CVE-2024-0829

The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscribe...

CVE-2024-23635

AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS mXSS vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the...

CVE-2024-6704

The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. This is due to a lack of filtering of HTML tags in comments. This makes it possible for unauthenticated attackers to add HTML such as hyperlinks to comments when rich editing...

CVE-2024-35539

Typecho v1.3.0 was discovered to contain a race condition vulnerability in the post commenting function. This vulnerability allows attackers to post several comments before the spam protection checks if the comments are posted too frequently...

CVE-2024-9829

The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the 'dpwaphandledownloaduser' and 'dpwaphandledownloadcomment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, wit...

CVE-2024-6546

The One Click Close Comments plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.7.1. This is due to the plugin utilizing bootstrap and leaving test files with displayerrors on. This makes it possible for unauthenticated attackers to retrieve the ful...

CVE-2024-28234

Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. A...

CVE-2024-31249

Insertion of Sensitive Information into Log File vulnerability in WPKube Subscribe To Comments Reloaded.This issue affects Subscribe To Comments Reloaded: from n/a through 220725...

CVE-2023-30956

A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0...

CVE-2023-28748

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in biztechc Copy or Move Comments allows SQL Injection.This issue affects Copy or Move Comments: from n/a through 5.0.4...

CVE-2023-30948

A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's conten...

CVE-2023-41703

User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are now filtered to avo...

CVE-2023-23702

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Pixelgrade Comments Ratings plugin = 1.1.7 versions...

CVE-2023-51691

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through 7.6.12...

CVE-2023-46311

Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through 7.6.3...

CVE-2023-50871

In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed...

CVE-2023-30959

In Apollo change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction...

CVE-2023-28876

A Broken Access Control issue in comments to uploaded files in Filerun through Update 20220202 allows attackers to delete comments on files uploaded by other users...

CVE-2023-22985

Sourcecodester Simple Guestbook Management System version 1 is vulnerable to Cross Site Scripting XSS via Name, Referrer, Location, and Comments...

CVE-2023-23615

Discourse is an open source discussion platform. The embeddable comments can be exploited to create new topics as any user but without any clear title or content. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. As a workaround, disable embeddable comments ...