Microweber security vulnerability
Microweber is an online store management system that provides drag and drop functionality from the Microweber community in the United States. The system includes modules for adding products, images, and more. A file upload vulnerability exists in Microweber version v.2.0.4, which stems from the...
PT-2023-30753 · Nitin Rathod · Wp Forms Puzzle Captcha
Name of the Vulnerable Software and Affected Versions: WP Forms Puzzle Captcha versions n/a through 4.1. Description: A Cross-Site Request Forgery (CSRF) vulnerability in Nitin Rathod WP Forms Puzzle Captcha allows Stored XSS. Recommendations: For WP Forms Puzzle Captcha versions n/a through 4.1,...
WordPress BSK Forms Blacklist Plugin <= 3.6.3 is vulnerable to Cross Site Scripting (XSS)
Software: BSK Forms Blacklist; Type: Plugin; Vulnerable versions: <= 3.6.3; Fixed in: 3.7; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-5980; Patch priority: Low; CVSS severity: Low 5.9; Developer: Claim ownership; PSID: 330a6bb4d39e; Credits: Bob Matyas; Required...
WordPress Forms by CaptainForm Plugin <= 2.5.3 is vulnerable to Cross Site Scripting (XSS)
Software: Forms by CaptainForm; Type: Plugin; Vulnerable versions: <= 2.5.3; Fixed in: 2.5.4; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-49170; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 40df54b84291; Credits: Khalid Yusuf; Required...
WP Forms Puzzle Captcha <= 4.1 - Cross-Site Request Forgery to Cross-Site Scripting
Description The WP Forms Puzzle Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this functio...
dotnet7.0 security update
An update is available for dotnet7.0. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. .NET is a managed-software framework. It implements a subset of the .NET...
BSK Forms Blacklist < 3.7 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. In the plugin settings ex:...
BSK Forms Blacklist < 3.7 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). PoC 1. In the plugin settings ex:...
CVE-2023-2707 Appointment booking addon for Gravity Forms <= 1.9.5.1 - Admin+ Stored XSS
The gAppointments WordPress plugin through 1.9.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...
VulnCheck KEV: CVE-2023-0552
The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection URL when logging in and logging out, leading to an Open Redirect vulnerability...
Contact Form for Plugin by Fluent Forms < 5.0.9 - Insecure Direct Object Reference
Description The Contact Form for Plugin by Fluent Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 5.0.8 via the addIsRenderableFilter function due to missing validation on the publication status of a form. This makes it possible for...
WP User Frontend < 3.6.9 - Missing Authorization via AJAX actions
Description The WP User Frontend plugin for WordPress is vulnerable to unauthorized functionality use due to a missing capability check on several functions corresponding to AJAX actions in versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with...
Contact Form builder with drag & drop - Kali Forms < 2.3.29 - Missing Authorization via get_log
Description The Contact Form builder with drag & drop - Kali Forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_log function in versions up to, and including, 2.3.28. This makes it possible for authenticated attackers, with subscriber-level...
Flo Forms <= 1.0.41 - Missing Authorization via flo_send_test_email
Description The Flo Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flo_send_test_email function in versions up to, and including, 1.0.41. This makes it possible for authenticated attackers, with subscriber-level access and above...
Contact Form builder with drag & drop - Kali Forms < 2.3.28 - Missing Authorization via Contact Form
Description The Contact Form builder with drag & drop - Kali Forms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing check on the run_form_process_checks function in versions up to, and including, 2.3.27. This makes it possible for unauthenticated attackers to...
Integration for Contact Form 7 and Constant Contact < 1.1.5 - Open Redirect
Description The Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.1.4. This is due to insufficient validation of a redirect URL. This makes it possible for unauthenticated...
Quill Forms < 3.4.0 - Cross-Site Request Forgery
Description The Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.0. This is due to missing or...
CVE-2023-47816
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13 versions...
Cross-site Scripting via uploaded assets
Impact HTML files crafted to look like images may be uploaded regardless of MIME validation. This is only applicable on front-end forms using the "Forms" feature containing an assets field, or within the control panel, which requires authentication. Patches It has been patched in 3.4.15 and 4.36.0...