103 matches found
Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS
Multiple stored cross-site scripting vulnerabilities in Constant Contact Forms for WordPress 1.8.7 and lower allow high-privileged user Editor+ to inject arbitrary Javascript code or HTML in posts where the malicious form is embed. PoC High-privileged user Editor+ can exploit XSS via Add New Form...
CVE-2020-4047 Authenticated XSS via media attachment page in WordPress
In affected versions of WordPress, authenticated users with upload permissions like authors are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has...
CVE-2020-6643
An improper neutralization of input vulnerability in the URL Description in Fortinet FortiIsolator version 1.2.2 allows a remote authenticated attacker to perform a cross site scripting attack XSS...
CVE-2019-16289
CVE-2019-16289 concerns the WordPress plugin insert-php (Woody ad snippets) , affected versions prior to 2.2.8. The vulnerability allows authenticated Cross-Site Scripting (XSS) through the winp_item parameter . Red Hat and CVE listings consistently describe the issue as an authenticated XSS flaw...
CVE-2019-16289
The insert-php aka Woody ad snippets plugin before 2.2.8 for WordPress allows authenticated XSS via the winpitem parameter...
CVE-2019-14797
The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS...
D-Link 6600-AP XSS / DoS / Information Disclosure
Security Advisory - 22/07/2019 Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware version 4.2.0.14. D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as per described on the D-Link website. Not that this product is built for...
Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS
Reflected XSS in the base64 encoded fwurl parameter when the plugin has been used for 30 days and shows a donation notice PoC https:///wp-admin/options-general.php?page=smae=remind=Iyc7YWxlcnQoL1hTUy8pOy8v...
Photospace Responsive < 1.1.8 - Authenticated XSS
The Photospace Responsive Gallery WordPress plugin was affected by an Authenticated XSS security vulnerability...
Custom Field Suite <= 2.5.14 - Authenticated Cross-Site Scripting (XSS)
The Custom Field Suite WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...
WordPress Smush Image Compression and Optimization plugin <= 2.9.1 - Authenticated XSS & Phar Deserialization vulnerabilities
Authenticated XSS & Phar Deserialization vulnerabilities found by RIPS Technologies in WordPress Smush Image Compression and Optimization plugin versions = 2.9.1. Solution Update the WordPress Smush Image Compression and Optimization plugin to the latest available version at least 3.0.0...
Apache Active MQ 5.0.0 to 5.15.5 Authenticated XSS Vulnerability - Linux
Apache ActiveMQ is prone to an authenticated XSS vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...
Ultimate Form Builder Lite <= 1.3.7 - Multiple Vulnerabilities
Authenticated XSS & SQL Injection...
CVE-2018-10234
Authenticated Cross site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=umoptions§ion=account page...
CVE-2017-9674
In SimpleCE 2.3.0, an authenticated XSS vulnerability was found on index.php/content/text/1?returnurl=XSS exploitable as a regular or admin user...
CVE-2017-6814
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting XSS via Media File Metadata. This is demonstrated by both 1 mishandling of the playlist shortcode in the wpplaylistshortcode function in wp-includes/media.php and 2 mishandling of meta information in the renderTracks function ...
WordPress Plugin Landing Pages 1.8.4 - Multiple Vulnerabilities
WordPress Plugin Landing Pages 1.8.4 - Multiple Vulnerabilities Title: Multiple vulnerabilities in WordPress plugin "WordPress Landing Pages" Author: Adrián M. F. - adrimf85atgmaildotcom Date: 2015-05-25 Vendor Homepage: https://wordpress.org/plugins/landing-pages/ Active installs: 20,000+...
Plugin Info Card <= 2.3.6 - Authenticated XSS
Authenticated XSS via wppic-list POST parameter in the wppicwidgetrender AJAX method which is also lacking CSRF and authorisation checks, even in the fixed version...
TP-Link TD-W8951ND - Multiple Vulnerabilities
TP-Link TD-W8951ND - Multiple Vulnerabilities ----------- Author: ----------- xistence ------------------------- Affected products: ------------------------- Tested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923 ------------------------- Affected vendors: -------------------------...
TP-Link TD-W8951ND - Multiple Vulnerabilities
Exploit for hardware platform in category web applications ------------------------- Affected products: ------------------------- Tested on TP-Link TD-W8951ND Firmware 4.0.0 Build 120607 Rel.30923 ------------------------- Affected vendors: ------------------------- TP-Link http://www.tp-link.com...