GHSA-QX2Q-Q59V-WF3J Craft CMS vulnerable to behavior injection RCE via EntryTypesController

The fix for GHSA-7jx7-3846-m7w7 commit 395c64f0b80b507be1c862a2ec942eaacb353748 only patched src/services/Fields.php, but the same vulnerable pattern exists in EntryTypesController::actionApplyOverrideSettings. In src/controllers/EntryTypesController.php lines 381-387: php $settingsStr =...

WordPress plugin Custom Logo 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVE-2025-14735 Amazon affiliate lite Plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2025-43724

Name of the Vulnerable Software and Affected Versions Fast Velocity Minify versions prior to 3.5.1 Description The Fast Velocity Minify plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow authenticate...

PT-2022-16836 · WordPress · Wp-Useronline

Name of the Vulnerable Software and Affected Versions: WP-UserOnline plugin for WordPress versions up to, and including, 2.87.6 Description: The issue is related to Stored Cross-Site Scripting via the templatesbrowsingpagetext parameter due to insufficient input sanitization and output escaping...