
384 matches found

Prion
added 2022/06/27 10:15 p.m. | 14 views

Sql injection

A vulnerability classified as critical has been found in Kama Click Counter Plugin up to 3.4.8. This affects an unknown part of the file wp-admin/admin.php. The manipulation of the argument orderby/order with the input ASC%2cselectfromselectsleep2a leads to sql injection Blind. It is possible to...

CVSS 6.5 | AI score 8.8 | EPSS 0.00181
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2022/06/27 9:50 p.m. | 26 views

CVE-2017-20103 Kama Click Counter Plugin admin.php Blind sql injection

A vulnerability classified as critical has been found in Kama Click Counter Plugin up to 3.4.8. This affects an unknown part of the file wp-admin/admin.php. The manipulation of the argument orderby/order with the input ASC%2cselectfromselectsleep2a leads to sql injection Blind. It is possible to...

CVSS 6.3 | AI score 9 | EPSS 0.00181
Exploits: 1 | References: 2
CVE
added 2022/06/27 9:50 p.m. | 45 views

CVE-2017-20103

CVE-2017-20103 describes a blind SQL injection in the Kama Click Counter Plugin (up to version 3.4.8) affecting wp-admin/admin.php via the order_by/order parameter (ASC, (select sleep(2))). The vulnerability can be exploited remotely and the public exploit has been disclosed. Upgrading to version...

CVSS 8.8 | AI score 7.8 | EPSS 0.00181
Exploits: 1 | References: 2 | Affected Software: 1
NVD
added 2022/06/13 1:15 p.m. | 9 views

CVE-2022-1814

The WP Admin Style WordPress plugin through 0.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed...

CVSS 4.8 | EPSS 0.00206
Exploits: 2 | References: 1
NVD
added 2022/06/13 1:15 p.m. | 19 views

CVE-2022-1595

The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a specific crafted request...

CVSS 5.3 | EPSS 0.28084
Exploits: 2 | References: 1
NVD
added 2022/06/13 1:15 p.m. | 14 views

CVE-2022-1594

The HC Custom WP-Admin URL WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, allowing them to change the login URL...

CVSS 4.3 | EPSS 0.00103
Exploits: 2 | References: 1
Prion
added 2022/06/13 1:15 p.m. | 22 views

Cross site request forgery (csrf)

The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a specific crafted request...

CVSS 5 | AI score 5.2 | EPSS 0.28084
Exploits: 2 | References: 1 | Affected Software: 1
Prion
added 2022/06/13 1:15 p.m. | 16 views

Cross site scripting

The WP Admin Style WordPress plugin through 0.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed...

CVSS 3.5 | AI score 4.8 | EPSS 0.00206
Exploits: 2 | References: 1 | Affected Software: 1
CVE
added 2022/06/13 12:43 p.m. | 65 views

CVE-2022-1814

The CVE-2022-1814 entry concerns the WordPress plugin WP Admin Style (versions up to 0.1.2). The root cause is failure to sanitize/escape certain plugin settings, which can allow stored XSS by high-privilege users (e.g., admins) when unfiltered_html is disallowed. Several sources (Red Hat, CNVD, ...

CVSS 4.8 | AI score 4.7 | EPSS 0.00206
Exploits: 2 | References: 1 | Affected Software: 1
Cvelist
added 2022/06/13 12:43 p.m. | 12 views

CVE-2022-1814 WP Admin Style <= 0.1.2 - Admin+ Stored Cross-Site Scripting

The WP Admin Style WordPress plugin through 0.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed...

AI score 5 | EPSS 0.00206
Exploits: 2 | References: 1
CVE
added 2022/06/13 12:42 p.m. | 175 views

CVE-2022-1595

CVE-2022-1595 affects the WordPress HC Custom WP-Admin URL plugin up to version 1.4. The issue is unauthenticated information disclosure: a crafted request leaks the secret admin login URL, enabling potential brute‑force targeting of the admin panel. Affected: HC Custom WP-Admin URL WordPress plu...

CVSS 5.3 | AI score 5.2 | EPSS 0.28084
Exploits: 2 | References: 1 | Affected Software: 1
CVE
added 2022/06/13 12:42 p.m. | 76 views

CVE-2022-1594

CVE-2022-1594 concerns the WordPress plugin HC Custom WP-Admin URL (versions ≤ 1.4). The vulnerability is a lack of CSRF protection when updating settings, enabling a logged-in administrator to be coerced into changing the login URL via a CSRF attack. Impact aligns with Arbitrary Settings Update ...

CVSS 4.3 | AI score 4.4 | EPSS 0.00103
Exploits: 2 | References: 1 | Affected Software: 1
Positive Technologies
added 2022/06/13 12:00 a.m. | 3 views

PT-2022-13992 · WordPress · Hc Custom Wp-Admin Url

Name of the Vulnerable Software and Affected Versions: HC Custom WP-Admin URL WordPress plugin versions 1.4 and earlier Description: The issue allows the secret login URL to be leaked when a specific crafted request is sent. Recommendations: For HC Custom WP-Admin URL WordPress plugin versions 1....

CVSS 5.3 | AI score 5.1 | EPSS 0.28084
Exploits: 2 | References: 5
OSV
added 2022/05/30 9:15 a.m. | 3 views

CVE-2022-1589

The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attack could also be performed via a CSRF vector...

CVSS 7.5 | AI score 7.1 | EPSS 0.00295
Exploits: 2 | References: 1
NVD
added 2022/05/30 9:15 a.m. | 10 views

CVE-2022-1589

The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attack could also be performed via a CSRF vector...

CVSS 7.5 | EPSS 0.00295
Exploits: 2 | References: 1
ATTACKERKB
added 2022/05/30 9:15 a.m. | 3 views

CVE-2022-1589

The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attack could also be performed via a CSRF vector...

CVSS 7.5 | AI score 7.1 | EPSS 0.00295
Exploits: 2 | References: 2
CVE
added 2022/05/30 8:36 a.m. | 85 views

CVE-2022-1589

CVE-2022-1589 affects the WordPress plugin “Change wp-admin login” prior to version 1.1.0. The issue arises from insufficient authorization checks and missing CSRF protection when updating settings, enabling unauthenticated users to modify settings via CSRF vectors. Documented impact is unauthent...

CVSS 7.5 | AI score 7.5 | EPSS 0.00295
Exploits: 2 | References: 1 | Affected Software: 1
Github Security Blog
added 2022/05/24 5:18 p.m. | 20 views

bbPress stored Cross-Site Scripting (XSS) vulnerability in the Forum creation section

The bbPress plugin through 2.6.4 for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?post_type=forum (aka the Forum listing page) for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI...

CVSS 4.8 | AI score 6 | EPSS 0.00579
Exploits: 1 | References: 6 | Affected Software: 1
wpexploit
added 2022/05/23 12:00 a.m. | 108 views

Static Page eXtended <= 2.1 - Arbitrary Settings Update via CSRF to Stored XSS

Due to missing checks the plugin is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific features. This could also lead to Stored Cross-Site Scripting due to the lack of escaping in some of the settings...

CVSS 5.4 | AI score 5.3 | EPSS 0.00084
Exploits: 2
wpexploit
added 2022/05/18 12:00 a.m. | 114 views

HC Custom WP-Admin URL <= 1.4 - Arbitrary Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, allowing them to change the login URL...

CVSS 4.3 | AI score 1.6 | EPSS 0.00103
Exploits: 2