CNNVD
added 2023/04/18 12:00 a.m., 3 views

WordPress Plugin Denis Buka Content Repeater – Custom Posts Simplified Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting vulnerabilit...

CVSS 4.8, AI score 4.9, EPSS 0.00392
Exploits 0, References 2

0day.today
added 2023/04/18 12:00 a.m., 298 views

WordPress Weaver Xtreme 5.0.7 / Weaver Show Posts 1.6 Cross Site Scripting Vulnerability

WordPress Weaver Xtreme theme versions 5.0.7 and below and Weaver Show Posts plugin versions 1.6 and below suffer from a persistent cross site scripting vulnerability. On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for 2 nearly identical...

CVSS 6.4, AI score 9.1, EPSS 0.00531
Exploits 2

OSV
added 2023/04/17 1:15 p.m., 5 views

CVE-2023-1371

The W4 Post List WordPress plugin before 2.4.6 does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them...

CVSS 6.5, AI score 6.9, EPSS 0.00654
Exploits 2, References 1

NVD
added 2023/04/10 2:15 p.m., 15 views

CVE-2023-1426

The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as a subscriber, to retrieve the titles of draft and private posts for example. An attacker could also retrieve the title of any other type of post...

CVSS 6.5, AI score 6.4, EPSS 0.00795
Exploits 2, References 1

OSV
added 2023/04/10 2:15 p.m., 3 views

CVE-2023-1426

The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as a subscriber, to retrieve the titles of draft and private posts for example. An attacker could also retrieve the title of any other type of post...

CVSS 6.5, AI score 5.8, EPSS 0.00795
Exploits 2, References 1

Vulnrichment
added 2023/04/10 1:17 p.m., 7 views

CVE-2023-1426 WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure

The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as a subscriber, to retrieve the titles of draft and private posts for example. An attacker could also retrieve the title of any other type of post...

AI score 6.4, EPSS 0.00795
Exploits 2, References 1

CVE
added 2023/04/10 1:17 p.m., 72 views

CVE-2023-1426

CVE-2023-1426 affects the WordPress plugin WP Tiles up to version 1.1.2. The vulnerability arises because the plugin's display logic does not ensure that posts shown are not drafts or private, allowing any authenticated user (e.g., subscribers) to retrieve the titles of draft/private posts and po...

CVSS 6.5, AI score 6.3, EPSS 0.00795
Exploits 2, References 1, Affected Software 1

WPVulnDB
added 2023/04/10 12:00 a.m., 18 views

Blocksy Companion < 1.8.82 - Subscriber+ Draft Post Access

The plugin does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as a subscriber, to access draft posts for example. PoC: Run the below command in the developer console of the web browser while being on the blog as a...

CVSS 4.3, AI score 9, EPSS 0.0055
Exploits 2, Affected Software 1

ATTACKERKB
added 2023/04/05 6:15 p.m., 5 views

CVE-2022-4936

The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying shipping...

CVSS 8.8, AI score 7.3, EPSS 0.00248
Exploits 0, References 3

OSV
added 2023/04/05 6:15 p.m., 5 views

CVE-2022-4936

The WCFM Marketplace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.11 due to missing nonce checks on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of actions such as modifying shipping...

CVSS 8.8, AI score 7.4, EPSS 0.00248
Exploits 0, References 2

Prion
added 2023/04/05 6:15 p.m., 18 views

Design/Logic Flaw

The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as...

CVSS 6.5, AI score 8.5, EPSS 0.00723
Exploits 0, References 2, Affected Software 1

Circl
added 2023/04/03 10:25 p.m., 9 views

CVE-2022-43769

| creationtimestamp | type | source |
|---|---|---|
| 2023-04-03 22:25:06+00:00 | seen | https://t.me/cibsecurity/61355 |
| 2023-04-08 20:04:44+00:00 | published-proof-of-concept | https://t.me/CyberSecurityTechnologies/8078 |
| 2023-05-11 14:42:41+00:00 | seen | ... |

CVSS 8.8, AI score 7.4, EPSS 0.9767
Exploits 6, References 21

Hacker One
added 2023/04/03 12:58 p.m., 40 views

Reddit: RichText parser vulnerability in scheduled posts allows XSS

Hyperlinks were not being filtered on the server-side in Reddit's scheduled post feature, allowing an attacker to modify a request with a normal hyperlink that embeds a malicious link using a javascript scheme. This could result in an XSS attack if an admin clicked on the malicious link while...

AI score 6
Exploits 0

WPVulnDB
added 2023/04/01 12:00 a.m., 20 views

Weaver Show Posts < 1.7 - Contributor+ Stored Cross-Site Scripting

The plugin does not properly escape the profile display name, leading to stored Cross-Site Scripting vulnerabilities...

CVSS 6.4, AI score 6, EPSS 0.00508
Exploits 2, References 1, Affected Software 1

0day.today
added 2023/03/30 12:00 a.m., 225 views

Shoplazza 1.1 - Stored Cross-Site Scripting Vulnerability

Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting XSS
Exploit Author: Andrey Stoykov
Software Link: https://github.com/Shoplazza/LifeStyle
Version: 1.1
Tested on: Ubuntu 20.04
Stored XSS 1: To reproduce do the following: 1. Login as normal user account 2. Browse "Blog Posts" - "Manage...

AI score 6.8
Exploits 0

Exploit DB
added 2023/03/30 12:00 a.m., 134 views

Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)

Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting XSS
Exploit Author: Andrey Stoykov
Software Link: https://github.com/Shoplazza/LifeStyle
Version: 1.1
Tested on: Ubuntu 20.04
Stored XSS 1: To reproduce do the following: 1. Login as normal user account 2. Browse "Blog Posts" - "Manage...

AI score 7.4
Exploits 0

OSV
added 2023/03/23 5:15 p.m., 2 views

CVE-2023-26008

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Ajay D'Souza Top 10 – Popular posts plugin for WordPress plugin = 3.2.4 versions...

CVSS 4.8, AI score 6.7, EPSS 0.00369
Exploits 0, References 1

CVE
added 2023/03/23 4:48 p.m., 66 views

CVE-2023-26008

CVE-2023-26008 affects the WordPress plugin Top 10 – Popular posts (

CVSS 5.9, AI score 5, EPSS 0.00369
Exploits 0, References 1, Affected Software 1

CNNVD
added 2023/03/23 12:00 a.m., 3 views

WordPress Plugin Popular posts Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

CVSS 5.9, AI score 6.3, EPSS 0.00369
Exploits 0, References 2

OSV
added 2023/03/20 4:15 p.m., 3 views

CVE-2023-0890

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as a subscriber to view draft, private or...

CVSS 6.5, AI score 6.8, EPSS 0.00654
Exploits 2, References 1