2 matches found
Contextual Adminbar Color < 0.3 - Authenticated Stored Cross-Site Scripting Issue
The variable $message is not escaped: $message = sanitize_text_field( $currentsettings['message'] ); Then it is printed in a value attribute: value="" PoC (edit by WPScanTeam): put the payload below in the custom message field on the plugin's settings page (Tools > Adminbar Settings): " onfocus=alert2...
Wordpress Plugin Email Before Download <= 3.16 Blind SQL Injection
Exploit for PHP platform in category web applications. Wordpress Plugin: Email Before Download escape before using it. On line 120 of file /email-before-download/email-before-download.php we can see that: ===================================================================================== 120:...