Tag: #php

WordPress Core 5.6.2 XPath Injection

WordPress Core version 5.6.2 appears to suffer from an XPath injection vulnerability via the log parameter.

Packet Storm
Education Time Indonesian School CRM 1.7 Directory Traversal

Education Time Indonesian School CRM version 1.7 suffers from a directory traversal vulnerability.

CVE-2023-2916: core.class.php in iwp-client/tags/1.11.1 – WordPress Plugin Repository

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.

CVE-2023-4308: Changeset 2952471 for user-submitted-posts – WordPress Plugin Repository

The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user-submitted-content’ parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4347: Fix unsanitized input injection (#15184) · librenms/librenms@91c57a1

Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.8.0.

Red Hat Security Advisory 2023-4625-01

Red Hat Security Advisory 2023-4625-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation.

BookingWizz 6.0.1 Information Disclosure

BookingWizz version 6.0.1 suffers from an information leakage vulnerability.

DBCInfoTech CMS 2.0 Administrator Reinstall

DBCInfoTech CMS version 2.0 suffers from an unauthenticated administrator reinstall vulnerability.

Education Time Indonesian School CRM 1.7 Cross Site Scripting

Education Time Indonesian School CRM version 1.7 suffers from a cross site scripting vulnerability.

Eden CMS 1.02 Cross Site Scripting

Eden CMS version 1.02 suffers from a cross site scripting vulnerability.