154 matches found
Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting
The plugin does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. Go to Setting Tab Under Calendar Lite Plugin Under Setting tab Click on Slugs/Permalinks tab Enter the XSS payload into Main Slug and Category Slug both. Both fields are vulnerable...
Cross site scripting
A cross site scripting XSS vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML...
CVE-2020-22150
A cross site scripting XSS vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML...
in ampache/ampache
✍️ Description According to PHP official documents 1 we have for mtrand function an security issue that says "This function does not generate cryptographically secure values, and should not be used for cryptographic purposes" and as we see in permalinks you use the mtrand function for generate...
GetSimple CMS Cross-Site Scripting Vulnerability (CNVD-2020-63995)
GetSimple CMS is a content management system CMS written in PHP. A security vulnerability exists in GetSimple CMS version 3.3.16, which originates from allowing persistent cross-site scripting execution of "permalinks" on parameter setting pages when you create and open a new page. No details of...
CVE-2020-13700
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wpoptions table, such as the login and pass...
CVE-2020-13700
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wpoptions table, such as the login and pass...
Cross site request forgery (csrf)
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wpoptions table, such as the login and pass...
CVE-2020-13700
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wpoptions table, such as the login and pass...
WordPress wp-better-permalinks plugin cross-site request forgery vulnerability
WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. wp-better-permalinks is a menu list structure customization plugin used in it. A cross-site request forgery vulnerability exists in...
CVE-2019-15835
The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF...
CVE-2019-15835
The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF...
CVE-2019-15835
CVE-2019-15835: The wp-better-permalinks WordPress plugin is affected by a cross-site request forgery (CSRF) vulnerability in all versions before 3.0.5. Attackers could coerce an authenticated user to perform unwanted actions via forged requests. Connected sources consistently identify the vulner...
CVE-2019-15835
The wp-better-permalinks plugin before 3.0.5 for WordPress has CSRF...
WordPress WP Better Permalinks plugin <= 3.0.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability found in WordPress WP Better Permalinks plugin versions = 3.0.4. Solution Update the WordPress WP Better Permalinks plugin to the latest available version at least 3.0.5...
WordPress Custom Permalinks plugin <=1.1 - Authenticated SQL Injection (SQLi) vulnerability
Authenticated SQL Injection SQLi vulnerability found in WordPress Custom Permalinks plugin versions =1.1. Solution Update the WordPress Custom Permalinks plugin to the latest available version at least 1.2...
WordPress Custom Permalinks plugin <=1.1 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting XSS vulnerability found in WordPress Custom Permalinks plugin versions =1.1. Solution Update the WordPress Custom Permalinks plugin to the latest available version at least 1.2...
Custom Permalinks <= 1.1 - Authenticated SQL Injection
Missing checking of user controllable input during Bulk Action in the Custom Permalinks backend page leads to SQL injection vulnerability. Send authenticated POST request to "URL/wp-admin/admin.php?page=custom-permalinks-post-permalinks" with parameters "action=delete&permalinks=1 PAYLOAD -- "...
Custom Permalinks <= 1.1 - Authenticated SQL Injection
Missing checking of user controllable input during Bulk Action in the Custom Permalinks backend page leads to SQL injection vulnerability. PoC Send authenticated POST request to "URL/wp-admin/admin.php?page=custom-permalinks-post-permalinks" with parameters "action=delete=1 PAYLOAD -- "...
Custom Permalinks <= 1.1 - Cross-Site Scripting (XSS)
User controllable input in the admin page of Custom Permalinks gets output without any escaping. PoC URL/wp-admin/admin.php?page=custom-permalinks-post-permalinks=...