137 matches found
CVE-2018-18069
processforms in the WPML aka sitepress-multilingual-cms plugin through 3.6.3 for WordPress has XSS via any localefilename parameter such as localefilenameen in an authenticated theme-localization.php request to wp-admin/admin.php...
CVE-2018-18069
The CVE-2018-18069 entry concerns the WordPress plugin sitepress-multilingual-cms (WPML) up to version 3.6.3. A Cross-Site Scripting (XSS) flaw exists in the process_forms function via any locale_file_name_ parameter (e.g., locale_file_name_en) when making an authenticated request to wp-admin/adm...
WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The sitepress-multilingual-cms WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting XSS security vulnerability. POST /wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 6.1...
WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The sitepress-multilingual-cms WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting XSS security vulnerability. PoC POST /wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT...
WordPress WPML reminder_popup 跨站脚本漏洞
No description provided by source...
Uber: SQLi in love.uber.com
@iad found an SQL Injection vulnerability in one of our Wordpress blog's plugins the website being love.uber.com. This blog was hosted at WPEngine and did not contain any of our user's information. However due to our previously vague bug bounty rules we decided to reward the maximum of 3,000$ sin...
Uber: Multiple Vulnerabilities (Including SQLi) in love.uber.com
Hi, I noticed you are using a critically vulnerable version of WMPL. By accessing http://love.uber.com/wp-content/plugins/sitepress-multilingual-cms/changelog.md, Attacker could find out http://love.uber.com/ is running WMPL version 3.1.8.4 Which is Vulnerable to, 1. SQL injection which gives ful...
WordPress WPML Plugin SQL Injection (CVE-2015-2314)
An SQL injection vulnerability exists in the WPML plugin for WordPress, allowing remote attackers to execute arbitrary SQL commands...
WordPress WPML Plugin <= 3.2.6 - Cross Site Scripting
This plugin is prone to a cross site scripting vulnerability in accept-language header. Solution Update the plugin...
WPML 2.9.3-3.2.6 - Cross-Site Scripting (XSS) in Accept-Language Header
The sitepress-multilingual-cms WordPress plugin was affected by a Cross-Site Scripting XSS in Accept-Language Header security vulnerability...
CVE-2015-2792
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET...
CVE-2015-2791
The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php...
Design/Logic Flaw
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET...
Design/Logic Flaw
The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php...
CVE-2015-2792
The CVE-2015-2792 entry concerns the WordPress WPML plugin prior to 3.1.9. It describes a vulnerability where the plugin does not properly handle multiple actions in a single request, allowing an attacker to bypass nonce checks and perform arbitrary actions by including an action parameter in bot...
CVE-2015-2791
The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php...
CVE-2015-2792
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET...
CVE-2015-2791
CVE-2015-2791 affects the WordPress WPML plugin prior to 3.1.9. The vulnerability is in the plugin’s menu sync function and allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php. The evidence base also notes bro...
WordPress WPML Plugin <= 3.1.8 - SQL Injection #1
Because of the "menu sync" function, remote attackers can delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php. Related records:...
WordPress WPML plugin SQL injection vulnerability
WordPress is the WordPress Software Foundation's set of blogging platform developed using the PHP language, the platform supports PHP and MySQL servers to set up a personal blog site.WPML is one of the multi-language plug-ins. A SQL injection vulnerability exists in versions of the WordPress WPML...