CVE-2018-16258
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-import customtype. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a...
CVE-2018-16257
There are multiple XSS vulnerabilities in WP All Import plugin 3.4.9 for WordPress via action=template. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged...
CVE-2018-16257
WP All Import plugin version 3.4.9 has multiple XSS vulnerabilities exploitable via the action=template endpoint. The issue affects WordPress installations using this plugin and can lead to client-side code execution, with sources explicitly noting administrator-only access as part of the exposur...
CVE-2018-16256
WP All Import plugin for WordPress (version 3.4.9) contains a cross-site scripting (XSS) vulnerability that can be triggered via the Add Filtering Options (Add Rule) feature. The issue is reported as present in 3.4.9 and is tied to insufficient input validation, with disclosures noting the vulner...
CVE-2018-16255
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in...
CVE-2018-16255
WP All Import plugin for WordPress, version 3.4.9, is associated with a cross-site scripting vulnerability via the endpoint action=evaluate. Exploitation appears to require a logged-in administrator; vendor dispute exists regarding the issue. No patch/version fix details are provided in the inclu...
CVE-2018-16254
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=options. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in...
CVE-2018-16254
Summary: CVE-2018-16254 concerns an XSS vulnerability in the WordPress plugin WP All Import (version 3.4.9) exposed via the parameter action=options. The vulnerability is described as exploitable by a logged-in administrator; the vendor states it is not a vulnerability. The linked OpenVAS entry c...
WordPress WP All Import plugin cross-site scripting vulnerability (CNVD-2019-30134)
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. The WP All Import plugin is one of its file import plugins. A cross-site scripting vulnerability exists in WordPress WP All Import...
PT-2019-9286 · WordPress · Wp All Import
Name of the Vulnerable Software and Affected Versions: WP All Import plugin version 3.4.9 Description: The issue concerns an XSS vulnerability in the WP All Import plugin for WordPress, specifically via the action=options. It's noted that the vendor does not consider this a vulnerability, as the...
WordPress WP All Import plugin cross-site scripting vulnerability (CNVD-2019-30136)
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. The WP All Import plugin is one of its file import plugins. A cross-site scripting vulnerability exists in WordPress WP All Import...
PT-2019-9289 · WordPress · Wp All Import
Name of the Vulnerable Software and Affected Versions: WP All Import plugin version 3.4.9 Description: The issue concerns multiple XSS vulnerabilities. These can be accessed via the "action=template" endpoint. It's worth noting that the vendor disputes this being a vulnerability, citing that WP A...
PT-2019-9290 · WordPress · Wp All Import
Name of the Vulnerable Software and Affected Versions: WP All Import plugin version 3.4.9 Description: The issue concerns an XSS vulnerability via the pmxi-admin-import custom type. It is noted that the vendor disputes this being a vulnerability, citing that WP All Import can only be used by a...
PT-2019-9287 · WordPress · Wp All Import
Name of the Vulnerable Software and Affected Versions: WP All Import plugin version 3.4.9 Description: The issue concerns an XSS vulnerability via the action=evaluate endpoint. It is noted that the vendor does not consider this a vulnerability, as the plugin can only be used by a logged-in...
WordPress WP All Import plugin cross-site scripting vulnerability (CNVD-2019-30135)
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. The WP All Import plugin is one of its file import plugins. A cross-site scripting vulnerability exists in WordPress WP All Import...
PT-2019-9288 · WordPress · Wp All Import
Name of the Vulnerable Software and Affected Versions: WP All Import plugin version 3.4.9 Description: The issue concerns an XSS vulnerability in the WP All Import plugin for WordPress. It can be exploited via the Add Filtering Options (Add Rule) feature. The vendor has stated that this is not...
pixiv: CSRF at https://chatstory.pixiv.net/imported
Summary: A CSRF in https://chatstory.pixiv.net/imported can trick users into importing a novel of the attacker as the users' chatstory. Steps To Reproduce: 1. Attacker creates a novel 2. Go to the novel https://www.pixiv.net/novel/show.php?id=10997105 Import the novel as chatstory by clicking the...
GitLab: Importing GitLab project archives can replace uploads of other users
Summary: Importing a modified exported GitLab project archive can overwrite uploads for other users. If the secret and file name of an upload are known (these can be easily identified for any uploads to public repositories), any user can import a new project which overwrites the served content of th...
jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1320)
A flaw was found in the Jenkins script security sandbox. The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab could be circumvented through use of various Groovy language features including the use of...