Bulk Edit Post Titles <= 5.0.0 - Missing Authorization via bulkUpdatePostTitles
Description The Bulk Edit Post Titles plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkUpdatePostTitles function in all versions up to, and including, 5.0.0. This makes it possible for authenticated attackers, with subscriber...
PT-2023-32344 · Unknown · Flusity-Cms
Name of the Vulnerable Software and Affected Versions: flusity CMS affected versions not specified Description: A problematic issue has been found in flusity CMS, affecting the loadPostAddForm function of the file core/tools/posts.php. The manipulation of the edit post id argument leads to...
Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery (CSRF) to Stored XSS
The plugin does not protect the ajax action azhsave against CSRF attacks, allowing an unauthenticated attacker to modify posts by tricking a logged-in user with rights to edit the post into submitting a crafted request. Furthermore, if the targeted user has a role of editor or above, arbitrary web...
Malicious Package
Overview @nelio-content/edit-post is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...
CVE-2022-46890
Weak access control in NexusPHP before 1.7.33 allows a remote authenticated user to edit any post in the forum. This is caused by a lack of checks performed by the /forums.php?action=post page...
AeroCMS SQL Injection Vulnerability
AeroCMS is a content management system from AeroCMS, Inc. A security vulnerability exists in AeroCMS v0.0.1, which stems from the postcategoryid parameter of its adminincludeseditpost.php component allowing an attacker to perform SQL injection, resulting in access to database information. No...
PT-2022-27568 · Aerocms · Aerocms
Name of the Vulnerable Software and Affected Versions: AeroCMS version 0.0.1 Description: The issue allows attackers to access database information through a SQL Injection vulnerability. This vulnerability is exploited via the post category id parameter at the "adminincludesedit post.php" endpoin...
PT-2022-24133 · Unknown · Flipbook Plugin
Name of the Vulnerable Software and Affected Versions: Flipbook Plugin affected versions not specified Description: A vulnerability was found in the Flipbook Plugin, affecting some unknown functionality of the file post.php of the component Edit Post Handler. The manipulation of the Shortcode...
CVE-2022-3400
The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the brickssavepost AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template...
CVE-2020-35597
Victor CMS 1.0 is vulnerable to SQL injection via cid parameter of admineditcomment.php, pid parameter of admineditpost.php, uid parameter of adminedituser.php, and edit parameter of adminupdatecategories.php...
CVE-2022-30810
elitecms v1.01 is vulnerable to SQL Injection via admin/editpost.php...
elitecms SQL Injection Vulnerability
Elitecms is a web content management system by elitecms India. elitecms version 1.01 has a SQL injection vulnerability that originates from the admin/editpost.php page's lack of validation of externally supplied input used in SQL statements, which can be exploited by attackers to execute illegal SQL commands to steal...
Text Hover < 4.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, put the following in the plugin's settings: test = "alert/XSS/ Tick the "Enable text hover in...
CVE-2022-24220
eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/editpost.php...
Elite Graphix Elite Cms SQL Injection Vulnerability
Elite Graphix Elite Cms is a web content management platform written in PHP by Elite Graphix India, used for storing and organizing information and documents. Elite Graphix Elite Cms suffers from a SQL injection vulnerability that stems from the lack of validation of externally entered SQL...
Custom Banners < 3.3 - CSRF Nonce Bypass in saveCustomFields
The plugin did not properly check the CSRF nonce in the saveCustomFields method, which could allow attackers to make a logged-in user with the editpost capability save custom fields in a post. Numerous sanitisation fixes were also added in v3.3. PoC Send a request without the...
Online News Portal System 1.0 Cross Site Scripting
Exploit Title: Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting Date: 24-11-2020 Exploit Author: Parshwa Bhavsar Vendor Homepage: https://www.sourcecodester.com/php/14600/online-news-portal-using-phpmysqli-source-code.html Software Link:...
CVE-2019-19984
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed users with editpost capabilities to manage plugin settings and email campaigns...