72 matches found
CVE-2023-4648
The WP Customer Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...
CVE-2023-5621
The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Title field in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2023-30606 Multisite denial of service through unsanitized dynamic dispatch to SiteSetting in Discourse
Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the SiteSetting class, notably clearcache! and notifychanged!, which when done on a multisite instance, can affect the entire cluster resulting in a...
PT-2023-16771 · WordPress · Simple Giveaways
Name of the Vulnerable Software and Affected Versions: The Simple Giveaways WordPress plugin versions prior to 2.45.1 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for...
CVE-2022-2473
The WP-UserOnline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘templatesbrowsingpagetext' parameter in versions up to, and including, 2.87.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with...
PT-2022-16060 · WordPress · Wp-Dbmanager
Name of the Vulnerable Software and Affected Versions: WP-DBManager versions prior to 2.80.8 Description: The issue allows administrators to run arbitrary commands on the server in multisite installations, where only super-administrators should have this capability. Recommendations: For versions...
CVE-2022-1321
The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example ...
CVE-2022-1772
The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing th...
CVE-2022-21663 Authenticated Object Injection in Multisites in WordPress
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3...
PT-2022-15017 · WordPress +1 · Wordpress +1
Name of the Vulnerable Software and Affected Versions: WordPress versions prior to 5.8.3 WordPress versions prior to 3.7.37 Description: The issue concerns a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin ro...
CVE-2021-39356
The Content Staging WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via several parameters that are echo'd out via the /templates/settings.php file which allowed attackers with administrative user access to inject arbitrary web...
WordPress 插件 跨站脚本漏洞
WordPress Plugin is an open source application plugin for WordPress. The WordPress plugin suffers from a security vulnerability that stems from insufficient input validation and cleanup of several parameters found in the /admin/jobsfunction.php file of the job-portal plugin, which is susceptible ...