Multiple Authenticated (contributor+) Persistent Cross-Site Scripting (XSS) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

CVE-2022-34658: Download Manager

Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in amCharts: Charts and Maps plugin <= 1.4 at WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

138b6f2f09e2

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires contributor or higher role user authentication.

Publicly disclosed

2022-08-09

**Details**

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress amCharts: Charts and Maps plugin (versions <= 1.4).

**Solution**

Update the WordPress amCharts: Charts and Maps plugin to the latest available version (at least 1.4.1).

**References**

CVE-2022-36405: WordPress amCharts: Charts and Maps plugin <= 1.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alpine Press Alpine PhotoTile for Pinterest plugin <= 1.3.1 at WordPress.

 Verified

 Not fixed

**4.8**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Alpine PhotoTile for Pinterest

Vulnerable versions

<= 1.3.1

PSID 

ac678906c44b

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires high role user authentication like admin.

Publicly disclosed

2022-08-12

**Details**

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence in WordPress Alpine PhotoTile for Pinterest plugin (versions <= 1.3.1).

**Solution**

Deactivate and delete. This plugin has been closed as of August 10, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-36347: WordPress Alpine PhotoTile for Pinterest plugin <= 1.3.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (subscriber+) plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability in Akash soni's AS – Create Pinterest Pinboard Pages plugin <= 1.0 at WordPress.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

AS – Create Pinterest Pinboard Pages

Vulnerable versions

<= 1.0

PSID 

a92dbce87906

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires subscriber or higher role user authentication.

Publicly disclosed

2022-08-10

**Details**

Authenticated plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence in WordPress AS – Create Pinterest Pinboard Pages plugin (versions <= 1.0).

**Solution**

No fix is available.

**References**

CVE-2022-36341: WordPress AS – Create Pinterest Pinboard Pages plugin <= 1.0 - Authenticated plugin settings change leading to Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Roman Pronskiy's Search Exclude plugin <= 1.2.6 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

With this plugin you can exclude any page, post or whatever from the WordPress search results by checking off the corresponding checkbox on post/page edit page.  
Supports quick and bulk edit.

On the plugin settings page you can also see the list of all the items that are hidden from search.

1.  Upload search-exclude directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  Go to any post/page edit page and check off the checkbox Exclude from Search Results if you don’t want the post/page to be shown in the search results

**Does this plugin affect SEO?**

No, it does not affect crawling and indexing by search engines.  
The ONLY thing it does is hiding selected post/pages from your site search page. Not altering SEO indexing.

If you want posts/pages to be hidden from search engines you may add the following snippet to your functions.php:

    function add_meta_for_search_excluded()
    {
        global $post;
        if (false !== array_search($post->ID, get_option('sep_exclude', array()))) {
            echo '<meta name="robots" content="noindex,nofollow" />', "\n";
        }
    }
    add_action('wp_head', 'add_meta_for_search_excluded');
    

Note: already indexed pages will remain indexed for quite a while. In order to remove them from Google index, you may use Google Search Console (or similar tool for other engines).

**Are there any hooks or actions available to customize plugin behaviour?**

Yes.  
There is an action searchexclude_hide_from_search.  
You can pass any post/page/custom\_post ids as an array in the first parameter.  
The second parameter specifies state of visibility in search. Pass true if you want to hide posts/pages,  
or false – if you want show them in the search results.

Example:  
Let’s say you want “Exclude from Search Results” checkbox to be checked off by default  
for newly created posts, but not pages. In this case you can add following code  
to your theme’s function.php:

    add_filter('default_content', 'excludeNewPostByDefault', 10, 2);
    function excludeNewPostByDefault($content, $post)
    {
        if ('post' === $post->post_type) {
            do_action('searchexclude_hide_from_search', array($post->ID), true);
        }
    }
    

Also there is a filter searchexclude_filter_search.  
With this filter you can turn on/off search filtering dynamically.  
Parameters:  
$exclude – current search filtering state (specifies whether to filter search or not)  
$query – current WP\_Query object

By returning true or false you can turn search filtering respectively.

Example:  
Let’s say you need to disable search filtering if searching by specific post\_type.  
In this case you could add following code to you functions.php:

    add_filter('searchexclude_filter_search', 'filterForProducts', 10, 2);
    function filterForProducts($exclude, $query)
    {
        return $exclude && 'product' !== $query->get('post_type');
    }
    

works well for me. I think this is one of those very useful plugins which makes something an expert can do quite easily accessible to novices for free ! Thank you

Super Brilliant Plugin. Helps a lot with SEO + prevents making a mess on the web. Hope you are doing ok. My heart goes out to all suffering in Ukraine. @-/---

I spent an hour trying to hide woocommerce products from my search, added a bunch of code to functions. This baby worked in 30 seconds. Wonderful, thanks!

Simple, light, useful and free. Amazing plugin!

Does the job very well, love the bulk option

Thanks so much for coming up with this. Working in quick edit mode makes it a super star!

Read all 68 reviews

“Search Exclude” is open source software. The following people have contributed to this plugin.

Contributors

**1.2.7**

*   This is a security release. All users are encouraged to upgrade.
*   Fix possible XSS vulnerability.

**1.2.6**

*   Fix compatibility with WordPress 5.5

**1.2.5**

*   Security release. More protection added.

**1.2.4**

*   Security release. All users are encouraged to update.
*   Added filter searchexclude\_filter\_permissions.

**1.2.2**

*   Added action searchexclude\_hide\_from\_search
*   Added filter searchexclude\_filter\_search
*   Fixed Bulk actions for Firefox

**1.2.1**

*   Fixed bug when unable to save post on PHP <5.5 because of boolval() usage

**1.2.0**

*   Added quick and bulk edit support
*   Tested up to WP 4.1

**1.1.0**

*   Tested up to WP 4.0
*   Do not show Plugin on some service pages in Admin
*   Fixed conflict with bbPress
*   Fixed deprecation warning when DEBUG is on

**1.0.6**

*   Fixed search filtering for AJAX requests

**1.0.5**

*   Not excluding items from search results on admin interface

**1.0.4**

*   Fixed links on settings page with list of excluded items
*   Tested up to WP 3.9

**1.0.3**

*   Added support for excluding attachments from search results
*   Tested up to WP 3.8

**1.0.2**

*   Fixed: Conflict with Yoast WordPress SEO plugin

**1.0.1**

*   Fixed: PHP 5.2 compatibility

**1.0**

*   Initial release

CVE-2022-36282: Search Exclude

A vulnerability classified as problematic has been found in ConsoleTVs Noxen. Affected is an unknown function of the file /Noxen-master/users.php. The manipulation of the argument create_user_username with the input "><script>alert(/xss/)</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-207000.

main

Switch branches/tags

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

whiex Delete README.md

8a4ee36

Aug 22, 2022

Delete README.md

8a4ee36

**Git stats**

*   **3** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

Noxen.docx

Add files via upload

Aug 22, 2022

**About**

No description, website, or topics provided.

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

**Releases**

No releases published

**Packages**

No packages published

CVE-2022-2956: GitHub - whiex/Noxen

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.4.

@@ -247,7 +247,10 @@ pimcore.settings.translation.domain = Class.create({

\];

  

var typesColumns \= \[

{text: t("key"), sortable: true, dataIndex: 'key', flex: 1, editable: false, filter: 'string'},

{text: t("key"), sortable: true, dataIndex: 'key', flex: 1, editable: false, filter: 'string',

editor: new Ext.form.DisplayField({

htmlEncode: true

})},

{text: t("type"), sortable: true, dataIndex: 'type', width: 100, editor: new Ext.form.ComboBox({

triggerAction: 'all',

editable: false,

@@ -315,7 +318,7 @@ pimcore.settings.translation.domain = Class.create({

icon: "/bundles/pimcoreadmin/img/flat-color-icons/delete.svg",

handler: function (grid, rowIndex) {

let data \= grid.getStore().getAt(rowIndex);

pimcore.helpers.deleteConfirm(t('translation'), data.data.key, function () {

pimcore.helpers.deleteConfirm(t('translation'), Ext.util.Format.htmlEncode(data.data.key), function () {

grid.getStore().removeAt(rowIndex);

}.bind(this));

}.bind(this)

CVE-2022-2796: [Admin] Translations - properly escape key on roweditor · pimcore/pimcore@2fd4685

Stored cross-site scripting vulnerability in PukiWiki versions 1.3.1 to 1.5.3 allows a remote attacker to inject an arbitrary script via unspecified vectors.

ようこそPukiWikiの公式サイトへ！！

最新バージョンは PukiWiki 1.5.4 です (PHP8.1対応)

*   ダウンロード: PukiWiki/Download/1.5.4

PukiWikiに関して、何か質問のある方は 質問箱 へ

**管理者の方へ†**

*   OSやPHPのバージョンアップでPukiWikiが動作しなくなった場合
    *   →FAQ/45 をご参照ください

1.  最新のリリースアナウンス、セキュリティアップデートなどの情報を受け取るためにPukiWiki-announce メーリングリストを購読して下さい
2.  PukiWiki開発サイトでは、次期バージョンの開発だけでなく、現行バージョンの1.5系の修正、セキュリティfixが行なわれています。開発日記で日々の作業の内容が掲載されていますので、PukiWikiを運用されている方は目を通すようお願いします。
3.  公表すべきではない\*1欠陥を発見された場合、可能な範囲で問題点を明確にし、既知の話題でない事を確認したうえでコミッター全員にメールにてお問い合わせ下さい。

**PukiWiki News†**

*   PukiWiki 1.5.4 リリース -- (2022-03-30)
*   PukiWiki 1.5.3 リリース -- (2020-03-30)
*   PukiWiki 1.5.2 リリース -- (2019-03-01)
*   PukiWiki 1.5.1 リリース -- (2016-03-07)
*   Team名の変更 -- (2016-03-07)
*   PukiWiki 1.5.0 リリース -- (2014-07-19)

**PukiWiki 1.5.4 リリース -- (2022-03-30)†**

PHP8.1対応の PukiWiki 最新版 PukiWiki 1.5.4 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.4
*   ダウンロード: https://ja.osdn.net/projects/pukiwiki/releases/77082

**PukiWiki 1.5.3 リリース -- (2020-03-30)†**

スマートフォン対応の PukiWiki 最新版 PukiWiki 1.5.3 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.3
*   ダウンロード: https://ja.osdn.net/projects/pukiwiki/releases/72656

**PukiWiki 1.5.2 リリース -- (2019-03-01)†**

PHP7.3対応の PukiWiki 最新版 PukiWiki 1.5.2 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.2
*   ダウンロード: https://ja.osdn.net/projects/pukiwiki/releases/69652

**PukiWiki 1.5.1 リリース -- (2016-03-07)†**

PHP7対応の PukiWiki 最新版 PukiWiki 1.5.1 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.1
*   ダウンロード: https://osdn.jp/projects/pukiwiki/releases/64807

**Team名の変更 -- (2016-03-07)†**

PukiWiki開発Team名を PukiWiki Development Team としました。旧 "PukiWiki Developer Team" からの改称になります。

*   詳しくは: Team

**PukiWiki 1.5.0 リリース -- (2014-07-19)†**

PHP5.5対応の PukiWiki 最新版 PukiWiki 1.5.0 をリリースしました。

*   詳しくは: PukiWiki/Download/1.5.0
*   ダウンロード: http://sourceforge.jp/projects/pukiwiki/files/

CVE-2022-36350: FrontPage - PukiWiki-official

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

**Cross site scripting in yetiforce/yetiforce-crm**

Moderate severity GitHub Reviewed Published Aug 23, 2022 • Updated Aug 30, 2022

Tag

#xss