The Bello – Directory & Listing WordPress theme before 1.6.0 did not properly sanitise its post_excerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue Date published :...
The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via...
The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise its ‘s’ GET parameter before outputting it back in the page, leading to a Cross-Site Scripting issue. Date published : 2021-06-01...
The WP Prayer WordPress plugin before 1.6.2 provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine....
The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of ‘$’ and ‘\n’. This is due to...
The wp_ajax_upload-remote-file AJAX action of the External Media WordPress plugin before 1.0.34 was vulnerable to arbitrary file uploads by any authenticated user. Date published : 2021-06-01 https://wpscan.com/vulnerability/4fb90999-6f91-4200-a0cc-bfe9b34a5de9 Critical Vulnerability Patched in External Media Plugin
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will...
The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject JavaScript code using the HTML tags and cause a stored...
The NGINX Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644. Date published : 2021-06-01 https://support.f5.com/csp/article/K36926027
The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. Date published : 2021-06-01 https://support.f5.com/csp/article/K45263486
The NGINX Controller 2.0.0 through 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. Date published : 2021-06-01 https://support.f5.com/csp/article/K04884013
Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster. Date published : 2021-06-01 https://support.f5.com/csp/article/K97002210
A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash...