The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has multiple XSS issues via AJAX requests.

*   Details
*   Reviews
*   Development

This plugin has been closed as of December 13, 2022 and is not available for download. Reason: Security Issue.

I've been using this since 2012 and it is beautiful. However, it hasn't been updated in a while and now throws PHP errors. I'm giving 5 stars because it served its purpose for me for so many years and I'm grateful for that

This was a best plug in, but now not anymore. Not working on latest WordPress. Use Urvanov Syntax Highlighter instead.

DO NOT USE THIS PLUGIN anymore, it will cause your posts' content to stop displaying from the first tag onwards. If you have it, remove it now.

Sadly this awesome, fully featured plugin does not work on the latest versions of WordPress.

WHEN SOME UPDATES? THE SITE SENDS ME TO CRASH. I HAVE THE UPDATED VERSION 5.4.2. OF WordPress. UPDATE, UPDATE PLEASE HELP ME.

Wordpress generated message: "Your Site is Experiencing a Technical Issue"

Read all 150 reviews

“Crayon Syntax Highlighter” is open source software. The following people have contributed to this plugin.

Contributors

*    akarmenia

CVE-2016-10893: Crayon Syntax Highlighter

The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter.

CVE-2019-14789

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/payments/class-payments-query.php.

** Zero-Day Advisory**

**Fortinet Discovers WordPress Give SQL Injection Vulnerability**

**Summary**

Fortinet's FortiGuard Labs has discovered a SQL injection vulnerability in Impress GiveWP Give plugin for WordPress.

Give is the highest rated, most downloaded, and best supported donation plugin for WordPress. Built from the ground up for all fundraising needs, Give provides a powerful donation platform optimized for online giving.  

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/payments/class-payments-query.php or includes/donors/class-give-donors-query.php

**Solutions**

FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:

**WordPress.Impress.Give.SQL.Injection**

Users should apply the solution provided by Impress

**Timeline**

Fortinet reported the vulnerability on 11 July, 2019

Give replied the team is investigating the report on 11 July, 2019

Give confirmed the vulnerability and released patch on 13 July, 2019. Give Team asked for a disclosure as near to 11 August as possible to give users as much time as possible to upgrade.

**Acknowledgement**

This vulnerability was discovered by Tin Duong of Fortinet's FortiGuard Labs.

**IPS Subscription**

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

CVE-2019-13578: Fortiguard

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value.

CVE-2019-14788

The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter.

CVE-2019-14786

The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.

CVE-2016-10867: All-In-One Security (AIOS) – Security and Firewall

The simple-fields plugin before 1.4.11 for WordPress has XSS.

*   Details
*   Reviews
*   Development

This plugin has been closed as of September 16, 2019 and is not available for download. This closure is permanent. Reason: Security Issue.

I was very happy with this plugin until the moment I needed to dynamically add content that needed a textarea with "Use HTML-editor" checked (aka TinyMCE). It gives a javascript error and won't add a new row of fields. Please FIX and you'll have my 5 stars

Very useful plugin to create custom fields not available in my theme.

This is THE BEST plugin! I use it for EVERY project I do for clients. First one I install. It is incredibly powerful and flexible once you get your head around it. I can't imagine a project without it. Better documentation would be nice, but it's there - just need to search a bit... Oh - and I love the fact that it's hidden under the settings menu - so polite and unobtrusive. Great plugin.

Does what is says brilliantly.

Seems to be a worthless plug-in that I just wasted 15 minutes of my time. You set up fields and then what? It makes no sense and gets a 1-star from me..........

Read all 42 reviews

“Simple Fields” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2015-9302: Simple Fields

The events-manager plugin before 5.6 for WordPress has code injection.

CVE-2015-9298: Events Manager

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

CVE-2015-9304: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

The simple-membership plugin before 3.5.7 for WordPress has XSS.

Tag

#wordpress