| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| SeaCMS <=13.0 is vulnerable to command execution in phome.php via the function Ebak_RepPathFiletext(). |
| Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin (versions <= 5.3.3). Vulnerable at &widget-wpp[2][post_type]. |
| Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage. |
| SeaCMS 13.0 has a remote code execution vulnerability. The reason for this vulnerability is that although admin_editplayer.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges. |
| Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings. |
| Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration. |
| An issue was discovered in SeaCMS version 12.9, allows remote attackers to execute arbitrary code via admin notify.php. |
| Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in WordPress uListing plugin (versions <= 2.0.5) as it lacks CSRF checks on plugin administration pages. |
| Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to modify user roles. |
| SQL injection vulnerability in SeaCMS version 12.9, allows remote unauthenticated attackers to execute arbitrary code and obtain sensitive information via the id parameter in class.php. |
| Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions <= 2.0.5). |
| Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom. |
| Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, vulnerable parameter &yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration. |
| Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. Vulnerable parameters: 1 - "Newsletter" tab, &yith_maintenance_newsletter_submit_label parameter: payload should start with a single quote (') symbol to break the context, i.e.: NOTIFY ME' autofocus onfocus=alert(/Visse/);// v=' - this payload will be auto triggered while admin visits this page/tab. 2 - "General" tab issues, vulnerable parameters: &yith_maintenance_message, &yith_maintenance_custom_style, &yith_maintenance_mascotte, &yith_maintenance_title_font[size], &yith_maintenance_title_font[family], &yith_maintenance_title_font[color], &yith_maintenance_paragraph_font[size], &yith_maintenance_paragraph_font[family], &yith_maintenance_paragraph_font[color], &yith_maintenance_border_top. 3 - "Background" tab issues, vulnerable parameters: &yith_maintenance_background_image, &yith_maintenance_background_color. 4 - "Logo" tab issues, vulnerable parameters: &yith_maintenance_logo_image, &yith_maintenance_logo_tagline, &yith_maintenance_logo_tagline_font[size], &yith_maintenance_logo_tagline_font[family], &yith_maintenance_logo_tagline_font[color]. 5 - "Newsletter" tab issues, vulnerable parameters: &yith_maintenance_newsletter_email_font[size], &yith_maintenance_newsletter_email_font[family], &yith_maintenance_newsletter_email_font[color], &yith_maintenance_newsletter_submit_font[size], &yith_maintenance_newsletter_submit_font[family], &yith_maintenance_newsletter_submit_font[color], &yith_maintenance_newsletter_submit_background, &yith_maintenance_newsletter_submit_background_hover, &yith_maintenance_newsletter_title, &yith_maintenance_newsletter_action, &yith_maintenance_newsletter_email_label, &yith_maintenance_newsletter_email_name, &yith_maintenance_newsletter_submit_label, &yith_maintenance_newsletter_hidden_fields. 6 - "Socials" tab issues, vulnerable parameters: &yith_maintenance_socials_facebook, &yith_maintenance_socials_twitter, &yith_maintenance_socials_gplus, &yith_maintenance_socials_youtube, &yith_maintenance_socials_rss, &yith_maintenance_socials_skype, &yith_maintenance_socials_email, &yith_maintenance_socials_behance, &yith_maintenance_socials_dribble, &yith_maintenance_socials_flickr, &yith_maintenance_socials_instagram, &yith_maintenance_socials_pinterest, &yith_maintenance_socials_tumblr, &yith_maintenance_socials_linkedin. |
| OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department. |
| OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Management module. |
| OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component {{rootpath}}/links. |
| Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "lock". This allows changing the uploaded media title, media file name, and media locking state. |
| Reflected Cross-Site Scripting (XSS) vulnerability in WordPress Ivory Search plugin (versions <= 4.6.6). Vulnerable parameter: &post. |
| Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions. |
