Lucene search

120 matches found

OSV
added 2023/06/14 2:15 a.m. · 2 views

CVE-2023-3203

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatelimitproduct function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a...

4.3 CVSS · 7.2 AI score · 0.00244 EPSS
Exploits: 0 · References: 3
Vulnrichment
added 2023/06/14 1:47 a.m. · 13 views

CVE-2023-3198 MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Status Update

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatestatusordermessage function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site...

4.3 CVSS · 6.5 AI score · 0.0016 EPSS
Exploits: 0 · References: 3
ATTACKERKB
added 2023/05/25 3:15 a.m. · 1 views

CVE-2023-2734

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated...

9.8 CVSS · 7.2 AI score · 0.7226 EPSS
Exploits: 0 · References: 4
OSV
added 2023/05/25 3:15 a.m. · 1 views

CVE-2023-2733

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated...

9.8 CVSS · 7.3 AI score
Exploits: 0 · References: 3
Vulnrichment
added 2023/05/25 2:5 a.m. · 8 views

CVE-2023-2732 MStore API <= 3.9.2 - Authentication Bypass

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers ...

9.8 CVSS · 7.2 AI score · 0.91486 EPSS
Exploits: 3 · References: 3
CVE
added 2023/05/25 2:5 a.m. · 66 views

CVE-2023-2733

CVE-2023-2733 concerns the WordPress plugin MStore API . The vulnerability is an authentication bypass in versions up to and including 3.9.0 caused by insufficient verification of the user parameter supplied during the coupon redemption REST API call, enabling unauthenticated attackers to log in ...

9.8 CVSS · 9.5 AI score · 0.00409 EPSS
Exploits: 0 · References: 3 · Affected Software: 1
Vulnrichment
added 2023/05/25 2:5 a.m. · 7 views

CVE-2023-2733 MStore API <= 3.9.0 - Authentication Bypass

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated...

9.8 CVSS · 7.2 AI score · 0.00409 EPSS
Exploits: 0 · References: 3
Patchstack
added 2023/05/25 12:0 a.m. · 11 views

WordPress MStore API Plugin <= 3.9.1 is vulnerable to Broken Authentication

Software: MStore API · Type: Plugin · Vulnerable versions: <= 3.9.1 · Fixed in: 3.9.2 · OWASP Top 10: A2: Broken Authentication · Classification: Broken Authentication · CVE: CVE-2023-2734 · Patch priority: High · CVSS severity: High 9.8 · Developer: Claim ownership · PSID: 533a834d2d8a · Credits: Lana Codes · Required privilege...

9.8 CVSS · 6.5 AI score · 0.7226 EPSS
Exploits: 0 · References: 3 · Affected Software: 1
Patchstack
added 2023/05/25 12:0 a.m. · 12 views

WordPress MStore API Plugin <= 3.9.2 is vulnerable to Broken Authentication

Software: MStore API · Type: Plugin · Vulnerable versions: <= 3.9.2 · Fixed in: 3.9.3 · OWASP Top 10: A2: Broken Authentication · Classification: Broken Authentication · CVE: CVE-2023-2732 · Patch priority: High · CVSS severity: High 9.8 · Developer: Claim ownership · PSID: 9a2f0204ce39 · Credits: Lana Codes · Required privilege...

9.8 CVSS · 6.4 AI score · 0.91486 EPSS
Exploits: 3 · References: 3 · Affected Software: 1
OSV
added 2022/10/19 7:0 p.m. · 27 views

GHSA-64R9-X74Q-WXMH Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin

Pipeline: Supporting APIs Plugin provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build...

8 CVSS · 6.5 AI score · 0.04368 EPSS
Exploits: 0 · References: 5
Positive Technologies
added 2022/10/19 12:0 a.m. · 2 views

PT-2022-26893 · Jenkins · Jenkins Pipeline: Supporting Apis Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Supporting APIs Plugin versions 838.va 3a 087b 4055b and earlier
Description: The issue is related to a stored cross-site scripting XSS vulnerability. It occurs because the Jenkins Pipeline: Supporting APIs Plugin does not...

8 CVSS · 5.1 AI score · 0.04368 EPSS
Exploits: 0 · References: 8
Prion
added 2022/07/27 3:15 p.m. · 10 views

Code injection

Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties...

6.4 CVSS · 8.1 AI score · 0.00391 EPSS
Exploits: 0 · References: 2 · Affected Software: 1
OSV
added 2022/07/23 12:0 a.m. · 0 views

GHSA-5469-C5P2-XV5G Dataease before 1.11.2 allows arbitrary code execution via crafted plugin

An issue in the component /api/plugin/upload of Dataease v1.11.1 allows attackers to execute arbitrary code via a crafted plugin. Version 1.11.2 contains a patch for the problem...

9.8 CVSS · 7.5 AI score · 0.00358 EPSS
Exploits: 1 · References: 4
OSV
added 2022/05/24 5:19 p.m. · 15 views

GHSA-Q397-W28F-JX97 Stored XSS vulnerability in Jenkins ECharts API Plugin

ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart. This results in a stored cross-site scripting XSS vulnerability that can be exploited by users with Run/Update permission. ECharts API Plugin 4.7.0-4 escapes the display name...

5.4 CVSS · 5.2 AI score · 0.00121 EPSS
Exploits: 0 · References: 4
Github Security Blog
added 2022/05/24 5:7 p.m. · 21 views

Stored XSS vulnerability in Code Coverage API Plugin

Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration. Code Coverage API Plugin 1.1.3 escapes the filename of...

5.4 CVSS · 5.5 AI score · 0.00195 EPSS
Exploits: 0 · References: 5 · Affected Software: 1
OSV
added 2022/05/24 5:7 p.m. · 0 views

GHSA-XG77-XQHQ-CRPR Stored XSS vulnerability in Code Coverage API Plugin

Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration. Code Coverage API Plugin 1.1.3 escapes the filename of...

5.4 CVSS · 5.9 AI score · 0.00195 EPSS
Exploits: 0 · References: 5
Positive Technologies
added 2022/05/09 12:0 a.m. · 2 views

PT-2022-13460 · WordPress · Sema Api Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: SEMA API WordPress plugin versions prior to 4.02
Description: The issue arises from the SEMA API WordPress plugin's failure to properly sanitise and escape certain parameters before using them in SQL statements via an AJAX action. This leads ...

9.8 CVSS · 9.5 AI score · 0.03258 EPSS
Exploits: 2 · References: 5
OSV
added 2021/08/31 2:15 p.m. · 18 views

CVE-2021-21677

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability...

8.8 CVSS · 7.8 AI score
Exploits: 0 · References: 2
NVD
added 2021/08/31 2:15 p.m. · 14 views

CVE-2021-21677

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability...

8.8 CVSS · 0.01198 EPSS
Exploits: 0 · References: 2
Cvelist
added 2021/08/31 1:50 p.m. · 16 views

CVE-2021-21677

Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability...

9.3 AI score · 0.01198 EPSS
Exploits: 0 · References: 2