1747 matches found

Patchstack
added 2026/03/20 2:54 p.m. | 6 views

WordPress WP Custom Admin Interface plugin <= 7.42 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by hhhai in WordPress Plugin WP Custom Admin Interface versions <= 7.42...

CVSS 6.5 | AI score 5.8 | EPSS 0.00161
Exploits: 0 | Affected Software: 1

EUVD
added 2026/03/16 3:30 p.m. | 4 views

EUVD-2015-9419

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with...

CVSS 6.4 | AI score 5.7 | EPSS 0.00207
Exploits: 1 | References: 4

CVE
added 2026/03/15 6:34 p.m. | 9 views

CVE-2015-20119

CVE-2015-20119 affects RealtyScript 4.0.2 (Next Click Ventures). It is a stored cross-site scripting vulnerability in the pages.php admin interface: an authenticated attacker can submit crafted iframe payloads via the text parameter to the add page action, storing malicious content that executes ...

CVSS 6.4 | AI score 5.7 | EPSS 0.00207
Exploits: 1 | References: 3 | Affected Software: 1

ATTACKERKB
added 2026/03/15 6:34 p.m. | 2 views

CVE-2015-20119

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with...

AI score 5.7 | EPSS 0.00207
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2026/03/15 6:34 p.m. | 5 views

CVE-2015-20119 RealtyScript 4.0.2 Stored Cross-Site Scripting via text Parameter in pages.php

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with...

CVSS 6.4 | AI score 5.7 | EPSS 0.00207
Exploits: 1 | References: 3

NVD
added 2026/03/12 5:16 p.m. | 8 views

CVE-2026-25529

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be...

CVSS 8.1 | EPSS 0.00235
Exploits: 0 | References: 1

Cvelist
added 2026/03/12 4:35 p.m. | 25 views

CVE-2026-25529 Postal has HTML injection / XSS in message view

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be...

CVSS 8.1 | EPSS 0.00235
Exploits: 0 | References: 1

OSV
added 2026/03/12 4:35 p.m. | 5 views

CVE-2026-25529 Postal has HTML injection / XSS in message view

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be...

CVSS 8.1 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 3

Vulnrichment
added 2026/03/12 4:35 p.m. | 3 views

CVE-2026-25529 Postal has HTML injection / XSS in message view

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be...

CVSS 8.1 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 1

ATTACKERKB
added 2026/03/12 4:35 p.m. | 5 views

CVE-2026-25529

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be...

CVSS 8.1 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 2 | Affected Software: 1

EUVD
added 2026/03/12 4:35 p.m. | 5 views

EUVD-2026-11603

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be...

CVSS 8.1 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 1

CVE
added 2026/03/12 4:35 p.m. | 10 views

CVE-2026-25529

Postal is an open source SMTP server. CVE-2026-25529 affects versions before 3.3.5, where unescaped data could be injected into the admin interface, primarily via the API’s send/raw method. This HTML injection could permit arbitrary HTML and potentially unauthorised JavaScript execution in the ad...

CVSS 8.1 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/03/12 12:0 a.m. | 3 views

PT-2026-25008

Postal is an open source SMTP server. Postal versions less than 3.3.5 had a HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method. This could allow arbitrary HTML to be...

CVSS 8.1 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 2

Packet Storm
added 2026/03/10 12:0 a.m. | 92 views

Vvveb CMS 1.0.5 Insecure Direct Object Reference

A one liner of details for how to leverage the insecure direct object reference vulnerability in Vvveb CMS version 1.0.5. The research later discovered this also affects version 1.0.7.3...

CVSS 7.2 | AI score 5.8 | EPSS 0.01347
Exploits: 6

Cvelist
added 2026/03/08 6:2 p.m. | 33 views

CVE-2026-3759 projectworlds Online Art Gallery Shop adminHome.php sql injection

A security vulnerability has been detected in projectworlds Online Art Gallery Shop 1.0. This affects an unknown part of the file /admin/adminHome.php. Such manipulation of the argument reachnm leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly an...

CVSS 7.5 | EPSS 0.00357
Exploits: 1 | References: 4

GitHub Security Blog
added 2026/03/05 9:14 p.m. | 7 views

EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface

Vulnerability Allowing MFA Bypass. Affected EC-CUBE Versions: 4.1.0 – 4.3.1. Vulnerability Overview: If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative...

AI score 6.1
Exploits: 0 | References: 3 | Affected Software: 1

OSV
added 2026/03/05 9:14 p.m. | 4 views

GHSA-7RHV-H82H-VPJH EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface

Vulnerability Allowing MFA Bypass. Affected EC-CUBE Versions: 4.1.0 – 4.3.1. Vulnerability Overview: If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative...

CVSS 6.7 | AI score 6.1
Exploits: 0 | References: 3

Cvelist
added 2026/03/05 6:56 p.m. | 29 views

CVE-2026-28223 Wagtail: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area...

CVSS 6.1 | EPSS 0.00459
Exploits: 0 | References: 9

Vulnrichment
added 2026/03/05 6:56 p.m. | 2 views

CVE-2026-28223 Wagtail: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area...

CVSS 6.1 | AI score 5.6 | EPSS 0.00459
Exploits: 0 | References: 9

OSV
added 2026/03/03 5:59 p.m. | 2 views

GHSA-P4V8-RW59-93CQ Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface

Impact: A stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, cause...

CVSS 6.1 | AI score 5.9 | EPSS 0.00459
Exploits: 0 | References: 11