The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess etc), as well as perform Local File Inclusion attacks as PHP files will…
The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved Zafiyet ile ilgili Genel…
The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files Zafiyet ile ilgili Genel Bilgi, Etki ve Çözümleri için Devamını Oku Kaynak: National Vulnerability Database
The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files Devamını Oku Kaynak: NIST
The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users due to…
The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users due to…
The Cost Calculator WordPress plugin before 1.6 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price Settings (which gets injected on the edit page as well as any page that embeds the calculator using the shortcode), as well as…
The Cost Calculator WordPress plugin through 1.4 allows users with a role as low as Contributor to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post’s Layout Zafiyet ile ilgili Genel Bilgi, Etki ve Çözümleri için Devamını Oku Kaynak: National Vulnerability Database
The Cost Calculator WordPress plugin through 1.4 allows users with a role as low as Contributor to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout Devamını Oku Kaynak: NIST
The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors. Devamını Oku
The WP Limits WordPress plugin through 1.0 does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting low values Devamını Oku
The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks Devamını Oku