140 matches found
WordPress Plugin "Related YouTube Videos" vulnerable to cross-site request forgery
Overview WordPress Plugin "Related YouTube Videos" provided by Chris Doerr contains a cross-site request forgery vulnerability CWE-352. Shoichiro Ishikawa of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability...
A map plugin for Mincraft server "Dynmap" fails to restrict access permissions
Overview A map plugin for Mincraft server "Dynmap" fails to restrict access permissions CWE-284. RyotaK directly reported this vulnerability to the developer and coordinated on his own. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer f...
JVN#89046645: A map plugin for Minecraft server "Dynmap" fails to restrict access permissions
A map plugin for Minecraft server "Dynmap" fails to restrict access permissions CWE-284. Impact Under the circumstance where a user is required to login Dynmap, a remote attacker may bypass the login authentication and be able to see a map image that requires authentication. Solution Update the...
WordPress Plugin "Contest Gallery" vulnerable to cross-site request forgery
Overview WordPress Plugin "Contest Gallery" provided by Contest-Gallery contains a cross-site request forgery vulnerability CWE-352. Okazawa Yoshihiro of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to...
PT-2019-11736 · Jenkins +1 · Jenkins Electricflow Plugin +2
Name of the Vulnerable Software and Affected Versions: Jenkins ElectricFlow Plugin version 1.1.6 and earlier CloudBees CD Plugin affected versions not specified Description: A reflected cross-site scripting issue allows attackers to inject arbitrary HTML and JavaScript into job configuration form...
JVN#96988995: Multiple vulnerabilities in WordPress Plugin "Online Lesson Booking"
WordPress Plugin "Online Lesson Booking" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2019-5972 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2|...
JVN#88962935: Multiple vulnerabilities in WordPress Plugin "Zoho SalesIQ"
WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities listed below. Cross-site Scripting CWE-79 - CVE-2019-5962 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N| Base Score: 6.1 CVSS v2| AV:N/AC:H/Au:N/C:N/I:P/A:N|...
WordPress Contact Form by WPForms plugin <= 1.4.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting XSS vulnerability found by RIPS Technologies in WordPress Contact Form by WPForms plugin versions = 1.4.7. Solution Update the WordPress Contact Form by WPForms plugin to the latest available versions at least 1.4.8...
WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
Overview The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a stored cross-site scripting vulnerability CWE-79. Yuta Kitaoka of TokyoDenkiUniversity Cryptography Lab reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early...
WordPress plugin "FV Flowplayer Video Player" vulnerable to cross-site scripting
Overview The WordPress plugin "FV Flowplayer Video Player" provided by Foliovision contains a cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting
Overview The WordPress plugin "Email Subscribers & Newsletters" provided by Icegram contains a reflected cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
WordPress plugin "WP Google Map Plugin" vulnerable to cross-site scripting
Overview The WordPress plugin "WP Google Map Plugin" provided by Flipper Code contains a reflected cross-site scripting vulnerability CWE-79. Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An...
WordPress plugin "Events Manager" vulnerable to cross-site scripting
Overview The WordPress plugin "Events Manager" provided by NetWebLogic contains a stored cross-site scripting vulnerability CWE-79. Daichi Takaki of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to IPA. JPCERT/CC...
JVN#85531148: WordPress plugin "Events Manager" vulnerable to cross-site scripting
The WordPress plugin "Events Manager" provided by NetWebLogic contains a stored cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on a logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the...
WordPress plugin "WP All Import" vulnerable to cross-site scripting
Overview The WordPress plugin "WP All Import" provided by Soflyy contains a cross-site scripting vulnerability CWE-79 in the file upload function. Note that this vulnerability is different from JVN60032768. Mardan Muhidin of Gehirn Inc. reported this vulnerability to IPA. JPCERT/CC coordinated wi...
WordPress plugin "MTS Simple Booking C" vulnerable to cross-site scripting
Overview The WordPress plugin "MTS Simple Booking C" provided by MT Systems Co., Ltd. contains a stored cross-site scripting vulnerability CWE-79. Daichi Takaki of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University reported this vulnerability to...
WordPress Splashing Images plugin <=2.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting XSS vulnerability found by Nicolas Buzy-Debat in WordPress Splashing Images plugin versions =2.1. Possible remote injection of arbitrary web script or HTML via the search parameter to wp-admin/upload.php. Solution Update the WordPress Splashing Images plugin to the latest...
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Overview The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability CWE-79 in multiple pages due to a flaw in processing HTTP Referer headers. Note that this vulnerability is different from JVN77253951. Gen Sato of Mitsui Bussan Secure...
WordPress 'wp_ajax_update_plugin' function directory traversal vulnerability
WordPress is a blogging platform developed using the PHP language by the WordPress Software Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security vulnerability exists in the 'wpajaxupdateplugin' function in the wp-admin/includes/ajax-actions.ph...
CVE-2016-10148
The CVE-2016-10148 entry concerns WordPress before 4.6. The vulnerable component is wp_ajax_update_plugin in wp-admin/includes/ajax-actions.php. The root cause is that a get_plugin_data call is performed before checking the update_plugins capability, allowing remote authenticated users to bypass ...