CVE-2021-36872 WordPress Popular Posts plugin <= 5.3.3 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin versions <= 5.3.3. Vulnerable at &widget-wpp2posttype...
CVE-2021-36872
CVE-2021-36872 affects WordPress Popular Posts plugin (versions
WordPress Cross-Site Scripting Vulnerability
WordPress is the WordPress Foundation's blogging platform, developed in PHP. The platform supports hosting personal blog sites on servers with PHP and MySQL. The WordPress plugin Popular Posts 5.3.3 and previous versions have a cross-site scripting vulnerability tha...
Allow REL= and HTML in Author Bios <= .1- Author+ Stored Cross-Site Scripting
The plugin does not sanitise the allowed HTML in Bio, allowing user with a role as low as author to perform Cross-Site Scripting attack against users viewing their posts PoC As Author, put a JS payload such as in your Biographical Info via your Profile, then access any public posts made by your...
CVE-2021-24585
The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address, along with other less sensitive data, of the user related to the Event Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts...
Cross site scripting
The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which results in Stored Cross-Site Scripting issues in frontend posts and the plugin's settings page depending on the payload used...
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
The plugin does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. Put the following payload in the QR setting: "alert/XSS/ The XSS will be triggered in the plugin's...
WordPress Plugin Cross-Site Scripting Vulnerability
WordPress is the WordPress Foundation's blogging platform, developed in PHP. The platform supports personal blog sites on PHP and MySQL servers. WordPress Plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists in the WordPress...
Find My Blocks < 3.4.0 - Private Post Titles Disclosure
The plugin does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. PoC Create a private post with at least one Gutenberg paragraph block and go to https://example.com/wp-json/find-my-blocks/blocks/?name=core/paragraph...
Simple Social Media Share Buttons < 3.2.4 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the Share Title setting before outputting it in the frontend pages or posts depending on the settings used, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC Put the following payload in the...
PT-2021-22030 · WordPress · The Gutenberg Template Library & Redux Framework
Name of the Vulnerable Software and Affected Versions: The Gutenberg Template Library & Redux Framework plugin versions prior to 4.2.12 Description: The issue concerns an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route. Specifically, t...
Blog_mini Cross-Site Scripting Vulnerability
Blog_mini is an open source blogging system. Blog_mini v1.0 is vulnerable to a cross-site scripting vulnerability; an attacker could use this vulnerability to execute arbitrary code via the "Manage Submitted Posts" component...
WordPress plugin Popular Posts remote code execution vulnerability
WordPress is a blogging platform developed in PHP. It can be used to set up websites on servers supporting PHP and MySQL databases, and can also be used as a content management system (CMS). The WordPress plugin Popular Posts has a remote code execution vulnerability that can be...
WordPress Plugin Cross-Site Scripting Vulnerability (CNVD-2021-66917)
WordPress is the WordPress Foundation's blogging platform, developed in PHP. The platform supports hosting personal blog sites on PHP and MySQL servers. WordPress plugin is a WordPress open source application plug-in. Video Posts Webcam Recorder WordPress versions...
CVE-2021-24512
The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting XSS vulnerability in one of the administrative functions for handling deletion of videos...
CVE-2021-24512
Affected software: WordPress plugin Video Posts Webcam Recorder (before 3.2.4). Issue: authenticated reflected XSS in an admin function that handles video deletion; root cause is that input parameters were not validated/escaped. Impact: XSS in admin context; requires authentication. Mitigation: u...
CVE-2021-24512 Video Posts Webcam Recorder < 3.2.4 - Authenticated Reflected XSS
The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting XSS vulnerability in one of the administrative functions for handling deletion of videos...
AddToAny Share Buttons < 1.7.48 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Image URL button setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Add the following payload in the Universal Button Image URL settings: " onerror=alert/XSS/ " The XSS...
WordPress Sticky Related Posts <= 1.0 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by iohex and WPScanTeam in WordPress Sticky Related Posts versions <= 1.0. Solution: This plugin has been closed as of January 28, 2021 and is not available for download. This closure is permanent. Reason: Author Request...