5785 matches found

Positive Technologies
added 2021/09/09 12:00 a.m. · 4 views

PT-2021-21383 · WordPress · Wp Google Maps

Name of the Vulnerable Software and Affected Versions: WordPress WP Google Maps plugin versions = 8.1.12. Description: The issue concerns multiple authenticated persistent Cross-Site Scripting (XSS) vulnerabilities. Vulnerable parameters include &dataset name, &wpgmza gdpr retention purpose, &wpgmza...

5.5 CVSS · 5.3 AI score · 0.00566 EPSS
Exploits 0 · References 5
WPVulnDB
added 2021/09/08 12:00 a.m. · 19 views

More From Google <= 0.0.2 - Reflected Cross-Site Scripting

The plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the /morefromgoogle.php file which allows attackers to inject arbitrary web scripts...

6.1 CVSS · 4.3 AI score · 0.00866 EPSS
Exploits 1 · References 1 · Affected Software 1
WPVulnDB
added 2021/09/07 12:00 a.m. · 16 views

Chained Quiz < 1.2.7.2 - Authenticated Stored Cross Site Scripting

The plugin does not properly sanitize or escape inputs in the plugin's settings. PoC: Open "Chained Quiz Social Sharing" in the WP admin panel. Under title field enter the payload: " Click on Save All Setting and the XSS will fire every time the Social Sharing page is loaded...

5.4 CVSS · 1 AI score · 0.00604 EPSS
Exploits 2 · Affected Software 1
Prion
added 2021/09/06 11:15 a.m. · 9 views

Cross site scripting

The WPFront Notification Bar WordPress plugin before 2.1.0.08087 does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

3.5 CVSS · 5.1 AI score · 0.00604 EPSS
Exploits 2 · References 1 · Affected Software 1
Prion
added 2021/09/02 5:15 p.m. · 25 views

Design/Logic Flaw

The Gutenberg Template Library & Redux Framework plugin = 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php that were unique to a given site but deterministic and predictable given that they were bas...

5 CVSS · 5.2 AI score · 0.2756 EPSS
Exploits 6 · References 1 · Affected Software 1
CVE
added 2021/09/02 4:53 p.m. · 67 views

CVE-2021-38312

The CVE-2021-38312 entry concerns the WordPress Gutenberg Template Library & Redux Framework plugin, affected versions

7.1 CVSS · 5.8 AI score · 0.01298 EPSS
Exploits 2 · References 1 · Affected Software 1
CNNVD
added 2021/09/02 12:00 a.m. · 26 views

WordPress Plugin Security Vulnerability

WordPress is a blogging platform from the WordPress Foundation, developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress Plugin is an open source application plugin for WordPress. A security vulnerability exists in WordPress...

5.3 CVSS · 5.6 AI score · 0.2756 EPSS
Exploits 6 · References 3
Patchstack
added 2021/09/01 12:00 a.m. · 18 views

WordPress Easy Social Icons plugin <= 3.0.8 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting (XSS) vulnerability discovered by Ram Gall (WordFence) in WordPress Easy Social Icons plugin versions <= 3.0.8. Solution: Update the WordPress Easy Social Icons plugin to the latest available version (at least 3.0.9)...

6.1 CVSS · 2.6 AI score · 0.02231 EPSS
Exploits 2 · References 3 · Affected Software 1
CNNVD
added 2021/08/31 12:00 a.m. · 3 views

Jenkins Code Issue Vulnerability

Jenkins is a Jenkins open source application. An open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project. A code issue vulnerability exists in Jenkins Nested View Plugin 1.20 and earlier, which arises from an improperly designe...

7.1 CVSS · 7.2 AI score · 0.01279 EPSS
Exploits 0 · References 3
Positive Technologies
added 2021/08/31 12:00 a.m. · 4 views

PT-2021-14722 · Jenkins · Jenkins Azure Ad Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Azure AD Plugin versions 164.v5b48baa961d2 through 179.vf6841393099e. Description: The issue allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. This is due to an overly permissive...

8.8 CVSS · 8.7 AI score · 0.00661 EPSS
Exploits 0 · References 8
NVD
added 2021/08/30 7:15 p.m. · 13 views

CVE-2021-34646

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the...

9.8 CVSS · 0.50869 EPSS
Exploits 8 · References 2
WPVulnDB
added 2021/08/30 12:00 a.m. · 11 views

User Activity Log < 1.4.7 - Reflected Cross-Site Scripting

The plugin does not escape the txtsearch parameter before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue. PoC: https://example.com/wp-admin/admin.php?page=useractionlog=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F...

0.1 AI score
Exploits 0 · Affected Software 1
WPVulnDB
added 2021/08/30 12:00 a.m. · 18 views

User Activity Log < 1.4.7 - Reflected Cross Site Scripting via Query String

The plugin does not escape the $_SERVER['QUERY_STRING'] before outputting it back in attributes, which could lead to Reflected Cross-Site Scripting in web browsers which do not encode URL characters. PoC: With a web browser which does not encode characters or use Burp Suite and decode the URL via the...

1.4 AI score
Exploits 0 · Affected Software 1
WPVulnDB
added 2021/08/28 12:00 a.m. · 24 views

Duplicate Page < 4.4.3 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The attempt to fix the issue in 4.4.2 is insufficient and...

4.8 CVSS · 1.1 AI score · 0.0087 EPSS
Exploits 2 · References 1 · Affected Software 1
wpexploit
added 2021/08/28 12:00 a.m. · 769 views

Duplicate Page < 4.4.3 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The attempt to fix the issue in 4.4.2 is insufficient and...

4.8 CVSS · 0.0087 EPSS
Exploits 2 · References 1
WPVulnDB
added 2021/08/24 12:00 a.m. · 12 views

Live Scores for SportsPress < 1.9.1 - Authenticated Local File Inclusion

The plugin does not validate or sanitise the tab parameter in the admin dashboard before using it in an include statement, leading to an Authenticated Local File Inclusion. PoC: https://example.com/wp-admin/admin.php?page=live-scores-for-sportspress=../../index This will include the homepage of the...

7 AI score
Exploits 0 · Affected Software 1
WPVulnDB
added 2021/08/24 12:00 a.m. · 15 views

Coupon Affiliates for WooCommerce < 4.11.0.2 - Reflected Cross-Site Scripting

The plugin does not escape the page parameter in its Referral Visits dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. PoC...

2.2 AI score
Exploits 0 · Affected Software 1
wpexploit
added 2021/08/24 12:00 a.m. · 169 views

Booster for WooCommerce < 5.4.4 - Authentication Bypass

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the...

9.8 CVSS · 0.9 AI score · 0.50869 EPSS
Exploits 8 · References 1
wpexploit
added 2021/08/24 12:00 a.m. · 570 views

Recipe Card Blocks < 2.8.3 - Contributor+ Stored Cross-Site Scripting

The plugin does not properly sanitise or escape some of the properties of the Recipe Card Block such as ingredientsLayout, iconSet, steps, ingredients, recipeTitle, or settings, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. As a...

5.4 CVSS · 5.3 AI score · 0.00604 EPSS
Exploits 2
Prion
added 2021/08/23 12:15 p.m. · 12 views

Cross site scripting

The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues...

3.5 CVSS · 5.3 AI score · 0.00604 EPSS
Exploits 2 · References 1 · Affected Software 1