Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2023-5125: index.php in formget-contact-form/trunk – WordPress Plugin Repository

The Contact Form by FormGet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formget' shortcode in versions up to, and including, 5.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE
Open in Source
#xss#web#js#java#wordpress#php#auth#webkit
CVE-2023-43470: GitHub - ae6e361b/Online-Voting-System

SQL injection vulnerability in janobe Online Voting System v.1.0 allows a remote attacker to execute arbitrary code via the checklogin.php component.

CVE-2023-43469: Online Job Portal in PHP with Full Source Code (2020)

SQL injection vulnerability in janobe Online Job Portal v.2020 allows a remote attacker to execute arbitrary code via the ForPass.php component.

CVE-2023-43770: Security update 1.6.3 released

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.

CVE-2023-4716: class-mla-shortcode-support.php in media-library-assistant/trunk/includes – WordPress Plugin Repository

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shortcode in versions up to, and including, 3.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4774: Changeset 2969705 for wp-piwik – WordPress Plugin Repository

The WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp-piwik' shortcode in versions up to, and including, 1.0.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-34576: [CVE-2023-34576] Improper neutralization of SQL parameter in Opart Faq for PrestaShop

SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspedified vector.

CVE-2023-34577: [CVE-2023-34577] Improper neutralization of SQL parameter in Opart Planned popup for PrestaShop

SQL injection vulnerability in Prestashop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via OpartPlannedPopupModuleFrontController::prepareHook() method.

Luxcal Event Calendar 3.2.3 Cross Site Request Forgery

Luxcal Event Calendar version 3.2.3 suffers from a cross site request forgery vulnerability.