Lucene search
K

252 matches found

Cvelist
Cvelist
added 2026/03/31 8:39 p.m.23 views

CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS0.00233EPSS
Exploits1References1
OSV
OSV
added 2026/03/31 8:39 p.m.6 views

CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS6AI score0.00233EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/31 8:39 p.m.5 views

CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

8.1CVSS6AI score0.00233EPSS
Exploits1References1
CVE
CVE
added 2026/03/31 8:39 p.m.12 views

CVE-2026-34394

WWBN AVideo (versions 26.0 and prior) is affected by a CSRF vulnerability in the admin/plugin configuration endpoint (admin/save.json.php). The endpoint processes requests without CSRF token validation (no isGlobalTokenValid/verifyToken check), and the app uses SameSite=None cookies, enabling cro...

8.1CVSS6AI score0.00233EPSS
Exploits1References1Affected Software1
Metasploit
Metasploit
added 2026/03/31 7:2 p.m.203 views

Grav CMS Admin Direct Install Authenticated Plugin Upload RCE

Grav CMS version use exploit/multi/http/gravadmindirectinstallrcecve202550286 msf exploitgravadmindirectinstallrcecve202550286 show targets ...targets... msf exploitgravadmindirectinstallrcecve202550286 set TARGET msf exploitgravadmindirectinstallrcecve202550286 show options ...show and set...

8.1CVSS6.5AI score0.09319EPSS
Exploits7
EUVD
EUVD
added 2026/03/26 6:30 a.m.6 views

EUVD-2026-16086

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'postcontent' of adminform posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybeunserialize function without class restrictions on...

7.2CVSS6.2AI score0.00533EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/25 4:14 p.m.3 views

CVE-2026-22524 WordPress Legacy Admin plugin <= 9.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through = 9.5...

7.1CVSS5.8AI score0.00175EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/25 4:14 p.m.24 views

CVE-2026-22524 WordPress Legacy Admin plugin <= 9.5 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in themepassion Legacy Admin legacy-admin allows Reflected XSS.This issue affects Legacy Admin: from n/a through = 9.5...

7.1CVSS0.00175EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/13 12:0 a.m.9 views

WordPress plugin Admin and Site Enhancements (ASE) 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

5.4CVSS5.8AI score0.00168EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/02/05 12:0 a.m.6 views

JIZHICMS 代码问题漏洞

JIZHICMS is an open-source content management system developed by JIZHI Corporation in China. Version 1.6.7 of JIZHICMS contains code vulnerabilities; these vulnerabilities stem from a file download vulnerability present in the administrator plugin update endpoint. This vulnerability could allow...

8.8CVSS6AI score0.00687EPSS
Exploits1References3
Patchstack
Patchstack
added 2026/02/03 9:40 a.m.11 views

WordPress Frontend Admin by DynamiApps plugin <= 3.24.5 - Unauthenticated Privilege Escalation vulnerability

Unauthenticated Privilege Escalation vulnerability discovered by Max Boll b0lli - Max Boll - IT Security in WordPress Plugin Frontend Admin by DynamiApps versions = 3.24.5...

8.1CVSS5.3AI score0.00529EPSS
Exploits0References1Affected Software1
Snyk
Snyk
added 2026/01/29 8:50 p.m.2 views

Cross-site Scripting (XSS)

Overview FluentCMS.Web.Plugins.Admin is a plugin for an ASP.NET Core Blazor Content Management System CMS Affected versions of this package are vulnerable to Cross-site Scripting XSS in the File Management module. An admin user can upload malicious SVG files to execute scripts in the browser of...

4.8CVSS5.3AI score0.00226EPSS
Exploits1References2
NVD
NVD
added 2026/01/26 6:16 p.m.9 views

CVE-2020-36955

Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the pag...

6.4CVSS0.00567EPSS
Exploits0References3
EUVD
EUVD
added 2026/01/26 5:42 p.m.4 views

EUVD-2020-30847

Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the pag...

6.4CVSS5.8AI score0.00567EPSS
Exploits0References3
CVE
CVE
added 2026/01/26 5:42 p.m.8 views

CVE-2020-36955

CVE-2020-36955 affects Grav CMS 1.6.30 with Admin Plugin 1.9.18. The issue is a persistent cross-site scripting vulnerability in the page title field that requires an authenticated user. An attacker can create a page whose title contains malicious script, and the script will execute when the page...

6.4CVSS5.8AI score0.00567EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/01/26 5:42 p.m.34 views

CVE-2020-36955 Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting

Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the pag...

6.4CVSS0.00567EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/01/26 5:42 p.m.8 views

CVE-2020-36955

Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the pag...

6.4CVSS5.8AI score0.00567EPSS
Exploits0References3
NVD
NVD
added 2026/01/17 4:16 a.m.7 views

CVE-2026-0682

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audiourl' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to...

2.2CVSS0.00245EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/01/17 3:24 a.m.4 views

CVE-2026-0682

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audiourl' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to...

2.2CVSS5.6AI score0.00245EPSS
Exploits0References7
CVE
CVE
added 2026/01/17 3:24 a.m.21 views

CVE-2026-0682

The CVE-2026-0682 entry describes an authenticated Administrator+ SSRF against WordPress Church Admin plugin (versions up to 5.0.28) due to insufficient validation of the audio_url parameter. An attacker could cause the web app to issue requests to internal services, enabling querying/modificatio...

2.2CVSS5.4AI score0.00245EPSS
Exploits0References6
Rows per page
Query Builder