116 matches found
CVE-2022-4763
The Icon Widget WordPress plugin before 1.3.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege...
WordPress Amr Shortcode Any Widget Plugin <= 4.0 is vulnerable to Cross Site Scripting (XSS)
Software Amr Shortcode Any Widget Type Plugin Vulnerable versions = 4.0 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2022-4458 Patch priority Medium CVSS severity Medium 6.5 Developer Claim ownership PSID 612057d81855 Credits Lana Codes...
WordPress Birthdays Widget plugin跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress Birthdays Widget plugin version 1.7.18 and earlier is vulnerable to a cross-site scripting...
The vulnerability of the Widget plugin and the Undo feature of the CKEditor WYSIWYG editor allows attackers to compromise data integrity.
The vulnerability of the Widget plugin and the Undo feature of the CKEditor WYSIWYG editor is related to the lack of measures taken to protect the structure of web pages. Exploiting this vulnerability allows an attacker to compromise the integrity of data...
Similar Posts < 3.1.6 - Admin+ Arbitrary PHP Code Execution
The plugin allow high privilege users to execute arbitrary PHP code in an hardened environment ie with DISALLOWFILEEDIT, DISALLOWFILEMODS and DISALLOWUNFILTEREDHTML set to true via the 'widgetrrmsimilarpostscondition' widget setting of the plugin. Vendor was notified in July 2021, the issue was...
WordPress Social Gallery and Widget plugin <= 2.2.5 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Social Gallery and Widget plugin versions = 2.2.5. Solution Update the WordPress Social Gallery and Widget plugin to the latest available version at least 2.3...
CVE-2021-20814
Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type Movable Type 7 r.4903 and earlier Movable Type 7 Series, Movable Type Advanced 7 r.4903 and earlier Movable Type Advanced 7 Series, and Movable Type Premium 1.44 and earlier allows remote...
CVE-2021-20814
Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type Movable Type 7 r.4903 and earlier Movable Type 7 Series, Movable Type Advanced 7 r.4903 and earlier Movable Type Advanced 7 Series, and Movable Type Premium 1.44 and earlier allows remote...
Cross site scripting
Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type Movable Type 7 r.4903 and earlier Movable Type 7 Series, Movable Type Advanced 7 r.4903 and earlier Movable Type Advanced 7 Series, and Movable Type Premium 1.44 and earlier allows remote...
CVE-2021-20814
CVE-2021-20814 is a Cross-site scripting vulnerability in Movable Type’s ContentType Information Widget Plugin “Setting” screen. The issue affects Movable Type 7 (r.4903 and earlier), Movable Type Advanced 7 (r.4903 and earlier), and Movable Type Premium 1.44 and earlier, where an attacker can in...
Widget feature vulnerability allowing to execute JavaScript code using undo functionality
Affected packages The vulnerability has been discovered in Widget plugin if used alongside Undo feature. Impact A potential vulnerability has been discovered in CKEditor 4 Widget package. The vulnerability allowed to abuse undo functionality using malformed widget HTML, which could result in...
CVE-2021-32808
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
CVE-2021-32808
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
Spoofing
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
CVE-2021-32808 Cross-site scripting in ckeditor via abuse of undo functionality
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting
Exploit Title: MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting Date: 11/28/2018 Author: 0xB9 Software Link: https://github.com/zainali99/trends-widget Version: 1.2 Tested on: Windows 10 1. Description: This plugin shows the most trending threads. Trending thread titles aren't sanitized to...
CVE-2020-24314
Fahad Mahmood RSS Feed Widget Plugin v2.7.9 and lower does not sanitize the value of the "t" GET parameter before echoing it back out inside an input tag. This results in a reflected XSS vulnerability that attackers can exploit with a specially crafted URL...
Cross site scripting
Fahad Mahmood RSS Feed Widget Plugin v2.7.9 and lower does not sanitize the value of the "t" GET parameter before echoing it back out inside an input tag. This results in a reflected XSS vulnerability that attackers can exploit with a specially crafted URL...
CVE-2020-24314
Fahad Mahmood RSS Feed Widget Plugin v2.7.9 and lower does not sanitize the value of the "t" GET parameter before echoing it back out inside an input tag. This results in a reflected XSS vulnerability that attackers can exploit with a specially crafted URL...
CVE-2020-24314
Affected software: Fahad Mahmood RSS Feed Widget Plugin for WordPress, v2.7.9 and earlier. Vulnerability: Reflected XSS via the GET parameter "t" that is echoed into an input tag without sanitization. Impact: Attackers can craft a URL to trigger XSS (no exploitation details beyond this). Exploita...