
83 matches found

EUVD
•added 2025/10/07 12:30 a.m.•3 views

EUVD-2015-9283

Malware in sbrugna...

6.5 CVSS • 6.5 AI score • 0.00846 EPSS
Exploits 1 • References 3
wpexploit
•added 2024/05/24 12:0 a.m.•134 views

Social Pixel <= 2.1 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). 1. Go to:...

5.6 AI score • 0.00419 EPSS
Exploits 2
Vulnrichment
•added 2022/06/29 6:55 a.m.•8 views

CVE-2017-20108 Easy Table Plugin options-general.php cross site scripting

A vulnerability classified as problematic has been found in Easy Table Plugin 1.6. This affects an unknown part of the file /wordpress/wp-admin/options-general.php. The manipulation with the input "alert1 leads to basic cross site scripting. It is possible to initiate the attack remotely...

3.5 CVSS • 6.4 AI score • 0.00536 EPSS
Exploits 1 • References 2
Cvelist
•added 2022/06/29 6:55 a.m.•14 views

CVE-2017-20108 Easy Table Plugin options-general.php cross site scripting

A vulnerability classified as problematic has been found in Easy Table Plugin 1.6. This affects an unknown part of the file /wordpress/wp-admin/options-general.php. The manipulation with the input "alert1 leads to basic cross site scripting. It is possible to initiate the attack remotely...

3.5 CVSS • 5.2 AI score • 0.00536 EPSS
Exploits 1 • References 2
Prion
•added 2022/01/18 5:15 p.m.•24 views

Design/Logic Flaw

The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpieprocessfiledownload found in the /includes/classes/class-wpie-general.php file. This made it possible for...

5 CVSS • 7.3 AI score • 0.04284 EPSS
Exploits 2 • References 3 • Affected Software 2
wpexploit
•added 2021/07/23 12:0 a.m.•149 views

Alipay <= 3.7.2 - Authenticated SQL Injection

A proid GET parameter of the plugin is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection. GET /wp-admin/options-general.php?page=wsalipay&action=edit&proid=-5818%20UNION%20ALL%20SELECT...

6.5 CVSS • 1.3 AI score • 0.01498 EPSS
Exploits 2 • References 1
wpexploit
•added 2020/08/31 12:0 a.m.•22 views

Subscribe Sidebar <= 1.3.1 - Authenticated Reflected Cross-Site Scripting

The 'status' GET parameter in subscribesidebar.php, which is displayed in the plugin's option page, is vulnerable to reflected XSS attacks. /wp-admin/options-general.php?page=subscribesidebar.php&status=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E...

4.3 CVSS • 1.7 AI score • 0.00977 EPSS
Exploits 1 • References 1
Cvelist
•added 2020/01/28 7:9 p.m.•16 views

CVE-2015-5483

Multiple cross-site request forgery (CSRF) vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add users, (2) delete posts, or (3) modify PHP files via unspecified vectors, or (4) conduct cross-site...

8.8 AI score • 0.01584 EPSS
Exploits 3 • References 3
Prion
•added 2019/10/10 4:15 p.m.•17 views

Code injection

The searchterms-tagging-2 plugin through 1.535 for WordPress has XSS via the wp-admin/options-general.php count parameter...

4.3 CVSS • 6.1 AI score • 0.0102 EPSS
Exploits 1 • References 2 • Affected Software 1
NVD
•added 2019/09/26 1:15 a.m.•19 views

CVE-2015-9424

The multicons plugin before 3.0 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=multicons%2Fmulticons.php globalurl or adminurl parameter...

6.5 CVSS • 6.3 AI score • 0.00881 EPSS
Exploits 1 • References 3
NVD
•added 2019/09/20 3:15 p.m.•19 views

CVE-2015-9387

The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options-general.php CSRF...

6.5 CVSS • 6.6 AI score • 0.00673 EPSS
Exploits 1 • References 2
Prion
•added 2019/09/20 3:15 p.m.•15 views

Cross site request forgery (csrf)

The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options-general.php CSRF...

4.3 CVSS • 7.2 AI score • 0.00673 EPSS
Exploits 1 • References 2 • Affected Software 1
CVE
•added 2019/07/19 6:8 a.m.•37 views

CVE-2019-13973

CVE-2019-13973 affects LayerBB 1.1.3, where the admin/general.php arbitrary file upload is possible because the custom_logo filename suffix is not restricted, allowing a ".php" file. The vulnerability stems from insufficient validation of uploaded logo names, enabling potential remote code execut...

9.8 CVSS • 9.5 AI score • 0.01753 EPSS
Exploits 1 • References 1 • Affected Software 1
Prion
•added 2019/03/22 12:29 a.m.•15 views

Cross site scripting

The font-organizer plugin 2.1.1 for WordPress has wp-admin/options-general.php managefontid XSS...

4.3 CVSS • 6.4 AI score • 0.0142 EPSS
Exploits 1 • References 4 • Affected Software 1
NVD
•added 2018/06/08 11:29 a.m.•13 views

CVE-2018-12051

Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script via $FILE in /webmasterst/general.php, as demonstrated by a .php file with the image/jpeg content type...

9.8 CVSS • 9.8 AI score • 0.02857 EPSS
Exploits 1 • References 1
Prion
•added 2018/03/19 9:29 p.m.•12 views

Cross site request forgery (csrf)

Cross-site request forgery (CSRF) vulnerability in inc/AdminPage.php in the WP HTML Sitemap plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete the sitemap via a request to the wp-html-sitemap page in wp-admin/options-general.php...

5.8 CVSS • 7.5 AI score • 0.00781 EPSS
Exploits 1 • References 1 • Affected Software 1
Prion
•added 2018/02/06 2:29 p.m.•13 views

Cross site request forgery (csrf)

The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php...

6.8 CVSS • 8.7 AI score • 0.006 EPSS
Exploits 1 • References 1 • Affected Software 1
Prion
•added 2018/02/06 2:29 p.m.•20 views

Cross site scripting

A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSSset parameter to wp-admin/options-general.php...

4.3 CVSS • 6 AI score • 0.00918 EPSS
Exploits 1 • References 1 • Affected Software 1
NVD
•added 2018/02/06 2:29 p.m.•23 views

CVE-2018-6467

The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php...

8.8 CVSS • 8.8 AI score • 0.006 EPSS
Exploits 1 • References 1
Cvelist
•added 2018/02/06 2:0 p.m.•27 views

CVE-2018-6467

The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php...

8.8 AI score • 0.006 EPSS
Exploits 1 • References 1