Nooz < 1.7.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Inline Tweet Sharer < 2.6 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Sticky Ad Bar <= 1.3.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Podlove Subscribe button < 1.3.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-0099

CVE-2023-0099 impacts the Simple URLs WordPress plugin prior to 115, which does not sufficiently sanitise/escape certain parameters before echoing them, enabling Reflected Cross-Site Scripting. The vulnerability can affect high-privilege users (e.g., admins) by crafting malicious links; CVSS v3.1...

EZP Coming Soon Page < 1.0.7.4 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

WordPress Simple Photo Gallery Plugin <= v1.8.1 is vulnerable to SQL Injection

Software Simple Photo Gallery Type Plugin Vulnerable versions = v1.8.1 Fixed in N/A OWASP Top 10 A1: Injection Classification SQL Injection CVE CVE-2022-47588 Patch priority Low CVSS severity Low 6.7 Developer Claim ownership PSID 7bcaa9fe7073 Credits minhtuanact Required privilege Administrator...

CVE-2022-4323

The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

Cross site scripting

The Sitemap WordPress plugin before 4.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users...

CVE-2022-4485 Page-list < 5.3 - Contributor+ Stored XSS

The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege user...

CVE-2022-3425 Google Analyticator < 6.5.6 - Admin+ PHP Object Injection

The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

Modal Dialog < 3.5.10 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

PT-2023-14182 · WordPress · The Analyticator

Name of the Vulnerable Software and Affected Versions: The Analyticator WordPress plugin versions prior to 6.5.6 Description: The issue allows high privilege users, such as admins, to perform PHP Object Injection when a suitable gadget is present. This is due to the plugin unserializing user inpu...

WordPress plugin The Analyticator 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A code issue vulnerability exists in the...

VikRentCar < 1.3.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Conversational Forms for ChatBot < 1.1.7 - Admin+ Stored XSS

The plugin does not sanitise and escape a form name, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

MailOptin 1.2.54.0 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

Mapwiz <= 1.0.1 - Admin+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC POST /wp-admin/admin.php?page=myplug/muyplg.php HTTP/1.1...

Mapwiz <= 1.0.1 - Admin+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. POST /wp-admin/admin.php?page=myplug/muyplg.php&mid HTTP/1.1...

Design/Logic Flaw

Dell Alienware m17 R5 BIOS version prior to 1.2.2 contain a buffer access vulnerability. A malicious user with admin privileges could potentially exploit this vulnerability by sending input larger than expected in order to leak certain sections of SMRAM...