43 matches found
WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
WordPress themes including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkli...
WordPress tagDiv Composer < 3.5 - Authentication Bypass
The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address id:...
EUVD-2023-32163
Malicious code in bioql PyPI...
CVE-2023-28493
Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes NewsMag theme <= 2.4.4 versions...
CVE-2021-24304
The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability...
Cross site scripting
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
CVE-2023-3170 tagDiv Composer < 4.2 - Admin+ Stored XSS
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...
CVE-2023-3169 tagDiv Composer < 4.2 - Unauthenticated Stored XSS
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform...
CVE-2023-3169
The CVE concerns tagDiv Composer for WordPress (pre-4.2). Concrete detail: unauthenticated stored XSS via the REST endpoint /wp-json/tdw/save_css, exploiting the compiled_css parameter which is stored and later executed when CSS loads. Root cause: authorisation is missing on the REST route and in...
tagDiv Composer < 4.2 - Unauthenticated Stored XSS
Description The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scriptin...
tagDiv Composer < 4.2 - Admin+ Stored XSS
Description The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example i...
tagDiv Composer < 4.2 - Admin+ Stored XSS
Description The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example i...
tagDiv Composer < 4.2 - Unauthenticated Stored XSS
Description The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scriptin...
CVE-2020-36708
CVE-2020-36708 : The Nuclei template confirms a remote code execution flaw in WordPress themes using the Epsilon Framework (Shapely, NewsMag, Activello, Illdy, Allegiant, Newspaper X, Pixova Lite, Brilliance, MedZone Lite, Regina Lite, Transcend, Affluent, Bonkers, Antreas, Sparkling, NatureMag L...
VulnCheck KEV: CVE-2020-36708
The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina...
CVE-2023-28493
Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes NewsMag theme <= 2.4.4 versions...
CVE-2023-28493
Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes NewsMag theme <= 2.4.4 versions...
Cross site scripting
Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes NewsMag theme <= 2.4.4 versions...
CVE-2023-28493 WordPress Newsmag Theme <= 2.4.4 is vulnerable to Cross Site Scripting (XSS)
Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes NewsMag theme <= 2.4.4 versions...
CVE-2023-28493
CVE-2023-28493 affects the WordPress plugin/theme combination: Macho Themes NewsMag theme versions ≤ 2.4.4 suffer a reflected XSS vulnerability that requires subscriber-level access and user interaction. The public-facing impact is an XSS in NewsMag’s handling of input, with no explicit exploit d...