WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint
Description: The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor. Run the following within a block editor page. Notice that the request is delayed by the SLEEP call in the...
WP Statistics < 13.2.9 - Authenticated SQLi
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+); however, the plugin has a setting that allows low-privilege users to access it as well. Log...
WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection
The Manage Locations page within the plugin settings was vulnerable to SQL Injection by a high-privileged user (admin+).
WPScanTeam timeline:
September 8th, 2020 - Confirmed & Escalated to WP plugins team
September 8th, 2020 - WP plugins team investigating
November 25th, 2020 - No updates,...
CVE-2020-8251
Node.js 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed request submission, which can make the server unable to accept new connections...