252 matches found
CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
CVE-2026-34394
WWBN AVideo (versions 26.0 and prior) is affected by a CSRF vulnerability in the admin/plugin configuration endpoint (admin/save.json.php). The endpoint processes requests without CSRF token validation (no isGlobalTokenValid/verifyToken check), and the app uses SameSite=None cookies, enabling cro...
Grav CMS Admin Direct Install Authenticated Plugin Upload RCE
Grav CMS version use exploit/multi/http/gravadmindirectinstallrcecve202550286 msf exploitgravadmindirectinstallrcecve202550286 show targets ...targets... msf exploitgravadmindirectinstallrcecve202550286 set TARGET msf exploitgravadmindirectinstallrcecve202550286 show options ...show and set...
EUVD-2026-16086
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'postcontent' of adminform posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybeunserialize function without class restrictions on...
CVE-2026-22524 WordPress Legacy Admin plugin <= 9.5 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through = 9.5...
CVE-2026-22524 WordPress Legacy Admin plugin <= 9.5 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through = 9.5...
WordPress plugin Admin and Site Enhancements (ASE) 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
JIZHICMS 代码问题漏洞
JIZHICMS is an open-source content management system developed by JIZHI Corporation in China. Version 1.6.7 of JIZHICMS contains code vulnerabilities; these vulnerabilities stem from a file download vulnerability present in the administrator plugin update endpoint. This vulnerability could allow...
WordPress Frontend Admin by DynamiApps plugin <= 3.24.5 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Max Boll b0lli - Max Boll - IT Security in WordPress Plugin Frontend Admin by DynamiApps versions = 3.24.5...
Cross-site Scripting (XSS)
Overview FluentCMS.Web.Plugins.Admin is a plugin for an ASP.NET Core Blazor Content Management System CMS Affected versions of this package are vulnerable to Cross-site Scripting XSS in the File Management module. An admin user can upload malicious SVG files to execute scripts in the browser of...
CVE-2020-36955
Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the pag...
EUVD-2020-30847
Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the pag...
CVE-2020-36955
CVE-2020-36955 affects Grav CMS 1.6.30 with Admin Plugin 1.9.18. The issue is a persistent cross-site scripting vulnerability in the page title field that requires an authenticated user. An attacker can create a page whose title contains malicious script, and the script will execute when the page...
CVE-2020-36955 Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the pag...
CVE-2020-36955
Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the pag...
CVE-2026-0682
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audiourl' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to...
CVE-2026-0682
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audiourl' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to...
CVE-2026-0682
The CVE-2026-0682 entry describes an authenticated Administrator+ SSRF against WordPress Church Admin plugin (versions up to 5.0.28) due to insufficient validation of the audio_url parameter. An attacker could cause the web app to issue requests to internal services, enabling querying/modificatio...