CVE-2022-4946 Frontend Post WordPress Plugin <= 2.8.4 - Contributor+ Arbitrary Redirect

The Frontend Post WordPress Plugin WordPress plugin through 2.8.4 does not validate an attribute of one of its shortcode, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post, which will redirect users to an arbitrary domain...

CVE-2022-4946 Frontend Post WordPress Plugin <= 2.8.4 - Contributor+ Arbitrary Redirect

The Frontend Post WordPress Plugin WordPress plugin through 2.8.4 does not validate an attribute of one of its shortcode, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post, which will redirect users to an arbitrary domain...

CVE-2022-4946

CVE-2022-4946 affects the Frontend Post WordPress Plugin (versions

WordPress Plugin Frontend Post 输入验证错误漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. An input validation error...

PT-2023-16041 · WordPress · Wp Multi Store Locator

Name of the Vulnerable Software and Affected Versions: WP Multi Store Locator WordPress plugin versions prior to 2.5 Description: The issue concerns the WP Multi Store Locator WordPress plugin, which does not properly validate and escape certain shortcode attributes. This could allow users with t...

PT-2023-15932 · WordPress · Frontend Post Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: Frontend Post WordPress Plugin versions through 2.8.4 Description: The issue concerns a lack of validation for an attribute in one of the plugin's shortcodes. This could allow users with a role as low as contributor to add a malicious shortco...

CVE-2023-3051

The Page Builder by AZEXO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'azhpost' shortcode in versions up to, and including, 1.27.133 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web...

PT-2023-22740 · Azexo · The Page Builder By Azexo

Name of the Vulnerable Software and Affected Versions: The Page Builder by AZEXO plugin for WordPress versions up to, and including, 1.27.133 Description: The issue is related to Stored Cross-Site Scripting via the azh post shortcode due to insufficient input sanitization and output escaping. Thi...

CVE-2023-2304

The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userfavorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-2304

The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userfavorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-2304 Favorites <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userfavorites' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-2436

The Blog-in-Blog plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bloginblog' shortcode in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

CVE-2023-2436

The Blog-in-Blog plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bloginblog' shortcode in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

File Manager Advanced Shortcode <= 2.3.2 - Unauthenticated Remote Code Execution through shortcode

The plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users. PoC 1. Add the following shortcode to ...

File Manager Advanced Shortcode <= 2.3.2 - Unauthenticated Remote Code Execution through shortcode

The plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users. 1. Add the following shortcode to a...

WordPress Plugin Favorites 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exists in...

PT-2023-19527 · WordPress · Blog-In-Blog

Name of the Vulnerable Software and Affected Versions: Blog-in-Blog plugin for WordPress versions up to, and including, 1.1.1 Description: The issue allows editor-level and above attackers to include and execute arbitrary files on the server via a shortcode attribute, potentially bypassing access...

PT-2023-10287 · Meitar · Meitar Inline Google Spreadsheet Viewer Plugin

Name of the Vulnerable Software and Affected Versions: meitar Inline Google Spreadsheet Viewer Plugin versions up to 0.9.6 Description: A vulnerability was found in the meitar Inline Google Spreadsheet Viewer Plugin, which is classified as problematic. The issue affects the displayShortcode...

CVE-2022-4676

The OSM WordPress plugin through 6.01 does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack...

CVE-2022-4676

The OSM WordPress plugin through 6.01 does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack...