348 matches found
Cross-site Scripting (XSS) - Reflected in jspark311/buriedunderthenoisefloor
Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
World Travel Information <= 1.0.0 - Reflected Cross-Site Scripting
The plugin does not escape the $_SERVER['PHP_SELF'] parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. PoC: https://example.com/wp-admin/admin.php/"/?page=ti-info...
CVE-2021-40925
Cross-site scripting (XSS) vulnerability in dompdf/dompdf/www/demo.php in faveo-helpdesk v1.11.0 and below allows remote attackers to inject arbitrary web script or HTML via the $_SERVER["PHP_SELF"] parameter...
CVE-2021-40928
Cross-site scripting (XSS) vulnerability in index.php in FlexTV beta development version allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF parameter...
Cross site scripting
Cross-site scripting (XSS) vulnerability in index.php in FlexTV beta development version allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF parameter...
CVE-2021-40928
CVE-2021-40928 is an XSS vulnerability in the development version of FlexTV (index.php) exploitable via the PHP_SELF parameter. The issue arises from unsanitized input in index.php, enabling remote attackers to inject arbitrary web script or HTML. Impact details in the documents indicate a relati...
PHP_SELFish Part 2 – Reflected XSS in Easy Social Icons
Today’s post is part two of a two-part blog post. It describes a cross-site scripting vulnerability in the Easy Social Icons plugin that exploits the PHP_SELF variable. In yesterday’s post, we described another plugin, underConstruction, suffering from a similar vulnerability related to the use of...
PHP_SELFish Part 1 – Reflected XSS in underConstruction Plugin
Today’s post is part one of a two-part blog post. It describes a cross-site scripting vulnerability that exploits the PHP_SELF variable. Tomorrow we will publish part two, which describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF. So be sure to look out fo...
Cross-site Scripting (XSS) - Reflected in pheditor/pheditor
Description: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
CVE-2021-38339
The Simple Matted Thumbnails WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /simple-matted-thumbnail.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.01...
CVE-2021-38329
The DJ EmailPublish WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /dj-email-publish.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.7.2...
CVE-2021-38337
The RSVPMaker Excel WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /phpexcel/PHPExcel/Shared/JAMA/docs/download.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1...
Cross site scripting
The RSVPMaker Excel WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /phpexcel/PHPExcel/Shared/JAMA/docs/download.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1...
Cross site scripting
The Wise Agent Capture Forms WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0...
Cross site scripting
The WooCommerce Payment Gateway Per Category WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /includes/pluginsettings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.10...
CVE-2021-38327 YouTube Video Inserter <= 1.2.1.0 Reflected Cross-Site Scripting
The YouTube Video Inserter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /adminUI/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.1.0...
CVE-2021-38329 DJ EmailPublish <= 1.7.2 Reflected Cross-Site Scripting
The DJ EmailPublish WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /dj-email-publish.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.7.2...
CVE-2021-38328 Notices <= 6.1 Reflected Cross-Site Scripting
The Notices WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /notices.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1...