Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin. Date published : 2021-05-14 https://lists.apache.org/thread.html/r74f72650c3590478f028ea3a1b8cab2a33d20ad9ff407e894ca70525%40%3Cannounce.trafficserver.apache.org%3E https://lists.apache.org/thread.html/r74f72650c3590478f028ea3a1b8cab2a33d20ad9ff407e894ca70525@%3Cannounce.trafficserver.apache.org%3E
Prototype pollution vulnerability in ‘101’ versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2021-05-14 https://github.com/tjmehta/101/blob/d87f63ce2a4cbdc476e8287abd78327c3144d646/set.js#L52 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25943
Prototype pollution vulnerability in ‘deep-override’ versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution. Date published : 2021-05-14 https://github.com/ASaiAnudeep/deep-override/commit/2aced17651fb684959a6e04b1465a8329b3d5268 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25941
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data...
The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected...
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue Date published :...
The request_list_request AJAX call of the Car Seller – Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before...
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the ‘uploadFontIcon’ AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files...
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue. Date published : 2021-05-14 https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For...
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site. Date published...
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects. Date published : 2021-05-14 https://wpscan.com/vulnerability/db4ba6b0-887e-4ec1-8935-ab21d369b329 Severe...
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository. Date published :...
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function. Date published : 2021-05-14 https://wpscan.com/vulnerability/99f30604-d62b-4e30-afcd-b482f8d66413 Severe...