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2021-4073] RegistrationMagic <= 5.0.1.7 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2019-25213] WordPress Advanced Access Manager - Path Traversal (@riteshs4hu) [critical] 🔥 (vKEV)

What's Changed

Bug Fixes

• Fixed path for CVE-2022-28666 from 2021 to 2022 directory (PR #14183)
• Fixed path for CVE-2021-4449 (PR #14182)
• Fixed path for CVE-2024-47308 (PR #14180)
• Corrected file naming for CVE-2021-35211 (PR #14162)
• Updated CVE-2024-9161 template (PR #14159)
• Updated CSP script-src wildcard template (PR #14117)

False Negatives

• Fixed false negative in CVE-2022-31181 by adding product to wishlist functionality (Issue #13938, PR #14112)
• Corrected username and password in CVE-2022-0206 to reduce false negatives (PR #14148)
• Corrected username and password in CVE-2015-4063 to reduce false negatives (PR #14133)

False Positives

• Removed mailgun-takeover template due to false positive detections (Issue #13900, PR #14113)
• Fixed false positive in wp-functions-php-disclosure.yaml (PR #14124)
• Prevented false positive matches in CVE-2024-55591 (PR #14106)
• Reduced false positives in CVE-2021-45467 (PR #14086)

Enhancements

• Enhanced CVE-2025-55182 template with updated authors and details (PR #14235)
• Updated POC for CVE-2025-55182 (PR #14229)
• Added new templates, fixed false positives, and enhanced existing templates (PR #14081)

Templates Added

• [CVE-2025-55182] React Server Components - Remote Code Execution (@dhiyaneshdk, @princechaddha, @assetnote, @lachlan2k, @maple3142, @Iamnooob) [critical] 🔥 (vKEV)
• [CVE-2025-51586] PrestaShop - Information Disclosure (@mastercho) [medium] 🔥
• [CVE-2025-47445] WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download (@hnd3884) [high] 🔥 (vKEV)
• [CVE-2025-11307] WP Google Maps < 9.0.48 - Cross-Site Scripting (@0x_Akoko) [high] 🔥
• [CVE-2025-10211] ChanCMS <= 3.3.0 - Server-Side Request Forgery (@Yu_Bao) [medium]
• [CVE-2025-10210] ChanCMS <= 3.3.0 - SQL Injection (@Yu_Bao) [medium]
• [CVE-2025-5301] ONLYOFFICE Docs (DocumentServer) - Reflected Cross-Site Scripting (@theamanrawat) [medium]
• [CVE-2024-47308] Templately <= 3.1.2 - Broken Access Control (@popcorn94) [medium] 🔥 (vKEV)
• [CVE-2024-9161] Rank Math SEO < 1.0.229 - Unauthenticated User and Term Metadata Insert/Update/Deletion (@Kazgangap) [medium] 🔥 (vKEV)
• [CVE-2024-6555] WP Popups - Information Disclosure (@theamanrawat) [medium]
• [CVE-2024-6220] WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload (@hnd3884) [critical] 🔥 (vKEV)
• [CVE-2023-41954] ProfilePress <= 4.13.1 — Unauthenticated Privilege Escalation (@daffainfo) [high] 🔥 (vKEV)
• [CVE-2023-40211] Post Grid <= 2.2.50 - Information Exposure via REST API (@daffainfo) [high]
• [CVE-2023-38875] PHP Login System 2.0.1 - Cross-Site Scripting (@0x_Akoko) [medium]
• [CVE-2023-37999] HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-30869] Easy Digital Downloads - Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-5815] News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Local File Inclusion (@daffainfo) [high]
• [CVE-2023-3277] MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-2734] MStore API <= 3.9.1 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2022-34487] ShortCode Addons - Unauthenticated Options Update (@Sourabh-Sahu) [critical] 🔥 (vKEV)
• [CVE-2022-33198] WordPress Accordions - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2022-31101] Prestashop Blockwishlist 2.1.0 SQL Injection (@mastercho) [high] 🔥
• [CVE-2022-28666] Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update (@Sourabh-Sahu) [medium]
• [CVE-2022-0879] Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting (@0x_Akoko) [medium]
• [CVE-2021-36888] WordPress Image Hover Ultimate - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2021-23394] elFinder < 2.1.58 - Remote Code Execution (@0xanis) [high]
• [CVE-2021-4073] RegistrationMagic <= 5.0.1.7 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2020-11732] Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion (@Sourabh-Sahu) [high]
• [CVE-2019-25213] WordPress Advanced Access Manager - Path Traversal (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2019-17671] WordPress <= 5.2.4 - Unauthenticated View Private/Draft Posts (@0x_Akoko) [medium]
• [CVE-2019-14950] WP Live Chat Support <= 8.0.27 — Stored Cross-Site Scripting (@daffainfo) [medium]
• [CVE-2019-10647] ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE) (@Sourabh-Sahu) [critical]
• [CVE-2018-17082] Apache2 - Transfer-Encoding Chunked XSS (@dhiyaneshdk) [medium]
• [google-storage-csp-bypass] Content-Security-Policy Bypass - Google Storage (@0x_Akoko) [medium]
• [spf-limit-lookup] SPF record DNS lookup limit (@theamanrawat) [info]
• [redis-commander-default-login] Redis Commander - Default Login (@dhiyaneshdk) [high]
• [ship-manager-dnv] Ship Manager DNV - Panel (@rxerium) [info]
• [apache-hive-config] Apache Hive Configuration - Exposure (@icarot) [medium]
• [codeclimate-config-exposure] CodeClimate Configuration File - Exposure (@0x_Akoko) [info]
• [deprecated-feature-policy] Deprecated Feature-Policy Header - Detection (@ritikchaddha) [info]
• [expect-ct-misconfigured] Expect-CT Header - Misconfigured (@theamanrawat) [info]
• [jenkins-users-exposure] Jenkins Users - Exposure (@theamanrawat) [info]
• [kafka-api-cluster] Kafka Operation API - Cluster (@dhiyaneshdk) [high]
• [unauth-munin] Munin Monitoring Dashboard - Exposure (@0x_Akoko) [medium]
• [weak-csp-detect] Weak Content Security Policy - Detect (@pussycat0x) [low]
• [apache-hive-detect] Apache Hive - Detect (@icarot) [info]
• [apache-httpd-eol] Apache HTTP Server End-of-Life - Detect (@Shivam Kamboj) [info]
• [laravel-eol] Laravel End-of-Life Detection (@Shivam Kamboj) [info]
• [nginx-eol] Nginx End-of-Life - Detect (@Shivam Kamboj) [info]
• [php-eol] PHP End-of-Life - Detect (@Shivam Kamboj) [info]
• [sharepoint-lists-api-disclosure] Microsoft SharePoint - List API Disclosure (@theamanrawat) [low]
• [wp-bbpress-fpd] WordPress bbPress Plugin - Full Path Disclosure (@0x_Akoko) [info]
• [wp-fastest-cache-fpd] WordPress WP Fastest Cache Plugin - Full Path Disclosure (@0x_Akoko) [info]
• [wp-mailchimp-for-wp-fpd] WordPress Mailchimp for WordPress Plugin - Full Path Disclosure (@0x_Akoko) [info]
• [wp-twentyfifteen-fpd] WordPress Twenty Fifteen Theme - Full Path Disclosure (@0x_Akoko) [info]
• [dameng-detect] Dameng Database - Detect (@pussycat0x) [info]
• [vnc-workflow] VNC Security Checks (@pussycat0x) [unknown]

New Contributors

• @murataslan1 made their first contribution in #14113

Full Changelog: v10.3.4...v10.3.5