Asset CleanUp < 1.3.8.5 - Reflected Cross-Site Scripting via AJAX Action
The plugin does not sanitise and escape POSTed parameters sent to the wpassetcleanupfetchactivepluginsicons AJAX action available to admin users, leading to a Reflected Cross-Site Scripting issue. alert(/XSS/)" / var form1 = document.getElementById('hack'); form1.submit();...
Domain Check < 1.0.17 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=domain-check-profile&domain=alert/XSS/...
Insight Core <= 1.0 - Subscriber+ PHP Object Injection & Stored XSS
The plugin does not have any authorisation and CSRF checks in the insightcustomizeroptionsimport available to any authenticated user, does not validate user input before passing it to unserialize, nor sanitise and escape it before outputting it in the response. As a result, it could allow users...
Tutor LMS < 1.9.12 - Reflected Cross-Site Scripting
The plugin does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=tutorannouncements&search=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%281%29+x%3D...
WP Extra File Types < 0.5.1 - CSRF to Stored Cross-Site Scripting
The plugin does not have a CSRF check when saving its settings, nor does it sanitise and escape some of them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks. var form1 = document.getElementById('hack'); form1.submit();...
WP Post Page Clone < 1.2 - Unauthorised Post Access
The plugin allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally. Go to All Posts, find the post to clone, click "Click to Clone", then edit the cloned post to see its content...
CVE-2021-38019
Insufficient policy enforcement in CORS in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page...
Aver EVC300 Firmware 00.10.16.36 Hardcoded Secrets Vulnerability
Aver EVC300 firmware version 00.10.16.36 suffers from having multiple hard-coded secrets that can allow for access bypass. Firmware for Aver EVC300 multipoint video conferencing system v00.10.16.36 and others as well as firmware for several other devices manufactured by Aver, potentially all...
Event Calendar < 1.1.51 - Reflected Cross-Site Scripting
The plugin does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. Then move the mouse over the 'Untitled' text (Firefox only):...
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected XSS in custom-facebook-feed on the cff-top admin page. http://127.0.0.1:8001/wp-admin/admin.php?page=cff-top&cffaccesstoken=xox%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3E&cfffinalresponse=true...
Croogo 3.0.2 Shell Upload
Exploit Title: Croogo 3.0.2 - Unrestricted File Upload Date: 06/12/2021 Exploit Author: Enes Özeser Vendor Homepage: https://croogo.org/ Software Link: https://downloads.croogo.org/v3.0.2.zip Version: 3.0.2 Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3 == 'setting-43'...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
log4j-jndi-be-gone A Byte Buddy Jav...
Exploit for Path Traversal in Grafana
Grafana V8. Arbitrary File Reading Vulnerability – Multi-t...
TestLink 1.19 - Arbitrary File Download (Unauthenticated)
Exploit Title: TestLink 1.19 - Arbitrary File Download (Unauthenticated) Google Dork: inurl:/testlink/ Date: 07/12/2021 Exploit Author: Gonzalo Villegas (Cl34r) Exploit Author Homepage: https://nch.ninja Vendor Homepage: https://testlink.org/ Version: 1.16 = 1.19 CVSS:...
WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update
The plugin does not have proper authorisation and CSRF checks in most of its AJAX actions, which could allow any authenticated user, such as a subscriber, to delete arbitrary posts and update the plugin's settings. v1.8.1 added authorisation checks, however CSRF protection was still missing and a separate advisory h...
Aiven Ltd: Apache Flink RCE via GET jar/plan API Endpoint
Summary: Aiven has not restricted access to the GET jars/jarid/plan API. This endpoint can be used to load java class files with the specified arguments that are in the java classpath on the server. This can be abused to gain RCE on the Apache Flink Server. Steps To Reproduce: The video below sho...
Multivendor Marketplace Solution for WooCommerce < 3.8.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape user input before outputting it back in HTML attributes, leading to Reflected Cross-Site Scripting issues. https://example.com/wp-admin/admin.php?page=wcmp-setting-admin&tab=vendor'alert/XSS/...
OMGF < 4.5.12 - Admin+ Arbitrary Folder Deletion via Path Traversal
The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin. As admin, put the following payload in the "Fonts Cache Directory" setting of the plugin: ../wp-includes, tick the "Remo...
Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
The getquery function of the plugin, used by the niwoocosajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user, such as a subscriber. POST...
Kudos Donations < 3.1.2 - Arbitrary Items Deletion via CSRF
The plugin has a logic flaw in its CSRF checks when deleting items such as Donors, Transactions, Subscriptions, etc., allowing attackers to make a logged in admin delete them. https://example.com/wp-admin/admin.php?page=kudos-transactions&action=delete&id=1...