BIT-DISCOURSE-2021-43850 Denial of Service in discourse

Discourse is an open source platform for community discussion. In affected versions admins users can trigger a Denial of Service attack via the /message-bus/diagnostics path. The impact of this vulnerability is greater on multisite Discourse instances where multiple forums are served from a singl...

BIT-DISCOURSE-2023-28107 Discourse vulnerable to multisite DoS by spamming backups

Discourse is an open-source discussion platform. Prior to version 3.0.2 of the stable branch and version 3.1.0.beta3 of the beta and tests-passed branches, a user logged as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a...

BIT-DISCOURSE-2023-30606 Multisite denial of service through unsanitized dynamic dispatch to SiteSetting in Discourse

Discourse is an open source platform for community discussion. In affected versions a user logged as an administrator can call arbitrary methods on the SiteSetting class, notably clearcache! and notifychanged!, which when done on a multisite instance, can affect the entire cluster resulting in a...

BIT-DISCOURSE-2023-38498 Discourse vulnerable to DoS via defer queue

Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installation. The issue is patche...

BIT-DISCOURSE-2023-41043 Discourse DoS via SvgSprite cache

Discourse is an open-source discussion platform. Prior to version 3.1.1 of the stable branch and version 3.2.0.beta1 of the beta and tests-passed branches, a malicious admin could create extremely large icons sprites, which would then be cached in each server process. This may cause server...

Ebook Store < 5.8002 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2024-0611

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slides callback functionality in all versions up to, and including, 3.9.5. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web...

CVE-2024-1977

The Restaurant Solutions – Checklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Checklist points in version 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inje...

CVE-2024-0689

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a meta import in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the meta values. This makes it possible for authenticated attackers, with...

CVE-2024-0656

The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Captcha Site Key in all versions up to, and including, 2.6.6 due to insufficient input sanitization and output escaping...

CVE-2024-0658

The Insert PHP Code Snippet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's name when accessing the insert-php-code-snippet-manage page in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible f...

CVE-2024-0621

The Simple Share Buttons Adder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

CVE-2024-0604

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-0602

The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2024-15752 · WordPress · Custom Field Suite

Name of the Vulnerable Software and Affected Versions: Custom Field Suite plugin for WordPress versions up to, and including, 2.6.4 Description: The issue is related to Stored Cross-Site Scripting via a meta import due to insufficient input sanitization and output escaping on the meta values. Thi...

PT-2024-18465 · WordPress · The Restaurant Solutions – Checklist

Name of the Vulnerable Software and Affected Versions: The Restaurant Solutions – Checklist plugin for WordPress version 1.0.0 Description: The issue is related to Stored Cross-Site Scripting via the Checklist points due to insufficient input sanitization and output escaping. This allows...

CVE-2023-7115

The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-7167

The Persian Fonts WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Cross site scripting

The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Cross site scripting

The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...