WordPress Plugin Custom post types, Custom Fields & more Cross-site Scripting Vulnerabilities
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. WordPress Plugin Custom post types, Custom...
WordPress Plugin Advanced Custom Fields: Extended Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
PT-2023-32013 · WordPress · Advanced Custom Fields: Extended
Name of the Vulnerable Software and Affected Versions: Advanced Custom Fields: Extended plugin for WordPress versions up to, and including, 0.8.9.3 Description: The issue is related to Stored Cross-Site Scripting via the 'acfe form' shortcode due to insufficient input sanitization and output...
WordPress Just Custom Fields Plugin <= 3.3.2 is vulnerable to Broken Access Control
Software: Just Custom Fields; Type: Plugin; Vulnerable versions: <= 3.3.2; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-46203; Patch priority: Low; CVSS severity: Low 4.3; PSID: fc45a795b56e; Credits: Abdi Pranata; Required...
CVE-2023-45147
Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins use topic custom fields. For a default Discourse installation...
Design/Logic Flaw
Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins use topic custom fields. For a default Discourse installation...
CVE-2023-45147 Arbitrary keys can be added to a topic's custom fields by any user in Discourse
Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins use topic custom fields. For a default Discourse installation...
CVE-2023-45147 Arbitrary keys can be added to a topic's custom fields by any user in Discourse
Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins use topic custom fields. For a default Discourse installation...
CVE-2023-45147
Discourse (CVE-2023-45147) allows any user to add arbitrary keys to a topic's custom fields. Impact depends on installed plugins; with default plugins, impact is low/none. Patched in the latest Discourse: upgrade to version 3.1.1 (stable) or 3.2.0.beta2 (beta). If upgrade isn’t possible, disable ...
CVE-2023-45147 Arbitrary keys can be added to a topic's custom fields by any user in Discourse
Discourse is an open source community platform. In affected versions any user can create a topic and add arbitrary custom fields to a topic. The severity of this vulnerability depends on what plugins are installed and how the plugins use topic custom fields. For a default Discourse installation...
PT-2023-29438 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.1.1 Discourse versions prior to 3.2.0.beta2 Description: Discourse is an open source community platform. In affected versions, any user can create a topic and add arbitrary custom fields to a topic. The severity ...
Discourse Information Disclosure Vulnerability
Discourse is an open source community discussion platform. The platform includes features such as communities, email and chat rooms. An information disclosure vulnerability exists in Discourse that originates from allowing any user to create a topic and add arbitrary custom fields to the topic...
Design/Logic Flaw
The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrfldsexportfile function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially...
CVE-2023-4469 Profile Extra Fields by BestWebSoft <= 1.2.7 - Missing Authorization to Sensitive Information Exposure
The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrfldsexportfile function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially...
WordPress Advanced Custom Fields: Extended Plugin <= 0.8.9.3 is vulnerable to Cross Site Scripting (XSS)
Software: Advanced Custom Fields: Extended; Type: Plugin; Vulnerable versions: <= 0.8.9.3; Fixed in: 0.8.9.4; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2023-5292; Patch priority: Low; CVSS severity: Low 6.4; PSID: f97577760831; Credits...
CVE-2023-40068
Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative...
Cross site scripting
Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative...
CVE-2023-40068
Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative...
CVE-2023-40068
CVE-2023-40068 is a cross-site scripting vulnerability in Advanced Custom Fields (ACF) and ACF Pro versions 6.1.0–6.1.7. An attacker with administrative privileges (authenticated) can trigger the browser to execute arbitrary scripts on the logged-in user’s session, enabling potential cookie/crede...
WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting
Overview WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability CWE-79. Ryotaro Imamura of SB Technology Corp. and Satoo Nakano reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...