Category Order and Taxonomy Terms Order <= 1.5.2.2 - Authenticated PHP Object Injection
Use of unserialize() on user input in the order-saving request leads to a PHP object injection vulnerability. PoC: send a POST request to "URL/wp-admin/admin-ajax.php" with parameters "action=update-taxonomy-order=SERIALIZED-OBJECT"...
blog.activ-investment.eu XSS vulnerability
Open Bug Bounty ID: OBB-568414

| Description | Value |
|---|---|
| Affected Website: | blog.activ-investment.eu |
| Vulnerable Application: | WordPress |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |
sylvaniatownship.com XSS vulnerability
Open Bug Bounty ID: OBB-568372

| Description | Value |
|---|---|
| Affected Website: | sylvaniatownship.com |
| Vulnerable Application: | WordPress |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |
academia.subdere.gov.cl XSS vulnerability
Open Bug Bounty ID: OBB-568371

| Description | Value |
|---|---|
| Affected Website: | academia.subdere.gov.cl |
| Vulnerable Application: | WordPress |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Disclosure Standard: | Coordinated Disclosu... |
Photo Gallery by WD <= 1.3.66 - Cross-Site Scripting (XSS)
User input is first escaped with esc_html() and then URL-decoded. This allows reflected XSS with a double URL-encoded payload...
Swape Theme - Authentication Bypass and Stored XSS
Similar to https://wpvulndb.com/vulnerabilities/8061, but with no authentication. The theme suffers from a privilege escalation vulnerability: any user can trigger it due to weak permission checks. An attacker can update options, such as changing the users' default role, registratio...
beautifulworld.com XSS vulnerability
Open Bug Bounty ID: OBB-552745

| Description | Value |
|---|---|
| Affected Website: | beautifulworld.com |
| Vulnerable Application: | newsmag theme from tagdiv |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Disclosure Standard: | Coordinat... |
nasiloluyo.com XSS vulnerability
Open Bug Bounty ID: OBB-552742

| Description | Value |
|---|---|
| Affected Website: | nasiloluyo.com |
| Vulnerable Application: | newsmag theme from tagdiv |
| Vulnerability Type: | XSS Cross Site Scripting / CWE-79 |
| CVSSv3 Score: | 6.1... |
Cross site request forgery (csrf)
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS...
CVE-2018-6357
The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS...
CVE-2017-18032
The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_generate_password action to wp-admin/admin-ajax.php...
CVE-2018-5653
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php weblizar_pffree_settings_save_get-users parameter...
Cross site request forgery (csrf)
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. CSRF exists via wp-admin/admin-ajax.php...
Design/Logic Flaw
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php security parameter...
CVE-2018-5654
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php PFFREEAccessToken parameter...
Design/Logic Flaw
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php PFFREEAccessToken parameter...
Design/Logic Flaw
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php weblizar_pffree_settings_save_get-users parameter...
CVE-2018-5653
The CVE-2018-5653 entry refers to a vulnerability in the WordPress plugin weblizar-pinterest-feeds version 1.1.1. The issue is an XSS vulnerability exploitable via the wp-admin/admin-ajax.php parameter weblizar_pffree_settings_save_get-users. Several connected sources (CNVD-2018-01274 and WPVulnD...
CVE-2018-5653
An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php weblizar_pffree_settings_save_get-users parameter...
WordPress Booking Calendar 7.0 / 7.1 SQL Injection / Local File Inclusion Vulnerabilities
WordPress Booking Calendar plugin versions 7.1, 7.0, and below suffer from remote SQL injection and local file inclusion vulnerabilities.
Advisory Title: WordPress Booking Calendar Plugin Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Booking...