EUVD-2023-12162
Malicious code in bioql PyPI...
CVE-2023-0061
The Judge.me Product Reviews for WooCommerce WordPress plugin before 1.3.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Si...
CVE-2023-0061 Judge.me Product Reviews for WooCommerce < 1.3.21 - Contributor+ Stored XSS
The Judge.me Product Reviews for WooCommerce WordPress plugin before 1.3.21 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Si...
WordPress plugin Judge.me Product Reviews for WooCommerce cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...
PT-2023-15978 · WordPress · Judge.Me Product Reviews
Name of the Vulnerable Software and Affected Versions: Judge.me Product Reviews for WooCommerce WordPress plugin versions prior to 1.3.21 Description: The issue concerns the lack of validation and escaping of certain shortcode attributes, which could allow users with the contributor role and abov...
WordPress Judge.me Product Reviews for WooCommerce Plugin < 1.3.21 is vulnerable to Cross Site Scripting (XSS)
Software: Judge.me Product Reviews for WooCommerce | Type: Plugin | Vulnerable versions: 1.3.21 | Fixed in: 1.3.21 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-0061 | Patch priority: Medium | CVSS severity: Medium 6.5 | Developer: Claim ownership | PSID: 7fda1dafd296...
Judge.me Product Reviews for WooCommerce < 1.3.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Note: First, you need to set Judge.me shop...
Judge.me : Improper Access Control in Ali Express Importer
An improper access control vulnerability was found in the Ali Express Review Importer app, which allowed staff members with no access to the Judge.me app to view all reviews, including hidden and archived ones, from the Judge.me app. The vulnerability was exploited by intercepting and replacing t...
Judge.me : XSS in Widget Review Form Preview in settings
Summary: Hi team, I found an XSS vulnerability in the widget review form preview. The payload is added in the success message and triggers when you preview the form. Steps To Reproduce: 1. Login to your Shopify account and open Judge.Me App 2. Go to 'Settings' - 'Review Widget' - 'Widget Form' 3. G...
Judge.me : Race condition on https://judge.me/people
Summary: An attacker can increase the followers of the users of judge.me. Tools required: 1. Burp Suite 2. Turbo Intruder. Steps to reproduce: 1. Visit https://judge.me/people 2. Like a user and intercept the request 3. Now send it to Turbo Intruder and configure the script to race.py. Impact: The attacker...
Judge.me : Stored XSS in Question edit for product name (bypass #1416672)
Hi @judgeme! Step to reproduce: 1. Log in to your shopify account and create product with name img src=x onerror=promptdocument.domain img src=x onerror=promptdocument.domain 2. Go to our store and write question to our product with name img src=x onerror=promptdocument.domain img src=x...
Judge.me : Log4j RCE on https://judge.me/reviews
Summary: CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If attackers manage to exploit it on one of the servers, they gain the ability to execute arbitrary code and potentially take full control of the system. What makes CVE-2021-44228 especial...
Judge.me : Stored XSS in "product type" field executed via product filters
Hi @judgeme! I found Stored XSS! I installed judge.me in Shopify E-Commerce. Steps to reproduce: 1. Log in to our Shopify dev store and install "judgeme" app. 2. Create a random product in our Shopify store, make it active and insert XSS payload " in "PRODUCT TYPE" field and SAVE F1518888 3. Then go t...
Judge.me : Self-XSS due to image URL can be exploited via XSSJacking techniques in review email
A self-XSS vulnerability was discovered in Judge.me due to the image URL of recommendations in the reviewer profile that could be exploited via XSSJacking techniques in the review email. An attacker could insert a payload in the image URL of recommendations and then use XSSJacking techniques to...
Judge.me : Stored XSS in Email Templates via link
Summary: Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. FYI: I installed judge.me in Shopify E-Commerce. Steps To Reproduce: 1. Go to...
Judge.me : Blind XSS via Feedback form.
Summary: Hi Team, I found Blind XSS which is triggered on the admin panel. I was trying to add widgets on the installation page for the default theme. When the installation was done, I saw a question like "Are you happy with how everything looks?". I clicked the "No, please remove all widgets" butto...
Judge.me : HTML INJECTION (STORED)
Vulnerability description not provided...
Judge.me : HTML injection in review content
Hi Judge Security Team, I found an HTML Injection in the review parameter at https://judgeme-pentest.myshopify.com/products/pentest and at judge.me. Steps: 1. Go to https://judgeme-pentest.myshopify.com/products/pentest 2. Click on "Write Review" 3. Fill in the fields normally. F1083621 4. Now, ...