168 matches found

Nuclei
added 19 hours ago, 21 views

WordPress Customize Login Image <3.5.3 - Cross-Site Scripting

WordPress Customize Login Image plugin prior to 3.5.3 contains a cross-site scripting vulnerability via the custom logo link on the Settings page. This can allow an attacker to steal cookie-based authentication credentials and launch other attacks. id: CVE-2021-33851 info: name: WordPress Customi...

CVSS 5.4 | AI score 5.9 | EPSS 0.01318
Exploits: 1 | References: 5

CVE
added 2 days ago, 9 views

CVE-2026-6292

CVE-2026-6292 affects the WordPress plugin MP Customize Login Page (versions ≤ 1.0). The issue is a CSRF vulnerability caused by a broken nonce validation in enter_mpclp_login_options() (inverted wp_verify_nonce() check and missing action parameter) and a settings-update handler hooked on init wi...

CVSS 4.3 | AI score 5.8 | EPSS 0.00176
Exploits: 0 | References: 5

Patchstack
added 3 days ago, 5 views

WordPress MP Customize Login Page plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin MP Customize Login Page versions <= 1.0...

CVSS 4.3 | AI score 5.8 | EPSS 0.00176
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/06/18 8:56 a.m., 7 views

WordPress SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin <= 4.3.6 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Customize My Account for WooCommerce versions <= 4.3.6...

CVSS 6.1 | AI score 5.2 | EPSS 0.00211
Exploits: 0 | References: 1 | Affected Software: 1

NVD
added 2026/06/18 8:16 a.m., 11 views

CVE-2026-12136

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

CVSS 6.4 | EPSS 0.00193
Exploits: 0 | References: 5

EUVD
added 2026/06/18 6:50 a.m., 9 views

EUVD-2026-37859

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

CVSS 6.4 | AI score 5.5 | EPSS 0.00193
Exploits: 0 | References: 5

Patchstack
added 2026/06/17 5:37 p.m., 6 views

WordPress SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Customize My Account for WooCommerce versions <= 4.3.6...

CVSS 6.4 | AI score 5.2 | EPSS 0.00193
Exploits: 0 | References: 1 | Affected Software: 1

ATTACKERKB
added 2026/04/06 7:6 p.m., 4 views

CVE-2026-35180

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customizesettingsnativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...

CVSS 4.3 | AI score 5.8 | EPSS 0.00112
Exploits: 1 | References: 2 | Affected Software: 1

Positive Technologies
added 2026/04/06 12:0 a.m., 6 views

PT-2026-30713

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize settings nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...

CVSS 4.3 | AI score 5.8 | EPSS 0.00112
Exploits: 1 | References: 2

CNNVD
added 2026/03/23 12:0 a.m., 6 views

WWBN AVideo Security Vulnerability

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained security vulnerabilities. These vulnerabilities stemmed from a logical error in the setPassword.json.php endpoint of the CustomizeUser plugin. This error could cau...

CVSS 9.1 | AI score 5.8 | EPSS 0.00342
Exploits: 1 | References: 2

Github Security Blog
added 2026/03/19 5:25 p.m., 7 views

AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php

Summary: The setPassword.json.php endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero before...

CVSS 9.1 | AI score 5.8 | EPSS 0.00342
Exploits: 1 | References: 4 | Affected Software: 1

RedhatCVE
added 2026/01/13 10:53 p.m., 3 views

CVE-2025-61676

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the...

CVSS 6.1 | AI score 5.9 | EPSS 0.00183
Exploits: 0 | References: 1

NVD
added 2026/01/10 4:16 a.m., 4 views

CVE-2025-61676

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the...

CVSS 6.1 | EPSS 0.00183
Exploits: 0 | References: 1

Snyk
added 2026/01/09 8:12 p.m., 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the stylesheet input in the backend branding and appearance configuration. An attacker can execute arbitrary scripts in the context of backend users by injecting malicious HTML or JavaScript. This is only...

CVSS 8.4 | AI score 5.4 | EPSS 0.00183
Exploits: 0 | References: 2

Snyk
added 2026/01/09 8:12 p.m., 2 views

Cross-site Scripting (XSS)

Overview: october/system is a System module for October CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the stylesheet input in the backend branding and appearance configuration. An attacker can execute arbitrary scripts in the context of backend users by...

CVSS 8.4 | AI score 5.4 | EPSS 0.00183
Exploits: 0 | References: 2

RedhatCVE
added 2026/01/09 12:37 p.m., 5 views

CVE-2023-50175

Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser o...

CVSS 5.4 | AI score 5.9 | EPSS 0.00303
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 11:27 a.m., 3 views

CVE-2021-33851

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser and can use an application as the vehicle for the attack. The XSS payload given in the "Custom logo link" executes whenever the user opens the Settings Page of the "Customize Login Image" Plugin...

CVSS 5.4 | AI score 5.6 | EPSS 0.01318
Exploits: 1 | References: 1

RedhatCVE
added 2026/01/09 10:44 a.m., 8 views

CVE-2022-0345

The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfwsearchusers AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes finding the first letter, then the second one, then the third one...

CVSS 4.3 | AI score 6.6 | EPSS 0.00423
Exploits: 2 | References: 1

RedhatCVE
added 2026/01/09 9:29 a.m., 7 views

CVE-2023-49153

Cross-Site Request Forgery (CSRF) vulnerability in Saiful Islam Add to Cart Text Changer and Customize Button, Add Custom Icon. This issue affects Add to Cart Text Changer and Customize Button, Add Custom Icon: from n/a through 2.0...

CVSS 8.8 | AI score 8.5 | EPSS 0.00288
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-23511

Malware in sbrugna...

CVSS 4.8 | AI score 5.1 | EPSS 0.00723
Exploits: 0 | References: 3