The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the _wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Date published : 2022-03-21 https://plugins.trac.wordpress.org/changeset/2684307...
The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. Date published : 2022-03-21 https://wpscan.com/vulnerability/fd8c720a-a94a-438f-b686-3a734e3c24e4
The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack Date...
The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users Date published : 2022-03-21 https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47
The BulletProof Security WordPress plugin before 5.8 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed....
Cross-Site Request Forgery (CSRF) in GitHub repository crater-invoice/crater prior to 6.0.4. Date published : 2022-03-21 https://huntr.dev/bounties/efb93f1f-1896-4a4c-a059-9ecadac1c4de https://github.com/crater-invoice/crater/commit/2b7028b7c83fd6e8897f244a2e6723baa20479e5
Business Logic Errors in GitHub repository crater-invoice/crater prior to 6.0.5. Date published : 2022-03-21 https://huntr.dev/bounties/af08000d-9f4a-4743-865d-5d5cdaf7fb27 https://github.com/crater-invoice/crater/commit/fadef0ea07d2f7fb3f41c2cae444ebca2f479679
Malicious translator is able to inject JavaScript code in few translatable strings (where HTML is allowed). The code could be executed in the Package manager. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.32...
The 3D FlipBook WordPress plugin before 1.12.1 does not have authorisation and CSRF checks when updating its settings, and does not have any sanitisation/escaping, allowing any authenticated users, such as subscriber to put Cross-Site...
Remote Command Execution in uploading repository file in GitHub repository gogs/gogs prior to 0.12.6. Date published : 2022-03-21 https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902 https://github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710. Date published : 2022-03-21 https://www.sophos.com/en-us/security-advisories/sophos-sa-20220321-utm-9710
The Modern Events Calendar Lite WordPress plugin before 6.4.0 does not sanitize and escape some of the Hourly Schedule parameters which could allow users with a role as low as contributor to perform Stored...
The miniOrange’s Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated...
Beijing Wisdom Vision Technology Industry Co., Ltd One Card Integrated Management System 3.0 is vulnerable to SQL Injection. Date published : 2022-03-20 https://www.cnvd.org.cn/flaw/show/3454201