19 matches found

Snyk · added 2026/04/10 7:50 p.m. · 4 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

CVSS 5.9 · AI score 6
Exploits 0 · References 2
NVD · added 2026/04/08 3:16 p.m. · 1 views

CVE-2026-39392

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Pages module does not apply the htmlpurify validation rule to content fields during create and update operations, while the Blog...

CVSS 5.5 · EPSS 0.00014
Exploits 1 · References 1
RedhatCVE · added 2026/02/04 7:28 p.m. · 2 views

CVE-2026-25486

Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is n...

CVSS 6.1 · AI score 5.4 · EPSS 0.0002
Exploits 1 · References 1
ATTACKERKB · added 2026/02/03 6:07 p.m. · 2 views

CVE-2026-25488

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories Name & Descripti...

CVSS 6.1 · AI score 5.4 · EPSS 0.00021
Exploits 1 · References 5 · Affected Software 1
OSV · added 2026/02/02 11:04 p.m. · 2 views

GHSA-H9R9-2PXG-CX9M Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation

Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone Name & Description fields in the Store Management section are not properly sanitized before being displayed in the admin panel...

CVSS 6.1 · AI score 5.7 · EPSS 0.00028
Exploits 1 · References 6
RedhatCVE · added 2026/01/07 9:29 a.m. · 4 views

CVE-2019-12398

In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected...

CVSS 4.8 · AI score 7.4 · EPSS 0.00608
Exploits 0 · References 1
Patchstack · added 2024/07/29 2:27 a.m. · 1 views

WordPress Add Admin JavaScript plugin <= 2.0 - Unauthenticated Full Path Disclosure vulnerability

Unauthenticated Full Path Disclosure vulnerability discovered by stealthcopter in WordPress Plugin Add Admin JavaScript versions <= 2.0...

CVSS 5.3 · AI score 7 · EPSS 0.00746
Exploits 0 · References 1 · Affected Software 1
Patchstack · added 2024/07/29 12:00 a.m. · 6 views

WordPress Add Admin JavaScript Plugin <= 2.0 is vulnerable to Sensitive Data Exposure

Software: Add Admin JavaScript · Type: Plugin · Vulnerable versions: <= 2.0 · Fixed in: N/A · OWASP Top 10: A3: Sensitive Data Exposure · Classification: Sensitive Data Exposure · CVE: CVE-2024-6548 · Patch priority: Low · CVSS severity: Low 5.3 · Developer: Claim ownership · PSID: 9dd89390081b · Credits: stealthcopter · Required...

CVSS 5.3 · AI score 6.6 · EPSS 0.00746
Exploits 0 · References 2 · Affected Software 1
NVD · added 2024/07/27 2:15 a.m. · 15 views

CVE-2024-6548

The Add Admin JavaScript plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path...

CVSS 5.3 · EPSS 0.00746
Exploits 0 · References 2
CVE · added 2024/07/27 1:51 a.m. · 25 views

CVE-2024-6548

CVE-2024-6548 affects the WordPress plugin Add Admin JavaScript (versions

CVSS 5.3 · AI score 5.2 · EPSS 0.00746
Exploits 0 · References 2
Positive Technologies · added 2024/07/27 12:00 a.m. · 2 views

PT-2024-37705 · WordPress · Add Admin Javascript

Name of the Vulnerable Software and Affected Versions: Add Admin JavaScript plugin for WordPress versions up to and including 2.0 Description: The issue allows unauthenticated attackers to retrieve the full path of the web application, which can aid other attacks. However, the information display...

CVSS 5.3 · AI score 6.7 · EPSS 0.00746
Exploits 0 · References 4
CNNVD · added 2024/07/27 12:00 a.m. · 3 views

WordPress plugin Add Admin JavaScript security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...

CVSS 5.3 · AI score 6.3 · EPSS 0.00746
Exploits 0 · References 3
OSV · added 2023/06/14 10:15 p.m. · 1 views

CVE-2023-2819

A stored cross-site scripting vulnerability in the Sources UI in Proofpoint Threat Response/ Threat Response Auto Pull PTR/TRAP could allow an authenticated administrator on an adjacent network to replace the image file with an arbitrary MIME type. This could result in arbitrary javascript code...

CVSS 4.3 · AI score 6.2
Exploits 0 · References 1
Positive Technologies · added 2023/06/14 12:00 a.m. · 1 views

PT-2023-21620 · Proofpoint · Proofpoint Threat Response/ Threat Response Auto Pull

Name of the Vulnerable Software and Affected Versions: Proofpoint Threat Response/ Threat Response Auto Pull PTR/TRAP versions prior to 5.10.0 Description: A stored cross-site scripting issue in the Sources UI could allow an authenticated administrator on an adjacent network to replace an image...

CVSS 4.3 · AI score 4.8 · EPSS 0.00086
Exploits 0 · References 3
ATTACKERKB · added 2022/07/26 1:15 p.m. · 0 views

CVE-2022-34988

Inout Blockchain AltExchanger v1.2.1 was discovered to contain a cross-site scripting XSS vulnerability via the component /admin/js...

CVSS 5.4 · AI score 5.8 · EPSS 0.00224
Exploits 1 · References 2
Cvelist · added 2022/06/27 8:56 a.m. · 12 views

CVE-2022-1029 Limit Login Attempts < 4.0.72 - Admin+ Stored Cross-Site Scripting

The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed, for example in multisite...

AI score 5.2 · EPSS 0.00185
Exploits 2 · References 1
Positive Technologies · added 2022/06/27 12:00 a.m. · 2 views

PT-2022-13602

Name of the Vulnerable Software and Affected Versions: Limit Login Attempts WordPress plugin versions prior to 4.0.72. Description: The issue allows malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered html is...

CVSS 4.8 · AI score 6.1 · EPSS 0.00185
Exploits 2 · References 4
OSV · added 2022/02/14 12:15 p.m. · 1 views

CVE-2021-25115

The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting XSS. Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel...

CVSS 6.4 · AI score 6.7
Exploits 0 · References 2
OSV · added 2018/06/26 4:29 p.m. · 0 views

CVE-2018-1000513

LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting XSS vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x...

CVSS 4.8 · AI score 6.2 · EPSS 0.00458
Exploits 1 · References 1