5776 matches found
CVE-2014-4597
Affected software: WordPress WP Social Invitations Plugin. Vulnerable component: test.php parameter handling (xhrurl) in versions before 1.4.4.3. Root cause: cross-site scripting (XSS) vulnerability allowing remote attackers to inject arbitrary script/HTML via the xhrurl parameter. Impact: potent...
Wordpress Plugin NextGEN Gallery <= 1.5.1 - XSS Vulnerability
No description provided by source. XSS Vulnerability in NextGEN Gallery Wordpress Plugin 1. Advisory Information Title: XSS Vulnerability in NextGEN Gallery Wordpress Plugin Advisory Id: CORE-2010-0323 Advisory URL: http://www.coresecurity.com/content/nextgen-gallery-xss-vulnerability Date...
MyBB Extended Useradmininfo Plugin 1.2.1 - Cross Site Scripting
No description provided by source. Exploit Title: Extended Useradmininfo MyBB Plugin 1.2.1 - Cross Site Scripting Google Dork: N/A Date: 09.02.2014 Exploit Author: Fikri Fadzil - [email protected] Vendor Homepage: http://forum.mybboard.de/user-9022.html Software Link:...
Wordpress Font Uploader Plugin 1.2.4 - Arbitrary File Upload
No description provided by source. Description : Wordpress Plugins - WordPress Font Uploader Shell Upload Vulnerability Version : 1.2.4 Link : http://wordpress.org/extend/plugins/font-uploader/ Plugins : http://downloads.wordpress.org/plugin/font-uploader.1.2.4.zip Date : 01-06-2012 Google Dork :...
AjaXplorer checkInstall.php Remote Command Execution
No description provided by source. This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3...
Wordpress Plugin DS FAQ <= 1.3.2 - SQL Injection Vulnerability
No description provided by source. Exploit Title: WordPress WP DS FAQ plugin <= 1.3.2 SQL Injection Vulnerability Date: 2011-08-18 Author: Miroslav Stampar miroslav.stamparatgmail.com @stamparm Software Link: http://downloads.wordpress.org/plugin/wp-ds-faq.1.3.2.zip Version: 1.3.2 tested...
CVE-2014-3937
SQL injection vulnerability in the Contextual Related Posts plugin before 1.8.10.2 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
CVE-2013-2107
The CVE-2013-2107 entry concerns the WordPress Mail On Update plugin, affected in versions before 5.2.0. The vulnerability is a Cross‑Site Request Forgery (CSRF) that lets an attacker exploit an authenticated admin session to change the "List of alternative recipients" via the mailonupdate_mailto...
WordPress TinyMCE Color Picker Plugin <= 1.1 - CSRF
Because of this vulnerability, attackers can hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. Solution: Update the plugin...
WordPress cnhk-slideshow Shell Upload
Exploit Title: Wordpress cnhk-slideshow plugin Shell Upload Author: Ashiyane Digital Security Team Date: 05/18/2014 Vendor Homepage: http://cnhk-systems.webege.com Software Link : http://downloads.wordpress.org/plugin/cnhk-slideshow.2.1.1.zip Google dork: inurl:/wp-content/plugins/cnhk-slideshow/...
WP e-Commerce Swipe <= 3.1.0 - Multiple XSS Issues
The last time it was checked the plugin was still affected and had been closed...
CVE-2013-4240
Multiple cross-site request forgery (CSRF) vulnerabilities in the HMS Testimonials plugin before 2.0.11 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add new testimonials via the hms-testimonials-addnew page, (2) add new groups via the...
WordPress EasyMedia Gallery 1.2.29 Cross Site Scripting
Title: EasyMedia Gallery XSS. Version: easy-media-gallery.1.2.29. Date: 23.02.2014. Found: HauntIT Blog. Home: http://wordpress.org/plugins/ ...
Cross site scripting
Cross-site scripting (XSS) vulnerability in inc/rafform.php in the Recommend to a friend plugin 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the currenturl parameter...
WordPress Plugin Lazy SEO 1.1.9 - Arbitrary File Upload
Exploit Title : Wordpress Lazy SEO plugin Shell Upload Vulnerability Exploit Author : Ashiyane Digital Security Team Google Dork: : inurl:/wp-content/plugins/lazy-seo/ Date: 2013/09/21 Vendor Homepage : http://wordpress.org/plugins/lazy-seo Software Link :...
PJ blog plug-in vulnerability of the actuator can be bulk obtained webshell-vulnerability warning-the black bar safety net
pjblog in 0 7 in a civil plug-in vulnerabilities. The vulnerability is in the PJ blog editor, which does not filter sensitive characters. The plugin's author is not currently maintaining or updating it. Do not use this plugin and the blog will not be affected. Most PJ blog webshells can be obtained in batch. QQ screenshot...
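Discuz! admin panel: third-party plugin allows uploading files with arbitrary extensions to get a shell (caused by a certain plugin)
Brief description: An article on using a plugin to get a shell on a Discuz! forum: http://zone.wooyun.org/content/5275 The plugin I used in that article is Zend-encrypted, so some systems may not support it. The plugin-based technique discussed today uses an unencrypted plugin, which is supported basically everywhere, regardless of version or system. Also, some people have pointed out that installing a plugin requires a security password, and indeed some forums do require one. Security password bypass, version 1: http://www.wooyun.org/bugs/wooyun-2013-032644 I have already submitted it to the vendor, so it no longer works. But I will post version 2 of the security password bypass later. Detailed description:...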
CVE-2013-2707
Cross-site request forgery (CSRF) vulnerability in the Login With Ajax plugin before 3.1 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings...
WordPress WP125 Plugin <= 1.4.9 - CSRF
Because of this vulnerability in adminmenus.php, attackers can hijack the authentication of administrators for requests that add or edit an ad via unspecified vectors. Solution: Update the plugin...
XSS Flaw in WordPress Plugin Allows Injection of Malicious Code
Hardly a week goes by without some new vulnerability in WordPress or one of its components showing up on a mailing list or in a security advisory. This week’s first entrant is a newly disclosed flaw in a plugin that displays ad banners on WordPress sites, a bug that enables an attacker to inject...