GHSA-R345-X8HR-2R9P acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...
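The defect class above is a REST route that serves option values without an authorization check. The following is an added example, not code from the acf-to-rest-api plugin: the route namespace, endpoint paths, callback names and the table of public option names are hypothetical; register_rest_route(), current_user_can(), get_option() and rest_ensure_response() are WordPress core.

```php
<?php
// Added illustration of the IDOR pattern in the advisory above, not the
// plugin's own code. Namespace, paths and function names are hypothetical.

add_action( 'rest_api_init', function () {
    // Vulnerable shape: any client may read any row of wp_options.
    // GET /wp-json/example/v1/options/<name> returns the option unconditionally.
    register_rest_route( 'example/v1', '/options/(?P<name>[A-Za-z0-9_-]+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_option_insecure',
        'permission_callback' => '__return_true', // no authorization at all
    ) );

    // Hardened shape: the caller must hold manage_options, and the option
    // name is validated against an allowlist before the callback runs.
    register_rest_route( 'example/v1', '/safe-options/(?P<name>[A-Za-z0-9_-]+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_option_secure',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'name' => array(
                'required'          => true,
                'validate_callback' => 'example_option_name_allowed',
            ),
        ),
    ) );
} );

function example_get_option_insecure( WP_REST_Request $request ) {
    // Reads whatever option name the client put in the URL.
    return rest_ensure_response( get_option( $request['name'] ) );
}

// Allowlist of option names this endpoint is meant to expose (hypothetical).
function example_option_name_allowed( $name ) {
    $exposed = array( 'blogname', 'blogdescription', 'permalink_structure' );
    return in_array( $name, $exposed, true );
}

function example_get_option_secure( WP_REST_Request $request ) {
    // Reached only after permission_callback and validate_callback passed.
    return rest_ensure_response( get_option( $request['name'] ) );
}
```

Since WordPress 5.5 a route registered without a permission_callback triggers a _doing_it_wrong notice, but '__return_true' silences that notice without adding any check, so grep plugins for it when auditing REST routes.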
GHSA-9X76-MP7R-2XC5 MantisBT vulnerable to CSRF and Open Redirect attacks
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial /\ substring as introducing either a local pathname or a remote hostname, which leads to (1) arbitrary Permalink Injection via CSRF...
Cross-site Request Forgery (CSRF)
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to insufficient validation of user-supplied input in the permalink_page.php and login_page.php URIs. Remediation Upgrade mantisbt/mantisbt to version 1.3.11,...
WordPress Premmerce Permalink Manager for WooCommerce plugin <= 2.3.4 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Premmerce Permalink Manager for WooCommerce plugin versions <= 2.3.4. Solution Update the WordPress Premmerce Permalink Manager for WooCommerce plugin to the latest available version at least 2.3.5...
WordPress Premmerce Permalink Manager for WooCommerce plugin <= 2.3.4 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Premmerce Permalink Manager for WooCommerce plugin versions <= 2.3.4. Solution Update the WordPress Premmerce Permalink Manager for WooCommerce plugin to the latest available version at least 2.3.5...
WordPress Permalink Manager Lite and Permalink Manager Pro plugin cross-site scripting vulnerability
WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. A cross-site scripting vulnerability exists in WordPress Permalink Manager Lite and Permalink Manager Pro plugins prior to version 2.2.15, which stems from the plugin's failure to clean up and...
CVE-2022-0201
The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue...
Cross site scripting
The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue...
CVE-2022-0201 Permalink Manager < 2.2.15 - Reflected Cross-Site Scripting
The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue...
CVE-2022-0201
The CVE pertains to WordPress Permalink Manager Lite and Pro plugins prior to version 2.2.15, with a Reflected Cross-Site Scripting (XSS) vulnerability caused by not sanitising/escaping query parameters before echoing them on the debug page. Affected components: Permalink Manager Lite/Pro plugins...
WordPress plugin cross-site scripting vulnerability
WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. A cross-site scripting vulnerability exists in WordPress Permalink Manager Lite and Permalink Manager Pro plugins prior to version 2.2.15, which stems from the plugin's failure to clean up and...
Permalink Manager < 2.2.15 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue https://example.com/index.php?p=%3Cimg%20src%20onerror=alert(/XSS/)%3E&debug_url=1...
Permalink Manager < 2.2.15 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/index.php?p=%3Cimg%20src%20onerror=alert(/XSS/)%3E&debug_url=1...
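The entries above for CVE-2022-0201 all describe the same mechanism: a debug page echoes request parameters into HTML without escaping. The following is an added example, not Permalink Manager's code, showing that pattern beside the fix of escaping at output. The function names, the table layout and the set of echoed parameters are hypothetical; the parameter names p and debug_url follow the PoC above and are assumptions about the plugin; esc_html(), wp_unslash(), sanitize_text_field() and current_user_can() are WordPress core.

```php
<?php
// Added illustration of the reflected-XSS pattern in the advisory above,
// not the plugin's own code. Names other than WordPress core functions are
// hypothetical.

// Vulnerable: the raw query value is concatenated into markup, so
// ?p=%3Cimg%20src%20onerror=alert(/XSS/)%3E is rendered as a live <img> tag
// and its onerror handler runs in the visitor's browser.
function example_debug_row_insecure( $key ) {
    $value = isset( $_GET[ $key ] ) ? wp_unslash( $_GET[ $key ] ) : '';
    return "<tr><td>{$key}</td><td>{$value}</td></tr>";
}

// Hardened: sanitise on input and escape for the HTML text context on output,
// so the same payload is displayed as literal text (&lt;img ...&gt;).
function example_debug_row_secure( $key ) {
    $value = isset( $_GET[ $key ] )
        ? sanitize_text_field( wp_unslash( $_GET[ $key ] ) )
        : '';
    return sprintf(
        '<tr><td>%s</td><td>%s</td></tr>',
        esc_html( $key ),
        esc_html( $value )
    );
}

// Limit who can reach the debug output at all: an unauthenticated visitor
// should never be able to trigger a page that reflects request parameters.
function example_render_debug_table() {
    if ( empty( $_GET['debug_url'] ) || ! current_user_can( 'manage_options' ) ) {
        return '';
    }
    $rows = '';
    foreach ( array( 'p', 'debug_url' ) as $key ) {
        $rows .= example_debug_row_secure( $key );
    }
    return '<table class="example-debug">' . $rows . '</table>';
}
```

The capability check does not replace escaping: an administrator who clicks a crafted link is still a victim of reflected XSS, which is why the escaping in example_debug_row_secure() is the actual fix and the gating is defence in depth.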
WordPress Permalink Manager Pro premium plugin <= 2.2.14 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Permalink Manager Pro premium plugin versions <= 2.2.14. Solution Update the WordPress Permalink Manager Pro premium plugin to the latest available version at least 2.2.15...
WordPress Permalink Manager Lite plugin <= 2.2.14 - Unauthorized Reflected Cross-Site Scripting (XSS) vulnerability
Unauthorized Reflected Cross-Site Scripting (XSS) vulnerability discovered by Krzysztof Zając in WordPress Permalink Manager Lite plugin versions <= 2.2.14. Solution Update the WordPress Permalink Manager Lite plugin to the latest available version at least 2.2.15...
CVE-2021-24769
The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection...
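An orderby value is an SQL identifier, so it cannot be parameterised with the %s/%d placeholders of $wpdb->prepare(); the standard fix is to map the request value onto a fixed set of column names. The following is an added example, not Permalink Manager's code: the table name, columns and function names are hypothetical, while $wpdb, $wpdb->prepare(), sanitize_key() and wp_unslash() are WordPress core.

```php
<?php
// Added illustration of the ORDER BY injection class in the advisory above,
// not the plugin's own code. Table, columns and function names are hypothetical.

// Vulnerable: the request value is interpolated directly into the statement.
// A value such as "id,(SELECT SLEEP(5))" reaches MySQL unchanged.
function example_list_uris_insecure() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    return $wpdb->get_results(
        "SELECT id, old_uri, new_uri FROM {$wpdb->prefix}example_uris ORDER BY {$orderby}"
    );
}

// Hardened: translate the request value into one of a fixed set of column
// names and directions, so no request-controlled text reaches the query.
function example_order_clause( $orderby, $order ) {
    $columns = array(
        'id'  => 'id',
        'old' => 'old_uri',
        'new' => 'new_uri',
    );
    $column = isset( $columns[ $orderby ] ) ? $columns[ $orderby ] : 'id';
    $dir    = ( strtoupper( (string) $order ) === 'DESC' ) ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$dir}";
}

function example_list_uris_secure( $per_page = 20, $page = 1 ) {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
    $order   = isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : 'asc';
    $clause  = example_order_clause( $orderby, $order );
    $offset  = ( max( 1, (int) $page ) - 1 ) * (int) $per_page;

    // Identifiers come from the allowlist; values still go through prepare().
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, old_uri, new_uri FROM {$wpdb->prefix}example_uris {$clause} LIMIT %d OFFSET %d",
        (int) $per_page,
        $offset
    ) );
}
```

On WordPress 6.2 and later $wpdb->prepare() also accepts the %i placeholder for identifiers, but an allowlist is still preferable for ORDER BY because it rejects unknown column names outright instead of quoting them into a query that then fails.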