8202 matches found
SUSE CVE-2025-1015
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book,...
Nevma Adaptive Images - Arbitrary File Deletion
Nevma Adaptive Images plugin before 0.6.67 for WordPress contains an arbitrary file deletion caused by unsanitized input in adaptive-images-script.php, letting remote attackers delete arbitrary files, exploit requires sending specific request parameters. id: CVE-2019-14206 info: name: Nevma...
Label Studio < 1.16.0 - Cross-Site Scripting
Label Studio prior to version 1.16.0 contains a cross-site scripting caused by rendering unsanitized user-provided HTML in the /projects/upload-example endpoint, letting attackers execute arbitrary JavaScript via crafted labelconfig in a GET request, exploit requires victims to visit malicious UR...
Pinger 1.0 - Remote Code Execution
Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters. id:...
Widget4Call WordPress - Cross-Site Scripting
Widget4Call WordPress plugin = 1.0.7 contains a reflected cross-site scripting caused by unsanitized parameter output in the page, letting attackers execute arbitrary scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13099 info: name:...
WP Pricing Table - Reflected XSS
WP Pricing Table WordPress plugin = 1.1 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute scripts in the context of high privilege users, exploit requires attacker to craft malicious URL. id: CVE-2024-13628 info: name: WP Pricing Table -...
SlideDeck 1 Lite Content Slider - Cross-Site Scripting
SlideDeck 1 Lite Content Slider WordPress plugin = 1.4.8 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13224 inf...
Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF)
Prometheus Blackbox Exporter through 0.17.0 contains a server-side request forgery caused by unsanitized target parameter in /probe, letting attackers perform SSRF attacks, exploit requires sending crafted target parameter. id: CVE-2020-16248 info: name: Prometheus Blackbox Exporter - Server-Side...
GestioIP - Reflected Cross-Site Scripting
GestioIP v3.5.7 contains a reflected cross-site scripting caused by unsanitized input in the ipdojob request, letting attackers execute scripts in the victim's browser, exploit requires specific user permissions. id: CVE-2024-50857 info: name: GestioIP - Reflected Cross-Site Scripting author:...
Shopware < 5.5.8 - Cross-Site Scripting
Shopware before 5.5.8 contains a reflected cross-site scripting XSS caused by unsanitized query string parameters in the backend/Login or backend/Login/load/ URI, letting attackers execute arbitrary scripts in the context of the victim's browser, exploit requires sending crafted URL to the victim...
WordPress Popup Builder < 4.0.7 - Remote Code Execution
Popup Builder WordPress plugin before 4.0.7 contains a local file inclusion caused by unsanitized 'sgpbtype' parameter in require statement, letting attackers include arbitrary local files or execute code via wrappers like PHAR, exploit requires attacker to control 'sgpbtype' parameter. id:...
phpLDAPadmin <= 1.2.3 - Reflected XSS
phpLDAPadmin = 1.2.3 contains a reflected cross-site scripting caused by unsanitized input in htdocs/entrychooser.php via the form, element, rdn, or container parameter, letting attackers execute malicious scripts in victim browsers, exploit requires sending crafted input. id: CVE-2017-11107 info...
WP BASE Booking - Reflected XSS
WP BASE Booking of Appointments, Services and Events WordPress plugin 5.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to...
WordPress User Messages <= 1.2.4 - Reflected XSS
WordPress User Messages plugin = 1.2.4 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires victim to load a...
Guten Free Options - Cross Site Scripting
Guten Free Options WordPress plugin = 0.9.5 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to click malicious link. id: CVE-2024-13492 info: name: Guten Free...
Advance Post Prefix WordPress plugin - Reflected XSS
Advance Post Prefix WordPress plugin through 1.1.1 contains a reflected cross-site scripting caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12734 info: name: Advance...
YesWiki < 4.5.4 - Cross-Site Scripting
YesWiki 4.5.4 contains a reflected cross-site scripting caused by unsanitized idformulaire parameter in /?BazaR endpoint, letting attackers steal cookies and hijack sessions, exploit requires user to click malicious link. id: CVE-2025-46550 info: name: YesWiki 4.5.4 - Cross-Site Scripting author:...
iBuildApp <= 0.2.0 - Reflected Cross-Site Scripting
iBuildApp WordPress plugin through 0.2.0 contains a reflected cross-site scripting caused by unsanitized parameter output in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13326 info:...
OWL Carousel Slider - Cross-Site Scripting
OWL Carousel Slider WordPress plugin v2.2 contains a reflected cross-site scripting caused by unsanitized parameter output in the page, letting attackers execute arbitrary scripts in the context of high privilege users, exploit requires attacker to craft malicious URL. id: CVE-2024-13627 info:...
WP DeskLite - Reflected XSS
WP DeskLite WordPress plugin through 1.0.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12724 info: name: WP DeskLite - Reflected XSS...