12 matches found
Cross-Site Scripting (XSS)
getgrav/grav is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper input sanitization in the /admin/config/site endpoint, which allows an attacker to inject malicious scripts via the datataxonomies parameter and execute them in users’ browsers...
Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datataxonomies parameter. The injected payload is stored on the server and automatically...
CVE-2025-66308
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/config/site endpoint of the Grav application. This...
CVE-2025-66308
Grav Admin Plugin stored-XSS CVE-2025-66308 affects the Grav admin UI via POST /admin/config/site, specifically data[taxonomies]. The vulnerability stores malicious input on the server which later executes in a user’s browser when configuring sites, creating a persistent attack vector. Root cause...
PT-2025-48567
Name of the Vulnerable Software and Affected Versions Grav versions prior to 1.11.0-beta.1 Description The admin plugin for Grav, an HTML user interface for configuring Grav and managing pages, contains a Stored Cross-Site Scripting XSS issue. This allows attackers to inject malicious scripts int...
CVE-2024-50451
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter.This issue affects MDTF: from n/a through = 1.3.3.4...
CVE-2024-8624
The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection via the 'metakey' attribute of the 'mdfselecttitle' shortcode in all versions up to, and including, 1.3.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation...
CVE-2024-12030
MDTF – Meta Data and Taxonomies Filter (WordPress) is vulnerable to SQL Injection via the key parameter in the mdf_value shortcode in all versions up to and including 1.3.3.5. The vulnerability requires authentication (Contributor level or higher) and can be leveraged to append additional SQL to ...
WordPress MDTF – Meta Data and Taxonomies Filter plugin <= 1.3.3.5 - Authenticated (Contributor+) SQL Injection vulnerability
Authenticated Contributor+ SQL Injection vulnerability discovered by Thanh Nam Tran in WordPress Plugin MDTF versions = 1.3.3.5...
CVE-2024-30457
Cross-Site Request Forgery CSRF vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter MDTF.This issue affects WordPress Meta Data and Taxonomies Filter MDTF: from n/a through 1.3.3.1...
CVE-2024-29932
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter MDTF allows Stored XSS.This issue affects WordPress Meta Data and Taxonomies Filter MDTF: from n/a through 1.3.2...
WordPress MDTF - Meta Data & Taxonomies Filter premium plugin <= 2.2.7.2 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability discovered by Ryoma Nishioka in WordPress MDTF - Meta Data & Taxonomies Filter premium plugin versions = 2.2.7.2. Solution Update the WordPress MDTF - Meta Data & Taxonomies Filter premium plugin to the latest available version at least 2.2.8...