506 matches found
WordPress 插件安全漏洞
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on servers with PHP and MySQL. WordPress Page/Post Content Shortcode plugin in and prior versions is vulnerable to an authorization...
PT-2021-16333 · WordPress · Insert Pages
Name of the Vulnerable Software and Affected Versions: Insert Pages WordPress plugin versions prior to 3.7.0 Description: The issue allows users with a role as low as Contributor to access content and metadata from arbitrary posts or pages, regardless of their author and status, including private...
CVE-2021-24840
The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request...
CVE-2021-24840
The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request...
Design/Logic Flaw
The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request...
CVE-2021-24840 Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure
The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request...
Bulk Datetime Change < 1.12 - Missing Authorisation
The plugin does not enforce capability checks which allows users with Contributor roles to 1 list private post titles of other users and 2 change the posted date of other users' posts. PoC Run on "Bulk Datetime Change" page:...
CVE-2021-24677
The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...
CVE-2021-24677 Find My Blocks < 3.4.0 - Private Post Titles Disclosure
The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...
CVE-2021-24677
The CVE concerns the WordPress plugin Find My Blocks prior to version 3.4.0, where the REST API lacks authorization checks. This allows unauthenticated users to enumerate titles of private posts via the plugin’s REST endpoints (e.g., private post title disclosure). Impact is limited to affected s...
Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure
The theme allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request. PoC POST /wp-json/csco/v1/more-posts Accept:...
Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure
The theme allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request. POST /wp-json/csco/v1/more-posts Accept:...
Find My Blocks < 3.4.0 - Private Post Titles Disclosure
The plugin does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. PoC Create a private post with at least one Gutenburg paragraph block and go to https://example.com/wp-json/find-my-blocks/blocks/?name=core/paragraph...
Far-Right Platform Gab Has Been Hacked—Including Private Data
The transparency group DDoSecrets says it will make the 70 GB of passwords, private posts, and more available to researchers, journalists, and social scientists...
WordPress 5.3.x < 5.3.3 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - Six cross-site scripting XSS vulnerabilities exist due to improper validation of user-supplied input. An remote attacker can exploit these, by convincing a user to click a...
WordPress 3.7.x < 3.7.33 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - Six cross-site scripting XSS vulnerabilities exist due to improper validation of user-supplied input. An remote attacker can exploit these, by convincing a user to click a...
WordPress 4.9.x < 4.9.14 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - Six cross-site scripting XSS vulnerabilities exist due to improper validation of user-supplied input. An remote attacker can exploit these, by convincing a user to click a...
WordPress 4.3.x < 4.3.23 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - Six cross-site scripting XSS vulnerabilities exist due to improper validation of user-supplied input. An remote attacker can exploit these, by convincing a user to click a...
WordPress 4.0.x < 4.0.30 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - Six cross-site scripting XSS vulnerabilities exist due to improper validation of user-supplied input. An remote attacker can exploit these, by convincing a user to click a...
WordPress 4.7.x < 4.7.17 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - Six cross-site scripting XSS vulnerabilities exist due to improper validation of user-supplied input. An remote attacker can exploit these, by convincing a user to click a...