PT-2022-25234 · WordPress · Seriously Simple Podcasting
Name of the Vulnerable Software and Affected Versions: Seriously Simple Podcasting plugin versions prior to 2.16.0 Description: A Cross-Site Request Forgery CSRF issue allows for changes to plugin settings. Recommendations: For versions prior to 2.16.0, update to version 2.16.0 or later to resolv...
PT-2022-23936 · WordPress · Add Shortcodes Actions/Filters
Name of the Vulnerable Software and Affected Versions: Add Shortcodes Actions And Filters plugin version 2.0.9 and earlier Description: The issue is related to an Authenticated Stored Cross-Site Scripting XSS vulnerability. This means that an attacker with admin or higher privileges can inject...
PT-2022-24538 · WordPress · Seo Redirection
Name of the Vulnerable Software and Affected Versions: SEO Redirection plugin versions <= 8.9 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability, which can lead to the deletion of 404 errors and redirection history. Recommendations: For SEO Redirection plugin versions <= 8.9,...
PT-2022-25286 · WordPress · Testimonial Slider
Name of the Vulnerable Software and Affected Versions: GS Testimonial Slider plugin versions prior to 1.9.7 Description: The issue concerns multiple authenticated Stored Cross-Site Scripting XSS vulnerabilities. This means that an attacker with contributor or higher privileges can inject maliciou...
PT-2022-23350 · Totalsoft · Totalsoft Event Calendar – Calendar Plugin
Name of the Vulnerable Software and Affected Versions: Totalsoft Event Calendar – Calendar plugin versions 1.4.6 and earlier Description: The issue is related to an Authenticated Reflected Cross-Site Scripting XSS vulnerability. This means that an attacker could potentially inject malicious scrip...
PT-2022-24183 · WordPress · Apasionados Export Post Info
Name of the Vulnerable Software and Affected Versions: Apasionados Export Post Info plugin version 1.1.0 and earlier Description: The issue is related to an Authenticated Stored Cross-Site Scripting XSS vulnerability. This means that an attacker with admin or higher privileges can inject maliciou...
PT-2022-24236 · Gvectors Team · Wpforo Forum
Name of the Vulnerable Software and Affected Versions: gVectors Team wpForo Forum plugin versions <= 2.0.5 Description: The issue is related to a Cross-Site Request Forgery CSRF vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web...
PT-2022-23334
Name of the Vulnerable Software and Affected Versions: Simon Ward MP3 jPlayer plugin versions <= 2.7.3 Description: The issue concerns multiple Cross-Site Request Forgery CSRF vulnerabilities. CSRF is a type of attack where an attacker tricks a user into performing unintended actions on a web...
PT-2022-15655 · WordPress · Wp Edit Menu
Name of the Vulnerable Software and Affected Versions: WP Edit Menu WordPress plugin versions prior to 1.5.0 Description: The issue concerns a lack of CSRF protection in an AJAX action, which could allow attackers to make a logged-in admin delete arbitrary posts or pages from the blog via a CSRF...
PT-2022-16549 · WordPress · Dw Promobar
Name of the Vulnerable Software and Affected Versions: DW Promobar WordPress plugin versions 1.0.0 through 1.0.4 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks when the unfiltered html capability is disallowed, for example in a...
Transposh WordPress Translation 1.0.7 Cross Site Scripting
RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/ Type: Cross-Site Scripting CWE-79 Date found: 2021-08-19 Date published:...
PT-2022-22993 · WordPress · Testimonial Slider
Name of the Vulnerable Software and Affected Versions: GS Testimonial Slider plugin versions 1.9.5 and earlier GS Testimonial Slider plugin versions 1.9.1 and earlier Description: The issue is related to an Authenticated Stored Cross-Site Scripting XSS vulnerability. This vulnerability can be...
PT-2022-13657 · WordPress · The Mihdan: No External Links
Name of the Vulnerable Software and Affected Versions: The Mihdan: No External Links WordPress plugin versions prior to 5.0.2 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed,...
Cross-site Scripting in Jenkins Maven Metadata Plugin
Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.1 and earlier does not escape the name and description of List maven artifact versions parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure...
Cross-site Scripting in Jenkins Dynamic Extended Choice Parameter Plugin
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape the name and description of Moded Extended Choice parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...
Cross-site Scripting in Jenkins Hidden Parameter Plugin
Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. Exploitation of this...
GHSA-438W-RJJ9-5FJF Cross-site Scripting in Jenkins Repository Connector Plugin
Jenkins Repository Connector Plugin 2.2.0 and earlier does not escape the name and description of Maven Repository Artifact parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. Exploitation...
CVE-2022-31095
discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily...
Important: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes
Red Hat Advanced Cluster Management for Kubernetes 2.5.0 is now generally available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...
Agent-to-controller access control allows reading/writing most content of build directories in Jenkins
Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related...