
5776 matches found

Cvelist
added 2018/06/04 4:0 p.m., 21 views

CVE-2016-10660

fis-parser-sass-bin is a plugin for fis to compile sass using node-sass-binaries. fis-parser-sass-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker...

8.3 AI score, 0.00735 EPSS
Exploits 0, References 1
NVD
added 2018/05/31 8:29 p.m., 22 views

CVE-2018-11632

An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker via spear phishing/social engineering, the attacker can change the plugin settings via...

6.5 CVSS, 6.4 AI score, 0.0014 EPSS
Exploits 1, References 2
NVD
added 2018/05/31 8:29 p.m., 22 views

CVE-2018-11633

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker via spear phishing/social engineering, the attacker can change the plugin settings. The function...

6.5 CVSS, 6.6 AI score, 0.00103 EPSS
Exploits 1, References 2
CNVD
added 2018/05/23 12:0 a.m., 1 views

MyBB Admin Notes plugin cross-site request forgery vulnerability

MyBB (a.k.a. MyBulletinBoard) is free, web-based forum software developed by the MyBB team using PHP and MySQL. Admin Notes is one of its admin notes plugins. A cross-site request forgery vulnerability exists in versions of the MyBB Admin Notes plugin prior to version 1.1. A remote attacker...

6.5 CVSS, 7 AI score, 0.00197 EPSS
Exploits 1, References 1
Prion
added 2018/05/15 3:29 p.m., 24 views

Cross site scripting

There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" aka wplcname and "email" aka wplcemail input fields to wp-json/wplivechatsupport/v1/startchat whenever a malicious attacker would initiate a new chat with an administrator. NOTE: thi...

4.3 CVSS, 6.1 AI score, 0.00293 EPSS
Exploits 2, References 2, Affected Software 1
CNVD
added 2018/05/15 12:0 a.m., 3 views

MyBB Latest Posts on Profile plugin cross-site scripting vulnerability

MyBB (aka MyBulletinBoard) is free, web-based forum software developed by the MyBB team using PHP and MySQL. Latest Posts on Profile is one of its post profile plugins. A cross-site scripting vulnerability exists in version 1.1 of the MyBB Latest Posts on Profile plugin, which stems fro...

5.4 CVSS, 6.4 AI score, 0.00188 EPSS
Exploits 5, References 1
Cvelist
added 2018/05/11 2:0 p.m., 13 views

CVE-2018-10580

The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject aka thread subject field...

5.2 AI score, 0.00188 EPSS
Exploits 5, References 2
exploitpack
added 2018/05/04 12:0 a.m., 21 views

WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting

WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting Exploit Title: WF Cookie Consent - Authenticated Persistent Cross-Site Scripting Date: 23/04/2018 Exploit Author: B0UG Vendor Homepage: http://www.wunderfarm.com/ Software Link: https://en-gb.wordpress.org/plugins/wf-cookie-consent/...

4.3 CVSS, 0.1 AI score, 0.02516 EPSS
Exploits 6
Packet Storm
added 2018/04/24 12:0 a.m., 41 views

MyBB Threads To Link 1.3 Cross Site Scripting

Exploit Title: MyBB Threads to Link Plugin v1.3 - Persistent XSS Date: 3/15/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atprotonmail.com Software Link: https://community.mybb.com/mods.php?action=view&pid=1065 Version: v1.3 Tested on: Ubuntu 17.10 1. Description: When editing a...

7.4 AI score
Exploits 0
NVD
added 2018/04/23 2:29 p.m., 18 views

CVE-2018-10233

The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin...

8.8 CVSS, 8.8 AI score, 0.0017 EPSS
Exploits 0, References 3
Prion
added 2018/04/10 3:29 p.m., 13 views

Code injection

The EZPZ One Click Backup ezpz-one-click-backup plugin 12.03.10 and earlier for WordPress allows remote attackers to execute arbitrary commands via the cmd parameter to functions/ezpz-archive-cmd.php...

7.5 CVSS, 8.3 AI score, 0.02751 EPSS
Exploits 0, References 1, Affected Software 1
Packet Storm
added 2018/04/10 12:0 a.m., 18 views

WooCommerce CSV-Importer-Plugin 3.3.6 Remote Code Execution

Exploit Title: Plugin Woocommerce CSV importer 3.3.6 - RCE - Unlink Date: 08/04/2018 Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/woocommerce-csvimport/ Software Link: https://wordpress.org/plugins/woocommerce-csvimport/ Contact: http://twitter.com/lenonleite Website...

7.4 AI score
Exploits 0
OSV
added 2018/04/09 5:29 p.m., 1 views

CVE-2018-9864

The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field...

6.1 CVSS, 5.8 AI score, 0.00278 EPSS
Exploits 1, References 3
NVD
added 2018/04/04 7:29 p.m., 21 views

CVE-2018-8719

An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/ files is not restricted. For example, these files are indexed by Google and allow attackers to possibly find sensitive information...

5.3 CVSS, 5.3 AI score, 0.1532 EPSS
Exploits 6, References 1
CNVD
added 2018/04/02 12:0 a.m., 6 views

WordPress Plugin WordPress File Upload Cross-Site Scripting Vulnerability

WordPress is a blogging platform from the WordPress Software Foundation, developed in the PHP language; it supports setting up a personal blog site on servers with PHP and MySQL. The Iptanus WordPress File Upload plugin is one of its file upload plugins. A security vulnerability exists in...

5.4 CVSS, 6.7 AI score, 0.02542 EPSS
Exploits 5, References 1
CNVD
added 2018/03/29 12:0 a.m., 1 views

WordPress WooCommerce Products Filter Plugin Arbitrary Code Execution Vulnerability

WordPress is a blogging platform from the WordPress Software Foundation, developed in the PHP language; it supports setting up a personal blog site on a server with PHP and MySQL. The WooCommerce Products Filter (aka WOOF) plugin is one of its conditional filtering plugins. A security...

9.8 CVSS, 7.1 AI score, 0.23768 EPSS
Exploits 0, References 1
WPVulnDB
added 2018/03/28 12:0 a.m., 16 views

WP Security Audit Log Plugin <= 3.1.1 - Sensitive Information Disclosure

No protection on the wp-content/uploads/wp-security-audit-log/ which is indexed by google and allows for attackers to possibly find user information bad login attempts PoC Google Dork: inurl:/wp-content/uploads/wp-security-audit-log/...

5 CVSS, 4 AI score, 0.1532 EPSS
Exploits 6, References 1, Affected Software 1
CNVD
added 2018/03/27 12:0 a.m., 1 views

Jenkins Google Play Android Publisher Plugin Information Disclosure Vulnerability

Jenkins is an open source continuous integration tool developed in Java. A security vulnerability exists in the GooglePlayBuildStepDescriptor.java file in Jenkins Google Play Android Publisher Plugin 1.6 and earlier versions. An attacker can exploit the...

4.3 CVSS, 6.7 AI score, 0.00031 EPSS
Exploits 0, References 1
Packet Storm
added 2018/03/23 12:0 a.m., 19 views

MyBB Last User's Threads In Profile 1.2 Cross Site Scripting

Exploit Title: MyBB Last User's Threads in Profile Plugin v1.2 - Persistent XSS Date: 3/19/2018 Author: 0xB9 Contact: luxorforums.com/User-0xB9 or 0xB9atprotonmail.com Software Link: https://community.mybb.com/mods.php?action=view&pid=910 Version: v1.2 Tested on: Ubuntu 17.10 1. Description:...

7.1 AI score
Exploits 0
CNVD
added 2018/03/21 12:0 a.m., 4 views

Pivotal Grails Resources Plugin Path Traversal Vulnerability

Pivotal Grails is an open source framework from U.S.-based Pivotal Software, built on the Groovy programming language, for rapid development of Web applications. Resource Plugin is one of its HTML resource management plugins. A directory traversal vulnerability exists in Pivotal Grails Resources...

7.5 CVSS, 6.7 AI score, 0.00979 EPSS
Exploits 0, References 1