Better Search < 2.5.3 - CSRF Nonce Bypass in Import/Export
The plugin did not properly check the CSRF nonces when exporting and importing settings, allowing attackers to make a logged-in user with the manage_options capability export and import arbitrary settings by not providing the nonce parameter in the request. POST...
Custom Banners < 3.3 - CSRF Nonce Bypass in saveCustomFields
The plugin did not properly check the CSRF nonce in the saveCustomFields method, which could allow attackers to make a logged-in user with the edit_post capability save custom fields in a post. Numerous sanitisation fixes were also added to v3.3. Send a request without the my-custom-fieldswpnonc...
nss: ECDSA timing attack mitigation bypass
A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDS...
nss: Side channel attack on ECDSA signature generation
A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDS...
nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function
A side-channel flaw was found in NSS, in the way the P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this...
Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to...
WordPress ElasticPress plugin <= 3.5.3 - Nonce Check Bypass vulnerability
Nonce Check Bypass vulnerability found by Felipe Elia in WordPress ElasticPress plugin versions <= 3.5.3. Solution: Update the WordPress ElasticPress plugin to the latest available version (at least 3.5.4)...
WordPress Post SMTP Mailer/Email Log plugin <= 2.0.20 - Cross-Site Request Forgery (CSRF) nonce validation vulnerability
Cross-Site Request Forgery (CSRF) nonce validation vulnerability found in WordPress Post SMTP Mailer/Email Log plugin versions <= 2.0.20. Solution: Update the WordPress Post SMTP Mailer/Email Log plugin to the latest available version (at least 2.0.21)...
ElasticPress 3.5.2 - 3.5.3 - CSRF Nonce Bypass
A user could bypass the nonce check associated with re-sending the unaltered default search query to ElasticPress.io that is used for providing Autosuggest queries. Impacted plugin and version: ElasticPress versions 3.5.2 and 3.5.3. Fixed in version 3.5.4...
CVE-2020-35943
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload. It is possible to bypass CSRF protection by simply not including a nonce parameter...
CVE-2020-35942
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. It is possible to bypass CSRF protection by simply not including a nonce parameter...
CVE-2021-25834
Cosmos Network Ethermint <= v0.4.0 is affected by a transaction replay vulnerability in the EVM module. If the victim sends a very large nonce transaction, the attacker can replay the transaction through the application...
NextGen Gallery < 3.5.0 - CSRF allows File Upload
It was possible to bypass the "validate_ajax_request" function used to control access to AJAX functions by sending a request without a nonce parameter. This could be used to upload arbitrary code to an image file. Although the uploaded file must be a valid image, it is possible to include PHP code ...
PT-2021-16809 · Cosmos · Cosmos Network Ethermint
Name of the Vulnerable Software and Affected Versions: Cosmos Network Ethermint versions <= v0.4.0. Description: The issue is related to a transaction replay vulnerability in the EVM module. If a victim sends a very large nonce transaction, an attacker can replay the transaction through the...
KamiD Cosmos Network Ethermint Security Vulnerability
KamiD Cosmos Network Ethermint is pre-alpha software from the American Bcamarneiro/KamiD personal organization. It provides a scalable, high-throughput proof-of-stake blockchain that is fully compatible and interoperable with Ethermint. A security vulnerability exists in KamiD Cosmos Network...
Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request coul...
Custom Global Variables <= 1.0.5 - Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the 'name' field of the variable added in its settings, leading to a Stored Cross-Site Scripting issue. Attackers could also use the lack of a CSRF nonce and check to make a logged-in administrator add the payload and make them perform further unwanted actions. PoC: The...
Glassdoor: Reflected XSS on https://www.glassdoor.com/parts/header.htm
Reflected XSS was reported on https://www.glassdoor.com/parts/header.htm via the nonce parameter. Thanks, @0x7 for reporting the finding and also reporting additional endpoints affected by this - added a bonus for reporting those additional endpoints and also for your collaboration with us in the...
WP24 Domain Check < 1.6.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin version 1.6.2, and possibly below, was vulnerable to Stored Cross-Site Scripting (XSS) in the plugin's fieldnameDomain settings parameter. The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability. PoC: In the plugin's advanced settings...