EUVD-2024-34100

Malicious code in bioql PyPI...

CVE-2024-12463

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arenaembedamp' shortcode in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVE-2024-12463

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arenaembedamp' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVE-2024-12526

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.0. This is due to missing or incorrect nonce validation on the 'albfreuseraction' AJAX action. This makes it possible for unauthenticated...

CVE-2024-12526

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.1. This is due to missing or incorrect nonce validation on the 'albfreuseraction' AJAX action. This makes it possible for unauthenticated...

CVE-2024-11384

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arenablog' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

CVE-2024-12526

CVE-2024-12526 : Arena.IM – Live Blogging for real-time events (WordPress) had a CSRF vulnerability due to missing nonce validation on albfre_user_action, allowing unauthenticated abuse to change plugin settings if an admin visits a forged link. Affected versions were up to 0.3.0; Wordfence notes...

CVE-2024-12526 Arena.IM – Live Blogging for real-time events <= 0.4.1 - Cross-Site Request Forgery to Settings Update

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.1. This is due to missing or incorrect nonce validation on the 'albfreuseraction' AJAX action. This makes it possible for unauthenticated...

CVE-2024-12526 Arena.IM – Live Blogging for real-time events <= 0.4.1 - Cross-Site Request Forgery to Settings Update

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.1. This is due to missing or incorrect nonce validation on the 'albfreuseraction' AJAX action. This makes it possible for unauthenticated...

CVE-2024-11384 Arena.IM – Live Blogging for real-time events <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arenablog' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

CVE-2024-11384 Arena.IM – Live Blogging for real-time events <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arenablog' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...

CVE-2024-12463

CVE-2024-12463 affects the Arena.IM – Live Blogging for real-time events WordPress plugin. It is a Stored Cross-Site Scripting flaw via the arena_embed_amp shortcode in all versions up to 0.3.0, exploitable by authenticated users with contributor-level access. The issue has a patch status indicat...

CVE-2024-11384

CVE-2024-11384 applies to the Arena.IM – Live Blogging for real-time events WordPress plugin. The vulnerability is a Stored Cross-Site Scripting (XSS) in the plugin’s arena blog shortcode that affects all versions up to and including 0.3.0, arising from insufficient input sanitization and output ...

WordPress Arena.IM – Live Blogging for real-time events plugin <= 0.4.1 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Peter Thaleikis in WordPress Plugin Arena.IM – Live Blogging for real-time events versions = 0.4.1...

WordPress plugin Arena.IM – Live Blogging for real-time events 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...

PT-2024-17605 · WordPress · Arena.Im – Live Blogging For Real-Time Events

Name of the Vulnerable Software and Affected Versions: Arena.IM – Live Blogging for real-time events plugin for WordPress versions up to, and including, 0.3.0 Description: The issue is related to Stored Cross-Site Scripting via the plugin's arena embed amp shortcode due to insufficient input...