3475 matches found
Cross site scripting
The Front Editor WordPress plugin through 4.0.4 does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-1982 Front Editor <= 4.0.4 - Admin+ Stored XSS
The Front Editor WordPress plugin through 4.0.4 does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-3501 FormCraft < 1.2.7 - Admin+ Stored XSS
The FormCraft WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
PT-2023-17389 · WordPress · Front Editor
Name of the Vulnerable Software and Affected Versions: The Front Editor WordPress plugin versions 4.0.4 and earlier Description: The issue allows high-privilege users to perform Stored Cross-Site Scripting attacks due to the lack of sanitization and escaping of some form settings. This can occur...
NotifyVisitors <= 1.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Translate WordPress with GTranslate < 3.0.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. This vulnerability affects multiple...
GDPR Cookie Consent Notice Box < 1.1.7 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access
Description The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server. PoC On a multisite instance, log in as an admin. Click on File Organizer in the sidebar. The UI gives full control to the files on the server, despite not bein...
FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access
Description The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server. On a multisite instance, log in as an admin. Click on File Organizer in the sidebar. The UI gives full control to the files on the server, despite not being a...
Product page shipping calculator for WooCommerce < 1.3.26 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Easy Form by AYS < 1.2.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Serial Codes Generator and Validator with WooCommerce Support < 2.4.15 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC There are two fields affected by a...
CVE-2023-3667
The Bit Assist WordPress plugin before 1.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-3667 Bit Assist < 1.1.9 - Admin+ Stored Cross-Site Scripting
The Bit Assist WordPress plugin before 1.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Logo Scheduler < 1.2.2 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Cab Grid < 1.6 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
wpDataTables < 2.1.66 - Admin+ PHP Object Injection
Description The plugin does not validate the "Serialized PHP array" input data before deserializing the data. This allows admins to deserialize arbitrary data which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in environments where admin...
CVE-2023-2225
The SEO ALert WordPress plugin through 1.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2023-2254
The Ko-fi Button WordPress plugin before 1.3.3 does not properly some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disallowed for example in multisite setup, and we consider it a low risk...
CVE-2023-2225 SEO ALert <= 1.59 - Admin+ Stored XSS
The SEO ALert WordPress plugin through 1.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...