All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as &lt;not-a-tag /&gt;) that is being parsed as HTML/JavaScript, and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user-input is provided to the autocomplete component.

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

**Types of attacks**

There are a few methods by which XSS can be manipulated:

Type

Origin

Description

**Stored**

Server

The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.

**Reflected**

Server

The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.

**DOM-based**

Client

The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.

**Mutated**

The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

**Affected environments**

The following environments are susceptible to an XSS attack:

*   Web servers
*   Application servers
*   Web application environments

**How to prevent**

This section describes the top best practices designed to specifically protect your code:

*   Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
*   Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
*   Give users the option to disable client-side scripts.
*   Redirect invalid requests.
*   Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
*   Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
*   Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

CVE-2022-25349: Cross-site Scripting (XSS) in materialize-css | CVE-2022-25349 | Snyk

Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. Attacker can execute malicious javascript on application.

**An attacker can execute malicious javascript in Live Helper Chat**

Low severity GitHub Reviewed Published Apr 30, 2022 • Updated May 3, 2022

GHSA-9hgc-wpc5-v8p9: An attacker can execute malicious javascript in Live Helper Chat

A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".

**Cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS**

Moderate severity GitHub Reviewed Published Apr 30, 2022 • Updated May 4, 2022

GHSA-jv64-2m3x-6v4q: Cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS

Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping.

**Woodpecker allows cross-site scripting (XSS) via build logs**

Moderate severity GitHub Reviewed Published Apr 30, 2022 • Updated May 3, 2022

GHSA-vmp5-c5hp-6c65: Woodpecker allows cross-site scripting (XSS) via build logs

This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the cross-site scripting (XSS) payload.

**tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload**

Moderate severity GitHub Reviewed Published Apr 30, 2022 • Updated May 3, 2022

GHSA-pxpf-v376-7xx5: tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-29947: Escape html / xml in log view by anbraten · Pull Request #879 · woodpecker-ci/woodpecker

This affects the package @yaireo/tagify before 4.9.8.
 The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.


Compare

Choose a tag to compare

 yairEO released this

· 32 commits to master since this release

v4.9.8

db18415

Compare

Choose a tag to compare

*   fixes #989 - fix XSS 198c045
*   removed unneeded line after recent change which moved this to another onEditDone 93f729c
*   fixes #984 - Readonly tags can be deleted by Backspace d675c3f
*   bugfix - in mix-mode, place the caret after a tag which was just edited, instead of before it 9d0787d
*   fixes #987 - edit tag bug 0f1ebbc

v4.9.7...v4.9.8

**Assets**2

*   Source code (zip)
*   Source code (tar.gz)

CVE-2022-25854: Release v4.9.8 · yairEO/tagify

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Subscribe to Comments Reloaded is a robust plugin that enables commenters to sign up for e-mail notification of subsequent entries. The plugin includes a full-featured subscription manager that your commenters can use to unsubscribe to certain posts or suspend all notifications. It solves most of the issues that affect Mark Jaquith’s version, using the latest WordPress features and functionality. Plus, allows administrators to enable a double opt-in mechanism, requiring users to confirm their subscription clicking on a link they will receive via email or even One Click Unsubscribe.

**Requirements**

*   WordPress 4.0 or higher
*   PHP 5.6 or higher
*   MySQL 5.x or higher

**Main Features**

*   Easily manage and search among your subscriptions
*   Imports Mark Jaquith’s Subscribe To Comments (and its clones) data
*   Messages are fully customizable, no poEdit required (and you can use HTML!) with a Rich Text Editor – WYSIWYG
*   Disable subscriptions for specific posts
*   One Click Unsubscribe
*   Get and Download your System information for better support.

**Language Localization**

If you would like to help out translating the plugin to your language you can do so through the official WordPress plugin translation system

1.  If you are using Subscribe To Comments by Mark Jaquith, disable it (no need to uninstall it, though)
2.  Upload the entire folder and all the subfolders to your WordPress plugins’ folder. You can also use the downloaded ZIP file to upload it.
3.  Activate it
4.  Customize the Permalink value under Settings > Subscribe to Comments > Management Page > Management URL. It **must** reflect your permalinks’ structure
5.  If you don’t see the checkbox to subscribe, you will have to manually edit your template, and add <?php global $wp_subscribe_reloaded; if (isset($wp_subscribe_reloaded)){ echo $wp_subscribe_reloaded->stcr->subscribe_reloaded_show(); } ?> somewhere in your comments.php
6.  If you’re upgrading from a previous version, please **make sure to deactivate/activate** StCR.
7.  You can always install the latest development version by taking a look at this Video

**Are there any video tutorials?**

Yeah, I have uploaded a few videos for the following topics:

1.  Issues Updating StCR via WordPress Update
2.  Issues with StCR links see StCR Clickable Links
3.  Issues with empty emails or management messages? see StCR Management Message
4.  Upgrading from the latest development version see Upgrading

**Why my notifications are not in HTML format?**

Don’t worry, just go to the Options tab an set to Yes the **Enable HTML emails** option.

**How can I reset all the plugin options?**

There is a new feature called **Safely Uninstall** that allow you to delete the plugin using the WordPress plugin interface. If you have the option set to **Yes** everything but the subscriptions created by the plugin will be wipeout. So after you made sure that you have this option to **Yes** you can deactivate the plugin and the delete it. Now you have to install the plugin via WordPress or Upload the plugin zip file and activate it, after this step all your settings will be as default and your subscriptions will remain.  
There is a new feature added on the Options tab where you can reset all the settings by using only one click. You can either wipe out all the subscriptions or keep them.

**What can I do if the \*\*Safely Uninstall\*\* does not have any value?**

Just deactivate and activate the plugin and you are all set. The default value will be **Yes**.

**Aaargh! Were did all my subscriptions go?**

No panic. If you upgraded from 1.6 or earlier to 2.0+, you need to deactivate/activate StCR, in order to update the DB structure. After the version 180212 a fix was applied so that you can see all the subscriptions.

**Can I customize the layout of the management page?**

Yes, each HTML tag has a CSS class or ID that you can use to change its position or look-and-feel.

**How do I disable subscriptions for a given post?**

Add a custom field called stcr_disable_subscriptions to it, with value ‘yes’

**How do I add the management page URL to my posts?**

Use the shortcode [subscribe-url], or use the following code in your theme:  
global $wp\_subscribe\_reloaded; if (isset($wp\_subscribe\_reloaded)){ echo ‘Subscribe“;

**Can I move the subscription checkbox to another position?**

Yes! Just disable the corresponding option under Settings > Comment Form and then add the following code where you want to display the checkbox:  
stcr->subscribe\_reloaded\_show(); } ?>

**What if after update to the version 141024 I still see plain HTML messages?**

The information of your configuration needs to be updated. Go to the Subscribe to Comments Reloaded settings and click the Save Changes button on the tab  
where you have you messages with HTML.

**How to generate a new Key for my Site?**

Just go to the Options Panel and click the generate button. By generating a new key you prevent the spam bots to steal your links.

People from my website, who made subscription for comments, said that in e-mail they get the IP of user, who left the comment. I\`m going to find another plugin.

I have the v.210315 I translated it into Italian 100% with Loco translated, but I noticed that in the plugin there are still many entries in English.

Just installed this as an alternative to setting up a forum, which seemed too much like hard work! Love it so far, very easy to set up and I like the fact that every item has a "?" so you can find out what it means before setting it.

Believe me guys, I tried all the plugins out there available for comment subscription and this is the only plugin that is robust, reliable and with continuous support from the author for a very long time. And guess what it's completely free. Thanks a lot for this wonderful plugin. All the best for your great success.

A fabulous plugin that helps people to stay engaged with the posts they appreciate much. Thank you!

If I had written design specs for a plugin and commissioned someone to write it, the result would not have been as good as this plugin is. Setting up this plugin it quickly becomes apparent that a lot of real-world experience has been incorporated into it over the years. The end result is, that it works like a dream and totally exceeds my expectations. Thanks so much!

Read all 156 reviews

“Subscribe To Comments Reloaded” is open source software. The following people have contributed to this plugin.

Contributors

*    WPKube

**v211130**

*   **Fix** Removed custom error handler (thanks to JakeQZ for bringing the issue to our attention)
*   **Fix** Processing form submission in subscribe.php is now stopped in case “subscribe without commenting” is enabled

**v211019**

*   **Fix** Issue with STCR output on non-virtual management page

**v210315**

*   **Fix** Removed the “need help” added via “contextual\_help” (deprecated)
*   **Fix** PHP 8 deprecated notice
*   **Fix** Fix issue with missing submit button when using “stcr\_disable\_subscription” custom field
*   **Tweak** Bump up WP “tested up to” version to 5.7

**v210126**

*   **New** Option to disable the “subscribe without commenting” and “request management link” pages. ( WP Admin > StCR > Management Page )

**v210110**

*   **Fix** Limit subscription types on the management page when only a specific subscription is allowed
*   **Fix** JS error on front-end

**v210104**

*   **New** Google reCAPTCHA now available for the “subscribe without commenting” and “request management subscription” form (WP admin > StCR > Options)
*   **Improvement** When using the checkbox (not the select box from advanced subscription) you can now select the subscription type (all or replies) (WP admin > StCR > Comment Form)
*   **Improvement** \[comment\_author\] can now be used in the Notification subject (WP admin > StCR > Notifications)
*   **Improvement** Replaced final instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Fix** The form to “request management link” will now check if that email is a subscriber before sending a link
*   **Fix** Issue with broken option tooltips on Notifications settings page
*   **Tweak** Removed HTML comments around the plugin’s output on the frontend

**v200813**

*   **Fix** Error when permanently deleting a post/page/… (related to WP 5.5 change in the “delete\_post” hook coming with a 2nd parameter)

**v200629**

*   **New** Option to show the subscription checkbox/select only for logged in users (option called “Enable only for logged in users” and located in WP admin > StCR > Options)
*   **New** Added \[comment\_date\] and \[comment\_time\] shortcodes which can be used in the “notification message”.
*   **Improvement** Challenge question/answer now shows on “request management link” page as well
*   **Improvement** Replaced multiple instances of jQuery code to be raw JavaScript (not rely on jQuery)
*   **Tweak** Added label for the checkbox in “Screen Options”
*   **Tweak** Email input value fallback to “email” removed
*   **Fix** Subscriptions will no longer duplicate when post is copied/duplicated with the “Duplicate Post” plugin
*   **Fix** Fixed issue with PHP notice when $comment object does not have comment\_approved set
*   **Fix** The jQuery code that handles moving the position of the checkbox is now added later on in the code to avoid issue when jQuery gets loaded in the footer

**v200422**

*   **New** Arabic translation, thanks to Yaser Maadan
*   **Fix** WP\_PLUGIN\_URL replaced by plugins\_url()
*   **Fix** Issue with “generate new key” button for “StCR Unique Key” not working (WP Admin > StCR > Options)
*   **Fix** Issue with ordering by date in the subscription management table (WP Admin > StCR > Manage subscriptions)
*   **Fix** Issue with management page ( /comment-subscriptions/ ) being shown for child pages as well ( /comment-subscriptions/something-else/ )
*   **Fix** Corrections in Hungarian translation
*   **Tweak** Some other minor tweaks

**v200205**

*   **New** Function for developers to add subscribers. Check the guide
*   **New** Option to set a challenge (question + answer) for the “subscribe without commenting” form to prevent automatic bot submissions
*   **Fix** It is now possible to send out plain text emails instead of HTML emails. Check the guide
*   **Fix** It is now possible for visitors to subscribe to comments when the comments are only open for logged in users and the visitor is not logged in
*   **Fix** Corrections in German translation

**v191217**

*   **Improvement** Option to enable/disable the plugin from setting cookies (email address after subscription)
*   **Improvement** German translation improvements (thanks to Greendroid)

**v191209**

*   **Improvement** Logged in users no longer need to submit the “email” form on a subscription page in order to access their subscriptions
*   **Improvement** Ability to filter/search the subscriptions table ( WP admin > StCR > Manage Subscriptions ) when there are more than 1000 subscriptions

**v191028**

*   **Fix** Issue with “Default Checkbox Value” not being saved
*   **Fix** Issue with /comment-subscriptions taking to 404 ( when it does not end with / )
*   **Tweak** Error notification when \[manager\_link\] used in “Management Page message”.

**v191011**

*   **Fix** Revert changes to error logging due to PHP errors/warnings

**v191009**

*   **Fix** Issue with post slug being displayed instead of the post title on unsubscribe
*   **Fix** HTML validation error in subscribe template
*   **Fix** Fix German translation “Nicht abonnieren”
*   **Fix** Fix import data from Subscribe Reloaded by Mark Jaquith
*   **Fix** Issue with using double quotes in options
*   **Tweak** Show a message to the comment author to check his email to confirm subscription
*   **Tweak** Performance improvement for error logging

**v190529**

*   **Fix** Issue with being unable to dismiss admin notices shown by StCR
*   **Fix** Virtual management page was still being shown even when disabled

**v190523**

*   **Fix** Remove the old system information functionality

**v190510**

*   **New** Option to only enable the functionality for blog posts ( option named “Enable only for blog posts” located in WP admin > StCR > StCR Options)
*   **Tweak** Info on subscriber and subscriptions amount moved into separate table
*   **Fix** Text domain

**v190426**

*   **New** Info on the amount of subscribers and subscriptions added in WP admin > StCR > StCR System
*   **Fix** Text domain (for translations) has been changed to the correct domain (from subscribe-reloaded to subscribe-to-comments-reloaded)
*   **Fix** Issue with undefined is\_rtl function
*   **Fix** Missing blank space between sentences (below comment form when subscribed)
*   **Fix** Undefined variable notices for $order\_status and $order\_dt
*   **Fix** Temporarily hidden an unused option in StCR > Management Page to avoid confusion.
*   **Fix** Removed localization for non textual strings
*   **Fix** Fixed incorrectly localized textual strings

**v190412**

*   **Fix** Issue with JavaScript code that is supposed to show the form when “StCR Position” is enabled

**v190409**

*   **Fix** Post author was notified of new comments even if they are awaiting approval, no need for this since WordPress itself sends out an email in that case
*   **Fix** Post author was notified twice ( if he was subscribed and “subscribe authors” was enabled )
*   **Fix** Issue with “StCR Position” option ( for older/outdated themes ) not working properly
*   **Fix** Issue with wrong translation in German
*   **Tweak** The “Action” select box labels on “Manage Subscriptions” page tweaked to be more descriptive

**v190325**

*   **New** Shortcode for manage page content (to be used on non-virtual management page). The shortcode is \[stcr\_management\_page\]
*   **Rewrite** New method for downloading system information file
*   **Fix** The admin panel CSS and JavaScript files now load only on StCR pages
*   **Fix** Tooltips not showing up on System options page
*   **Fix** Conflict with MailChimp for WP plugin (comment filter received echo instead of return which caused the issue)
*   **Fix** Issue with select/deselect all on management page
*   **Tweak** The MySQL requirements info on the system page now uses WordPress requirements
*   **Tweak** The post author will no longer be notified of his/her own comments

**v190305**

*   **Fix** Issue with “Subscribe authors” functionality sending the emails to administrator instead of the post author

**v190214**

*   **Fix** String error calling the Curl Array.
*   **Fix** wrong array definition that was breaking the site in some newer PHP versions.
*   **Fix** error by calling $wp_locale that was not needed.
*   **Fix** wrong label on option issue #467.
*   **Fix** typo en help description issue #468.

**v190117**

*   **Fix** missing checkbox when the option **StCR Position** was set to **Yes**.
*   **Fix** styles on admin notices.
*   **Fix** filenames to match the correct menu name.
*   **Fix** \# issue#431 and issue#444.
*   **Fix** warning message that was notifying the server when the Management URL was empty. Now the field must have a value. Props @breezynetworks on WordPress Forum
*   **Fix** value of management page to get it on the event insteadof page load.
*   **Add** translation for Subs Table, Add PHP error logger.
*   **Add** Plugin information on Cards.
*   **Add** the Phing build script to automate the deployment and testings.
*   **Add** WebUI Popover library to display the help messages in a clear way.
*   **Add** dropdown menu on the options tab to include the System menu.
*   **Add** option to download the system report.
*   **Add** functionality to create the system report via Ajax.
*   **Add** cron to clean house the system report file.
*   **Upgrade** the **Comment Form** Panel 2 options.
*   **Upgrade** the **Management Page** panel.
*   **Upgrade** the **Options** Panel.
*   **Upgrade** the **Support** Panel.
*   **Upgrade** the **StCR System** Menu.
*   **Update** font awesome refrences.
*   **Update** Admin Menus with Bootstrap.
*   **Implement** Pagination using plugins and fix responsive layout of management page.
*   **Implement** SASS for the CSS files.
*   **Implement** a cache array for the menu options.
*   **Remove** unecessary components from Composer.
*   **Remove** double inclusion of Font Awesome.
*   **Modify** Bower, Gulp and Phing files to implement WebUI Popover.
*   **Refactor** the options saving process.
*   **Refactor** code to move the functional saving options to the Utils Class.
*   **Set** the Double Verification option to yes.
*   **Create** array of options for improve support.
*   **Sanitize** input and out of data preventing XSS. Code modification and suggestion by @jnorell.
*   **Re Word** option to avoid missleading to new users. Props @padraigobeirn.
*   **Move** the plugin core files to the folder **src** in order to implement npm and bower task managers.

**v180225**

*   **Fix** error when a user subscribe to a new post and the double opt-in was enable, preventing the double opt-in not sending the email message. Issue#350.
*   **Add** email and post id validation on the StCR backened.
*   **Add** email, search and post id validation on the frontend.
*   **Add** backened validation for input data (email) on the subscribe and request management pages.
*   **Add** debug messages to improve support.
*   **Add** feature to change the date format output on the management page for both the User page and Author. See issue#345.
*   **Remove** the inclusion of the plugin scripts with WP enqueue. This will load only the needed script on specific pages. Will remove request to the server to get scripts.

CVE-2022-29414: Subscribe To Comments Reloaded

CVE-2021-41948: 1-click stored XSS from admin panel to site · Issue #8 · intelliants/subrion-plugin-contact_us

A vulnerability has been found in automad up to 1.10.9 and classified as problematic. This vulnerability affects the Dashboard. The manipulation of the argument title with the input Home</title><script>alert("home")</script><title> leads to a cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit details have disclosed to the public and may be used.

**automad<=1.10.9 Stored Cross-Site Scripting(XSS)****Description**

    The system Client doesn't properly sanitise POST parameter, which result into a Stored Cross-Site Scripting(XSS).
    

**Vendor Homepage**

    https://github.com/marcantondahmen/automad
    https://automad.org/
    

**Author****Proof of Concept**

1,After installing the program, log in to the background system, modify the website title and inject attack code, and then submit

    Home</title><script>alert("home")</script><title>
    

2,Visiting the home page of the website will trigger the code

Tag

#xss