Text Exploits
31,386 exploits tracked across all sources.
WordPress International Sms Contact Form 7 Integration 1.2 XSS
WordPress International SMS for Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers.
by Milad karimi
CVSS 6.1
Security Audit WordPress Plugin < 1.0.0 - Authenticated Stored Cross-Site Scripting via Data Id Setting
The Security Audit WordPress plugin through 1.0.0 does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
by Shweta Mahajan
CVSS 4.8
CP Blocks < 1.0.15 - Authenticated Stored Cross-Site Scripting via License ID Setting
The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
by Shweta Mahajan
CVSS 4.8
Hospital Management System v4.0 - SQL Injection
Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/func.php via the email parameter.
by nu11secur1ty
CVSS 9.8
FileBrowser < 2.18.0 - Cross-Site Request Forgery via Malicious HTML Webpage
A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE.
by FEBIN MON SAJI
CVSS 8.8
WordPress Plugin IP2Location Country Blocker 2.26.7 Stored XSS
WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page settings that execute when administrators or other authenticated users visit the plugin settings page.
by Ahmet Serkan Ari
CVSS 6.4
Flame II HSPA USB Modem - Privilege Escalation
Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Internet Telcel\ApplicationController.exe' to execute arbitrary code with elevated system privileges.
by Ismael Nava
CVSS 9.8
uBidAuction 2.0.1 mailingLog manage Reflected XSS
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
by Vulnerability-Lab
CVSS 6.1
uBidAuction 2.0.1 auctions manage Reflected XSS
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
by Vulnerability-Lab
CVSS 6.1
uBidAuction 2.0.1 tickets manage Reflected XSS
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
by Vulnerability-Lab
CVSS 6.1
uBidAuction 2.0.1 news manage Reflected XSS
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
by Vulnerability-Lab
CVSS 6.1
uBidAuction 2.0.1 posts manage Reflected XSS
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
by Vulnerability-Lab
CVSS 6.1
uBidAuction 2.0.1 myAuctions loose Reflected XSS
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
by Vulnerability-Lab
CVSS 6.1
uBidAuction 2.0.1 myAuctions active Reflected XSS
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
by Vulnerability-Lab
CVSS 6.1
uBidAuction 2.0.1 myOrders Reflected XSS
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
by Vulnerability-Lab
CVSS 6.1
CONTPAQi AdminPAQ 14.0.0 - Code Injection
CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject malicious code in the service binary path, potentially executing arbitrary code with elevated system privileges during service startup.
by Angel Canseco
CVSS 8.4
Ametys CMS 4.4.1 - Stored Cross-Site Scripting in Link Directory Input Fields
Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modules.
by Vulnerability-Lab
CVSS 6.1
Firefox < 60.7.1, < 67.0.3 and Thunderbird < 60.7.2 - Type Confusion via Array.pop
A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.
by Forrest Orr
CVSS 8.8
Product Slider for WooCommerce < 1.13.22 - Reflected XSS via Slider Import
The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitise the keyword GET parameter, leading to a reflected Cross-Site Scripting issue.
by 0xB9
CVSS 6.1
Post Grid < 2.1.8 - Reflected Cross-Site Scripting via Slider Import Search Feature and Tab Parameter
The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues.
by 0xB9
CVSS 6.1
LearnPress < 4.1.5 - Info Disclosure
Users of the LearnPress WordPress plugin before 4.1.5 can upload an image as a profile avatar after registration. After this process the user crops and saves the image. Then a "POST" request that contains the user-supplied name of the image is sent to the server for renaming and cropping of the image. As a result of this request, the name of the user-supplied image is changed to an MD5 value. This process can be conducted only when the type of the image is JPG or PNG. An attacker can use this vulnerability in order to rename an arbitrary image file. By doing this, they could destroy the design of the web site.
by Ceylan BOZOĞULLARINDAN
CVSS 4.3
Domain Check WordPress Plugin < 1.0.17 - Reflected Cross-Site Scripting via Domain Parameter
The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.
by Ceylan BOZOĞULLARINDAN
CVSS 6.1
Contact Form Check Tester < 1.0.2 - Stored Cross-Site Scripting via Plugin Settings
The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and lack any sanitisation. As a result, any registered user, such as a subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin.
by 0xB9
CVSS 5.4