CVE-2017-18585
CVE-2017-18585 affects the WordPress plugin posts-in-page prior to version 1.3.0. The root cause is a directory traversal vulnerability in the ic_add_posts template, permitting access to locations outside the intended directory. The CVSS v3 base score is 8.1 (HIGH) with NETWORK attack vector and ...
CVE-2016-10913
The wp-latest-posts plugin before 3.7.5 for WordPress has XSS...
Cross site scripting
CVE-2016-10913
The CVE-2016-10913 entry concerns the WordPress plugin wp-latest-posts, specifically versions before 3.7.5. The connected documents confirm a cross-site scripting (XSS) vulnerability in this plugin. The provided sources do not specify the exact root cause, affected file/function, exploitation det...
CVE-2016-10883
The simple-add-pages-or-posts plugin before 1.7 for WordPress has CSRF for deleting users...
Simple 301 Redirects Addon Bulk Uploader <= 1.2.4 - Multiple Issues
Unauthenticated option changes vulnerability that could allow an attacker to redirect all pages and posts of the blog to a malicious website, as well as an authenticated options export/deletion vulnerability...
Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion
The adminInit function of the admin/includes/class.actions.snippets.php file, registered as an admin_init hook, did not have any CSRF or capability checks for its close action, allowing unauthenticated users to delete arbitrary posts from the blog. PoC...
Cryptolocking WordPress Plugin Locks Up Blog Posts
A malicious WordPress plugin ironically called WP Security has been spotted in the wild encrypting blog posts and rendering the content unreadable. It’s capable of targeting individual posts — an unusual behavior, according to researchers. According to analysis from Sucuri, the plugin obtains a...
CVE-2016-10790
cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpanel.net SEC-192...
Code injection
Mail.ru: [auto.mail.ru] IDOR allowing any user's post to be edited.
IDOR allowed editing arbitrary posts on auto.mail.ru. auto.mail.ru belongs to the Extended scope. IDOR allowing an arbitrary post on the auto.mail.ru site to be edited...
WordPress Yuzo Related Posts Plugin Cross-Site Scripting
A Cross-Site Scripting vulnerability exists in WordPress Yuzo Related Posts plugin. Successful exploitation of this vulnerability would allow remote attackers to inject an arbitrary web script into the affected system...
Inside the MSRC – Anatomy of a SSIRP incident
This is the second in a series of blog posts that shares how the MSRC responds to elevated threats to customers through the Software and Services Incident Response Plan (SSIRP). In our last blog post, we looked at the history of the Microsoft Security Response Center and SSIRP, and how Microsoft tak...
WordPress User Submitted Posts plugin <= 20190426 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability found by NinTechNet in WordPress User Submitted Posts plugin versions <= 20190426. Apache + PHP FastCGI is required for exploitation of this vulnerability. Solution: Update the WordPress User Submitted Posts plugin to the latest available version, at least 20190501...
[SECURITY] Fedora 30 Update: drupal7-views-3.23-1.fc30
You need Views if: You like the default front page view, but you find you want to sort it differently. You like the default taxonomy/term view, but you find you want to sort it differently; for example, alphabetically. You use /tracker, but you want to restrict it to posts of a certain type. You...
ZOHO ManageEngine ServiceDesk Plus Permission License and Access Control Issues Vulnerability
ZOHO ManageEngine ServiceDesk Plus is a set of ITIL-based IT service management (ITSM) software from ZOHO. The software integrates incident management, problem management, asset management, IT project management, procurement and contract management, and other functional modules. A vulnerability exis...
CVE-2019-12253
my little forum before 2.4.20 allows CSRF to delete posts, as demonstrated by mode=posting&delete_posting...
CVE-2019-12253
CVE-2019-12253 affects the project’s “my little forum” prior to version 2.4.20. The vulnerability is a CSRF flaw that allows deleting posts via a crafted request (e.g., mode=posting&delete_posting). The issue is confirmed across multiple feeds (NVD/NVD-derived entries, Red Hat advisory, OSV, CVE ...
PT-2019-12719 · Zoho · Zoho Manageengine Servicedesk Plus
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ServiceDesk Plus versions prior to 10.6 Description: The issue allows users with the lowest privileges, such as guest users, to view arbitrary posts by manipulating the URL. This can be achieved by appending the post number ...