AppServ Open Project <=2.5.10 - Cross-Site Scripting

AppServ Open Project 2.5.10 and earlier contains a cross-site scripting vulnerability in index.php which allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter. id: CVE-2008-2398 info: name: AppServ Open Project =2.5.11 or apply the necessary security patches...

Moodle LTI module Reflected - Cross-Site Scripting

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's brows...

PHPJabbers Food Delivery Script - SQL Injection

PHPJabbers Food Delivery Script 3.0 has a SQL injection SQLi vulnerability in the "q" parameter of index.php. id: CVE-2023-40748 info: name: PHPJabbers Food Delivery Script - SQL Injection author: ritikchaddha severity: critical description: | PHPJabbers Food Delivery Script 3.0 has a SQL injecti...

MindPalette NateMail 3.0.15 - Cross-Site Scripting

MindPalette NateMail 3.0.15 is susceptible to reflected cross-site scripting which could allows an attacker to execute remote JavaScript in a victim's browser via a specially crafted POST request. The application will reflect the recipient value if it is not in the NateMail recipient array. Note...

DomainMOD <=4.13.0 - Cross-Site Scripting

DomainMOD through 4.13.0 contains a cross-site scripting vulnerability via /reporting/domains/cost-by-month.php in Daterange parameters. id: CVE-2019-15811 info: name: DomainMOD =4.13.1 to mitigate this vulnerability. reference: - https://www.exploit-db.com/exploits/47325 -...

Brafton WordPress Plugin < 3.4.8 - Cross-Site Scripting

The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php. id: CVE-2016-10973 info: name: Brafton WordPress Plugin 3.4.8 - Cross-Site Scripting author: Harsh severity: medium description: | The Brafton plugin...

WBCE CMS v1.5.4 - Cross Site Scripting (Stored)

A cross-site scripting XSS vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field. id: CVE-2022-45038 info: name: WBCE CMS v1.5.4 - Cross Site Scripting Stored author:...

Tiempo.com <= 0.1.2 - Cross-Site Scripting

Tiempo.com before 0.1.2 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to stea...

Aajoda Testimonials < 2.2.2 - Cross-Site Scripting

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. id: CVE-2023-2178 info: name: Aajoda Testimonials...

WordPress Copyright Proof <=4.16 - Cross-Site-Scripting

WordPress Copyright Proof plugin 4.16 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users when a specific setting is enabled. id: CVE-2022-1906...

Redwood Report2Web 4.3.4.5 & 4.5.3 - Cross-Site Scripting

Redwood Report2Web 4.3.4.5 and 4.5.3 contains a cross-site scripting vulnerability in the login panel which allows remote attackers to inject JavaScript via the signIn.do urll parameter. id: CVE-2021-26710 info: name: Redwood Report2Web 4.3.4.5 & 4.5.3 - Cross-Site Scripting author: pikpikcu...

Haraj 3.7 - Cross-Site Scripting

Haraj 3.7 contains a cross-site scripting vulnerability in the User Upgrade Form. An attacker can inject malicious script and thus steal authentication credentials and launch other attacks. id: CVE-2022-31299 info: name: Haraj 3.7 - Cross-Site Scripting author: edoardottt severity: medium...

eShop 3.0.4 - Cross-Site Scripting

eShop 3.0.4 contains a reflected cross-site scripting vulnerability in json search parse and json response in wrteam.in. id: CVE-2022-35493 info: name: eShop 3.0.4 - Cross-Site Scripting author: arafatansari severity: medium description: | eShop 3.0.4 contains a reflected cross-site scripting...

WordPress E2Pdf <1.16.45 - Cross-Site Scripting

WordPress E2Pdf plugin before 1.16.45 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape some of its settings, even when the unfilteredhtml capability is disallowed. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context o...

Unyson < 2.7.27 - Cross Site Scripting

The plugin does not sanitise and escape the QUERYSTRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters id: CVE-2022-2219 info: name: Unyson 2.7.27 - Cross Site Scripting author: r3Y3r53 severity: high description:...

WordPress MF Gig Calendar <=1.1 - Cross-Site Scripting

WordPress MF Gig Calendar plugin 1.1 and prior contains a reflected cross-site scripting vulnerability. It does not sanitize or escape the id GET parameter before outputting back in the admin dashboard when editing an event. id: CVE-2021-24510 info: name: WordPress MF Gig Calendar =1.2 which...

WordPress Page Layout builder v1.9.3 - Cross-Site Scripting

WordPress plugin Page-layout-builder v1.9.3 contains a cross-site scripting vulnerability. id: CVE-2016-1000141 info: name: WordPress Page Layout builder v1.9.3 - Cross-Site Scripting author: daffainfo severity: medium description: WordPress plugin Page-layout-builder v1.9.3 contains a cross-site...

WordPress Goto Tour & Travel Theme <2.0 - Cross-Site Scripting

WordPress Goto Tour & Travel theme before 2.0 contains an unauthenticated reflected cross-site scripting vulnerability. It does not sanitize the keywords and startdate GET parameters on its Tour List page. id: CVE-2021-24235 info: name: WordPress Goto Tour & Travel Theme =2.0 to mitigate the XSS...

CVE-2026-7165

The vulnerability is present in the ‘/addJugador’ endpoint: The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their...

New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer

Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidenc...