25 matches found
CVE-2026-7385
The Decent Comments WordPress plugin (prior to version 3.0.2) exposes comment author and post author email addresses via its REST API without access restrictions, enabling unauthenticated users to enumerate registered email addresses. Root cause: insufficient access controls on the REST endpoint....
CVE-2026-7385 Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...
CVE-2026-44366
Vvveb CMS before version 1.0.8.1 is affected by a Stored XSS in the comment submission flow. An unauthenticated user can submit an author field on any public post page, which is stored without sanitization and later rendered unsanitized in two sinks. The issue is fixed in version 1.0.8.1. Remedia...
CVE-2026-44366 Vvveb: Stored XSS via Comment Author Field
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting XSS vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post...
CVE-2026-44366 Vvveb: Stored XSS via Comment Author Field
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.1, a Stored Cross-Site Scripting XSS vulnerability exists in the Vvveb CMS comment submission flow. The author field is submitted by an unauthenticated user on any public post...
CVE-2026-22204
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...
EUVD-2026-11749
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...
CVE-2026-22204
wpDiscuz prior to 7.6.47 has an email header injection due to unsanitized comment_author_email cookie. An attacker can craft a cookie value that, after urldecode() is processed by wp_mail(), injects headers or alters recipients. The exact impact and exploit status are not elaborated beyond the de...
CVE-2026-22204 wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...
CVE-2026-22204
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...
PT-2026-25144
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment author email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wp mail...
WeKan has an unspecified vulnerability
WeKan is a Kanban application from WeKan open source. WeKan suffers from a security vulnerability that can be exploited by an attacker to spoof the author of a recorded comment by providing another user's identifier...
CVE-2020-37072
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'commentauthor' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers...
CVE-2020-37072
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'commentauthor' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers...
CVE-2020-37072 Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'commentauthor' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers...
PT-2026-5823
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers...
AeroCMS 跨站脚本漏洞
AeroCMS is a content management system from the American company AeroCMS. AeroCMS version v0.0.1 suffers from a cross-site scripting vulnerability that stems from the commentauthor and commentcontent parameters of /post.php failing to properly validate user input. An attacker can exploit this...
Halo 跨站脚本漏洞
Halo is a light, clean and powerful Java blogging system. Halo version 0.4.3 suffers from a cross-site scripting vulnerability that can be exploited by attackers via CommentAuthorUrl...
Victor CMS 'comment_author' Cross-Site Scripting Vulnerability
Victor CMS is a PHP-based content management system CMS. Victor CMS 'commentauthor' cross-site scripting vulnerability. An attacker can insert malicious js code into a page to obtain user cookies and other information, leading to user hijacking...
ruibaby Halo Cross-Site Scripting Vulnerability
ruibaby Halo is a Java-based blogging system. A cross-site scripting vulnerability exists in ruibaby Halo version 0.0.2. A remote attacker can inject arbitrary web script or HTML by sending the commentAuthor field to the FrontCommentController.java file...