8952 matches found
CVE-2018-8710
A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication...
WOOF WooCommerce Products Filter 1.1.9 LFI / Code Execution
SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Arbitrary Shortcode Execution & Local File Inclusion product: WOOF - WooCommerce Products Filter PluginUs.Net vulnerable version: 1.1.9 fixed version: 2.2.0 CVE number:...
WordPress SQL Shortcode SQL Injection
SQL Injection vulnerability in WordPress SQL Shortcode plugin shortcode parameter. Vulnerability Type: SQL Injection. For the exploit source code contact DSquare Security sales team...
WordPress EZ SQL Reports Shortcode Widget and DB Backup RCE
Remote command execution vulnerability in WordPress EZ SQL Reports Shortcode Widget and DB Backup plugin shortcode parameter. Vulnerability Type: Remote Command Execution. For the exploit source code contact DSquare Security sales team...
Automattic: Stored XSS Using Media
Hi, Summary: This exploits an XSS vulnerability on polldaddy.com Steps to Reproduce: 1. Create a multiple-choice question quiz on Polldaddy 2. Insert stored XSS payload into Media Embed such that it matches the shortcode format Payload: 3. When someone goes on the quiz page through the quiz share...
Cross-site Scripting (XSS)
WordPress is vulnerable to cross-site scripting (XSS) attacks. The library does not escape tags in shortcode previews in the TinyMCE editor, allowing a malicious user to inject and execute arbitrary web script...
WordPress SQL Shortcode plugin <=1.1 - Authenticated SQL Execution vulnerability
Authenticated SQL Execution vulnerability found by Paul Dannewitz in WordPress SQL Shortcode plugin version 1.1 and earlier versions. This vulnerability allows users with low privileges to execute SQL. Solution: SQL Shortcode plugin removed from WordPress plugin repository. Use plugin with caution...
SQL Shortcode <= 1.1 - Authenticated SQL Execution
It's not an SQL injection actually, it's just executing SQL with an account as low-privileged as a subscriber. The plugin description says it all. This great article, https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html, will help in understanding how to exploit shortcodes and...
I Recommend This <= 3.8.1 - Authenticated SQL Injection
Plugin description: "This plugin allows your visitors to simply like/recommend your posts instead of comment on it." Active installs according to https://wordpress.org/plugins/i-recommend-this/: 40.000+. It's possible to inject SQL into the dot_recommends shortcode, if the check for IP addresses is...
Cross-Site Scripting (XSS)
WordPress is vulnerable to cross-site scripting (XSS) attacks. The attacks are possible because the application does not filter unclosed HTML elements in attributes during the processing of shortcode tags...
WP Statistics SQL Injection vulnerability
Security experts at Sucuri have discovered a SQL Injection vulnerability in WP Statistics, one of the most popular WordPress plugins, that is currently installed on over 300,000 websites. The SQL Injection vulnerability in WP Statistics could be exploited by attackers, with at least a subscriber...
WordPress pdfjs-viewer-shortcode plugin cross-site scripting vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed in PHP, which supports personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress pdfjs-viewer-shortcode plugin, where the program fails to...
CVE-2017-6814
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function ...
UBUNTU-CVE-2017-6814
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function ...
DEBIAN-CVE-2017-6814
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function ...
festagro.org XSS vulnerability
Vulnerable URL: http://festagro.org/wp-content/themes/themerush/inc/plugins/shortcode/shortcodepopup.php?get=' Details: Patched: No; Latest check for patch: 28.07.2017; Vulnerability type: XSS; Vulnerability status: Publicly disclosed; Alexa Rank: 23102320; VIP website...
tabrix.ir XSS vulnerability
Vulnerable URL: http://tabrix.ir/wp-content/themes/themerush/inc/plugins/shortcode/shortcodepopup.php?get=' Details: Patched: No; Latest check for patch: 28.07.2017; Vulnerability type: XSS; Vulnerability status: Publicly disclosed; Alexa Rank: 3590646; VIP website...