5053 matches found

ATTACKERKB
added 2023/06/03 5:15 a.m. · 1 view

CVE-2023-2405

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settin...

CVSS 6.5 · AI score 6.8 · EPSS 0.00095
Exploits 2 · References 4

Vulnrichment
added 2023/06/03 4:35 a.m. · 8 views

CVE-2023-2407 Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Event Registration Calendar By vcita plugin, versions up to and including 3.10.0, and the Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the lsparsevcitacallback function. This...

CVSS 6.1 · AI score 6.7 · EPSS 0.00111
Exploits 2 · References 5

Cvelist
added 2023/06/03 4:35 a.m. · 15 views

CVE-2023-2407 Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Event Registration Calendar By vcita plugin, versions up to and including 3.10.0, and the Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the lsparsevcitacallback function. This...

CVSS 6.1 · AI score 6.3 · EPSS 0.00111
Exploits 2 · References 5

OSV
added 2023/06/03 12:15 a.m. · 2 views

CVE-2023-3055

The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_save' function. This makes it possible for unauthenticated attackers to update the post content an...

CVSS 4.3 · AI score 6.5
Exploits 0 · References 2

CNNVD
added 2023/06/03 12:00 a.m. · 3 views

WordPress plugin Contact Form and Calls To Action by vcita Cross-Site Request Forgery Vulnerability

WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on PHP and MySQL servers. The WordPress plugin is an application plugin. A security vulnerability exists in the...

CVSS 6.1 · AI score 7.2 · EPSS 0.00254
Exploits 1 · References 4

CNNVD
added 2023/06/03 12:00 a.m. · 2 views

WordPress plugin Event Registration Calendar By vcita Cross-Site Request Forgery Vulnerability

WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on PHP and MySQL servers. The WordPress plugin is an application plugin. A security vulnerability exists in WordPres...

CVSS 6.5 · AI score 7.4 · EPSS 0.00111
Exploits 2 · References 5

Positive Technologies
added 2023/06/03 12:00 a.m. · 5 views

PT-2023-18825 · Vcita · Contact Form/Calls To Action

Name of the Vulnerable Software and Affected Versions: Contact Form and Calls To Action by vcita plugin for WordPress versions up to, and including, 2.6.4 Description: The issue is due to missing nonce validation in the vcita-callback.php file, making it possible for unauthenticated attackers to...

CVSS 6.1 · AI score 6.5 · EPSS 0.00254
Exploits 1 · References 9

CNNVD
added 2023/06/03 12:00 a.m. · 2 views

WordPress plugin CRM and Lead Management by vcita Cross-Site Request Forgery Vulnerability

WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on PHP and MySQL servers. The WordPress plugin is an application plugin. A security vulnerability exists in the...

CVSS 6.5 · AI score 7.2 · EPSS 0.00095
Exploits 2 · References 4

Positive Technologies
added 2023/06/03 12:00 a.m. · 4 views

PT-2023-19387 · Vcita · The Event Registration Calendar By Vcita

Name of the Vulnerable Software and Affected Versions: The Event Registration Calendar By vcita plugin versions up to and including 3.9.1 Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress affected versions not specified Description: The issue is due to missing nonce...

CVSS 6.5 · AI score 6.7 · EPSS 0.00111
Exploits 2 · References 8

Cvelist
added 2023/06/02 11:37 p.m. · 14 views

CVE-2023-3055 Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save

The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_save' function. This makes it possible for unauthenticated attackers to update the post content an...

CVSS 6.1 · AI score 6.1 · EPSS 0.00113
Exploits 0 · References 2

Prion
added 2023/06/02 11:15 a.m. · 17 views

Cross-site scripting

The content filtering function of Openfind Mail2000 insufficiently filters special characters in email content. A remote attacker can exploit this vulnerability using phishing emails that contain malicious web pages injected with JavaScript. When users access the system and open the email, it...

CVSS 5.8 · AI score 6.1 · EPSS 0.00276
Exploits 0 · References 1 · Affected software 1

Veracode
added 2023/06/01 6:46 a.m. · 6 views

Cross-Site Scripting (XSS)

lavalite/cms is vulnerable to Cross-Site Scripting XSS. The vulnerability exists due to a lack of user input sanitization in the account name parameter, which allows an attacker to inject arbitrary JavaScript into the browser...

CVSS 5.4 · AI score 6 · EPSS 0.00198
Exploits 1 · References 2 · Affected software 1

CNNVD
added 2023/06/01 12:00 a.m. · 1 view

Splunk Cross-Site Scripting Vulnerability

Splunk is a suite of data collection and analysis software from Splunk, Inc. in the United States. The software is primarily used to collect, index, and analyze the data generated by IT systems and infrastructure, whether physical, virtual, or cloud. A...

CVSS 6.1 · AI score 6.4 · EPSS 0.00514
Exploits 0 · References 3

CNVD
added 2023/06/01 12:00 a.m. · 21 views

Lost and Found Information System Cross-Site Scripting Vulnerability

Lost and Found Information System is a lost and found management system. A cross-site scripting vulnerability exists in Lost and Found Information System version 1.0, which can be exploited by attackers to inject malicious JavaScript script...

CVSS 5.4 · AI score 6 · EPSS 0.00459
Exploits 1 · References 1

CNNVD
added 2023/05/31 12:00 a.m. · 2 views

Lost and Found Information System Security Vulnerability

Lost and Found Information System is a lost and found management system. A cross-site scripting vulnerability exists in Lost and Found Information System version 1.0, which can be exploited by attackers to inject malicious JavaScript script...

CVSS 5.4 · AI score 6 · EPSS 0.00459
Exploits 1 · References 4

Vulnrichment
added 2023/05/30 9:42 p.m. · 6 views

CVE-2023-33962 JStachio XSS vulnerability: Unescaped single quotes

JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes (') in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users...

CVSS 5.4 · AI score 7.4 · EPSS 0.00617
Exploits 1 · References 5

Vulnrichment
added 2023/05/30 9:34 p.m. · 6 views

CVE-2023-33961 Leantime Stored Cross-site Scripting Vulnerability

Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious JavaScript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious JavaScript code executes. As of time ...

CVSS 8.9 · AI score 6.9 · EPSS 0.00814
Exploits 0 · References 1

CVE
added 2023/05/30 9:34 p.m. · 37 views

CVE-2023-33961

Leantime (v2.3.21 and later) is affected by a stored cross-site scripting vulnerability. An authenticated user with commenting privileges can inject malicious JavaScript into a comment, which executes in other users’ browsers when the comment is viewed. The available documents state that a patch ...

CVSS 8.9 · AI score 6 · EPSS 0.00814
Exploits 0 · References 1 · Affected software 1

OSV
added 2023/05/30 8:15 a.m. · 3 views

CVE-2023-2113

The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users such as an administrator to inject arbitrary JavaScript into the admin panel, even when the unfiltered_html capability is disabled, such as in a...

CVSS 4.8 · AI score 5.9 · EPSS 0.00298
Exploits 1 · References 1

CVE
added 2023/05/30 7:49 a.m. · 115 views

CVE-2023-2113

Summary: CVE-2023-2113 affects the Autoptimize WordPress plugin prior to 3.1.7. The vulnerability arises from failing to sanitize and escape settings imported from a previous export, enabling a high-privilege user (e.g., an administrator) to inject arbitrary JavaScript into the admin panel (store...

CVSS 4.8 · AI score 4.8 · EPSS 0.00298
Exploits 1 · References 1 · Affected software 1