CVE-2024-53278
Cross-site scripting vulnerability exists in WP Admin UI Customize versions prior to ver 1.5.14. If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the admin screen...
CVE-2024-53278
CVE-2024-53278 is a stored cross-site scripting vulnerability in the WordPress plugin WP Admin UI Customize. Affected versions are those prior to 1.5.14. If a malicious admin user customizes the admin screen with crafted content, an arbitrary script can be executed in the web browser of other u...
WordPress plugin WP Admin UI Customize cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
CVE-2024-5791
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpid' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input...
WordPress Travelscape Theme 1.0.3 Arbitrary File Upload
Exploit Title: WordPress Theme Travelscape v1.0.3 - Arbitrary File Upload; Date: 2024-04-01; Author: Milad Karimi Ex3ptionaL; Category: webapps; Tested on: Windows 10, Firefox. import sys import os.path import requests import re import urllib3 from requests.exceptions import SSLError from...
BIT-WORDPRESS-MULTISITE-2020-4046 Authenticated XSS through embed block in WordPress
In affected versions of WordPress, users with low privileges like contributors and authors can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin...
Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure
Description The plugin does not adequately authorize the aysquizauthorusersearch AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses. import string import requests baseurl =...
EventPrime < 3.2.0 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. POC 1 - Visit any of the following pages created by the plugin: - Event Organize...
Fattura24 < 6.2.8 - Reflected Cross-Site Scripting
Description The plugin does not sanitize or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting vulnerability. wp-admin/options-general.php?page=fatt-24-tax&id=12alert1%3B...
Design/Logic Flaw
The Change WP Admin Login WordPress plugin before 1.1.4 discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered...
CVE-2023-3604 Change WP Admin < 1.1.4 - Secret Login Page Disclosure
The Change WP Admin Login WordPress plugin before 1.1.4 discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered...
CVE-2023-3604
CVE-2023-3604 affects the Change WP Admin Login WordPress plugin prior to version 1.1.4. The vulnerability arises from disclosing the URL of the hidden login page when a crafted URL is accessed, bypassing the plugin’s protection mechanism. Impact, as stated in multiple sources, is that an unauthe...
tagDiv Composer < 4.2 - Unauthenticated Stored XSS
Description The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scriptin...
WordPress Change wp-admin login Plugin < 1.1.4 is vulnerable to Bypass Vulnerability
Software: Change wp-admin login; Type: Plugin; Vulnerable versions: 1.1.4; Fixed in: 1.1.4; OWASP Top 10: A5: Security Misconfiguration; Classification: Bypass Vulnerability; CVE: CVE-2023-3604; Patch priority: Medium; CVSS severity: Medium 5.3; PSID: f402f5411a8e; Credits: Muhamad Arsyad...
Change WP Admin < 1.1.4 - Secret Login Page Disclosure
Description The plugin discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered. - Set custom Login URL under "Settings Permalinks". For example, login - As an unauthenticated visitor, open https://example.com/wp-admin/customize.php in a different...
Change WP Admin < 1.1.4 - Secret Login Page Disclosure
Description The plugin discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered. PoC - Set custom Login URL under "Settings Permalinks". For example, login - As an unauthenticated visitor, open https://example.com/wp-admin/customize.php in a...
WordPress SnazzyAdmin WP Admin Theme Plugin <= 1.0.2 is vulnerable to Cross Site Scripting (XSS)
Software: SnazzyAdmin WP Admin Theme; Type: Plugin; Vulnerable versions: = 1.0.2; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting XSS; CVE: CVE-2023-33999; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: e3611a722d35; Credits: Rafie Muhammad Patchsta...