Design/Logic Flaw
The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any user with an account on the affected site, such as a subscriber, to use the plugin's Twilio integration to send SMSes t...
Cross site scripting
The Donation Button WordPress plugin through 4.0.0 does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...
CVE-2022-4004
Affected software: Donation Button WordPress plugin, versions through 4.0.0. Vulnerability: the AJAX action donation_button_twilio_send_test_sms does not properly enforce privileges or nonce checks. Impact: any logged-in user on the site (e.g., subscribers) could use the plugin’s Twilio integrati...
CVE-2022-4004 Donation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam
The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any user with an account on the affected site, such as a subscriber, to use the plugin's Twilio integration to send SMSes t...
CVE-2022-4005 Donation Button <= 4.0.0 - Contributor+ Stored XSS
The Donation Button WordPress plugin through 4.0.0 does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...
CVE-2022-4005
The CVE-2022-4005 entry concerns the Donation Button WordPress plugin (versions through 4.0.0, i.e., before 4.0.1), where insufficient sanitization and escaping of certain parameters allows stored XSS by users with a role as low as Contributor. The affected code paths involve parameter handling in the plugin, enabling XSS paylo...
PT-2022-25172 · Twilio · Twilio
Name of the Vulnerable Software and Affected Versions: Donation Button WordPress plugin versions through 4.0.0 Description: The issue concerns a lack of proper privilege and nonce token checks in the donation_button_twilio_send_test_sms AJAX action. This may allow users with an account on the...
PT-2022-25177 · WordPress · Donation Button Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: Donation Button WordPress plugin versions prior to 4.0.1 Description: The issue allows users with a role as low as Contributor to perform Cross-Site Scripting attacks due to the plugin's failure to sanitize and escape some parameters...
WordPress plugin Donation Button Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...
WordPress plugin Donation Button Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A security vulnerability exists in WordPress plugin...
[SECURITY] Fedora 37 Update: xfce4-places-plugin-1.8.3-1.fc37
A menu with quick access to folders, documents, and removable media. The Places plugin brings much of the functionality of GNOME's Places menu to Xfce. It puts a simple button on the panel. Clicking on this button opens up a menu with 4 sections: 1 System-defined...
Yii2 Gii Cross-site Scripting vulnerability
Some fields, such as Message Category (which requires I18N to be enabled in the Model Generator, CRUD Generator or Form Generator) and Author Name in the Extension Generator, are cached without sanitisation of their contents when the Preview button is pressed. This leads to the possibility of injecting malicious...
PT-2022-22113 · Yii2 Gii · Yii2 Gii
Name of the Vulnerable Software and Affected Versions: Yii2 Gii versions through 2.2.4 Description: The issue allows stored XSS by injecting a payload into any field. Some fields, such as Message Category in Model Generator, CRUD Generator or Form Generator, and Author Name in Extension Generator...
Kwayy HTML Sitemap < 4.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Click the 'Settings' button of this plugin. 2...
Donation Button <= 4.0.0 - Contributor+ Stored XSS
The plugin does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. Put the following shortcode in a blog post: paypaldonationbutton align='center" onmouseover="alert1'...
admin-tool-button (>=1.0.1a0 <=1.0.5a0), aimmo (>=2.0.0 <=2.5.8) +95 more potentially affected by CVE-2022-41323 via django (>=3.2.0 <=3.2.15)
django PYPI version =3.2.0, =1.0.1a0, =2.0.0, =6.2.0, =0.2.0, =22.0.0.dev21, =22.0.0.dev13, =22.0.0.dev29, =6.0.0, =6.0.0, =1.1.0, =1.1.3 - common-framework =2021.4.1 and more Source cves: CVE-2022-41323 Source advisory: OSV:GHSA-QRW5-5H28-6CMG...
admin-tool-button (>=1.0.1a0 <=1.0.5a0), aimmo (>=2.0.0 <=2.5.8) +95 more potentially affected by CVE-2022-41323 via django (>=3.2.0 <=3.2.15)
django PYPI version =3.2.0, =1.0.1a0, =2.0.0, =6.2.0, =0.2.0, =22.0.0.dev21, =22.0.0.dev13, =22.0.0.dev29, =6.0.0, =6.0.0, =1.1.0, =1.1.3 - common-framework =2021.4.1 and more Source cves: CVE-2022-41323 Source advisory: OSV:PYSEC-2022-304...
Xss vulnerability in Button module
Steps: 1. Visit https://demo.microweber.org 2. Click the 'Modules' option in the left list 3. Click and go into 'Button' 4. Click 'edit url' and enter the following javascript alert1 Proof of Concept Video javascript https://1drv.ms/v/s!Ai0UEGpMIb9scRgdvmX1sBCQu4A...
CVE-2022-39264
nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable to homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply th...