11 matches found

Patchstack
added 2026/03/24 9:33 a.m. · 6 views

WordPress Shortcodes Blocks Creator Ultimate plugin <= 2.2.0 - Reflected Cross-Site Scripting via _wpnonce vulnerability

Reflected Cross-Site Scripting via wpnonce vulnerability discovered by vgo0 in WordPress Plugin Shortcodes Blocks Creator Ultimate versions <= 2.2.0...

6.1 CVSS · 5.8 AI score · 0.00298 EPSS
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2025/01/04 12:0 a.m. · 1 view

PT-2025-1785 · Weavertheme · Turnkey Bbpress

Name of the Vulnerable Software and Affected Versions: Turnkey bbPress by WeaverTheme plugin for WordPress versions up to, and including, 1.6.3
Description: The issue is related to Reflected Cross-Site Scripting via the wpnonce parameter due to insufficient input sanitization and output escaping...

6.1 CVSS · 8.7 AI score · 0.00345 EPSS
Exploits 0 · References 9
Vulnrichment
added 2024/12/21 8:23 a.m. · 1 view

CVE-2024-11808 Pingmeter Uptime Monitoring <= 1.0.3 - Reflected Cross-Site Scripting

The Pingmeter Uptime Monitoring plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpnonce' parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1 CVSS · 8.8 AI score · 0.00344 EPSS
Exploits 0 · References 2
Positive Technologies
added 2024/12/21 12:0 a.m. · 2 views

PT-2024-17264 · WordPress · Pingmeter Uptime Monitoring

Name of the Vulnerable Software and Affected Versions: Pingmeter Uptime Monitoring plugin for WordPress versions up to, and including, 1.0.3
Description: The issue is related to Reflected Cross-Site Scripting via the wpnonce parameter due to insufficient input sanitization and output escaping. Th...

6.1 CVSS · 8.8 AI score · 0.00344 EPSS
Exploits 0 · References 7
Positive Technologies
added 2024/12/07 12:0 a.m. · 2 views

PT-2024-17467 · WordPress · Shortcodes Blocks Creator Ultimate

Name of the Vulnerable Software and Affected Versions: Shortcodes Blocks Creator Ultimate plugin for WordPress versions up to, and including, 2.2.0
Description: The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing...

6.1 CVSS · 6.7 AI score · 0.00298 EPSS
Exploits 0 · References 6
CNNVD
added 2024/12/07 12:0 a.m. · 2 views

WordPress plugin Shortcodes Blocks Creator Ultimate cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...

6.1 CVSS · 7.7 AI score · 0.00298 EPSS
Exploits 0 · References 2
OSV
added 2022/03/21 7:15 p.m. · 2 views

CVE-2022-0628

The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

6.1 CVSS · 6.4 AI score · 0.00853 EPSS
Exploits 2 · References 2
ATTACKERKB
added 2022/03/21 7:15 p.m. · 4 views

CVE-2022-0628

The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...

6.1 CVSS · 6.3 AI score · 0.00853 EPSS
Exploits 2 · References 3
WPVulnDB
added 2021/07/27 12:0 a.m. · 24 views

uListing < 2.0.6 - Settings Update via CSRF

A Settings Update via CSRF vulnerability was discovered in the plugin. Missing WPNonce security tokens https://codex.wordpress.org/WordPressNonces . PoC PoC 1 | CSRF | Main Settings Update: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: admin cookies User-Agent: Mozilla/5.0...

4.3 CVSS · 0.2 AI score · 0.00423 EPSS
Exploits 1 · Affected Software 1
WPVulnDB
added 2021/07/27 12:0 a.m. · 18 views

uListing < 2.0.6 - Reflected Cross-Site Scripting

An Authenticated Reflected XSS vulnerability was discovered in the plugin. Vulnerable parameters: id, user, expireddate, createddate, updateddate. WPNonce is present in the original requests, but doesn't pass the correct check, as a result of which it doesn't work. PoC PoC 1 | Authenticated...

3.5 CVSS · 0.8 AI score · 0.00749 EPSS
Exploits 1 · Affected Software 1
Exploit DB
added 2019/04/05 12:0 a.m. · 510 views

WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress Crop-image Shell Upload', 'Description' = %q This module exploits a path traversal and a local file inclusion vulnerability on WordPres...

7.4 AI score
Exploits 0