Source: Vulnrichment | added 2026/05/16 3:25 p.m. | 9 views

CVE-2020-37235 WordPress Theme Wibar 1.1.8 Stored Cross-Site Scripting via Brand Component

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject...

CVSS 6.4 | AI score 5.9 | EPSS 0.00243 | Exploits 0 | References 4
Source: CVE | added 2026/05/16 3:25 p.m. | 16 views

CVE-2020-37235

CVE-2020-37235 concerns WordPress Theme Wibar 1.1.8, where a stored XSS flaw exists in the Brand component. The vulnerability allows authenticated users with editor/administrator/contributor/author roles to inject base64-encoded script payloads via the ftc_brand_url input field, resulting in arbi...

CVSS 6.4 | AI score 5.9 | EPSS 0.00243 | Exploits 0 | References 4
Source: CVE | added 2026/05/16 3:25 p.m. | 15 views

CVE-2020-37236

CVE-2020-37236 describes an authenticated persistent cross-site scripting vulnerability in NewsLister. Authenticated administrators can inject JavaScript via the title parameter in the news addition interface, with payloads executing when news items are viewed by other users. The CVE has a CVSS v...

CVSS 6.4 | AI score 5.7 | EPSS 0.00235 | Exploits 0 | References 3
Source: Cvelist | added 2026/05/16 3:25 p.m. | 36 views

CVE-2020-37235 WordPress Theme Wibar 1.1.8 Stored Cross-Site Scripting via Brand Component

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject...

CVSS 6.4 | EPSS 0.00243 | Exploits 0 | References 4
Source: EUVD | added 2026/05/16 3:25 p.m. | 8 views

EUVD-2020-31235

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

CVSS 6.4 | AI score 5.8 | EPSS 0.00235 | Exploits 0 | References 3
Source: CVE | added 2026/05/16 3:25 p.m. | 20 views

CVE-2020-37233

CVE-2020-37233 affects WordPress Buddypress 6.2.0 via a persistent cross-site scripting in wp:html blocks (figure parameter). Exploitation requires moderator privileges and authenticated access; an iframe with event handlers (e.g., onload) can run when privileged users preview/view content, enabl...

CVSS 6.4 | AI score 5.8 | EPSS 0.00235 | Exploits 0 | References 3
Source: Cvelist | added 2026/05/16 3:25 p.m. | 38 views

CVE-2020-37233 WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

CVSS 6.4 | EPSS 0.00235 | Exploits 0 | References 3
Source: Vulnrichment | added 2026/05/16 3:25 p.m. | 8 views

CVE-2020-37233 WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

CVSS 6.4 | AI score 5.8 | EPSS 0.00235 | Exploits 0 | References 3
Source: Vulnrichment | added 2026/05/16 3:25 p.m. | 8 views

CVE-2020-37227 WordPress Plugin HS Brand Logo Slider 2.1 Unrestricted File Upload

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...

CVSS 8.8 | AI score 6.3 | EPSS 0.00541 | Exploits 0 | References 4
Source: EUVD | added 2026/05/16 3:25 p.m. | 10 views

EUVD-2020-31228

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...

CVSS 8.8 | AI score 6.3 | EPSS 0.00541 | Exploits 0 | References 4
Source: ATTACKERKB | added 2026/05/16 3:25 p.m. | 7 views

CVE-2020-37227

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...

CVSS 8.8 | AI score 6.3 | EPSS 0.00541 | Exploits 0 | References 4 | Affected Software 1
Source: CVE | added 2026/05/16 3:25 p.m. | 18 views

CVE-2020-37227

HS Brand Logo Slider 2.1 (a WordPress plugin) has an unrestricted file upload vulnerability. Authenticated users can bypass client-side extension checks by targeting the logoupload parameter in the admin interface and rename uploaded files to executable extensions such as .php, enabling remote co...

CVSS 8.8 | AI score 6.3 | EPSS 0.00541 | Exploits 0 | References 4
Source: Cvelist | added 2026/05/16 3:25 p.m. | 39 views

CVE-2020-37227 WordPress Plugin HS Brand Logo Slider 2.1 Unrestricted File Upload

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...

CVSS 8.8 | EPSS 0.00541 | Exploits 0 | References 4
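The HS Brand Logo Slider entries above all describe the same failure: the only extension check runs in the browser, so an attacker who intercepts the request and renames the file gets a .php file onto the server. The following is an added example, not the plugin's code, of what the upload handler should decide for itself on the server: extension allowlist, file-signature match, a scan for embedded PHP tags, and a server-chosen filename. The sample files, the size limit and the `validate_logo_upload` function name are constructed for this example.

```python
"""Added example (not the plugin's own code): server-side checks for a logo
upload. Client-side extension filtering, as the advisory describes, can be
removed by re-sending the request, so every decision here is made on the
server from the bytes received. Sample files are constructed inline."""
import os
import uuid

# Extension allowlist with the file signature each one must carry.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024                      # assumed limit for a logo image
PHP_MARKERS = (b"<?php", b"<?=")                 # polyglot tell-tales


def validate_logo_upload(client_filename, content):
    """Return (ok, stored_name_or_reason). The client-supplied name is used only
    to read the extension; the stored name is chosen by the server."""
    if not content:
        return False, "empty file"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    # Strip any directory part the client sent (../../, C:\..., etc.).
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()     # ".htaccess" yields "" and is rejected
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed: %r" % ext
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match a %s signature" % ext
    # A valid image header followed by PHP tags is a polyglot; a handler that
    # executes the file by path (or an .htaccess trick) would run it.
    if any(marker in content for marker in PHP_MARKERS):
        return False, "PHP tags embedded in image"
    return True, uuid.uuid4().hex + ext


# Constructed sample uploads: name the client sent -> bytes received.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
SAMPLES = {
    "logo.png": PNG_HEADER + b"\x00" * 32,
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.png": b"<?php system($_GET['c']); ?>",
    "polyglot.png": PNG_HEADER + b"\x00" * 8 + b"<?php echo 1; ?>",
    "../../evil.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}


def run_samples():
    """Map each sample name to the accept/reject decision."""
    return {name: validate_logo_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-16s -> %s" % (name, validate_logo_upload(name, data)))
```

Validation alone is not the whole fix: store accepted files outside the web root, or in a directory where the web server will not execute scripts, so that even a file that slips past the checks is served as static bytes.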
Source: Veracode | added 2026/05/16 10:34 a.m. | 14 views

Arbitrary Code Injection

Froxlor is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper escaping of single quotes in PhpHelper::parseArrayToString, which allows an attacker to inject arbitrary PHP code through the privilegeduser parameter that gets executed on subsequent requests...

CVSS 9.1 | AI score 6 | EPSS 0.0048 | Exploits 1 | References 3 | Affected Software 1
Source: Veracode | added 2026/05/16 5:25 a.m. | 8 views

Server-Side Request Forgery

Arcane is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to the /api/templates/fetch endpoint accepting a user-controlled url parameter and performing server-side HTTP requests without authentication or validation of the URL scheme and destination host, allowing...

CVSS 7.2 | AI score 5.9 | EPSS 0.00621 | Exploits 1 | References 3 | Affected Software 1
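The Arcane entry names the two missing controls: a scheme check and a destination-host check. As an added example (not Arcane's code), the block below shows a destination check a server-side fetcher should apply before connecting: allow only http(s), refuse userinfo, and require every address the host resolves to be outside loopback, RFC 1918, link-local (where cloud metadata services live), CGNAT and multicast ranges, unwrapping IPv4-mapped IPv6 first. DNS is replaced by a constructed hostname table so the example runs offline; `check_fetch_url` and the table are assumptions of this example.

```python
"""Added example (not Arcane's own code): destination validation for a
server-side URL fetcher. Assumes the fetcher receives a user-supplied `url`;
DNS is stubbed with a constructed table so the check runs offline."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Networks a server-side fetcher should never be pointed at: loopback, RFC 1918,
# link-local (cloud metadata lives at 169.254.169.254), CGNAT, multicast, etc.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed hostname table standing in for DNS (an assumption of this example).
FAKE_DNS = {
    "templates.example.org": ["203.0.113.10"],
    "internal.corp": ["10.0.0.5"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example.net": ["203.0.113.20", "127.0.0.1"],  # one public, one loopback answer
}


def resolve_fake(host):
    if host not in FAKE_DNS:
        raise ValueError("unresolvable host %r" % host)
    return FAKE_DNS[host]


def is_blocked_address(ip_text):
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as an unrelated IPv6 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_fetch_url(url, resolve=resolve_fake):
    """Return (ok, reason). ok only for http(s) URLs with no userinfo whose host
    is, or resolves exclusively to, an address outside BLOCKED_NETWORKS."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if "@" in parts.netloc:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]              # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = resolve(host)   # every answer must pass, not just the first
        except ValueError as e:
            return False, str(e)
    for a in addrs:
        if is_blocked_address(a):
            return False, "host resolves to blocked address %s" % a
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://templates.example.org/compose.yaml",
              "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd", "http://dual.example.net/"):
        print(u, "->", check_fetch_url(u))
```

The check runs before the connection, so two things still need handling in the fetcher itself: connect to the address that was validated (or pin the resolution) so a DNS answer cannot change between check and connect, and re-run the check on every redirect hop rather than only on the first URL.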
Source: Veracode | added 2026/05/16 5:23 a.m. | 5 views

Sensitive Information Exposure

Portainer Community Edition is vulnerable to Exposure of Sensitive Information. The vulnerability is due to the authentication middleware accepting JWT bearer tokens through the ?token= URL query parameter, which allows an attacker to obtain authentication tokens from browser history, proxy logs,...

CVSS 7.7 | AI score 5.8 | EPSS 0.00316 | Exploits 1 | References 4 | Affected Software 1
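The Portainer entry's point is where a token in a URL ends up: browser history, proxy and reverse-proxy access logs. The block below is an added detection example (not Portainer's code) that walks access-log lines, parses the request target, and flags JWT-shaped values in token-like query parameters, decoding the claims (without verifying the signature) for triage. The log lines, tokens, parameter names and function names are all constructed for this example.

```python
"""Added example (not Portainer's own code): hunting for bearer tokens that were
sent in a query string, which is exactly what lands in proxy logs and browser
history. The access-log lines and JWTs below are constructed for this example."""
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
10.0.0.7 - - [16/May/2026:10:01:02 +0000] "GET /api/endpoints?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MX0.c2lnbmF0dXJl HTTP/1.1" 200 512
10.0.0.7 - - [16/May/2026:10:01:05 +0000] "GET /api/endpoints HTTP/1.1" 200 512
10.0.0.9 - - [16/May/2026:10:02:11 +0000] "GET /api/stacks?token=not-a-jwt HTTP/1.1" 401 33
10.0.0.9 - - [16/May/2026:10:02:30 +0000] "GET /ws/exec?id=3&token=eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2ln HTTP/1.1" 101 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Compact JWS: three base64url segments; a JSON header starting with {"alg" encodes as "eyJ".
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
SUSPECT_PARAMS = ("token", "jwt", "access_token", "id_token")   # assumed names to watch


def decode_jwt_claims(token):
    """Decode the payload without verifying the signature: enough for triage,
    never evidence that the token is genuine."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def find_tokens_in_query(log_text):
    """Return one dict per request that carried a JWT in a suspect query parameter."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        qs = parse_qs(parts.query, keep_blank_values=True)
        for name in SUSPECT_PARAMS:
            for value in qs.get(name, []):
                if JWT_RE.match(value):
                    hits.append({
                        "line": lineno,
                        "path": parts.path,
                        "param": name,
                        "token_prefix": value[:12] + "...",   # do not copy the whole token into another log
                        "claims": decode_jwt_claims(value),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_tokens_in_query(SAMPLE_LOG):
        print(hit)
```

Every hit is a token that should be treated as exposed: revoke or rotate it, and check the same path for other clients, since a client that sends tokens in the URL once will keep doing so until it is fixed.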
Source: RedhatCVE | added 2026/05/16 1:56 a.m. | 12 views

CVE-2026-42847

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 122, there is a critical SQL injection (SQLi) vulnerability in ClipBucket, exploitable through the type parameter on the authenticated admin endpoint adminarea/actionlogs.php. The endpoint adminarea/actionlogs.php reads...

CVSS 7.1 | AI score 5.9 | EPSS 0.00203 | Exploits 0 | References 1
Source: CNNVD | added 2026/05/16 12:00 a.m. | 8 views

EgavilanMedia PHPCRUD SQL injection vulnerability

EgavilanMedia PHPCRUD is a PHP development framework provided by EgavilanMedia that supports database operations such as creation, deletion, modification, and viewing, along with rapid generation of backend management pages. Version 1.0 of EgavilanMedia PHPCRUD contains a SQL injection...

CVSS 8.8 | AI score 6 | EPSS 0.00276 | Exploits 0 | References 1
Source: Positive Technologies | added 2026/05/16 12:00 a.m. | 16 views

PT-2026-41442

Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or...

CVSS 8.8 | AI score 6.2 | EPSS 0.00276 | Exploits 0 | References 5
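The Supsystic entry is an ORDER BY injection: sidx is a sort-column name, and a column name cannot be passed as a bound parameter, so the usual prepared-statement fix does not apply on its own. The block below is an added example (not the plugin's code) of the allowlist mapping that does fix it, next to the concatenating pattern the advisory describes and a boolean-based blind probe showing why row order alone is enough to leak a bit. The SQLite table, rows, and function names are constructed for this example.

```python
"""Added example (not the Supsystic plugin's own code): ORDER BY cannot take a
bound parameter, so a sort-column request like `sidx` must be mapped through an
allowlist. The table and rows are constructed for this example."""
import sqlite3

# Client-visible sort keys -> real column names. Anything else is rejected.
SORTABLE_COLUMNS = {"id": "id", "title": "title", "created": "created_at"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maps (id INTEGER PRIMARY KEY, title TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO maps VALUES (?, ?, ?)", [
        (1, "Office", "2026-01-03"),
        (2, "Warehouse", "2026-01-01"),
        (3, "Shop", "2026-01-02"),
    ])
    return conn


def unsafe_list_query(sidx, sord):
    """The pattern the advisory describes: request values pasted into ORDER BY."""
    return "SELECT id, title FROM maps ORDER BY %s %s" % (sidx, sord)


def safe_list_query(sidx, sord):
    """Only identifiers from the allowlist ever reach the SQL text."""
    col = SORTABLE_COLUMNS.get((sidx or "id").lower())
    if col is None:
        raise ValueError("unsupported sort column: %r" % sidx)
    order = SORT_ORDERS.get((sord or "asc").lower())
    if order is None:
        raise ValueError("unsupported sort order: %r" % sord)
    # LIMIT/OFFSET are values, so they are bound normally.
    return "SELECT id, title FROM maps ORDER BY %s %s LIMIT ? OFFSET ?" % (col, order)


def sort_request_is_valid(sidx, sord):
    try:
        safe_list_query(sidx, sord)
        return True
    except ValueError:
        return False


def list_maps(conn, sidx, sord, limit=10, offset=0):
    return conn.execute(safe_list_query(sidx, sord), (limit, offset)).fetchall()


def blind_probe(conn, condition):
    """How a boolean-based blind probe reads the unsafe version: the row order
    reveals whether `condition` held, with no error and no data in the body."""
    sidx = "(CASE WHEN (%s) THEN title ELSE id END)" % condition
    rows = conn.execute(unsafe_list_query(sidx, "ASC")).fetchall()
    return [r[0] for r in rows] == [1, 3, 2]   # title order, not id order => true


if __name__ == "__main__":
    db = make_demo_db()
    print(list_maps(db, "title", "asc"))
    print(blind_probe(db, "(SELECT count(*) FROM maps) = 3"))
```

The probe needs nothing but two orderings to compare, which is why sort parameters are a favourite injection point: the application never shows an error and never echoes the query, yet each request answers one yes/no question.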
Source: CNNVD | added 2026/05/16 12:00 a.m. | 12 views

WordPress plugin Backup and Restore path traversal vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 8.8 | AI score 5.9 | EPSS 0.00397 | Exploits 0 | References 1