32 matches found
CVE-2025-13007
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible...
CVE-2025-13007 WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 3.20.3 - Unauthenticated Stored Cross-Site Scripting via External Content Import
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible...
CVE-2023-1905
The WP Popups WordPress plugin before 2.1.5.1 does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
Navy Warship’s Facebook Page Hacked to Stream ‘Age of Empires’ Gaming
The official Facebook page of a destroyer-class Navy warship, the USS Kidd, has gone rogue: Someone has taken over the page in order to…stream Age of Empires play. Age of Empires is a real-time online multiplayer strategy game in which the objective is to advance one’s civilization. Players “buil...
US Navy ship Facebook page hijacked to stream video games
The official Facebook page of the US Navy’s destroyer-class warship, USS Kidd, has been hijacked. According to Task & Purpose, who first reported on the incident, the account has done nothing but stream Age of Empires, an award-winning, history-based real-time strategy (RTS) video game wherein...
Exposed Database Reveals 100K+ Compromised Facebook Accounts
Researchers have uncovered a wide-ranging global scam targeting Facebook users, after finding an unsecured database used by fraudsters to store the usernames and passwords of at least 100,000 victims. Researchers said that the cybercriminals behind the scam were tricking Facebook victims into...
Cuvva: Unclaimed facebook page at www.cuvva.com/about
Description: Hello sir, while I was surfing your website I found an unclaimed Facebook page at www.cuvva.com/about F503171. When you click this button you will be redirected to https://www.facebook.com/getcuvvad which was unclaimed, but I claimed it as a PoC. Steps to reproduce: 1. go to...
Cross site scripting
Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form Name field label, Last name field label, Email...
Shopify: Stored XSS through Facebook Page Connection
The following URL https://kitcrm.com/users/122686/connections displays us options to connect our several social networking accounts to kitcrm. Once I connect my Facebook account, the Facebook section in the above link will list out all my Facebook pages and will give me an option to select a business...
WordPress Plugin leenk.me 2.5.0 - Cross-Site Request Forgery / Cross-Site Scripting
I would like to disclose a CSRF and stored XSS vulnerability in the WordPress plugin LeenkMe version 2.5.0. The plugin can be found at https://wordpress.org/plugins/leenkme/ In the page wp-content/plugins/leenkme/facebook.php, the XSS vulnerable fields are: - facebookmessage - facebooklinkname -...
Zendesk: Stored XSS on [your_zendesk].zendesk.com in Facebook Channel
I have found a stored XSS in the Facebook Channel options at https://yourzendesk.zendesk.com/agent/admin/facebook/facebookauth. The XSS is a result of improperly escaping Facebook Page names. Steps to reproduce: 1. Create a Facebook page with the following title/page name...
Ahrareandeysheh CMS Cross Site Scripting
phpMyBackupPro-2.4 Cross-Site Scripting vulnerability
phpMyBackupPro-2.4 XSS vulnerability phpmybackuppro Cross-Site Scripting vulnerability...
Realtek Sound Manager AvRack - '.wav' Crash (PoC)
!/usr/bin/python Title: Realtek Sound Manager AvRack - Crach Poc version: all versions link: http://www.realtek.com.tw/ Platform: Windows XP sp3 Author: Asesino04 Blog : http://asesino04.blogspot.com/ junk="\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"...
Auxilium PetRatePro SQL Injection / Shell Upload
Exploit Title: Auxilium PetRatePro Multiple Vulnerabilities Date: 14/09/2012 Author: DaOne @LibyanCA Software Link: http://www.auxiliumsoftware.com Google Dork: "N/A" 1-Remote Add Admin: Create New Administrator Username Password Name Email Address 2-SQL Injection viewcomments.php parameter phid...
Clipster Video - Persistent Cross-Site Scripting
Exploit Title: Clipster Video Persistent XSS Vulnerability Date: 04/09/2012 Author: DaOne Software Link: http://www.clipsterscript.com/ Google Dork: "Powered by ClipsterScript.com" How to exploit: 1-go to : http://site.com/login.php?action=Register...
Joomla (makedown.php) Local File Inclusion/download
Exploit for php platform in category web applications Exploit Title: Joomla /Makedown.php Local File Inclusion/download Author: Th3 Bl4Ck H4Ck3R Facebook Page: http://www.fb.com/Mr.googl E-mail: email protected Category:: webapps !! File makedown.php ------------------------------...
USA Today Twitter Account Hacked By Script Kiddie
USA Today Twitter Account Hacked By Script Kiddie A group calling itself "The Script Kiddies" hacked USA Today's Twitter account this weekend and used it to solicit requests for future targets and even to promote its own Facebook page. Although this recent hack seems like more of a childish prank...