29 matches found

Nuclei
added 9 hours ago | 12 views

ShortCode Addons - Unauthenticated Options Update

WordPress plugin Shortcode Addons = 3.0.2 contains an unauthenticated arbitrary option update caused by insufficient access controls in the plugin, letting attackers modify options without authentication. id: CVE-2022-34487 info: name: ShortCode Addons - Unauthenticated Options Update author:...

9.8 CVSS | 5.9 AI score | 0.484 EPSS
Exploits: 0 | References: 3

Nuclei
added 5 days ago | 24 views

Simple URLs < 115 - Cross Site Scripting

The plugin does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. id: CVE-2023-0099 info: name: Simple URLs 115 - Cross Site Scripting author: r3Y3r53 severit...

6.1 CVSS | 6.3 AI score | 0.70054 EPSS
Exploits: 6 | References: 5

EUVD
added 2026/01/28 5:30 a.m. | 3 views

EUVD-2026-4865

The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the imagereplacementfromurl function that is hooked to the erifromurl AJAX action. This makes it possible for authenticated...

5.3 CVSS | 5.9 AI score | 0.00015 EPSS
Exploits: 0 | References: 4

Positive Technologies
added 2026/01/28 12:0 a.m. | 5 views

PT-2026-5061

The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the image replacement from url function that is hooked to the eri from url AJAX action. This makes it possible for...

5.3 CVSS | 5.9 AI score | 0.00015 EPSS
Exploits: 0 | References: 5

Tenable Nessus
added 2025/11/17 12:0 a.m. | 4 views

Drupal 11.0.x < 11.1.9 Multiple Vulnerabilities

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities : - Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. - Drupal core contains a...

5.9 CVSS | 7.2 AI score | 0.00135 EPSS
Exploits: 0 | References: 9

Tenable Nessus
added 2025/11/17 12:0 a.m. | 3 views

Drupal 8.0.x < 10.4.9 Multiple Vulnerabilities

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities : - Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. - Drupal core contains a...

5.9 CVSS | 7.2 AI score | 0.00135 EPSS
Exploits: 0 | References: 9

OpenVAS
added 2025/11/14 12:0 a.m. | 4 views

Drupal Multiple Vulnerabilities (SA-CORE-2025-005 - SA-CORE-2025-008)

Drupal is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:drupal:drupal"; ifdescription...

5.9 CVSS | 7.8 AI score | 0.00135 EPSS
Exploits: 0 | References: 4

OSV
added 2025/11/12 8:16 p.m. | 1 view

DRUPAL-CORE-2025-007

By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement. The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content such as branding is rendered...

4.3 CVSS | 6.6 AI score | 0.00044 EPSS
Exploits: 0 | References: 1

Tenable Nessus
added 2025/11/12 12:0 a.m. | 3 views

Drupal 8.x/9.x/10.x < 10.4.9 / 10.5.x < 10.5.6 / 11.1.x < 11.1.9 / 11.2.x < 11.2.8 Multiple Vulnerabilities (drupal-2025-11-12)

According to its self-reported version, the instance of Drupal running on the remote web server is 8.x, 9.x, or 10.4.x prior to 10.4.9, 10.5.x prior to 10.5.6, 11.1.x prior to 11.1.9, or 11.2.x prior to 11.2.8. It is, therefore, affected by multiple vulnerabilities. - Drupal core contains a chain...

5.9 CVSS | 6.3 AI score | 0.00135 EPSS
Exploits: 0 | References: 14

OSV
added 2025/10/28 9:46 p.m. | 6 views

CVE-2025-64095 DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files...

10 CVSS | 6.7 AI score | 0.20172 EPSS
Exploits: 3 | References: 3

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2021-29064

Malicious code in bioql PyPI...

6.1 CVSS | 6.4 AI score | 0.00298 EPSS
Exploits: 3 | References: 3

Snyk
added 2025/04/29 2:36 p.m. | 1 view

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS through the idformulaire parameter. An attacker can manipulate the web content viewed by other users by injecting malicious scripts into the URL. That can allow stealing cookies from an authenticated user by...

7.2 CVSS | 5 AI score | 0.00352 EPSS
Exploits: 1 | References: 2

RedhatCVE
added 2025/03/27 1:39 p.m. | 8 views

CVE-2025-27632

A Host Header Injection vulnerability in TRMTracker application may allow an attacker by modifying the host header value in an HTTP request to leverage multiple attack vectors, including defacing the site content through web-cache poisoning...

6.1 CVSS | 7.1 AI score | 0.00241 EPSS
Exploits: 0 | References: 1

Hacker One
added 2021/01/20 12:34 a.m. | 114 views

U.S. Dept Of Defense: Stored XSS at https://www.█████████.mil

Summary: Stored XSS exists at https://www.██████.mil. A user can fill out the form and upload a file containing javascript code to trigger XSS. Description: Stored XSS exists at https://www.████.mil. A user can fill out the form and upload a file containing javascript code to trigger XSS. Impact ...

6.4 AI score
Exploits: 0

Imperva Blog
added 2020/10/22 1:7 p.m. | 70 views

CrimeOps of the KashmirBlack Botnet – Part I

Introduction Being in a research team exposes us to a variety of attacks on different platforms, of different types, scope, and volume. It also gives us the opportunity to select particularly interesting attacks that target our customers and to analyze them. This blog will give you a taste of the...

7.5 CVSS | 0.2 AI score | 0.9421 EPSS
Exploits: 17

Hacker One
added 2017/02/28 7:12 a.m. | 12 views

Nextcloud: http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement

Good day, I truly hope it treats you well on your side of the screen : I have found that your website uses the flash file: swfupload.swf to allow your users to upload files. The tl;dr version of this bug report is it allows an open redirect to any site a non kind person may want to exploit or...

Exploits: 0

ThreatPost
added 2016/03/28 5:13 p.m. | 13 views

Zen Cart Shopping Cart App Plugs Big XSS Vulnerability

Popular open source shopping cart app Zen Cart is warning its users of dozens of cross-site scripting vulnerabilities found in its software. Affected websites, security experts say, risk exposing customers to malware, theft of cookies data and site defacement. Researchers at the security firm...

5.7 AI score
Exploits: 0 | References: 4

seebug.org
added 2014/07/01 12:0 a.m. | 10 views

Jupiter CMS <= 1.1.5 - Multiple XSS Attack Vectors

No description provided by source. Jupiter CMS = 1.1.5 multiple XSS attack vectors. Discovered by: Nomenumbra/0x4F4C Date: 3/11/2006 impact:high privilege escalation,site defacement Jupiter CMS http://www.highstrike.net/ is a dynamic CMS system like mambo or limbo, allowing users to subscribe and...

7.1 AI score
Exploits: 0

The Hacker News
added 2011/05/31 3:28 p.m. | 4 views

Server with 335 websites got hacked by PakH3X0r

Server with 335 websites got hacked by PakH3X0r An Indian Server with 335 websites has been hacked by PakH3X0r and all sites get defaced. The list of sites are given at : https://pastebin.com/BEChkwD9...

7.3 AI score
Exploits: 0

Packet Storm
added 2007/09/26 12:0 a.m. | 22 views

jspwiki-xss.txt

Application: JSPWiki Multiple Vulnerabilities Version: 2.4.103 and 2.5.139 Credit: Jason Kratzer Date: 9/24/2007 Background ------------------------------------------------------------ JSPWiki is wiki software built around the standard J2EE components of Java, servlets and JSP. It was written by...

7.4 AI score
Exploits: 0