5078 matches found
CVE-2022-0140 Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form export, allowing unauthenticated users to see the form entries or export them as a CSV file using the vfb-export endpoint...
CVE-2022-0140
The CVE-2022-0140 issue affects WordPress Visual Form Builder plugin prior to 3.0.6 (also documented up to 3.0.8 in Nuclei templates). The vulnerability is an information-disclosure flaw caused by missing access control on the entry form export (vfb-export endpoint), allowing unauthenticated user...
WordPress plugin Visual Form Builder information disclosure vulnerability
WordPress is a blogging platform from the WordPress Foundation, developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an open source application plugin for WordPress. Versions prior to WordPress Visual Form Builder...
CVE-2022-0914
The Export All URLs WordPress plugin before 4.3 does not have CSRF protection in place when exporting data, which could allow attackers to make a logged-in admin export all posts and pages, including private and draft ones, into an arbitrary CSV file, which the attacker can then download and retrieve the list of...
CVE-2022-0914
The Export All URLs WordPress plugin before 4.3 does not have CSRF protection in place when exporting data, which could allow attackers to make a logged-in admin export all posts and pages, including private and draft ones, into an arbitrary CSV file, which the attacker can then download and retrieve the list of...
CVE-2022-0914
The Export All URLs WordPress plugin before 4.3 does not have CSRF protection in place when exporting data, which could allow attackers to make a logged-in admin export all posts and pages, including private and draft ones, into an arbitrary CSV file, which the attacker can then download and retrieve the list of...
CVE-2022-0892
The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
Cross-site request forgery (CSRF)
The Export All URLs WordPress plugin before 4.3 does not have CSRF protection in place when exporting data, which could allow attackers to make a logged-in admin export all posts and pages, including private and draft ones, into an arbitrary CSV file, which the attacker can then download and retrieve the list of...
Cross-site scripting
The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
CVE-2022-0914 Export All URLs < 4.3 - Private/Draft Post/Page Title Disclosure via CSRF
The Export All URLs WordPress plugin before 4.3 does not have CSRF protection in place when exporting data, which could allow attackers to make a logged-in admin export all posts and pages, including private and draft ones, into an arbitrary CSV file, which the attacker can then download and retrieve the list of...
CVE-2022-0914
The CVE-2022-0914 entry concerns the WordPress plugin “Export All URLs” (before version 4.3). According to connected sources (Red Hat, NVD, CVE records, Patchstack), the vulnerability is a CSRF flaw that can allow a logged-in admin to export all posts and pages (including private/draft) into an a...
CVE-2022-0892
The CVE-2022-0892 entry concerns the WordPress plugin Export All URLs (versions before 4.2). The root cause is improper sanitization/escaping of the CSV filename when outputting it on the page, which enables a Reflected Cross-Site Scripting (XSS) attack. Documented impact is a reflected XSS in pa...
CVE-2022-0892 Export All URLs < 4.2 - Reflected Cross-Site Scripting
The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
CSV Injection
kevinpapst/kimai2 is vulnerable to CSV injection. The vulnerability is possible because the library does not sanitize the $desc parameter, which allows an attacker to inject malicious input...
Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape imported CSV data, which could allow high privilege users to import malicious JavaScript code and lead to Stored Cross-Site Scripting issues. As admin, import the below CSV file via Tools > Import and export users and customers /wp-admin/tools.php?page=acui...
Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape imported CSV data, which could allow high privilege users to import malicious JavaScript code and lead to Stored Cross-Site Scripting issues. PoC: As admin, import the below CSV file via Tools > Import and export users and customers /wp-admin/tools.php?page=ac...
GHSA-64FQ-9C6W-RQ44 Improper Neutralization of Formula Elements in a CSV File in Kimai 2
A CSV Injection vulnerability exists in Kimai 2 prior to 1.14.1 via a description in a new timesheet...
Improper Neutralization of Formula Elements in a CSV File in Kimai 2
A CSV Injection vulnerability exists in Kimai 2 prior to 1.14.1 via a description in a new timesheet...
CVE-2021-43515
CSV Injection, also known as Excel Macro Injection or Formula Injection, exists in the creation of a new timesheet in Kimai. When the Description field is filled with a malicious payload, the payload is mishandled while exporting to a CSV file...
CVE-2021-43515
CSV Injection, also known as Excel Macro Injection or Formula Injection, exists in the creation of a new timesheet in Kimai. When the Description field is filled with a malicious payload, the payload is mishandled while exporting to a CSV file...