105181 matches found
CVE-2020-37233 WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting
WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...
CVE-2020-37233
CVE-2020-37233 affects WordPress Buddypress 6.2.0 via a persistent cross-site scripting in wp:html blocks (figure parameter). Exploitation requires moderator privileges and authenticated access; an iframe with event handlers (e.g., onload) can run when privileged users preview/view content, enabl...
CVE-2020-37233 WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting
WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...
EUVD-2020-31235
WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...
CVE-2020-37227 WordPress Plugin HS Brand Logo Slider 2.1 Unrestricted File Upload
HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...
EUVD-2020-31228
HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...
CVE-2020-37227 WordPress Plugin HS Brand Logo Slider 2.1 Unrestricted File Upload
HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...
CVE-2020-37227
HS Brand Logo Slider 2.1 (a WordPress plugin) has an unrestricted file upload vulnerability. Authenticated users can bypass client-side extension checks by targeting the logoupload parameter in the admin interface and rename uploaded files to executable extensions such as .php, enabling remote co...
CVE-2020-37227
HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...
Arbitrary Code Injection
Froxlor is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper escaping of single quotes in PhpHelper::parseArrayToString, which allows an attacker to inject arbitrary PHP code through the privilegeduser parameter that gets executed on subsequent requests...
Server-Side Request Forgery
Arcane is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to the /api/templates/fetch endpoint accepting a user-controlled url parameter and performing server-side HTTP requests without authentication or validation of the URL scheme and destination host, allowing...
Sensitive Information Exposure
Portainer Community Edition is vulnerable to Exposure of Sensitive Information. The vulnerability is due to the authentication middleware accepting JWT bearer tokens through the ?token= URL query parameter, which allows an attacker to obtain authentication tokens from browser history, proxy logs,...
CVE-2026-42847
ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 122, there is a critical SQL Injection SQLi vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint adminarea/actionlogs.php. The endpoint adminarea/actionlogs.php reads...
OpenSolution Quick.CMS 跨站脚本漏洞
OpenSolution Quick.CMS is a lightweight website content management system developed by the Polish company OpenSolution. Version 6.7 of OpenSolution Quick.CMS contains a cross-site scripting vulnerability. This vulnerability stems from a cross-site scripting flaw in the sliders form, allowing...
EgavilanMedia PHPCRUD SQL注入漏洞
EgavilanMedia PHPCRUD is a PHP development framework provided by EgavilanMedia that supports database operations such as creation, deletion, modification, and viewing, along with rapid generation of backend management pages. Version 1.0 of EgavilanMedia PHPCRUD contains a SQL injection...
PT-2026-41461
Name of the Vulnerable Software and Affected Versions WP Learn Manager version 1.1.2 Description A stored cross-site scripting issue allows unauthenticated attackers to inject malicious scripts. This is achieved by submitting POST requests to the 'jslm fieldordering' page using the fieldtitle...
PT-2026-41467
Name of the Vulnerable Software and Affected Versions Quick.CMS version 6.7 Description An issue in the sliders form allows authenticated attackers to inject malicious scripts by submitting payloads through the sDescription parameter. This can be achieved by crafting CSRF Cross-Site Request Forge...
PT-2026-41466
Name of the Vulnerable Software and Affected Versions Fuel CMS version 1.4.13 Description Authenticated attackers can manipulate database queries by injecting SQL code through the col parameter in the Activity Log interface. By sending requests to the 'logs' endpoint with malicious SQL payloads i...
WordPress plugin Backup and Restore 路径遍历漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
LayerBB SQL注入漏洞
LayerBB is a set of small-scale forum software. Version 1.1.4 of LayerBB contains an SQL injection vulnerability. This vulnerability stems from SQL injection issues, which may allow unauthenticated attackers to inject SQL code through the searchquery parameter, thereby manipulating database queri...