Lucene search
+L

512 matches found

Vulnrichment
Vulnrichment
added 2023/12/21 12:34 p.m.24 views

CVE-2023-49826 WordPress Soledad Theme <= 8.4.1 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1...

8.1CVSS7.2AI score0.00567EPSS
Exploits0References1
CNNVD
CNNVD
added 2023/11/10 12:0 a.m.10 views

Discourse Security Breach

Discourse is an open source community discussion platform. The platform includes community, email, and chat room features. A security vulnerability exists in Discourse prior to version 3.1.3, which stems from a theme component that allows users to add svg images with an unlimited "height"...

5.4CVSS6.7AI score0.00702EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2023/10/20 3:6 p.m.8 views

CVE-2023-3933 Your Journey <= 1.9.8 - Prototype Pollution to Reflected Cross-Site Scripting

The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

6.1CVSS7AI score0.00386EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2023/10/20 3:6 p.m.7 views

CVE-2023-3962 Winters <= 1.4.3 - Prototype Pollution to Reflected Cross-Site Scripting

The Winters theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

6.1CVSS7AI score0.00386EPSS
Exploits0References2
Prion
Prion
added 2023/08/28 9:15 p.m.15 views

Sql injection

theme volty tvcmsvideotab up to v4.0.0 was discovered to contain a SQL injection vulnerability via the component TvcmsVideoTabConfirmDeleteModuleFrontController::run...

7.5CVSS9.7AI score0.00519EPSS
Exploits0References2Affected Software1
Patchstack
Patchstack
added 2023/07/18 12:0 a.m.8 views

WordPress Villar Theme <= 1.0.10 is vulnerable to Cross Site Scripting (XSS)

Software Villar Type Theme Vulnerable versions = 1.0.10 Fixed in N/A OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-33999 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 3b4edd361313 Credits Rafie Muhammad Patchstack Required privileg...

6.2AI score0.00284EPSS
Exploits0References3Affected Software1
Prion
Prion
added 2023/06/07 2:15 a.m.22 views

Security feature bypass

The Brilliance = 1.2.7, Activello = 1.4.0, and Newspaper X = 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activelloactivateplugin' and 'activellodeactivateplugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing...

6.4CVSS6.5AI score0.00979EPSS
Exploits1References5Affected Software15
Vulnrichment
Vulnrichment
added 2023/06/07 1:51 a.m.13 views

CVE-2020-36711 Avada <= 6.2.2 - Authenticated (Contributor+) Cross-Site Scripting

The Avada theme for WordPress is vulnerable to Stored Cross-Site Scripting via the updatelayout function in versions up to, and including, 6.2.3 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers, and above, to inject arbitrary web...

6.4CVSS6.3AI score0.00648EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2023/01/02 9:49 p.m.4 views

CVE-2022-4114 Superio - Job Board < 1.2.33 - Subscriber+ Stored Cross-Site Scripting

The Superio WordPress theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Cross-Site Scripting attacks...

5.3AI score0.00484EPSS
Exploits2References2
Vulnrichment
Vulnrichment
added 2022/12/12 5:57 p.m.5 views

CVE-2022-3921 Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload

The Listingo WordPress theme before 3.2.7 does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE...

9.8AI score0.21205EPSS
Exploits2References1
Vulnrichment
Vulnrichment
added 2022/12/12 5:54 p.m.11 views

CVE-2022-3359 Shortcodes and extra features for Phlox theme < 2.10.7 - PHP Objection Injection

The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports intentionally or not a malicious file and a suitable gadget chain is present on the blog...

7.4AI score0.00742EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2022/12/12 12:0 a.m.12 views

PT-2022-21789 · WordPress · Phlox

Name of the Vulnerable Software and Affected Versions: Shortcodes and extra features for Phlox theme WordPress plugin versions prior to 2.10.7 Description: The issue arises from the unserialize of the content of an imported file, which could lead to PHP object injection when a user imports a...

8.8CVSS8.7AI score0.00742EPSS
Exploits0References5
WPVulnDB
WPVulnDB
added 2022/12/02 12:0 a.m.14 views

Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR

The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. PoC POST /testt/wp-admin/admin-ajax.php HTTP/...

6.5CVSS2.3AI score0.00593EPSS
Exploits2Affected Software1
Vulnrichment
Vulnrichment
added 2022/11/17 10:7 p.m.7 views

CVE-2022-45077 WordPress Betheme theme <= 26.5.1.4 - Auth. PHP Object Injection vulnerability

Auth. subscriber+ PHP Object Injection vulnerability in Betheme theme = 26.5.1.4 on WordPress...

6.3CVSS7.2AI score0.00615EPSS
Exploits0References2
Prion
Prion
added 2022/10/18 3:15 p.m.19 views

Remote code execution

GetSimple CMS v3.3.16 was discovered to contain a remote code execution RCE vulnerability via the editedfile parameter in admin/theme-edit.php...

7.5CVSS9.8AI score0.09442EPSS
Exploits12References2Affected Software1
CNNVD
CNNVD
added 2022/10/10 12:0 a.m.4 views

WordPress theme soledad 跨站脚本漏洞

WordPress is a set of blogging platforms developed by the WordPress Foundation using the PHP language. WordPress theme is a theme for WordPress. cross-site scripting vulnerability exists in versions prior to WordPress soledad 8.2.5, which stems from its failure to clear a certain parameter, an...

6.1CVSS6AI score0.00486EPSS
Exploits2References2
Vulnrichment
Vulnrichment
added 2022/06/23 4:20 a.m.6 views

CVE-2017-20088 Atahualpa Theme cross-site request forgery

A vulnerability classified as problematic has been found in Atahualpa Theme. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely...

4.3CVSS7.1AI score0.00403EPSS
Exploits1References2
Patchstack
Patchstack
added 2022/05/18 12:0 a.m.20 views

WordPress JupiterX premium theme <= 2.0.6 - Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification

Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification discovered by Ramuel Gall Wordfence in WordPress JupiterX premium theme versions = 2.0.6. Solution Update the WordPress JupiterX premium theme to the latest available version at least 2.0....

5.5CVSS4.1AI score0.00513EPSS
Exploits0References3Affected Software1
Patchstack
Patchstack
added 2022/01/28 12:0 a.m.12 views

WordPress Construction Lite theme <= 1.2.5 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability

Authenticated Arbitrary Plugin Activation/Deactivation vulnerability discovered by Ex.Mi Patchstack in WordPress Construction Lite theme versions = 1.2.5. Solution Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...

3.4AI score
Exploits0References3Affected Software1
BDU FSTEC
BDU FSTEC
added 2021/09/10 12:0 a.m.8 views

Vulnerability of the function in /administration/theme.php of the PHP-Fusion CMS system, allowing a hacker to execute arbitrary code

The vulnerability in the /administration/theme.php function of the PHP-Fusion CMS system exists due to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary code through the created malicious load...

5.4CVSS6.4AI score0.00447EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder