Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-39166: WordPress tagDiv Composer plugin < 4.4 - CSRF to XSS vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in tagDiv tagDiv Composer allows Cross-Site Scripting (XSS).This issue affects tagDiv Composer: from n/a before 4.4.

CVE
Open in Source
#xss#csrf#vulnerability#wordpress#auth
CVE-2023-48068: cms/dedevCMS/dedeCMS_XSS.md at dreamcms_vul · CP1379767017/cms

DedeCMS v6.2 was discovered to contain a Cross-site Scripting (XSS) vulnerability via spec_add.php.

CVE-2023-6098: Multiple vulnerabilities in ICSSolution ICS Business Manager

An XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obdd_act parameter, allowing the attacker to steal an authenticated user's session, and perform actions within the application.

CVE-2023-40335: WordPress Cleverwise Daily Quotes plugin <= 3.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Jeremy O'Connell Cleverwise Daily Quotes allows Stored XSS.This issue affects Cleverwise Daily Quotes: from n/a through 3.2.

CVE-2023-46092: WordPress Webmaster Tools plugin <= 2.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in LionScripts.Com Webmaster Tools allows Stored XSS.This issue affects Webmaster Tools: from n/a through 2.0.

CVE-2023-4775: Advanced iFrame <= 2023.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'advanced_iframe' shortcode in versions up to, and including, 2023.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5741: POWR <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

The POWR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'powr-powr-pack' shortcode in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-46201: WordPress Auto Login New User After Registration plugin <= 1.9.6 - CSRF leading to Stored XSS vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Jeff Sherk Auto Login New User After Registration allows Stored XSS.This issue affects Auto Login New User After Registration: from n/a through 1.9.6.

CVE-2023-47516: WordPress Category Post List Widget plugin <= 2.0 - CSRF to Cross Site Scripting (XSS) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Stark Digital Category Post List Widget allows Stored XSS.This issue affects Category Post List Widget: from n/a through 2.0.

CVE-2023-47652: WordPress Auto Affiliate Links plugin <= 6.4.2.4 - CSRF lead to Stored XSS vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Lucian Apostol Auto Affiliate Links allows Stored XSS.This issue affects Auto Affiliate Links: from n/a through 6.4.2.4.