11 matches found
gamesonline.goedbegin.nl Cross Site Scripting vulnerability OBB-3929041
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
boeken1.zeebad.nl Cross Site Scripting vulnerability OBB-3929025
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
canman.us Cross Site Scripting vulnerability OBB-3928844
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
sentineldongle.com Cross Site Scripting vulnerability OBB-3928773
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
WordPress Crafthemes Demo Import Plugin <= 3.3 is vulnerable to Broken Access Control
Software Crafthemes Demo Import Type Plugin Vulnerable versions = 3.3 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2024-34800 Patch priority High CVSS severity High 7.6 Developer Claim ownership PSID e10925dbe035 Credits Yudistira Arya Required...
Business Card <= 1.0.0 - Category Edit via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing card categories via CSRF attacks Make a logged in admin open an HTML document containing:...
KKProgressbar2 Free <= 1.1.4.2 - Admin+ SQL Injection
Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks 1. Send a POST request to /wp-admin/admin.php?page=kkpb-add-project with the BODY action=edit-project&id=sleep5 2. Observe the delay in respons...
Business Card <= 1.0.0 - Arbitrary Card Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF attacks Make a logged in admin open an HTML document containing where is a valid ID: "...
KKProgressbar2 Free <= 1.1.4.2 - Admin+ SQL Injection
Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks PoC 1. Send a POST request to /wp-admin/admin.php?page=kkpb-add-project with the BODY action=edit-project=sleep5 2. Observe the delay in...
KKProgressbar2 Free <= 1.1.4.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert/XSS/' csrf" XSS will trigger on...
KKProgressbar2 Free <= 1.1.4.2 - Progress Bar Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks Make a logged in admin open an HTML file containing where is a valid ID: "...