CVE-2021-39340
The Notification WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the /src/classes/Utils/Settings.php file which made it possible for attackers with administrative user access to inject arbitrary we...
CVE-2021-39334
The CVE-2021-39334 entry concerns the WordPress Job Board Vanila plugin (versions up to 1.0). It describes an authenticated Stored Cross-Site Scripting vulnerability via the psjb_exp_in and psjb_curr_in parameters in ~/job-settings.php, exploitable by users with administrative access, with impact...
CVE-2021-34642
The CVE-2021-34642 entry concerns the WordPress Smart Email Alerts plugin (versions up to 1.0.10) vulnerable to Reflected Cross-Site Scripting via the api_key in ~/views/settings.php. The underlying issue allows injection of arbitrary scripts, with network access and user interaction required (CV...
CVE-2021-34637 Post Index <= 0.7.5 Cross-Site Request Forgery to Stored Cross-Site Scripting
The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the /php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5...
CVE-2021-34637
The CVE-2021-34637 item applies to the WordPress Post Index plugin, affected through CSRF via the OptionsPage in php/settings.php, with vulnerable versions up to 0.7.5. Public references describe an attacker who can inject arbitrary web scripts, resulting in stored XSS, via a CSRF flaw. Connected...
WordPress Plugin Cross-Site Request Forgery Vulnerability
WordPress Plugin is an open source application plugin for WordPress. A security vulnerability exists in the WordPress plugin, stemming from a cross-site request forgery weakness in the OptionsPage function in the php/settings.php file, which allows an attacker to inject arbitrary we...
Cross site scripting
Cross-Site Scripting (XSS) vulnerability in GetSimpleCMS =3.3.15 via the timezone parameter to settings.php...
CVE-2021-28418
A cross-site scripting XSS issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter...
DRUPAL-CONTRIB-2020-012
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently validate data submitted into Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used...
Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently validate data submitted into Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used...
CVE-2020-9425
An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, resulting in...
CVE-2020-10429
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/manage-settings.php by adding a question mark ? followed by the payload...
CVE-2020-10390
OS Command Injection in export.php vulnerable function called from include/functions-article.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by saving the code to be executed as the wkhtmltopdf path via admin/save-settings.php...
CVE-2020-10478
The CVE refers to Chadha PHPKB Standard Multi-Language 9, where CSRF in admin/manage-settings.php allows changing global settings. The root cause is insufficient validation/origin verification of requests, enabling an attacker to alter settings and potentially trigger code execution or a denial o...