Lucene search
K

203 matches found

wpexploit
wpexploit
added 2022/06/15 12:0 a.m.126 views

Pagebar < 2.70 - Arbitrary Settings Update via CSRF to Stored XSS

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues ' input type="text" name="postaftloop...

5.4CVSS1.1AI score0.00331EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2022/06/15 12:0 a.m.20 views

Pagebar < 2.70 - Arbitrary Settings Update via CSRF to Stored XSS

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues PoC...

5.4CVSS4.6AI score0.00331EPSS
Exploits2Affected Software1
Patchstack
Patchstack
added 2022/06/15 12:0 a.m.23 views

WordPress Sharebar plugin <= 1.4.1 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability

Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress Sharebar plugin versions = 1.4.1. Solution Deactivate and delete. This plugin has been closed as of June 14, 2022 and is not available for download. This closure is temporary, pending a full revie...

5.4CVSS3.6AI score0.00292EPSS
Exploits2References1Affected Software1
wpexploit
wpexploit
added 2022/06/15 12:0 a.m.97 views

Sharebar <= 1.4.1 - Arbitrary Settings Update to Stored XSS via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and also lead to Stored Cross-Site Scripting issue due to the lack of sanitisation and escaping in some of them test1" test2"...

5.4CVSS0.3AI score0.00292EPSS
Exploits2
Cvelist
Cvelist
added 2022/06/13 12:42 p.m.20 views

CVE-2022-1763 Static Page eXtended <= 2.1 - Arbitrary Settings Update via CSRF to Stored XSS

Due to missing checks the Static Page eXtended WordPress plugin through 2.1 is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific features. This could also lead to Stored Cross-Site Scripting due to the lack of escaping in some of the...

5.5AI score0.00292EPSS
Exploits2References1
Cvelist
Cvelist
added 2022/06/13 12:42 p.m.21 views

CVE-2022-1605 Email Users <= 4.8.8 - Arbitrary Settings Update via CSRF

The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...

6.6AI score0.00513EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2022/06/06 12:0 a.m.12 views

Qubely < 1.8.1 - Authenticated Arbitrary Settings Update

The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber in versions 1.7.9 or contributor in v 1.8.1 to update them PoC As a subscriber Nonce can be taken from the qubelylocalscript-js-extra script on the homepage...

2AI score
Exploits0Affected Software1
Patchstack
Patchstack
added 2022/06/06 12:0 a.m.26 views

WordPress MyCSS plugin <= 1.1 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability

Arbitrary Settings Update via Cross-Site Request Forgery CSRF vulnerability was discovered by Daniel Ruf in the WordPress MyCSS plugin versions = 1.1. Solution Deactivate and delete. This plugin has been closed as of May 31, 2022 and is not available for download. This closure is temporary, pendi...

4.3CVSS4AI score0.00412EPSS
Exploits1References1Affected Software1
wpexploit
wpexploit
added 2022/06/06 12:0 a.m.119 views

Qubely < 1.8.1 - Authenticated Arbitrary Settings Update

The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber in versions 1.7.9 or contributor in v 1.8.1 to update them As a subscriber Nonce can be taken from the qubelylocalscript-js-extra script on the homepage...

1AI score
Exploits0
wpexploit
wpexploit
added 2022/06/02 12:0 a.m.128 views

HTML2WP <= 1.0.0 - Arbitrary Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them input type=...

4.3CVSS1.8AI score0.00412EPSS
Exploits2
wpexploit
wpexploit
added 2022/06/01 12:0 a.m.134 views

Cimy Header Image Rotator <= 6.1.1 - Arbitrary Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; input ty...

4.3CVSS1.4AI score0.00412EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2022/06/01 12:0 a.m.12 views

My Private Site < 3.0.8 - Arbitrary Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...

4.3CVSS4.9AI score0.00412EPSS
Exploits2Affected Software1
Patchstack
Patchstack
added 2022/06/01 12:0 a.m.18 views

WordPress My Private Site plugin <= 3.0.7 - Arbitrary Settings Update via Cross-Site Request Forgery (CSRF) vulnerability

Arbitrary Settings Update via Cross-Site Request Forgery CSRF vulnerability discovered by Daniel Ruf in WordPress My Private Site plugin versions = 3.0.7. Solution Update the WordPress My Private Site plugin to the latest available version at least 3.0.8...

4.3CVSS4.4AI score0.00412EPSS
Exploits2References2Affected Software1
wpexploit
wpexploit
added 2022/06/01 12:0 a.m.158 views

New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF

The plugin does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes for bypassing the provided restrictions and to change plugin settings by tricking admin users into visiting specially crafted websites. Add code...

4.3CVSS2AI score0.00367EPSS
Exploits2
Patchstack
Patchstack
added 2022/06/01 12:0 a.m.23 views

WordPress New User Approve plugin <= 2.3 - Arbitrary Settings Update & Invitation Code Creation via CSRF vulnerability

Arbitrary Settings Update & Invitation Code Creation via CSRF vulnerability discovered by Daniel Ruf in WordPress New User Approve plugin versions = 2.3. Solution Update the WordPress New User Approve plugin to the latest available version at least 2.4...

4.3CVSS4.2AI score0.00367EPSS
Exploits2References2Affected Software1
wpexploit
wpexploit
added 2022/06/01 12:0 a.m.124 views

Clean-Contact <= 1.6 - Arbitrary Settings Update to Stored XSS via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS due to the lack of sanitisation and escaping as well ' document.getElementById"test".submit;...

4.3CVSS0.9AI score0.00412EPSS
Exploits2
wpexploit
wpexploit
added 2022/06/01 12:0 a.m.170 views

Add Post URL <= 2.1.0 - Arbitrary Settings Update to Stored XSS via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping " document.getElementById"test".submit; XSS will be...

4.3CVSS0.5AI score0.00412EPSS
Exploits2
wpexploit
wpexploit
added 2022/06/01 12:0 a.m.190 views

My Private Site < 3.0.8 - Arbitrary Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; document.getElementById"test".submit; sc...

4.3CVSS0.8AI score0.00412EPSS
Exploits2
Patchstack
Patchstack
added 2022/06/01 12:0 a.m.16 views

WordPress Clean-Contact plugin <= 1.6 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability

Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress Clean-Contact plugin versions = 1.6. Solution Deactivate and delete. This plugin has been closed as of May 27, 2022 and is not available for download. This closure is temporary, pending a full...

4.3CVSS4.1AI score0.00412EPSS
Exploits2References1Affected Software1
Patchstack
Patchstack
added 2022/06/01 12:0 a.m.20 views

WordPress Add Post URL plugin <= 2.1.0 - Arbitrary Settings Update to Stored XSS via CSRF vulnerability

Arbitrary Settings Update to Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress Add Post URL plugin versions = 2.1.0. Solution Deactivate and delete. This plugin has been closed as of May 27, 2022 and is not available for download. This closure is temporary, pending a full...

4.3CVSS3.2AI score0.00412EPSS
Exploits2References1Affected Software1
Rows per page
Query Builder