PT-2023-12488 · WordPress · Doneren Met Mollie
Name of the Vulnerable Software and Affected Versions: Doneren met Mollie plugin for WordPress versions up to and including 2.8.5 Description: The issue concerns Sensitive Data Exposure due to missing capability checks in the dmm export donations function, which is called via the admin post dmm...
Dental Clinic Appointment Reservation System Cross-Site Scripting Vulnerability
Dental Clinic Appointment Reservation System is an appointment reservation system for dental clinics by the independent developer jkev. A cross-site scripting vulnerability exists in SourceCodester Dental Clinic Appointment Reservation System version 1.0 due to an unknown function in the file /admin/service.p...
PT-2022-27476 · Yith · Yith Woocommerce Gift Cards
Name of the Vulnerable Software and Affected Versions: YITH WooCommerce Gift Cards premium plugin versions 3.19.0 and earlier Description: The issue is related to an Unauth. Arbitrary File Upload vulnerability in the YITH WooCommerce Gift Cards premium plugin on WordPress, which allows unauthoriz...
VulnCheck KEV: CVE-2014-4725
The MailPoet Newsletters wysija-newsletters plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/...
Create Block Theme < 1.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not have authorisation and CSRF checks and does not validate the file to be uploaded, which could allow unauthenticated attackers to upload arbitrary files to the server. As an unauthenticated user, open [URL omitted in listing]. The file will be uploaded at...
CVE-2022-1694
The Useful Banner Manager WordPress plugin through 1.6.1 does not perform CSRF checks on POST requests to its admin page, allowing an attacker to trick a logged-in admin into adding, modifying or deleting banners from the plugin by submitting a form...
CVE-2022-0642
The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugin's admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged-in administrator into injecting...
CVE-2022-27061
AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the Post Image function under the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file...
Open redirect
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to an Open Redirect via the page POST parameter in the npBulkActions, npBulkEdit, npListingSort, and npCategoryFilter admin_post actions...
Cross site request forgery (csrf)
The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the npBulkActions and npBulkEdit admin_post actions, which allowed attackers to trash or permanently purge arbitrary posts, as well as change their status, reassign their ownership, and edit other...
WordPress Plugin Input Validation Error Vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed in PHP. The platform supports setting up personal blog sites on PHP and MySQL servers. A WordPress plugin is an open source application plugin for WordPress. A security vulnerability exists in the WordPress...
PT-2021-22063 · WordPress · Nested Pages
Name of the Vulnerable Software and Affected Versions: Nested Pages WordPress plugin versions 3.1.15 and earlier Description: The issue concerns an Open Redirect vulnerability via the page POST parameter in the npBulkActions, npBulkEdit, npListingSort, and npCategoryFilter admin post actions...
Nested Pages < 3.1.16 - Open Redirect
The plugin was vulnerable to an Open Redirect via the page POST parameter in the npBulkActions, npBulkEdit, npListingSort, and npCategoryFilter admin_post actions...
Victor CMS Code Issue Vulnerability
Victor CMS is an open source content management system from the developers of Victor Alagwu Software in Nigeria. Version 1.0 of Victor CMS is vulnerable to arbitrary file uploads. An attacker can execute arbitrary code by uploading files to CMS site-masteradminincludesadminaddpost.php...
MiniCMS Cross-Site Scripting Vulnerability
MiniCMS is a content management system (CMS) designed for personal websites. A security vulnerability exists in MiniCMS v1.10 that allows remote attackers to execute arbitrary code by sending a crafted HTTP request to the component "mc-admin/post-edit.php"...
CVE-2020-35749
Directory traversal vulnerability in class-simplejobboardresumedownloadhandler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjbfile parameter to wp-admin/post.php...
CVE-2020-29303
A cross-site scripting (XSS) vulnerability in the SabaiApp Directories Pro plugin 1.3.45 for WordPress allows remote attackers to inject arbitrary web script or HTML via a POST to /wp-admin/admin.php?page=drts/directories&q=%2F with the drtsformbuildid parameter containing the XSS payload and the t paramet...
CVE-2019-18834
Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCSAdminPostTypes in class-wcs-admin-post-types.php...
CVE-2020-11509
An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37wplimporttemplate admin-post action which will execute in an administrator's browser if the template is used to create a page...