
2020 matches found

RedhatCVE
added 2025/05/22 4:54 p.m. · 4 views

CVE-2020-9382

An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget as defined by this extension via MediaWiki's widget: parser function...

CVSS 5.5 · AI score 7 · EPSS 0.00971
Exploits: 1 · References: 1

RedhatCVE
added 2025/05/22 4:34 p.m. · 7 views

CVE-2020-26229

TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the...

CVSS 3.7 · AI score 6.9 · EPSS 0.00636
Exploits: 0

RedhatCVE
added 2025/05/22 3:32 p.m. · 10 views

CVE-2020-35625

An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class defined within PHP or MediaWiki via a crafted HTML comment, related to a Smarty template. For example...

CVSS 8.8 · AI score 6.5 · EPSS 0.01031
Exploits: 0

RedhatCVE
added 2025/05/22 6:24 a.m. · 7 views

CVE-2015-9436

The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=termtree prefix or widgetid parameter...

CVSS 5.4 · AI score 6 · EPSS 0.01044
Exploits: 1 · References: 1

RedhatCVE
added 2025/05/22 5:57 a.m. · 4 views

CVE-2015-9437

The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config pagelimit parameter...

CVSS 6.5 · AI score 6.2 · EPSS 0.00881
Exploits: 1 · References: 1

RedhatCVE
added 2025/05/22 12:50 a.m. · 5 views

CVE-2015-9438

The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dwshowwidget idbase, widgetnumber, or instance parameter...

CVSS 5.4 · AI score 6 · EPSS 0.01044
Exploits: 1 · References: 1

Patchstack
added 2025/05/19 2:35 a.m. · 4 views

WordPress Widgets Reset plugin <= 0.1 - Settings Update via CSRF vulnerability

Settings Update via CSRF vulnerability discovered by Daniel Ruf in WordPress Plugin Widgets Reset versions <= 0.1...

CVSS 4.3 · AI score 7 · EPSS 0.00159
Exploits: 1 · References: 1 · Affected Software: 1

NVD
added 2025/05/15 8:15 p.m. · 14 views

CVE-2024-8082

The Widgets Reset WordPress plugin through 0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVSS 4.3 · EPSS 0.00159
Exploits: 1 · References: 1

Vulnrichment
added 2025/05/15 8:7 p.m. · 7 views

CVE-2024-8082 Widgets Reset <= 0.1 - Settings Update via CSRF

The Widgets Reset WordPress plugin through 0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

AI score 7 · EPSS 0.00159
Exploits: 1 · References: 1

CVE
added 2025/05/15 8:7 p.m. · 29 views

CVE-2024-8082

The Widgets Reset WordPress plugin (versions ≤ 0.1) contains a CSRF flaw in the settings update path caused by missing CSRF protection. This could enable a logged-in administrator to alter settings via a CSRF attack. Public materials identify the affected version, but none provide a confirmed pat...

CVSS 4.3 · AI score 6.8 · EPSS 0.00159
Exploits: 1 · References: 1 · Affected Software: 1

Positive Technologies
added 2025/05/15 12:0 a.m. · 4 views

PT-2025-21510 · WordPress · Widgets Reset

Name of the Vulnerable Software and Affected Versions: Widgets Reset WordPress plugin versions 0.1 and earlier Description: The issue concerns a lack of CSRF check when updating settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Recommendations: For...

CVSS 4.3 · AI score 4.4 · EPSS 0.00159
Exploits: 1 · References: 3

CNNVD
added 2025/05/15 12:0 a.m. · 2 views

WordPress plugin Widgets Reset security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...

CVSS 4.3 · AI score 5 · EPSS 0.00159
Exploits: 1 · References: 1

CNNVD
added 2025/05/14 12:0 a.m. · 2 views

Netgate pfSense CE cross-site scripting vulnerability

Netgate pfSense CE is a FreeBSD-based open source firewall and routing platform from Netgate, Inc. that supports enterprise-class network security and network management features. A security vulnerability exists in Netgate pfSense CE prior to version 2.8.0 beta, which stems from a cross-site...

CVSS 5.4 · AI score 8.3 · EPSS 0.03563
Exploits: 1 · References: 5

vulnersOsv
added 2025/05/13 6:30 p.m. · 7 views

@dfeidao/fd-w000005 (>=4.6.201905201058 <=4.6.201907081013), @dfeidao/widgets (>=4.5.201903181201 <=4.6.201905131523) +16 more potentially affected by CVE-2025-47204 via bootstrap-multiselect (>=0.9.13-1 <=1.1.2)

bootstrap-multiselect NPM version =0.9.13-1, =4.6.201905201058, =4.5.201903181201, =1.0.0, =3.0.201812052008, =1.0.0, =2.0.0, =0.1.0, =0.0.3, =1.0.7-1, =1.1.4, =1.2.1, =1.2.2, =0.0.2, =1.0.0 and more Source cves: CVE-2025-47204 Source advisory: OSV:GHSA-GV5R-9GXR-V74W...

CVSS 6.1 · AI score 5.8 · EPSS 0.00404
Exploits: 0

Cvelist
added 2025/05/10 5:32 a.m. · 40 views

CVE-2025-2944 Jeg Elementor Kit <= 2.6.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Button and Countdown Widgets

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Button and Countdown Widgets in all versions up to, and including, 2.6.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

CVSS 6.4 · EPSS 0.00366
Exploits: 0 · References: 3

Patchstack
added 2025/04/29 6:25 a.m. · 7 views

WordPress Widgets as Shortcodes plugin <= 5.9.10 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao KhanhVCI - VNPT in WordPress Plugin Widgets as Shortcodes versions <= 5.9.10...

CVSS 7.1 · AI score 7 · EPSS 0.00191
Exploits: 0 · Affected Software: 1

Patchstack
added 2025/04/25 7:49 a.m. · 5 views

WordPress My Custom Widgets plugin <= 2.0.5 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting (XSS) vulnerability discovered by johska in WordPress Plugin My Custom Widgets versions <= 2.0.5...

CVSS 7.1 · AI score 6.9 · EPSS 0.00235
Exploits: 0 · Affected Software: 1

CNNVD
added 2025/04/24 12:0 a.m. · 3 views

HCL Leap security vulnerability

HCL Leap is a low-code development platform from HCL India. HCL Leap suffers from a security vulnerability that stems from an inadequate cleanup policy that allows client-side scripts to be injected in deployed applications via HTML widgets...

CVSS 6.3 · AI score 6.6 · EPSS 0.00243
Exploits: 0 · References: 1

Cvelist
added 2025/04/23 9:23 a.m. · 18 views

CVE-2025-1054 UiCore Elements – Free Elementor widgets and templates <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to...

CVSS 6.4 · EPSS 0.00204
Exploits: 0 · References: 2

Microsoft KB
added 2025/04/22 12:0 a.m. · 2 views

April 22, 2025—KB5055629 (OS Builds 22621.5262 and 22631.5262) Preview

April 22, 2025—KB5055629 OS Builds 22621.5262 and 22631.5262 Preview For information about Windows update terminology, see types of Windows updates and the monthly quality update types. To find an overview of Windows 11, version 23H2, see its update history page. Be sure to follow @WindowsUpdate ...

AI score 7.1
Exploits: 0