#wordpress

CVE-2022-0642

The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.

3 years ago

CVE

Open in Source

#xss #csrf #vulnerability #java #wordpress #perl

CVE-2022-1009

The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file

3 years ago

The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options

3 years ago

CVE

Open in Source

#csrf #wordpress #auth

CVE-2022-1275

The BannerMan WordPress plugin through 0.2.4 does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks when the unfiltered_html is disallowed (such as in multisite)

3 years ago

The IMDB info box WordPress plugin through 2.0 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3 years ago

The Slideshow WordPress plugin through 2.3.1 does not sanitize and escape some of its default slideshow settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

3 years ago

CVE

Open in Source

#xss #wordpress

CVE-2022-29408: WordPress Advanced Contact form 7 DB plugin <= 1.8.7 - Persistent Cross-Site Scripting (XSS) vulnerability - Patchstack

Persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin <= 1.8.7 at WordPress.

3 years ago

CVE

Open in Source

#xss #vulnerability #git #wordpress #auth

Learn How Hackers Can Hijack Your Online Accounts Even Before You Create Them

Malicious actors can gain unauthorized access to users' online accounts via a new technique called "account pre-hijacking," new research has found. The attack takes aim at the account creation process that's ubiquitous in websites and other online platforms, enabling an adversary to perform a set of actions before an unsuspecting victim creates an account in a target service. The study was led

3 years ago

The Hacker News

Open in Source

#vulnerability #web #microsoft #wordpress #auth #The Hacker News

CVE-2022-29004: PHP Project, PHP Projects Ideas, PHP Latest tutorials, PHP oops Concept

Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php.

3 years ago

CVE

Open in Source

#sql #xss #csrf #vulnerability #web #java #wordpress #php

Yik Yak fixes information disclosure bug that leaked users’ GPS location

Hairy MitM exploit independently discovered by two security researchers