CVE-2022-0620

The Delete Old Orders WordPress plugin through 0.2 does not sanitize and escape the date parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

PT-2022-12701 · Phpipam · Phpipam

Name of the Vulnerable Software and Affected Versions: phpIPAM version 1.4.4 Description: The issue allows for Reflected XSS and CSRF attacks via the "app/admin/subnets/find free section subnets.php" endpoint of the subnets functionality. Recommendations: For phpIPAM version 1.4.4, consider...

RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack

A reflected Cross-Site Scripting XSS flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The...

PT-2022-9576 · Squirrly Seo · The Seo Plugin

Name of the Vulnerable Software and Affected Versions: The SEO Plugin by Squirrly SEO versions prior to 11.1.12 Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because the type parameter is not properly escaped before being outputted back in an attribute o...

CVE-2022-0327

The Master Addons for Elementor WordPress plugin before 1.8.5 does not sanitise and escape the errormessage parameter before outputting it back in the response of the jltmarestrictcontent AJAX action, available to unauthenticated and authenticated users, leading to a Reflected Cross-Site Scriptin...

CVE-2022-0321

The WP Voting Contest WordPress plugin before 3.0 does not sanitise and escape the postid parameter before outputting it back in the response via the wpvcsocialshareicons AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...

CVE-2022-0449

The Flexi WordPress plugin before 4.20 does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to a Reflected Cross-Site Scripting...

CVE-2022-0161

The ARI Fancy Lightbox WordPress plugin before 1.3.9 does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

CVE-2022-0161

The ARI Fancy Lightbox WordPress plugin before 1.3.9 does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

CVE-2022-0347

The LoginPress | Custom Login Page Customizer WordPress plugin before 1.5.12 does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting...

CVE-2022-0426

The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 does not escape the rowCount parameter before outputting it back in an attribute via the wooseacategoriesdropdown AJAX action available to any authenticated user, leading to a Reflected Cross-Site Scripting...

CVE-2022-23397

The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. NOTE: the vendor disputes this because the ado.im reference has "no...

CVE-2022-25014

Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting XSS vulnerability via the "m" parameter in the Dashboard of the current user. This vulnerability allows attackers to compromise session credentials via user interaction with a crafted link...

CVE-2022-0150

The WP Accessibility Helper WAH WordPress plugin before 0.6.0.7 does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue...

CVE-2021-25069

The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the packageids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue...

CVE-2022-0212

The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...

CVE-2021-25077

The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting...

Multiple cross-site scripting vulnerabilities in php_mailform

Overview phpmailform provided by econosys system contains multiple cross-site scripting vulnerabilities listed below. Reflected cross-site scripting vulnerability regarding the checkbox CWE-79 - CVE-2022-22142 Reflected cross-site scripting vulnerability regarding the attached file name CWE-79 -...

Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master"

Overview WordPress Plugin "Quiz And Survey Master" provided by ExpressTech contains multiple vulnerabilities listed below. Cross-site request forgery CWE-352 - CVE-2022-0180 Reflected cross-site scripting CWE-79 - CVE-2022-0181 Stored cross-site scripting CWE-79 - CVE-2022-0182 CVE-2022-0180,...

CVE-2021-39315

The Magic Post Voice WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the ids parameter found in the /inc/admin/main.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2...