95 matches found
WordPress Plugin Cross-Site Scripting Vulnerability (CNVD-2021-66921)
WordPress is the Wordpress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blogging sites on PHP and MySQL servers. WordPress plugin is a WordPress open source application plugin. WordPress plugin Wonder Video Embed has a cross-si...
CVE-2021-24540
The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderpluginvideo shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks...
Cross site scripting
The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderpluginvideo shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks...
CVE-2021-24540 Wonder Video Embed < 1.8 - Contributor+ Stored XSS
The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderpluginvideo shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks...
WordPress 插件跨站脚本漏洞
WordPress is the Wordpress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blogging sites on PHP and MySQL servers. WordPress plugin is a WordPress open source application plugin. WordPress plugin Wonder Video Embed has a cross-si...
WP Courses LMS < 2.0.44 - Authenticated Stored XSS via Video Embed Code
The plugin does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfilteredhtml capability is disallowed, which could lead to Stored Cross-Site Scripting issues 1. On the dashboard, navigate to WP Courses Courses Add New Video...
WP Courses LMS < 2.0.44 - Authenticated Stored XSS via Video Embed Code
The plugin does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfilteredhtml capability is disallowed, which could lead to Stored Cross-Site Scripting issues PoC 1. On the dashboard, navigate to WP Courses Courses Add New...
Wonder Video Embed < 1.8 - Contributor+ Stored XSS
The plugin does not escape parameters of its wonderpluginvideo shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. PoC wonderpluginvideo iframe='youtube.com?v=dQw4w9WgXcQ" onload="alert1'...
Wonder Video Embed < 1.8 - Contributor+ Stored XSS
The plugin does not escape parameters of its wonderpluginvideo shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. wonderpluginvideo iframe='youtube.com?v=dQw4w9WgXcQ" onload="alert1' videocss='animation-name:twentytwentyone-close-button-transition"...
WordPress Video Embed plugin SQL Injection Vulnerability
WordPress is a set of blogging platforms developed using the PHP language by the Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress Plugin is an application plugin for WordPress. A SQL injection vulnerability exists in WordPress Vide...
CVE-2021-24337
The id GET parameter of one of the Video Embed WordPress plugin through 1.0's page available via forced browsing is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection...
CVE-2021-24337
The id GET parameter of one of the Video Embed WordPress plugin through 1.0's page available via forced browsing is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection...
WordPress 插件 SQL注入漏洞
WordPress is a set of blogging platforms developed using the PHP language by the Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress Plugin is an application plugin for WordPress. A SQL injection vulnerability exists in WordPress Vide...
WordPress Video Embed plugin <= 1.0 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability discovered by Syed Sheeraz Ali Code Vigilant Project in WordPress Video Embed plugin versions = 1.0. Solution This plugin has been closed as of April 19, 2021 and is not available for download. This closure is temporary, pending a full review...
Video Embed <= 1.0 - Authenticated (subscriber+) SQL Injection
The id GET parameter of one of the plugin's page available via forced browsing is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection. PoC Note: The URL /wp-admin/admin.php?page=edit-video-embed=1 is...
CVE-2020-7642
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...
CVE-2020-7642
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...
Design/Logic Flaw
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...
CVE-2020-7642
CVE-2020-7642 affects lazysizes up to version 5.2.0, where the video-embed plugin fails to sanitize attributes data-vimeo, data-vimeoparams, data-youtube, and data-ytparams, enabling injection of malicious JavaScript. The vulnerability is tied to how untrusted payloads can be executed through the...
CVE-2020-7642
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...