8956 matches found

CNNVD
added 2022/02/28 12:0 a.m. | 2 views

WordPress plugin cross-site scripting vulnerability

WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in versions prior to WordPress WP User plugin 7.0. The vulnerability stems...

CVSS 6.1 | AI score 5.2 | EPSS 0.00788
Exploits: 2 | References: 2
wpexploit
added 2022/02/28 12:0 a.m. | 990 views

BookingPress < 1.0.11 - Unauthenticated SQL Injection

The plugin fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpressfrontgetcategoryservices AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection - Create a new "category" and associate i...

CVSS 9.8 | AI score 0.5 | EPSS 0.37171
Exploits: 11 | References: 1
BDU FSTEC
added 2022/02/22 12:0 a.m. | 2 views

The vulnerability of the wp_ajax_parse_media_shortcode() function in the PHP plugin for implementing PHP Everywhere allows a hacker to execute arbitrary code.

The vulnerability of the wp_ajax_parse_media_shortcode() function in the PHP plugin for implementing PHP Everywhere is related to incorrect code generation. Exploiting this vulnerability could allow an attacker to execute arbitrary code...

CVSS 9.9 | AI score 8.3 | EPSS 0.01971
Exploits: 2 | References: 4 | Affected Software: 1
Cvelist
added 2022/02/16 4:38 p.m. | 16 views

CVE-2022-24663 Remote Code Execution by Subscriber+ users via WordPress shortcode

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user...

CVSS 9.9 | AI score 9.8 | EPSS 0.01971
Exploits: 2 | References: 1
Vulnrichment
added 2022/02/16 4:38 p.m. | 7 views

CVE-2022-24663 Remote Code Execution by Subscriber+ users via WordPress shortcode

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user...

CVSS 9.9 | AI score 9.6 | EPSS 0.01971
Exploits: 2 | References: 1
Patchstack
added 2022/02/14 12:0 a.m. | 24 views

WordPress File Upload Pro premium plugin <= 4.16.2 - Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability

Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability discovered by apple502j in WordPress File Upload Pro premium plugin versions <= 4.16.2. Solution: Update the WordPress File Upload Pro premium plugin to the latest available version (at least 4.16.3)...

CVSS 5.4 | AI score 2.9 | EPSS 0.0077
Exploits: 2 | References: 3 | Affected Software: 1
Patchstack
added 2022/02/14 12:0 a.m. | 24 views

WordPress File Upload plugin <= 4.16.2 - Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability

Contributor+ Stored Cross-Site Scripting (XSS) via Shortcode vulnerability discovered by apple502j in WordPress File Upload plugin versions <= 4.16.2. Solution: Update the WordPress File Upload plugin to the latest available version (at least 4.16.3)...

CVSS 5.4 | AI score 2.9 | EPSS 0.0077
Exploits: 2 | References: 3 | Affected Software: 1
wpexploit
added 2022/02/14 12:0 a.m. | 146 views

WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode

The plugin does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks wordpressfileupload widths='title:1;animation-nametwentytwentyone-close-button-transition" onanimationend="alert/XSS-widths/'...

CVSS 5.4 | AI score 2.4 | EPSS 0.0077
Exploits: 2 | References: 1
WPVulnDB
added 2022/02/14 12:0 a.m. | 16 views

WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode

The plugin does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks PoC wordpressfileupload widths='title:1;animation-nametwentytwentyone-close-button-transition" onanimationend="alert/XSS-widths/'...

CVSS 5.4 | AI score 4 | EPSS 0.0077
Exploits: 2 | References: 1 | Affected Software: 2
Huntr
added 2022/02/11 1:15 p.m. | 37 views

Cross-site Scripting (XSS) - Reflected in orchardcms/orchardcore

Description Reflected XSS is found under DesignShortcodeNew Shortcode Proof of Concept POC Video https://drive.google.com/file/d/1yFfa7g8MMUvJrrKTpJXZEHhQLRSZ1Cii/view?usp=sharing Impact Through this vulnerability, an attacker is capable to execute malicious scripts...

CVSS 3.5 | AI score 0.8 | EPSS 0.00609
Exploits: 1
Packet Storm
added 2022/02/08 12:0 a.m. | 357 views

PHP Everywhere 2.0.3 Remote Code Execution

On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level,...

AI score 0.3 | EPSS 0.02436
Exploits: 3
0day.today
added 2022/02/08 12:0 a.m. | 307 views

PHP Everywhere 2.0.3 Remote Code Execution Vulnerability

On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level,...

CVSS 9.9 | AI score 0.3 | EPSS 0.02436
Exploits: 3
WPVulnDB
added 2022/02/08 12:0 a.m. | 25 views

PHP Everywhere < 3.0.0 - Subscriber+ RCE via Shortcode

The plugin allows any authenticated user, such as a subscriber, to execute PHP via the phpeverywhere shortcode...

CVSS 9.9 | AI score 5.6 | EPSS 0.01971
Exploits: 2 | References: 1 | Affected Software: 1
OSV
added 2022/02/07 4:15 p.m. | 2 views

CVE-2021-24878

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue...

CVSS 6.1 | AI score 5.8
Exploits: 0 | References: 1
OSV
added 2022/02/07 4:15 p.m. | 2 views

CVE-2021-24880

The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...

CVSS 5.4 | AI score 5.8 | EPSS 0.00595
Exploits: 2 | References: 1
NVD
added 2022/02/07 4:15 p.m. | 9 views

CVE-2021-24880

The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...

CVSS 5.4 | EPSS 0.00595
Exploits: 2 | References: 1
Prion
added 2022/02/07 4:15 p.m. | 14 views

Cross site scripting

The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...

CVSS 3.5 | AI score 5.3 | EPSS 0.00595
Exploits: 2 | References: 1 | Affected Software: 1
CNNVD
added 2022/02/07 12:0 a.m. | 2 views

Wordpress Plugin SupportCandy cross-site scripting vulnerability

WordPress is the Wordpress Foundation's blogging platform developed using the PHP language. WordPress plugin is a WordPress open source application plugin. A cross-site scripting vulnerability exists in Wordpress Plugin SupportCandy, which stems from the product's failure to effectively hand...

CVSS 5.4 | AI score 5.4 | EPSS 0.00595
Exploits: 2 | References: 2
Patchstack
added 2022/02/02 12:0 a.m. | 18 views

WordPress Custom Content Shortcode plugin <= 3.8.9 - Unauthorized Arbitrary Post Metadata Access vulnerability

Unauthorized Arbitrary Post Metadata Access vulnerability discovered by Francesco Carlucci in WordPress Custom Content Shortcode plugin versions <= 3.8.9. Solution: Update the WordPress Custom Content Shortcode plugin to the latest available version (at least 4.0.0)...

CVSS 4.3 | AI score 4 | EPSS 0.00782
Exploits: 2 | References: 3 | Affected Software: 1
Patchstack
added 2022/02/02 12:0 a.m. | 20 views

WordPress Custom Content Shortcode plugin <= 4.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Francesco Carlucci in WordPress Custom Content Shortcode plugin versions <= 4.0.1. Solution: Update the WordPress Custom Content Shortcode plugin to the latest available version (at least 4.0.2)...

CVSS 5.4 | AI score 2.1 | EPSS 0.00595
Exploits: 2 | References: 3 | Affected Software: 1