Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-0431

The File Away WordPress plugin through 3.9.9.0.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

CVE
Open in Source
#xss#wordpress
CVE-2023-1323

The Easy Forms for Mailchimp WordPress plugin through 6.8.8 does not sanitise and escape some of its from parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-2362

The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before 1.5.1, Counter Box WordPress plugin before 1.2.2, Floating Button WordPress plugin before 5.3.1, Herd Effects WordPress plugin before 5.2.2, Popup Box WordPress plugin before 2.2.2, Side Menu Lite WordPress plugin before 4.0.2, Sticky Buttons WordPress plugin before 3.1.1, Wow Skype Buttons WordPress plugin before 4.0.2, WP Coder WordPress plugin before 2.5.6 do not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-2398

The Icegram Engage WordPress plugin before 3.1.12 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-2568

The Photo Gallery by Ays WordPress plugin before 5.1.7 does not escape some parameters before outputting it back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-2718

The Contact Form Email WordPress plugin before 1.3.38 does not escape submitted values before displaying them in the HTML, leading to a Stored XSS vulnerability.

CVE-2023-34468: Apache NiFi Security Reports

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.

CVE-2023-28933: WordPress Call Now Accessibility Button plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in StPeteDesign Call Now Accessibility Button plugin <= 1.1 versions.

CVE-2023-34026: WordPress This Day In History plugin <= 3.10.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in BrokenCrust This Day In History plugin <= 3.10.1 versions.

CVE-2023-29385: WordPress WP Abstracts plugin <= 2.6.2 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Kevon Adonis WP Abstracts plugin <= 2.6.2 versions.