WordPress Page Builder – Qards Security Vulnerabilities

GHSA-VR64-R9QJ-H27F vulnerabilities

Vulnerabilities for packages:...

CVE-2024-22871 vulnerabilities

Vulnerabilities for packages:...

CVE-2024-4940

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others....

CVE-2024-4940

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others....

CVE-2024-4940 Open Redirect in gradio-app/gradio

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others....

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

CVE-2024-4874

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2024-4874

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

CVE-2024-4874 Bricks Builder <= 1.9.8 - Insecure Direct Object Reference

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2024-5966

The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5966

The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5965

The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with.....

CVE-2024-5965

The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with.....

CVE-2024-5965 Mosaic <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode

The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with.....

CVE-2024-5966 Grey Opaque <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Download-Button Shortcode

The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5346

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user...

CVE-2024-4313

The Table Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-4313

The Table Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-5346

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user...

CVE-2024-2484

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2024-2484

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2024-4313 Table Addons for Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id Parameter

The Table Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-2484 Orbit Fox by ThemeIsle <= 2.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2024-5346 Flatsome | Multi-Purpose Responsive WooCommerce Theme <= 3.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user...

CVE-2022-42974

In Kostal PIKO 1.5-1 MP plus HMI OEM p 1.0.1, the web application for the Solar Panel is vulnerable to a Stored Cross-Site Scripting (XSS) attack on /file.bootloader.upload.html. The application fails to sanitize the parameter filename, in a POST request to /file.bootloader.upload.html for a...

CVE-2022-42974

In Kostal PIKO 1.5-1 MP plus HMI OEM p 1.0.1, the web application for the Solar Panel is vulnerable to a Stored Cross-Site Scripting (XSS) attack on /file.bootloader.upload.html. The application fails to sanitize the parameter filename, in a POST request to /file.bootloader.upload.html for a...

Exploit for Code Injection in Openplcproject Openplc V3 Firmware

This script automatically exploits vulnerability in OpenPLC Web...

CVE-2023-39517

Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (packages/renderer/htmlUtils.ts::sanitizeHtml) preserves &lt;map&gt; <a...

CVE-2023-39517

Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (packages/renderer/htmlUtils.ts::sanitizeHtml) preserves &lt;map&gt; <a...

CVE-2024-36281

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Use mlx5_ipsec_rx_status_destroy to correctly delete status rules rx_create no longer allocates a modify_hdr instance that needs to be cleaned up. The mlx5_modify_header_dealloc call will lead to a NULL pointer...

CVE-2023-39517 Cross site scripting (XSS) when clicking on an untrusted `<map>` link in Joplin

Joplin is a free, open source note taking and to-do application. A Cross site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (packages/renderer/htmlUtils.ts::sanitizeHtml) preserves &lt;map&gt; <a...

CVE-2024-37671

Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page...

CVE-2024-37671

Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page...

CVE-2024-3080: ASUS warns Customers about the latest Authentication Bypass Vulnerability detected Across seven Router Models

ASUS announces major Firmware Update ASUS recently issued a firmware update to resolve a critical security vulnerability affecting seven different variants of its router models. Identified as CVE-2024-3080 with a CVSS v3 severity score of 9.8 (critical), the vulnerability permits remote attackers.....

CVE-2022-38055

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through...

CVE-2022-38055

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through...

CVE-2022-38055 WordPress wpForo Forum plugin <= 2.0.9 - Auth. HTML Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through...

CVE-2024-37230

Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Book Landing Page.This issue affects Book Landing Page: from n/a through...

CVE-2024-37230

Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Book Landing Page.This issue affects Book Landing Page: from n/a through...

CVE-2022-45803

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through...

CVE-2022-45803

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through...

CVE-2024-37230 WordPress Book Landing Page theme <= 1.2.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Book Landing Page.This issue affects Book Landing Page: from n/a through...

CVE-2022-45803 WordPress Gutenberg Forms plugin <= 2.2.8.3 - Auth. Broken Access Control vulnerability

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through...

CVE-2022-45803 WordPress Gutenberg Forms plugin <= 2.2.8.3 - Auth. Broken Access Control vulnerability

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through...

CVE-2024-35768

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

CVE-2024-35766

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS.This issue affects WPPizza: from n/a through...

CVE-2024-35766

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS.This issue affects WPPizza: from n/a through...

CVE-2024-35768

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...