
14 matches found

Vulnrichment
added 2026/03/23 11:58 p.m. | 3 views

CVE-2026-33290 WPGraphQL Repo's updateComment allows low-privileged authenticated users to change comment moderation status (comment_approved) without moderate_comments permission

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the...

CVSS 4.3 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 2

ATTACKERKB
added 2022/07/11 1:15 p.m. | 1 views

CVE-2022-1599

The Admin Management Xtended WordPress plugin before 2.4.5 does not have CSRF checks in some of its AJAX actions, allowing attackers to make logged-in users with the right capabilities call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled,...

CVSS 6.5 | AI score 6.6 | EPSS 0.00229
Exploits: 2 | References: 2

Prion
added 2022/07/11 1:15 p.m. | 17 views

Cross-site request forgery (CSRF)

The Admin Management Xtended WordPress plugin before 2.4.5 does not have CSRF checks in some of its AJAX actions, allowing attackers to make logged-in users with the right capabilities call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled,...

CVSS 4.3 | AI score 6.4 | EPSS 0.00229
Exploits: 2 | References: 1 | Affected Software: 1

CNNVD
added 2022/07/11 12:0 a.m. | 1 views

WordPress plugin Admin Management Xtended Cross-Site Request Forgery Vulnerability

WordPress and others are products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. Xtend and others are products of the Eclipse Foundation. Xtend is a general-purpose high-level programming language for the Java Virtual Machine. WordPress...

CVSS 6.5 | AI score 5.5 | EPSS 0.00229
Exploits: 2 | References: 2

WPVulnDB
added 2022/06/20 12:0 a.m. | 13 views

Admin Management Xtended < 2.4.5 - Post Visibility/Date/Comment Status Update via CSRF

The plugin does not have CSRF checks in some of its AJAX actions, allowing attackers to make logged-in users with the right capabilities call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled, disabled) and more. PoC The following PoC codes a...

CVSS 6.5 | AI score 2.9 | EPSS 0.00229
Exploits: 2 | Affected Software: 1

wpexploit
added 2022/06/20 12:0 a.m. | 128 views

Admin Management Xtended < 2.4.5 - Post Visibility/Date/Comment Status Update via CSRF

The plugin does not have CSRF checks in some of its AJAX actions, allowing attackers to make logged-in users with the right capabilities call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled, disabled) and more. The following PoC codes are f...

CVSS 6.5 | AI score 0.4 | EPSS 0.00229
Exploits: 2

OSV
added 2017/07/18 5:29 a.m. | 0 views

CVE-2017-11412

Fiyo CMS 2.0.7 has SQL injection in dapur/apps/appcomment/controller/commentstatus.php via $_GET['id']...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 1

NVD
added 2017/07/18 5:29 a.m. | 13 views

CVE-2017-11412

Fiyo CMS 2.0.7 has SQL injection in dapur/apps/appcomment/controller/commentstatus.php via $_GET['id']...

CVSS 9.8 | AI score 9.9 | EPSS 0.00271
Exploits: 0 | References: 1

OSV
added 2017/07/18 5:29 a.m. | 2 views

CVE-2017-11413

Fiyo CMS 2.0.7 has SQL injection in dapur/apps/apparticle/controller/commentstatus.php via $_GET['id']...

CVSS 9.8 | AI score 5.8 | EPSS 0.00271
Exploits: 0 | References: 1

CNVD
added 2017/07/18 12:0 a.m. | 2 views

Fiyo CMS SQL Injection Vulnerability (CNVD-2017-23896)

Fiyo CMS is a content management system (CMS) for creating CMS templates. A SQL injection vulnerability exists in the dapur/apps/apparticle/controller/commentstatus.php file in Fiyo CMS version 2.0.7. A remote attacker can exploit the vulnerability to execute arbitrary SQL commands with the help of...

CVSS 9.8 | AI score 10 | EPSS 0.00271
Exploits: 0 | References: 1

CNVD
added 2017/07/18 12:0 a.m. | 2 views

Fiyo CMS SQL Injection Vulnerability (CNVD-2017-23897)

Fiyo CMS is a content management system (CMS) for creating CMS templates. A SQL injection vulnerability exists in the dapur/apps/appcomment/controller/commentstatus.php file in Fiyo CMS version 2.0.7. A remote attacker can exploit the vulnerability to execute arbitrary SQL commands with the help of...

CVSS 9.8 | AI score 10 | EPSS 0.00271
Exploits: 0 | References: 1

UbuntuCve
added 2011/03/14 7:55 p.m. | 29 views

CVE-2011-0700

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or posttitle), (2) poststatus, (3) commentstatus, (4) pingstatus, and (5) escaping of tags...

CVSS 3.5 | AI score 5.9 | EPSS 0.01074
Exploits: 0 | References: 1

OSV
added 2011/03/14 7:55 p.m. | 1 views

DEBIAN-CVE-2011-0700

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or posttitle), (2) poststatus, (3) commentstatus, (4) pingstatus, and (5) escaping of tags...

CVSS 3.5 | AI score 5.8 | EPSS 0.01074
Exploits: 0 | References: 1

Cvelist
added 2011/03/14 7:0 p.m. | 19 views

CVE-2011-0700

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or posttitle), (2) poststatus, (3) commentstatus, (4) pingstatus, and (5) escaping of tags...

AI score 5.2 | EPSS 0.01074
Exploits: 0 | References: 16