1084 matches found
Cross site scripting
The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...
CVE-2021-24972 Pixel Cat Lite < 2.6.3 - Admin+ Stored Cross-Site Scripting
The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...
CVE-2021-24972
The CVE-2021-24972 entry relates to the WordPress Pixel Cat plugin (Pixel Cat Lite) prior to version 2.6.3, where certain settings are not escaped. This can allow a high-privilege user to perform Stored Cross-Site Scripting even when unfiltered_html is disallowed. The vulnerability is described a...
CVE-2021-24922
The CVE-2021-24922 entry pertains to the Pixel Cat WordPress plugin, affected version(s) prior to 2.6.2. The vulnerability arises because the plugin does not perform CSRF validation when saving settings and fails to adequately sanitise/escape some inputs, enabling an attacker to leverage a logged...
CVE-2021-24922 Pixel Cat Lite < 2.6.2 - CSRF to Stored Cross-Site Scripting
The Pixel Cat WordPress plugin before 2.6.2 does not have a CSRF check when saving its settings, and did not sanitise or escape some of them, which could allow an attacker to make a logged-in admin change them and perform Cross-Site Scripting attacks...
WordPress plugin cross-site request forgery vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed in PHP. The platform supports setting up personal blogging sites on PHP and MySQL servers. Pixel Cat Plugin is an open source WordPress plugin. The WordPress Pixel Cat plugin has a cross-site reques...
WordPress cross-site scripting vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed in PHP. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress Plugin is an open source application plugin for WordPress. The WordPress plugin suffers from a cross-sit...
WordPress Pixel Cat Lite plugin <= 2.6.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Pixel Cat Lite plugin versions <= 2.6.3. Solution: Update the WordPress Pixel Cat Lite plugin to the latest available version (at least 2.6.4)...
Pixel Cat Lite < 2.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Put the following payload in the Google Product Category setting of the plugin at wp-admin/admin.php?page=fcapcsettingspage in...
Pixel Cat Lite < 2.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. PoC: Put the following payload in the Google Product Category setting of the plugin at wp-admin/admin.php?page=fcapcsettingspag...
Pixel Cat Lite < 2.6.2 - CSRF to Stored Cross-Site Scripting
The plugin does not have a CSRF check when saving its settings, and did not sanitise or escape some of them, which could allow an attacker to make a logged-in admin change them and perform Cross-Site Scripting attacks...
WordPress Pixel Cat plugin <= 2.6.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by JrXnm in WordPress Pixel Cat plugin versions <= 2.6.1. Solution: Update the WordPress Pixel Cat plugin to the latest available version (at least 2.6.2)...
Pixel Cat Lite < 2.6.2 - CSRF to Stored Cross-Site Scripting
The plugin does not have a CSRF check when saving its settings, and did not sanitise or escape some of them, which could allow an attacker to make a logged-in admin change them and perform Cross-Site Scripting attacks. PoC...
WordPress Pixel Cat plugin <= 2.6.2 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by JrXnm in WordPress Pixel Cat plugin versions <= 2.6.2. Solution: Update the WordPress Pixel Cat plugin to the latest available version (at least 2.6.3)...
CVE-2021-24788
The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which all require authentication but are available for all roles. As a result, any authenticated user, including simple subscribers, can add/set/delete arbitrary categories to posts...
CVE-2021-24788
The CVE-2021-24788 entry concerns the WordPress Batch Cat plugin (versions up to 0.3). Documents explicitly state that the plugin defines three custom AJAX actions requiring authentication but accessible to all roles, allowing any authenticated user (including subscribers) to add, set, or delete ...
WordPress plugin Batch Cat security vulnerability
WordPress is a set of blogging platforms from the WordPress Foundation, developed in PHP. The platform supports personal blogging sites on PHP and MySQL servers. WordPress Plugin is a WordPress open source application plugin. authentication. An attacker could manipulate the post categor...
WordPress Batch Cat plugin <= 0.3 - Arbitrary Categories Add/Set/Delete to Posts vulnerability
Arbitrary Categories Add/Set/Delete to Posts vulnerability discovered by Quentin VILLAIN 3wsec in WordPress Batch Cat plugin versions <= 0.3. Solution: Deactivate and delete. This plugin has been closed as of September 24, 2021 and is not available for download. This closure is temporary, pending a...
Batch Cat <= 0.3 - Subscriber+ Arbitrary Categories Add/Set/Delete to Posts
The plugin defines 3 custom AJAX actions, which all require authentication but are available for all roles. As a result, any authenticated user, including simple subscribers, can add/set/delete arbitrary categories to posts. Set the category 107 to the post 1537: POST /wp-admin/admin-ajax.php...