Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

CVE-2019-1000031: [article2pdf (Wordpress plug-in)] Multiple vulnerabilities (CVE-2019-1000031, CVE-2019-1010257)

A disk space or quota exhaustion issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27. Visiting PDF generation link but not following the redirect will leave behind a PDF file on disk which will never be deleted by the plug-in.

CVE
#vulnerability#web#mac#wordpress#php#perl#pdf
CVE-2019-9912: wpGoogleMaps 7.10.41 - Reflected XSS (WordPress Plugin)

The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the wp-admin/admin.php PATH_INFO.

CVE-2019-9913: WP Live Chat Support 8.0.17 - Reflected XSS (WordPress Plugin)

The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.

CVE-2019-9909: Give 2.3.0 - Reflected XSS (WordPress Plugin)

The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS.

CVE-2019-7385: Welcome to Kaustubh security advisories

An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the newpass and confpass parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user input validation, this leads to authenticated code execution on the device.

CVE-2019-5924: Smart Forms – when you need more than just a contact form

Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.

CVE-2019-9567: Forminator – Contact Form, Payment Form & Custom Form Builder

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.

CVE-2018-15877: Offensive Security’s Exploit Database Archive

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

CVE-2018-9864

The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.

CVE-2018-6195: Changeset 1807349 for wp-splashing-images – WordPress Plugin Repository

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.