Cross site scripting

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Thom Stark Eyes Only: User Access Shortcode plugin = 1.8.2 versions...

CVE-2023-25786 WordPress Eyes Only: User Access Shortcode Plugin <= 1.8.2 is vulnerable to Cross Site Scripting (XSS)

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Thom Stark Eyes Only: User Access Shortcode plugin = 1.8.2 versions...

CVE-2023-25786

The CVE-2023-25786 issue affects the WordPress plugin Eyes Only: User Access Shortcode (Thom Stark Eyes Only) version 1.8.2 and earlier. The root cause is a Stored Cross-Site Scripting (XSS) vulnerability that requires admin+ privileges to exploit, with an impact limited to confidentiality and in...

OSM – OpenStreetMap <= 6.01 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. osmmap mapborder='3px solid black;background:red;width:100px;height:100px;" onmouseover="alert1"'...

WordPress plugin Eyes Only: User Access Shortcode 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A cross-site scripting vulnerability exists in WordPress...

PT-2023-20302 · WordPress · Thom Stark Eyes Only: User Access Shortcode

Name of the Vulnerable Software and Affected Versions: Thom Stark Eyes Only: User Access Shortcode plugin versions 1.8.2 and earlier Description: The issue is related to a Stored Cross-Site Scripting XSS vulnerability that requires authentication with admin+ privileges. This vulnerability affects...

CVE-2023-1911

The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as subscriber to access draft posts for example...

CVE-2023-0891

The StagTools WordPress plugin before 2.3.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-1911

Blocksy Companion (WordPress plugin by Creative Themes) before 1.8.82 contains an authorization flaw: posts accessible via a shortcode are not confirmed public, allowing any authenticated user (e.g., subscribers) to view draft content. This exposes draft posts to users who should not have access....

WordPress plugin Blocksy Companion 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers.WordPress plugin is an application...

User IP and Location < 2.2.1 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

ClickFunnels <= 3.1.1 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. clickfunnelsembed url="javascript:alert1"...

ClickFunnels <= 3.1.1 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC clickfunnelsembed url="javascript:alert1"...

WordPress Post Shortcode Plugin <= 2.0.9 is vulnerable to Cross Site Scripting (XSS)

Software Post Shortcode Type Plugin Vulnerable versions = 2.0.9 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-0526 Patch priority Medium CVSS severity Medium 6.5 Developer Claim ownership PSID 623dba0711b0 Credits István Márton Require...

URL Params < 2.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC urlparam htmltag='h1' attr='a'...

Tiempo.com <= 0.1.2 - Shortcode Deletion via CSRF

The plugin does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack Make a logged in admin open the URL below, this will make them delete the shortcode with ID 1...

CVE-2023-0418

The Video Central for WordPress plugin through 1.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2023-0276

The Weaver Xtreme Theme Support WordPress plugin before 6.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

Cross site scripting

The Weaver Xtreme Theme Support WordPress plugin before 6.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

Rating Widget <= 3.2.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...