8304 matches found
CVE-2023-2407
CVE-2023-2407 is a CSRF flaw in The Event Registration Calendar By vcita plugin (and Online Payments) for WordPress. The root cause is missing nonce validation in the ls_parse_vcita_callback() function, allowing unauthenticated attackers to modify plugin settings and inject malicious JavaScript v...
CVE-2023-2406 Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficien...
CVE-2023-2406
The CVE-2023-2406 issue affects the WordPress plugins Event Registration Calendar By vcita (up to v3.9.1) and Online Payments – Get Paid with PayPal, Square & Stripe (up to v1.3.1). Root cause: insufficient input sanitization and output escaping on the email parameter, enabling Stored XSS. Exploi...
Multiple plugins by vcita - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email field in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts in the plugin settings page, which could target high privilege users such as administrators. PoC...
PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'
Impact A "mismatch" type InventoryTransactionPacket is sent by the client to request a resync of all currently open inventories. Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can ...
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
Last week, there were 90 vulnerabilities disclosed in 77 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities ...
[SECURITY] Fedora 37 Update: editorconfig-0.12.6-1.fc37
EditorConfig makes it easy to maintain the correct coding style when switching between different text editors and between different projects. The EditorConfig project maintains a file format and plugins for various text editors which allow this file format to be read and used by those editors...
CVE-2023-1661
The Display post meta, term meta, comment meta, and user meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post metadata in versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
Joomla Plugins Detected
This is an informational notice that the scanner was able to detect one or more installed Joomla plugins. No source data...
Drupal Plugins Detected
This is an informational notice that the scanner was able to detect one or more installed Drupal plugins. No source data...
Symfony Debug Mode Enabled
Symfony is a free and open-source PHP web application framework relying on bundles, which are plugins allowing developers to hook into Symfony. Symfony offers a debug mode which allows developers to get additional tools like the web profiler and the debug toolbar to help troubleshooting their...
SUSE SLES15 / openSUSE 15 Security Update : cni-plugins (SUSE-SU-2023:2324-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:2324-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...
SUSE: Security Advisory (SUSE-SU-2023:2324-1)
The remote host is missing an update for the...
SUSE-SU-2023:2324-1 Security update for cni-plugins
This update of cni-plugins fixes the following issues: - rebuild the package with the go 1.19 security release (bsc#1200441)...
PT-2023-36188 · Unknown · Cni-Plugins
Name of the Vulnerable Software and Affected Versions: cni-plugins (affected versions not specified). Description: The issue is related to the go 1.19 security release. The package cni-plugins has been rebuilt to address this issue. Recommendations: At the moment, there is no information about a new...
dnf-plugins-core bug fix and enhancement update
An update is available for dnf-plugins-core. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. For detailed information on changes in this release, see the Rocky...
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
Last week, there were 82 vulnerabilities disclosed in 59 WordPress Plugins and 11 WordPress themes, along with 6 in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 26 Vulnerability Researchers that contributed to WordPress Security last...
GHSA-QVQ8-CW7F-M7M4 Apache JSPWiki vulnerable to cross-site scripting on several plugins
A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later...
Apache JSPWiki vulnerable to cross-site scripting on several plugins
A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later...
CVE-2022-46907 Apache JSPWiki: XSS Injection points in several plugins
A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later...