Ulysses Saicha

research notes

Latest

All posts
CVE-2025-13997: Unauthenticated API Key Disclosure in King Addons for Elementor A King Addons for Elementor issue where API keys were exposed in rendered page source. CVE-2025-13587: Two-Factor Authentication Bypass in Two Factor via Email A WordPress 2FA plugin issue where token handling could let a user skip the email second factor. CVE-2024-6288: Reflected XSS in Conversios WooCommerce Tracking A reflected cross-site scripting issue in the Conversios WooCommerce tracking plugin. CVE-2023-6875: POST SMTP Mailer Authorization Bypass to Admin Account Takeover My POST SMTP Mailer authorization bypass finding, the proof-of-concept flow, and why the impact was high. CVE-2023-7048: CSRF to Contact Lead Export in My Sticky Bar A My Sticky Bar CSRF issue that could trigger contact lead CSV export from an administrator's browser. dCTF 2021: Behind The Scenes Solving a dCTF image challenge by using Depix and carefully cropping pixelated text. dCTF 2021: Company Leak Using ZIP internals and bkcrack to approach a nested encrypted archive challenge. dCTF 2021: Discord PingPong Investigating a Go Discord bot binary and recovering the path to the challenge flag. dCTF 2021: My First CTF Notes from my first live CTF: the team, the search trail, and a few side discoveries from the weekend. dCTF 2021: Injection Finding a Flask/Jinja SSTI, reading source files, and decoding the final password.

Showing 10 of 15 posts. Browse the archive.