99 matches found
CVE-2023-0992
CVE-2023-0992 relates to the Shield Security plugin for WordPress. The Red Hat data corroborates a later feed showing a Missing Authorization issue on the theme-plugin-file AJAX action in versions up to and including 17.0.17, and notes that this can serve as a vector for the stored Cross-Site Scr...
CVE-2023-0992 Shield Security <= 17.0.17 - Unauthenticated Stored Cross-Site Scripting
The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the 'User-Agent' header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an...
PT-2023-16671 · WordPress · The Shield Security
Name of the Vulnerable Software and Affected Versions: The Shield Security plugin for WordPress versions up to, and including, 17.0.17 Description: The issue allows unauthenticated attackers to inject arbitrary web scripts in pages via the User-Agent header, which will execute whenever a user...
Multiple Vulnerabilities Patched in Shield Security
On March 20, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for two vulnerabilities in Shield Security, a security plugin with over 50,000 installations. One of these vulnerabilities allowed unauthenticated attackers to inject malicious JavaScript into an...
WordPress Shield Security Plugin <= 17.0.17 is vulnerable to Cross Site Scripting (XSS)
Software Shield Security Type Plugin Vulnerable versions = 17.0.17 Fixed in 17.0.18 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-0992 Patch priority High CVSS severity High 7.1 Developer Claim ownership PSID 814ad86ffa89 Credits Ramuel Gall Requir...
WordPress plugin Shield Security 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...
Shield Security < 17.0.18 - Subscriber+ Arbitrary Log Entry Creation
The plugin does not have authorisation in the theme-plugin-file AJAX action, allowing any authenticated users, such as subscriber to call it and add arbitrary audit log entries, which could also lead to Stored XSS due to the lack of escaping of some entry metadata...
WordPress Shield Security 17.0.17 Cross Site Scripting / Missing Authorization
Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Plugin Slug: wp-simple-firewall Affected Versions: = 17.0.17 CVE ID: CVE-2023-0992 CVSS Score: 7.2 High CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Researcher/s: Ramuel Gall Fully Patched Version: 17.0.18 T...
WordPress Shield Security 17.0.17 Cross Site Scripting / Missing Authorization Vulnerability
WordPress Shield Security Smart Bot Blocking and Intrusion Prevention plugin versions 17.0.17 and below suffer from cross site scripting and missing authorization vulnerabilities. Affected Plugin: Shield Security – Smart Bot Blocking & Intrusion Prevention Plugin Slug: wp-simple-firewall Affected...
WordPress Shield Security plugin跨站脚本漏洞
WordPress is a set of blogging platforms developed by the WordPress Wordpress Foundation using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. WordPress Shield Security plugin version 13.0.6 previously had a cross-site scripting vulnerability, whic...
CVE-2022-0211
The Shield Security WordPress plugin before 13.0.6 does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...
CVE-2022-0211
The Shield Security WordPress plugin before 13.0.6 does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...
CVE-2022-0211
The Shield Security WordPress plugin before 13.0.6 does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...
CVE-2022-0211
The CVE-2022-0211 entry concerns the WordPress Shield Security plugin (before 13.0.6). The vulnerability is a stored XSS caused by the plugin not sanitising/escaping admin notes, which could let high-privilege users execute JavaScript even when unfiltered_html is disallowed. Public references in ...
CVE-2022-0211 Shield Security < 13.0.6 - Admin+ Stored Cross-Site Scripting
The Shield Security WordPress plugin before 13.0.6 does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...
WordPress Shield Security plugin <= 13.0.5 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting XSS vulnerability discovered by Yoru Oni in WordPress Shield Security plugin versions = 13.0.5. Solution Update the WordPress Shield Security plugin to the latest available version at least 13.0.6...
Shield Security < 13.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Put the following payload as an Admin Note Shield Security Tools Admin Notes: alert/XSS/;...
Shield Security < 13.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. PoC Put the following payload as an Admin Note Shield Security Tools Admin Notes:...
WAFW00F v1.0.0 - Detect All The Web Application Firewall!
WAFW00F identifies and fingerprints Web Application Firewall WAF products. How does it work? To do its magic, WAFW00F does the following: Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions. If that is not successful, it sends a number of potentially...