CVE-2025-6832
The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2020-35943
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload. It is possible to bypass CSRF protection by simply not including a nonce parameter...
CVE-2025-1505
The Advanced AJAX Product Filters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.6.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-12466
The Proofreading plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2024-12466
CVE-2024-12466 – WordPress Proofreading plugin : Reflected XSS via the nonce parameter in all versions up to 1.2.1.1 due to insufficient input sanitization and output escaping. Impact: unauthenticated attacker can inject scripts on pages that run when a user is tricked into an action (e.g., click...
CVE-2024-12466 Proofreading <= 1.2.1.1 - Reflected Cross-Site Scripting
The Proofreading plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
PT-2025-1858 · WordPress · Proofreading Plugin
Name of the Vulnerable Software and Affected Versions: Proofreading plugin for WordPress versions up to, and including, 1.2.1.1 Description: The issue is related to Reflected Cross-Site Scripting via the nonce parameter due to insufficient input sanitization and output escaping. This allows...
WordPress plugin Turnkey bbPress by WeaverTheme Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
CVE-2024-12167
The Shortcodes Blocks Creator Ultimate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpnonce' parameter in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
PT-2024-16999 · WordPress · Chessgame Shizzle
Name of the Vulnerable Software and Affected Versions: The Chessgame Shizzle plugin for WordPress versions up to, and including, 1.3.0 Description: The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated...
PT-2023-31614 · Unknown · Yii2-Authclient
Name of the Vulnerable Software and Affected Versions: yii2-authclient versions prior to 2.2.15 Description: The issue concerns a timing attack vulnerability in the Oauth1/2 state and OpenID Connect nonce due to comparison via regular string comparison instead of using...
PT-2022-3259 · Argo Cd · Argo Cd
Name of the Vulnerable Software and Affected Versions: Argo CD versions 0.11.0 through 2.4.0 Argo CD versions 2.1.0 through 2.1.15 Argo CD versions 2.2.0 through 2.2.9 Argo CD versions 2.3.0 through 2.3.4 Description: The issue is related to the use of insufficiently random values in parameters i...
CVE-2020-35942
A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. It is possible to bypass CSRF protection by simply not including a nonce parameter...
NextGen Gallery < 3.5.0 - CSRF allows File Upload
It was possible to bypass the "validateajaxrequest" function used to control access to ajax functions by sending a request without a nonce parameter. This could be used to upload arbitrary code to an image file. Although the uploaded file must be a valid image, it is possible to include PHP code ...
Glassdoor: Reflected XSS on https://www.glassdoor.com/parts/header.htm
Reflected XSS was reported on https://www.glassdoor.com/parts/header.htm via the nonce parameter. Thanks, @0x7 for reporting the finding and also reporting additional endpoints affected by this - added a bonus for reporting those additional endpoints and also for your collaboration with us in the...
Media Library Assistant < 2.90 - Authenticated Blind SQL Injection
The Media Library Assistant WordPress plugin was affected by an authenticated admin+ blind SQL injection vulnerability when there is at least one Custom Field Rule set in the plugin's options. There needs to be at least one Custom Field Rule in the plugin's Custom Fields settings...
WordPress CommentLuv Plugin '_ajax_nonce' Cross-Site Scripting Vulnerability
WordPress CommentLuv Plugin is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2014 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...