245 matches found
CVE-2023-4971
The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog...
WP Ultimate CSV Importer < 7.9.9 - Imported Files Disclosure
Description The plugin does not protect its imported files, which could allow unauthenticated users to list and view exported files...
CVE-2023-2113
The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users such as an administrator to inject arbitrary javascript into the admin panel, even when the unfilteredhtml capability is disabled, such as in a...
PT-2023-17921 · WordPress · Autoptimize
Name of the Vulnerable Software and Affected Versions: Autoptimize WordPress plugin versions prior to 3.1.7 Description: The issue allows high privileged users, such as administrators, to inject arbitrary javascript into the admin panel. This can occur even when the unfiltered html capability is...
XWiki Platform 注入漏洞
XWiki Platform is a suite of Wiki platforms for creating Web collaboration applications from the French company XWiki. An injection vulnerability exists in XWiki Platform that stems from incorrectly escaping information loaded from attachments in imported.vm, importinline.vm, and packagelist.vm...
CVE-2022-36969
This vulnerability allows remote attackers to disclose sensitive information on affected installations of AVEVA Edge 2020 SP2 Patch 04201.2111.1802.0000. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specifi...
SUSE CVE-2019-9834
The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to...
SUSE CVE-2021-26349
Failure to assign a new report ID to an imported guest may potentially result in an SEV-SNP guest VM being tricked into trusting a dishonest Migration Agent MA...
SUSE CVE-2021-41771
ImportedSymbols in debug/macho for Open or OpenFat in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation...
CVE-2022-4703
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprresetpreviousimport' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to reset previously imported da...
CVE-2022-4703 Royal Elementor Addons <= 1.3.59 - Insufficient Access Control to Import Deletion
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprresetpreviousimport' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to reset previously imported da...
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Import Deletion
The plugin does not have authorisation and CSRF checks when deleting imported content, which could allow any authenticated user, such as subscriber to perform such action...
CVE-2022-3417
The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import intentionally or not a malicious settings file and a suitable gadget chain is present on the blog...
CVE-2022-3679
The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog...
CVE-2022-3679
The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog...
Design/Logic Flaw
The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog...
Design/Logic Flaw
The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import intentionally or not a malicious settings file and a suitable gadget chain is present on the blog...
WordPress Plugin Kadence WP 代码问题漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue vulnerability...
PT-2023-13350 · WordPress · Wptouch
Name of the Vulnerable Software and Affected Versions: WPtouch WordPress plugin versions prior to 4.3.45 Description: The issue arises from the unserialization of the content of an imported settings file, which could lead to PHP object injections issues when a user imports a malicious settings fi...
Design/Logic Flaw
The Custom Field Template WordPress plugin before 2.5.8 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import intentionally or not a malicious Customizer Styling file and a suitable gadget chain is present on the blog...