ATTACKERKB, added 2022/06/08 10:15 a.m.

CVE-2022-1241

The Ask me WordPress theme before 6.8.2 does not properly sanitise and escape several of the fields in the Edit Profile page, leading to Reflected Cross-Site Scripting issues...

CVSS 6.1, AI score 6.3, EPSS 0.0021
Exploits: 1, References: 2
CNNVD, added 2022/06/08 12:00 a.m.

WordPress theme Discy cross-site request forgery vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform written in PHP; WordPress plugins are application add-ons for it. The Discy WordPress theme in versions prior to 5.2 contains a cross-site request forgery vulnerability that...

CVSS 4.3, AI score 5.7, EPSS 0.07615
Exploits: 2, References: 2
CVE, added 2022/06/06 8:50 a.m.

CVE-2022-1422

CVE-2022-1422 concerns the WordPress theme Discy (versions before 5.2). The exposed issue is a CSRF in the AJAX endpoint discy_reset_options, which attackers can abuse to trick an admin into restoring site settings to defaults. Connected sources (Red Hat, CNVD, CVE lists, PatchStack/WP vuln DB) ...

CVSS 6.5, AI score 6.4, EPSS 0.00103
Exploits: 2, References: 1, Affected Software: 1
Cvelist, added 2022/06/06 8:50 a.m.

CVE-2022-1422 Discy < 5.2 - Restore Default Settings via CSRF

The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults...

AI score 6.7, EPSS 0.00103
Exploits: 2, References: 1
Patchstack, added 2022/05/18 12:00 a.m.

WordPress JupiterX premium theme <= 2.0.6 - Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification

Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification, discovered by Ramuel Gall (Wordfence) in WordPress JupiterX premium theme versions <= 2.0.6. Solution: update the WordPress JupiterX premium theme to the latest available version, at least 2.0....

CVSS 5.5, AI score 4.1, EPSS 0.00128
Exploits: 0, References: 3, Affected Software: 1
OSV, added 2022/04/04 4:15 p.m.

CVE-2022-1170

In the Noo JobMonster WordPress theme before 4.5.2.9 there is an XSS vulnerability, as the input for the search form is taken from unsanitized GET requests...

CVSS 6.1, AI score 5.8, EPSS 0.00931
Exploits: 1, References: 2
OSV, added 2022/04/04 4:15 p.m.

CVE-2022-1167

There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in the CareerUp WordPress theme before 2.3.1, via the filter parameters...

CVSS 6.1, AI score 5.8, EPSS 0.00271
Exploits: 1, References: 3
ATTACKERKB, added 2022/04/04 4:15 p.m.

CVE-2022-1167

There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in the CareerUp WordPress theme before 2.3.1, via the filter parameters...

CVSS 6.1, AI score 6.3, EPSS 0.00271
Exploits: 1, References: 5
Prion, added 2022/04/04 4:15 p.m.

CVE-2022-1170

In the Noo JobMonster WordPress theme before 4.5.2.9 there is an XSS vulnerability, as the input for the search form is taken from unsanitized GET requests...

CVSS 4.3, AI score 6, EPSS 0.00931
Exploits: 1, References: 2, Affected Software: 1
Cvelist, added 2022/04/04 3:36 p.m.

CVE-2022-1170 JobMonster < 4.5.2.9 - Unauthenticated Reflected Cross-Site Scripting

In the Noo JobMonster WordPress theme before 4.5.2.9 there is an XSS vulnerability, as the input for the search form is taken from unsanitized GET requests...

AI score 6.2, EPSS 0.00931
Exploits: 1, References: 2
CVE, added 2022/04/04 3:36 p.m.

CVE-2022-1170

CVE-2022-1170 affects the Noo JobMonster WordPress theme prior to version 4.5.2.9. The vulnerability is a cross-site scripting (XSS) flaw in the search form input, which is processed via unsanitized GET requests. The Nuclei template summarises the issue and confirms the vulnerable component as th...

CVSS 6.1, AI score 6.1, EPSS 0.00931
Exploits: 1, References: 2, Affected Software: 1
CNNVD, added 2022/04/04 12:00 a.m.

Eyecix Careerfy cross-site scripting vulnerability

Eyecix Careerfy is a WordPress theme from Eyecix (Pakistan). A cross-site scripting vulnerability exists in Eyecix Careerfy versions prior to 3.9.0, caused by the program's lack of validation and filtering of user-supplied input and of output data. An attacker could exploit the vulnerability to execu...

CVSS 6.1, AI score 5.6, EPSS 0.0023
Exploits: 1, References: 3
OSV, added 2022/02/28 9:15 a.m.

CVE-2020-36510

The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before outputting it back in the response via the cbsa AJAX action, leading to a Reflected Cross-Site Scripting...

CVSS 6.1, AI score 6.4, EPSS 0.02579
Exploits: 2, References: 1
Cvelist, added 2022/02/28 9:06 a.m.

CVE-2020-36510 15Zine < 3.3.0 - Reflected Cross-Site Scripting

The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before outputting it back in the response via the cbsa AJAX action, leading to a Reflected Cross-Site Scripting...

AI score 6, EPSS 0.02579
Exploits: 2, References: 1
Patchstack, added 2022/01/28 12:00 a.m.

WordPress Construction Lite theme <= 1.2.5 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability

Authenticated Arbitrary Plugin Activation/Deactivation vulnerability, discovered by Ex.Mi (Patchstack) in WordPress Construction Lite theme versions <= 1.2.5. Solution: deactivate and delete. The vendor ignores the vulnerability reports and avoids any conversation...

AI score 3.4
Exploits: 0, References: 3, Affected Software: 1
CVE, added 2021/11/08 5:35 p.m.

CVE-2021-24840

The CVE-2021-24840 entry affects the Squaretype WordPress theme prior to version 3.0.4. The vulnerability allows unauthenticated users to manipulate the query_vars used to fetch posts in a REST endpoint, enabling disclosure of private and scheduled posts. This is demonstrated by published PoCs (e...

CVSS 5.3, AI score 5.1, EPSS 0.00367
Exploits: 2, References: 1, Affected Software: 1
Cvelist, added 2021/11/08 5:35 p.m.

CVE-2021-24840 Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure

The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoints, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request...

AI score 5.5, EPSS 0.00367
Exploits: 2, References: 1
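The two Squaretype entries above describe a REST route that hands client-supplied query variables to the post query unchanged, so a caller can ask for post_status=private or post_status=future and read content the site never published. The following is an added illustration written for this page, not code from the Squaretype theme: the unsafe shape beside a hardened one that allow-lists parameters and pins status and type server-side. The namespace theme/v1, the route /feed and the parameter names are assumptions for the example.

```php
<?php
// Added example (not from any theme on this page). A REST route that lists
// posts for a theme widget, first passing client-supplied arguments to
// WP_Query unchecked (the Squaretype pattern), then with an allow-list.
// The namespace theme/v1 and route /feed are assumed.

// Vulnerable shape: every request parameter becomes a query var. If this
// callback is registered without a permission callback, an anonymous caller
// can send post_status=private, post_status=future or post_type=any and get
// back content that the core /wp/v2/posts route would withhold from them.
function theme_feed_vulnerable( WP_REST_Request $request ) {
    $args  = $request->get_params();
    $query = new WP_Query( $args );
    return rest_ensure_response( wp_list_pluck( $query->posts, 'post_title', 'ID' ) );
}

// Hardened shape: accept only the parameters the widget needs, let the route
// schema validate them, and fix post_status and post_type on the server.
function theme_feed_secure( WP_REST_Request $request ) {
    $args = array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => $request->get_param( 'per_page' ),
        'paged'          => $request->get_param( 'page' ),
        'cat'            => $request->get_param( 'category' ), // 0 means all
        'no_found_rows'  => true,
    );
    $query = new WP_Query( $args );
    $out   = array();
    foreach ( $query->posts as $post ) {
        $out[] = array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
            'link'  => get_permalink( $post ),
        );
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'theme/v1', '/feed', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'theme_feed_secure',
        // Public data, so an explicit "anyone" callback is correct here. Leaving
        // it out only raises a _doing_it_wrong notice; it does not block access.
        'permission_callback' => '__return_true',
        // Typed args are validated and sanitised by the REST server before the
        // callback runs; anything outside these bounds is a 400, never a query.
        'args'                => array(
            'per_page' => array( 'type' => 'integer', 'default' => 10, 'minimum' => 1, 'maximum' => 50 ),
            'page'     => array( 'type' => 'integer', 'default' => 1,  'minimum' => 1 ),
            'category' => array( 'type' => 'integer', 'default' => 0,  'minimum' => 0 ),
        ),
    ) );
} );
```

The check a practitioner wants when reviewing a theme's routes is simple: if WP_Query (or get_posts) is ever built from $request->get_params() or $_GET as a whole, the status and type of the returned posts are under the caller's control unless the callback overwrites them afterwards.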
NVD, added 2021/08/09 10:15 a.m.

CVE-2021-24501

The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site...

CVSS 8.1, EPSS 0.00294
Exploits: 2, References: 2
NVD, added 2021/08/09 10:15 a.m.

CVE-2021-24500

Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logged in user to submit a POST request to the vulnerable site, potentially...

CVSS 8.1, EPSS 0.00177
Exploits: 2, References: 2
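The Discy (CVE-2022-1422), JupiterX, Construction Lite and Workreap (CVE-2021-24500, CVE-2021-24501) entries above are the same two omissions in theme AJAX handlers: no nonce check, so a logged-in user can be driven to the action from a third-party page, and no authorization or ownership check, so any logged-in user can act on settings or on other users' objects. The following is an added illustration written for this page, not code from any of those themes: each handler is shown in the unsafe shape and then with the checks WordPress provides. The action names theme_reset_options and theme_delete_item, the option name theme_options and the post type theme_item are assumptions for the example.

```php
<?php
// Added example (not from any theme on this page). Two AJAX handlers in the
// shape the advisories describe, each first without and then with the checks
// WordPress provides. Action, option and post-type names are assumed.

// --- 1. Reset-to-defaults action (the Discy / JupiterX pattern) ----------

// Vulnerable shape: no nonce, no capability check. Any request that reaches
// admin-ajax.php with action=theme_reset_options and an admin's session
// cookie resets the settings; a form on a third-party page is enough.
function theme_reset_options_vulnerable() {
    delete_option( 'theme_options' );
    wp_send_json_success( 'reset' );
}

// Hardened shape. check_ajax_referer() verifies the nonce in $_REQUEST['nonce']
// against the action string and the logged-in user, and exits with a 403 on
// failure (third argument true); current_user_can() then enforces authorization.
function theme_reset_options_secure() {
    check_ajax_referer( 'theme_reset_options', 'nonce', true );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'theme_options' );
    wp_send_json_success( 'reset' );
}
// wp_ajax_{action} fires only for logged-in users. The wp_ajax_nopriv_ variant
// is deliberately not registered, so anonymous requests never reach the handler.
add_action( 'wp_ajax_theme_reset_options', 'theme_reset_options_secure' );

// --- 2. Delete-object action (the Workreap IDOR pattern) ----------------

// Vulnerable shape: a nonce is checked, but the handler trusts the supplied
// ID and never asks whether the caller owns the object.
function theme_delete_item_vulnerable() {
    check_ajax_referer( 'theme_delete_item', 'nonce', true );
    $id = (int) $_POST['item_id'];
    wp_delete_post( $id, true );
    wp_send_json_success( $id );
}

// Hardened shape: nonce, then an object-level check. The meta capability
// 'delete_post' on a specific ID makes WordPress compare the post author with
// the current user (assuming the post type was registered with map_meta_cap),
// while still letting administrators through.
function theme_delete_item_secure() {
    check_ajax_referer( 'theme_delete_item', 'nonce', true );
    $id   = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    $post = $id ? get_post( $id ) : null;
    if ( ! $post || 'theme_item' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $id, true );
    wp_send_json_success( $id );
}
add_action( 'wp_ajax_theme_delete_item', 'theme_delete_item_secure' );

// The nonces the hardened handlers expect are minted server-side and handed
// to the theme's own JavaScript, which sends them back with each request.
function theme_enqueue_admin_js() {
    wp_enqueue_script( 'theme-admin', get_template_directory_uri() . '/js/admin.js', array( 'jquery' ), '1.0', true );
    wp_localize_script( 'theme-admin', 'themeAjax', array(
        'url'         => admin_url( 'admin-ajax.php' ),
        'resetNonce'  => wp_create_nonce( 'theme_reset_options' ),
        'deleteNonce' => wp_create_nonce( 'theme_delete_item' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'theme_enqueue_admin_js' );
```

The nonce and the capability check answer different questions and neither replaces the other: the nonce proves the request was composed by the theme's own page for this user (CSRF), the capability or ownership check proves this user is allowed to do this to this object (authorization). Workreap's two CVEs are the two halves missing independently.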
NVD, added 2021/08/09 10:15 a.m.

CVE-2021-24304

The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability...

CVSS 6.1, EPSS 0.0265
Exploits: 2, References: 1
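The Ask me, JobMonster, CareerUp, Careerfy, 15Zine and Newsmag entries above all share one defect: a request parameter is written back into an HTML response without being escaped for the context it lands in, and for the AJAX variants the handler is reachable without logging in. The following is an added illustration written for this page, not code from any of those themes: a search fragment returned by an AJAX action in the unsafe shape and in a hardened one. The action name theme_search and the parameter name q are assumptions for the example.

```php
<?php
// Added example (not from any theme on this page). A search-results fragment
// served by an AJAX action, first in the unsafe shape the advisories describe
// and then hardened. The action name theme_search and parameter q are assumed.

// Vulnerable shape: the query-string value is concatenated straight into HTML.
// A request such as admin-ajax.php?action=theme_search&q=<script>...</script>
// reflects the payload verbatim, and because the nopriv hook is registered
// below, no login is needed to reach the handler.
function theme_search_vulnerable() {
    $q = $_GET['q'];
    echo '<h2>Results for ' . $q . '</h2>';
    wp_die();
}

// Hardened shape. sanitize_text_field() normalises the input on the way in
// (strips tags, invalid UTF-8 and line breaks); esc_html() / esc_attr() encode
// it on the way out. Both steps are needed: sanitisation alone does not make a
// value safe for every output context, and the escaper must match the context.
function theme_search_secure() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // A term longer than this is not a plausible search; cap it before querying.
    $q = mb_substr( $q, 0, 100 );

    $query = new WP_Query( array(
        's'              => $q,
        'post_status'    => 'publish',
        'posts_per_page' => 10,
        'no_found_rows'  => true,
    ) );

    echo '<h2>Results for ' . esc_html( $q ) . '</h2>';
    // The same value inside an attribute needs the attribute-context escaper.
    echo '<input type="search" name="q" value="' . esc_attr( $q ) . '">';
    while ( $query->have_posts() ) {
        $query->the_post();
        echo '<a href="' . esc_url( get_permalink() ) . '">' . esc_html( get_the_title() ) . '</a>';
    }
    wp_reset_postdata();
    wp_die();
}
add_action( 'wp_ajax_theme_search',        'theme_search_secure' );
add_action( 'wp_ajax_nopriv_theme_search', 'theme_search_secure' );
```

When auditing a theme for this class, grep every wp_ajax_nopriv_ handler and every template that reads $_GET or $_REQUEST, and check that each value reaching echo, printf or an attribute passes through the escaper for that context (esc_html, esc_attr, esc_url, esc_js) on the output line itself, not only through a sanitiser somewhere earlier.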