| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Server-Side Request Forgery (SSRF) vulnerability in WappPress Team WappPress.This issue affects WappPress: from n/a through 6.0.4. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imbasynergy ImbaChat allows DOM-Based XSS.This issue affects ImbaChat: from n/a through 3.1.4. |
| Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master.This issue affects Quiz And Survey Master: from n/a through 8.1.18.
|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cloudways Breeze allows Stored XSS.This issue affects Breeze: from n/a through 2.1.3.
|
| A vulnerability was found in TP-Link VN020 F3v(T) TT_V6.2.1021. It has been rated as critical. This issue affects some unknown processing of the file /control/WANIPConnection of the component Incomplete SOAP Request Handler. The manipulation leads to denial of service. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. |
| Missing Authorization vulnerability in Octolize Flexible Shipping.This issue affects Flexible Shipping: from n/a through 4.24.15.
|
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Nicejob NiceJob allows Stored XSS.This issue affects NiceJob: from n/a before 3.6.5. |
| Missing Authorization vulnerability in Megamenu Max Mega Menu.This issue affects Max Mega Menu: from n/a through 3.3.
|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benoti Brozzme Scroll Top allows Stored XSS.This issue affects Brozzme Scroll Top: from n/a through 1.8.5.
|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Filtr8 Easy Magazine allows DOM-Based XSS. This issue affects Easy Magazine: from n/a through 2.1.13. |
| The Social Media Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'patreon' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 5centsCDN 5centsCDN allows Reflected XSS.This issue affects 5centsCDN: from n/a through 24.8.16. |
| The UberMenu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ubermenu-col, ubermenu_mobile_close_button, ubermenu_toggle, ubermenu-search shortcodes in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Cross-Site Request Forgery (CSRF) vulnerability in harrysudana Contact Form 7 Calendar allows Stored XSS. This issue affects Contact Form 7 Calendar: from n/a through 3.0.1. |
| Absolute File Traversal vulnerabilities in ASPECT allows access and modification of unintended resources.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. |
| Missing Authorization vulnerability in NotFound Site Notify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Site Notify: from n/a through 1.0. |
| Plane, an open-source project management tool, has a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.17-dev. This issue may allow an attacker to send arbitrary requests from the server hosting the application, potentially leading to unauthorized access to internal systems. The impact of this vulnerability includes, but is not limited to, unauthorized access to internal services accessible from the server, potential leakage of sensitive information from internal services, manipulation of internal systems by interacting with internal APIs. Version 0.17-dev contains a patch for this issue. Those who are unable to update immediately may mitigate the issue by restricting outgoing network connections from servers hosting the application to essential services only and/or implementing strict input validation on URLs or parameters that are used to generate server-side requests. |
| The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others. |
| The WP Recipe Maker plugin for WordPress is vulnerable to SQL Injection via the 'recipes' parameter in all versions up to, and including, 9.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. |
| Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 resolves this issue by only allowing HTTP and HTTPS URLs during parsing. This affects only the `embed` property returned from `useMediaState`. In addition, the `url` property returned from `useMediaState` has been renamed to `unsafeUrl` to indicate that it has not been sanitised. The `url` property on `element` is also unsafe, but has not been renamed. If you're using either of these properties directly, you will still need to validate the URL yourself. Users are advised to upgrade. Users unable to upgrade should ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element.
|
