1570 matches found
CVE-2023-1413
The WP VR WordPress plugin before 8.2.9 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-1473
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin 3.29.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-1473 Responsive WordPress Slideshows 3.29.0 - Reflected XSS
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin 3.29.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-1413 WP VR < 8.2.9 - Reflected XSS
The WP VR WordPress plugin before 8.2.9 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-1282 Drag and Drop Multiple File Upload PRO - Reflected Cross-Site Scripting
The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the...
CVE-2023-1939
No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non-admin users to see OTP keys via the user interface...
Design/Logic Flaw
No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non-admin users to see OTP keys via the user interface...
CVE-2023-1939 No access control for the OTP key on OTP entries
No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non-admin users to see OTP keys via the user interface...
CVE-2023-1939
CVE-2023-1939 concerns a lack of access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager. Affected products: Windows 2022.3.33.0 and prior; Linux 2022.3.2.0 and prior. Impact: non-admin users can view OTP keys via the user interface. Root cause: insufficient authorizat...
PT-2023-22188 · Sap · Sap Netweaver As Abap
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS for ABAP Business Server Pages versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757 Description: The issue allows an attacker authenticated as a non-administrative user to craft a request with certain...
CVE-2023-1121
The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...
CVE-2023-0874 Klaviyo <= 3.0.10 - Admin+ Stored XSS
The Klaviyo WordPress plugin before 3.0.10 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...
CVE-2023-1120 Simple Giveaways < 2.45.1 - Admin+ Stored XSS
The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)...
Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign
Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites...
CVE-2023-25464 WordPress Twitch Player Plugin <= 2.1.0 is vulnerable to Cross Site Scripting (XSS)
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in StreamWeasels Twitch Player plugin <= 2.1.0 versions...
CVE-2023-24004
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in WPdevart Image and Video Lightbox, Image PopUp plugin <= 2.1.5 versions...
Music Gallery Site v1.0 - Broken Access Control Vulnerability
Exploit Title: Music Gallery Site v1.0 - Broken Access Control Exploit Author: Muhammad Navaid Zafar Ansari CVE Assigned: CVE-2023-0963 mitre.org nvd.nist.org Vendor Homepage: https://www.sourcecodester.com Software Link: Music Gallery Site Version: v 1.0 Tested on: Windows 11 Broken...
CVE-2023-1377
The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
PT-2023-21998 · Unknown +3 · Cloudflared +4
Name of the Vulnerable Software and Affected Versions: Wagtail versions prior to 4.1.4 and 4.2.2 Description: A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing....