‼ CVE-2023-1596 ‼
📖 Read
via "National Vulnerability Database".
The tagDiv Composer WordPress plugin before 4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0892 ‼
📖 Read
via "National Vulnerability Database".
The BizLibrary WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)📖 Read
via "National Vulnerability Database".
‼ CVE-2023-31986 ‼
📖 Read
via "National Vulnerability Database".
A Command Injection vulnerability in Edimax Wireless Router N300 Firmware BR-6428NS_v4 allows attacker to execute arbitrary code via the setWAN function in /bin/webs without any limitations.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-2179 ‼
📖 Read
via "National Vulnerability Database".
The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0490 ‼
📖 Read
via "National Vulnerability Database".
The f(x) TOC WordPress plugin through 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0761 ‼
📖 Read
via "National Vulnerability Database".
The Clock In Portal- Staff & Attendance Management WordPress plugin through 2.1 does not have CSRF check when deleting Staff members, which could allow attackers to make logged in admins delete arbitrary Staff via a CSRF attack📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0233 ‼
📖 Read
via "National Vulnerability Database".
The ActiveCampaign WordPress plugin before 8.1.12 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks📖 Read
via "National Vulnerability Database".
‼ CVE-2023-2009 ‼
📖 Read
via "National Vulnerability Database".
Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1.5.4 settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).📖 Read
via "National Vulnerability Database".
‼ CVE-2023-23654 ‼
📖 Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SparkPost plugin <=Â 3.2.5 versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0763 ‼
📖 Read
via "National Vulnerability Database".
The Clock In Portal- Staff & Attendance Management WordPress plugin through 2.1 does not have CSRF check when deleting Holidays, which could allow attackers to make logged in admins delete arbitrary holidays via a CSRF attack📖 Read
via "National Vulnerability Database".
‼ CVE-2023-31842 ‼
📖 Read
via "National Vulnerability Database".
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/index.php?page=edit_faculty&id=.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4774 ‼
📖 Read
via "National Vulnerability Database".
The Bit Form WordPress plugin before 1.9 does not validate the file types uploaded via it's file upload form field, allowing unauthenticated users to upload arbitrary files types such as PHP or HTML files to the server, leading to Remote Code Execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-31845 ‼
📖 Read
via "National Vulnerability Database".
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_class.php?id=.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22717 ‼
📖 Read
via "National Vulnerability Database".
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in nCrafts FormCraft plugin <=Â 1.2.6 versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-29862 ‼
📖 Read
via "National Vulnerability Database".
An issue found in Agasio-Camera device version not specified allows a remote attacker to execute arbitrary code via the check and authLevel parameters.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0520 ‼
📖 Read
via "National Vulnerability Database".
The RapidExpCart WordPress plugin through 1.0 does not sanitize and escape the url parameter in the rapidexpcart endpoint before storing it and outputting it back in the page, leading to a Stored Cross-Site Scripting vulnerability which could be used against high-privilege users such as admin, furthermore lack of csrf protection means an attacker can trick a logged in admin to perform the attack by submitting a hidden form.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-2180 ‼
📖 Read
via "National Vulnerability Database".
The KIWIZ Invoices Certification & PDF System WordPress plugin through 2.1.3 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization (assuming they can upload a file on the server)📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22706 ‼
📖 Read
via "National Vulnerability Database".
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in PropertyHive plugin <=Â 1.5.48 versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1019 ‼
📖 Read
via "National Vulnerability Database".
The Help Desk WP WordPress plugin through 1.2.0 does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-31844 ‼
📖 Read
via "National Vulnerability Database".
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_subject.php?id=.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1839 ‼
📖 Read
via "National Vulnerability Database".
The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.6 does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).📖 Read
via "National Vulnerability Database".