Simple Theme Options < 1.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC: Put the following payload in any of the plugin's textarea settings fields, such as 'Google Analytics':...
Multiple Themes - Reflected Cross-Site Scripting via Customizer Notify
The qualitycustomizernotifydismissaction and ticustomizernotifydismissrecommendedplugins AJAX actions (names can differ depending on the theme), available to authenticated users in multiple themes, do not validate or escape the id parameter before outputting it back in the response, leading to...
WordPress Import / Export Customizer Settings plugin <= 1.0.3 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found by Jerome Bruandet (NinTechNet) in WordPress Import / Export Customizer Settings plugin versions <= 1.0.3. Solution: Update the WordPress Import / Export Customizer Settings plugin to the latest available version (at least 1.0.4)...
Fedora 31 : wordpress (2020-7701f49327)
WordPress 5.4.1 Security Updates. Seven security issues affect WordPress versions 5.4 and earlier. If you haven't yet updated to 5.4, all WordPress versions since 3.7 have also been updated to fix the following security issues: - Props to Muaz Bin Abdus Sattar and Jannes who both independently...
Fedora 30 : wordpress (2020-fa71ca92f8)
WordPress 5.4.1 Security Updates. Seven security issues affect WordPress versions 5.4 and earlier. If you haven't yet updated to 5.4, all WordPress versions since 3.7 have also been updated to fix the following security issues: - Props to Muaz Bin Abdus Sattar and Jannes who both independently...
WordPress Cross-Site Scripting Vulnerability (CNVD-2020-27078)
WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the Customizer navigation section in WordPress versions 4.7...
WordPress XSS Vulnerability (May 2020) - Windows
WordPress is prone to a cross-site scripting vulnerability. SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wordpress:wordpress";...
Cross-site Scripting (XSS)
WordPress is vulnerable to cross-site scripting (XSS). The navigation section of the Customizer accepts user-provided malicious scripts without proper handling, allowing an attacker to inject and execute arbitrary JavaScript in a user's browser...
DEBIAN-CVE-2020-11025
In affected versions of WordPress, a cross-site scripting XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a min...
CVE-2020-11025
In affected versions of WordPress, a cross-site scripting XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a min...
Cross site scripting
In affected versions of WordPress, a cross-site scripting XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a min...
UBUNTU-CVE-2020-11025
In affected versions of WordPress, a cross-site scripting XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a min...
CVE-2020-11025
Summary of CVE-2020-11025 : In affected WordPress versions, there is an authenticated XSS vulnerability in the Customizer navigation section that allows JavaScript execution. The issue is due to improper input handling in the navigation UI and requires an authenticated user to exploit. It has bee...
CVE-2020-11025 Authenticated cross-site scripting (XSS) in WordPress Customizer
In affected versions of WordPress, a cross-site scripting XSS vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a min...
WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
Description: Authenticated users could corrupt other users' JSON data in the Customizer to inject malicious JavaScript...
PT-2020-3600 · WordPress · Wordpress
Name of the Vulnerable Software and Affected Versions: WordPress versions prior to 5.4.1 WordPress versions 5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33 Description: A cross-site scripting XSS vulnerability in t...