CVE-2024-11804

The Planaday API plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 11.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

Exploit for Authentication Bypass Using an Alternate Path or Channel in Vivektamrakar Wp_Rest_Api_Fns

CVE-2024-49328 WP REST API FNS = 1.0.0 - Privilege Escalat...

CVE-2024-41141

Stored cross-site scripting vulnerability exists in EC-CUBE Web API Plugin. When there are multiple users using OAuth Management feature and one of them inputs some crafted value on the OAuth Management page, an arbitrary script may be executed on the web browser of the other user who accessed th...

CVE-2024-41141

Stored cross-site scripting vulnerability exists in EC-CUBE Web API Plugin. When there are multiple users using OAuth Management feature and one of them inputs some crafted value on the OAuth Management page, an arbitrary script may be executed on the web browser of the other user who accessed th...

EC-CUBE plugin (for EC-CUBE 4 series) "EC-CUBE Web API Plugin" vulnerable to stored cross-site scripting

Overview EC-CUBE plugin for EC-CUBE 4 series "EC-CUBE Web API Plugin" provided by EC-CUBE CO.,LTD. contains a stored cross-site scripting vulnerability CWE-79 in OAuth Management feature. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN...

PT-2024-29291 · Ec Cube · Ec-Cube Web Api Plugin

Name of the Vulnerable Software and Affected Versions: EC-CUBE Web API Plugin affected versions not specified Description: A stored cross-site scripting issue exists in the EC-CUBE Web API Plugin. When multiple users utilize the OAuth Management feature and one user inputs a crafted value on the...

WordPress Contact Form to Any API Plugin <= 1.1.8 is vulnerable to SQL Injection

Software Contact Form to Any API Type Plugin Vulnerable versions = 1.1.8 Fixed in 1.1.9 OWASP Top 10 A3: Injection Classification SQL Injection CVE CVE-2024-30242 Patch priority High CVSS severity High 8.5 Developer Claim ownership PSID f2d596609a9a Credits Le Ngoc Anh Required privilege Subscrib...

CVE-2023-35039 WordPress Password Reset with Code for WordPress REST API Plugin <= 0.0.15 is vulnerable to Broken Authentication

Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15...

WordPress Contact Form to Any API Plugin <= 1.1.6 is vulnerable to Broken Access Control

Software Contact Form to Any API Type Plugin Vulnerable versions = 1.1.6 Fixed in 1.1.7 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2023-47871 Patch priority Medium CVSS severity Medium 4.3 Developer Claim ownership PSID 81c0f0123458 Credits Arvandy Require...

WordPress MStore API Plugin <= 4.0.6 is vulnerable to SQL Injection

Software MStore API Type Plugin Vulnerable versions = 4.0.6 Fixed in 4.0.7 OWASP Top 10 A3: Injection Classification SQL Injection CVE CVE-2023-45055 Patch priority High CVSS severity High 8.5 Developer Claim ownership PSID 62679b9fbc47 Credits Truoc Phan Required privilege Subscriber Published 3...

WordPress Contact Form to Any API Plugin <= 1.1.2 is vulnerable to SQL Injection

Software Contact Form to Any API Type Plugin Vulnerable versions = 1.1.2 Fixed in 1.1.3 OWASP Top 10 A1: Injection Classification SQL Injection CVE CVE-2023-32741 Patch priority Low CVSS severity Low 7.6 Developer Claim ownership PSID 7672258ac26c Credits Arvandy Required privilege Administrator...

CVE-2023-37957

A cross-site request forgery CSRF vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token...

CVE-2023-37957

CVE-2023-37957 affects Jenkins Pipeline restFul API Plugin up to version 0.11. A CSRF flaw allows an attacker to cause the Jenkins instance to connect to an attacker-controlled URL, enabling capture of a newly generated JCLI token. The vulnerability’s description and Red Hat/GitHub/NVD references...

CVE-2023-37957

A cross-site request forgery CSRF vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token...

CVE-2023-37957

A cross-site request forgery CSRF vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token...

CVE-2023-3077

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, an...

CVE-2023-3076

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features...

CVE-2023-3197 MStore API <= 4.0.1 - Unauthenticated SQL Injection

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible...

Sql injection

Unauth. SQL Injection SQLi vulnerability in InspireUI MStore API plugin = 3.9.7 versions...

CVE-2022-47614

CVE-2022-47614 : Unauth. SQL Injection in the InspireUI MStore API WordPress plugin, affected versions