CVE-2023-23702
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Pixelgrade Comments Ratings plugin = 1.1.7 versions...
CVE-2023-44230
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Gopi Ramasamy Popup contact form plugin = 7.1 versions...
Arbitrary Code Execution
Pagekit/pagekit is vulnerable to Arbitrary Code Execution. The vulnerability exists because the updateAction function in UpdateController.php blindly executes code in the uploaded requirements.php file, which allows an admin-authenticated attacker to execute malicious code on the system...
CVE-2023-32294
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Radical Web Design GDPR Cookie Consent Notice Box plugin = 1.1.6 versions...
CVE-2023-32505
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Arshid Easy Hide Login plugin = 1.0.7 versions...
CVE-2023-30874
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Steve Curtis, St. Pete Design Gps Plotter plugin = 5.1.4 versions...
Ivanti Addressed Second Zero-Day Flaw Exploited by Attackers
Threat Level: Vulnerability Report. Summary: The zero-day vulnerability CVE-2023-35081 in Ivanti EPMM enables admin-authenticated attackers to write arbitrary files, risking unauthorized access, OS command execution, and malicious web shell...
Denial Of Service (DoS)
ethyca-fides is vulnerable to Denial Of Service (DoS). The vulnerability exists due to the lack of validation checks for SVGs in the savetemplate function of connectorregistryservice.py, which allows an admin-authenticated attacker to crash the application by uploading a zip file containing a...
CVE-2023-22690
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Shopfiles Ltd Ebook Store plugin = 5.775 versions...
CVE-2023-30746
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Booqable Rental Software Booqable Rental plugin = 2.4.15 versions...
CVE-2023-28932
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in WPMobile.App WPMobile.App — Android and iOS Mobile Application plugin = 11.20 versions...
CVE-2023-23812
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Joost de Valk Enhanced WP Contact Form plugin = 2.2.3 versions...
CVE-2023-25484
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Oliver Schlöbe Simple Yearly Archive plugin = 2.1.8 versions...
Server-side Request Forgery (SSRF)
github.com/darklynx/request-baskets is vulnerable to Server-side Request Forgery (SSRF). The vulnerability exists due to improper validation in the /api/baskets/name path, allowing an admin-authenticated attacker to access network resources and sensitive information via a maliciously crafted AP...
CVE-2023-25464
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in StreamWeasels Twitch Player plugin = 2.1.0 versions...
Cross-site Scripting (XSS)
backdrop/backdrop is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists due to the lack of validation of HTML elements when adding a post, which allows an admin-authenticated attacker to inject and execute malicious JavaScript when a user views the post...
CVE-2022-40697
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in 3com – Asesor de Cookies para normativa española plugin = 3.4.3 versions...
CVE-2022-40694
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in News Announcement Scroll plugin = 8.8.8 on WordPress...
Advanced Comment Form < 1.2.1 - Admin+ Authenticated Stored XSS
The plugin does not sanitise and escape its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. In the settings of the plugin, add the following payload to the text before the form:...
CVE-2021-32103
A Stored XSS vulnerability in interface/usergroup/usergroupadmin.php in OpenEMR before 5.0.2.1 allows an admin-authenticated user to inject arbitrary web script or HTML via the lname parameter...