5785 matches found

CNNVD | added 2021/06/22 12:0 a.m. | 4 views

WordPress plugin cross-site scripting vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress Plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists i...

CVSS 5.4 | AI score 5.9 | EPSS 0.00932
Exploits: 4 | References: 6
CNNVD | added 2021/06/21 12:0 a.m. | 2 views

WordPress cross-site scripting vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in versions of the WordPress GetPaid plugin prior to...

CVSS 5.4 | AI score 5.4 | EPSS 0.00624
Exploits: 2 | References: 1
CNNVD | added 2021/06/21 12:0 a.m. | 2 views

WordPress plugin Admin Columns cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 5.4 | AI score 5.8 | EPSS 0.00997
Exploits: 1 | References: 3
WPVulnDB | added 2021/06/21 12:0 a.m. | 19 views

Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning

The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning, and therefore potentially a full compromise of the underlying structure. PoC: RCE through chaining LFI with log poisoning. 1. Path Traversal / Local File...

CVSS 9 | EPSS 0.04956
Exploits: 2 | Affected Software: 1
CNNVD | added 2021/06/20 12:0 a.m. | 1 views

WordPress cross-site scripting vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress Plugin A cross-site scripting vulnerability exists that stems from a cross-site scripting...

CVSS 6.1 | AI score 5.9 | EPSS 0.00827
Exploits: 2 | References: 2
Prion | added 2021/06/14 2:15 p.m. | 17 views

Design/Logic Flaw

In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activateplugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites...

CVSS 6.5 | AI score 8.6 | EPSS 0.02997
Exploits: 3 | References: 2 | Affected Software: 1
Prion | added 2021/06/14 2:15 p.m. | 15 views

Cross-site scripting

The Stock in & out WordPress plugin through 1.0.4 has a search functionality that is accessible to users at the contributor level and above. The srch POST parameter is not validated, sanitised or escaped before being used in an echo statement, leading to a reflected XSS issue...

CVSS 3.5 | AI score 5.2 | EPSS 0.00675
Exploits: 2 | References: 2 | Affected Software: 1
Prion | added 2021/06/14 2:15 p.m. | 9 views

Cross-site scripting

In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being output in the page where the gallery is embedded, leading to a stored Cross-Site Scripting issue...

CVSS 3.5 | AI score 5.2 | EPSS 0.00624
Exploits: 2 | References: 1 | Affected Software: 1
CNNVD | added 2021/06/14 12:0 a.m. | 7 views

BetterLinks WordPress plugin access control error vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security vulnerability exists in BetterLinks WordPress plugin versions prior to 2.0.4, which stems...

CVSS 8.8 | AI score 5.9 | EPSS 0.02997
Exploits: 3 | References: 2
CNNVD | added 2021/06/14 12:0 a.m. | 4 views

WordPress SQL injection vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. Yes/No Chart is a plugin for WordPress. Yes/No Chart WordPress plugin versions prior to 1.0.12 suffer from a SQL injection...

CVSS 6.5 | AI score 6 | EPSS 0.01164
Exploits: 2 | References: 1
CNNVD | added 2021/06/14 12:0 a.m. | 0 views

WordPress SQL injection vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A SQL injection vulnerability exists in WordPress Sendit WP Newsletter plugin 2.5.1 and earlier...

CVSS 6.6 | AI score 6.2 | EPSS 0.01338
Exploits: 2 | References: 2
wpexploit | added 2021/06/14 12:0 a.m. | 102 views

10Web Map Builder for Google Maps < 1.0.70 - Authenticated Stored XSS

The plugin does not validate or escape its MAP API Key, Center Address, Center Lat, Center Lng and Zoom Level settings in the admin dashboard, allowing high privilege users such as admin to use JavaScript payloads in them, leading to Stored Cross-Site Scripting issues even when the unfiltered_html...

AI score 6.2
Exploits: 0 | References: 1
WPVulnDB | added 2021/06/08 12:0 a.m. | 10 views

WP Prayer < 1.6.7 - Arbitrary Plugin Settings Update via CSRF

The plugin did not properly check for CSRF in some of its module functions, allowing an attacker to make a logged-in admin change all of the plugin's settings, including the email settings for example. v1.6.6 fixed most of CSRF checks, but the one in model.emailsettings.php was improperly fixed bypass still...

AI score 1.7
Exploits: 0 | Affected Software: 1
WPVulnDB | added 2021/06/07 12:0 a.m. | 14 views

Recently < 3.0.5 - Authenticated Code Injection

Jerome Bruandet from NinTechNet discovered a code injection issue in the plugin before 3.0.5...

AI score 2.1
Exploits: 0 | References: 1 | Affected Software: 1
CNNVD | added 2021/06/02 12:0 a.m. | 4 views

WordPress and Fancy Product Designer code issue vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports personal blog sites on PHP and MySQL servers. A code issue exists in the WordPress plugin Fancy Product Designer, which originates from "wp-admin" or...

CVSS 9.8 | AI score 8.5 | EPSS 0.47091
Exploits: 2 | References: 6
OSV | added 2021/06/01 2:15 p.m. | 2 views

CVE-2021-24310

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with an XSS payload in it, which will be triggered when another user views the gallery list or the affected gallery i...

CVSS 4.8 | AI score 6.2 | EPSS 0.01131
Exploits: 6 | References: 1
Prion | added 2021/06/01 2:15 p.m. | 12 views

Cross-site request forgery (CSRF)

The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, nor does it perform any validation and sanitisation on them, allowing attackers to make a logged-in administrator set arbitrary XSS payloads in them...

CVSS 4.3 | AI score 6.2 | EPSS 0.008
Exploits: 2 | References: 4 | Affected Software: 1
Cvelist | added 2021/06/01 11:33 a.m. | 14 views

CVE-2021-24331 Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS

The Smooth Scroll Page Up/Down Buttons WordPress plugin before 1.4 did not properly sanitise and validate its settings, such as psbdistance, psbbuttonsize, psbspeed, only validating them client side. This could allow high privilege users such as admin to set XSS payloads in them...

AI score 5.1 | EPSS 0.00652
Exploits: 2 | References: 2
WPVulnDB | added 2021/06/01 12:0 a.m. | 14 views

All 404 Redirect to Homepage < 2.1 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin v1.21 attempted to fix a Stored Cross-Site Scripting issue in its "Redirect All 404 page to" settings; however, the fix is insufficient, still allowing the issue to be triggered. This could allow high privilege users, even with unfiltered_html disabled, to use malicious payloads in it,...

AI score 0.8
Exploits: 0 | Affected Software: 1
CNNVD | added 2021/06/01 12:0 a.m. | 2 views

WordPress plugin cross-site scripting vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists i...

CVSS 5.4 | AI score 6 | EPSS 0.0065
Exploits: 2 | References: 1