30 matches found
Design/Logic Flaw
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the /includes/class-template-designer.php file, in versions up to...
VulnCheck KEV: CVE-2022-0218
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the /includes/class-template-designer.php file, in versions up to...
WordPress Theme Creative Multi-Purpose 9.1.3 - Persistent Cross-Site Scripting
Vendor Homepage: http://bridge.qodeinteractive.com/ Software Link: http://themeforest.net/item/bridge-creative-multipurpose-wordpress-theme/7315054 Version: 9.1.3 Tested on: Debian 8, PHP 5.6.17-3 Type: Stored XSS, Ability to overwrite any theme settings. Time line: Found 23-Apr-2016, Vendor...
CVE-2014-8746
Cross-site scripting XSS vulnerability in the Skeleton theme 7.x-1.2 through 7.x-1.3 before 7.x-1.4, for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings...
Cross site scripting
Cross-site scripting XSS vulnerability in the SimpleCorp theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings...
Cross site scripting
Multiple cross-site scripting XSS vulnerabilities in template.php in Zen theme 7.x-3.x before 7.x-3.3 and 7.x-5.x before 7.x-5.5 for Drupal allow remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via the skiplinktext setting and unspecified...
CVE-2014-7979
Cross-site scripting XSS vulnerability in the SimpleCorp theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings...
CVE-2014-7978
Cross-site scripting XSS vulnerability in the BlueMasters theme 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings...
SA-CONTRIB-2014-047 - Zen - Cross Site Scripting
The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design. The theme does not properly sanitize theme settings before they are used in the output of a page. Themes that have copied code from Zen's template.php may suffer from this same issue. If you...
Remote file inclusion
PHP remote file inclusion vulnerability in theme/settings.php in bluevirus-design SMA-DB 0.3.9 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the pfadz parameter...