30 Total Results
Displaying 1-10 of 30
Attacker Value
Unknown

CVE-2021-36899

Disclosure Date: September 28, 2022 (last updated February 24, 2025)
Authenticated (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Gabe Livan's Asset CleanUp: Page Speed Booster plugin <= 1.3.8.4 at WordPress.
Attacker Value
Unknown

CVE-2021-23373

Disclosure Date: July 25, 2022 (last updated February 24, 2025)
All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.
Attacker Value
Unknown

CVE-2022-31579

Disclosure Date: July 11, 2022 (last updated February 24, 2025)
The ralphjzhang/iasset repository through 2022-05-04 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.
Attacker Value
Unknown

CVE-2022-21231

Disclosure Date: June 24, 2022 (last updated February 24, 2025)
All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666)
Attacker Value
Unknown

CVE-2022-1790

Disclosure Date: June 13, 2022 (last updated February 23, 2025)
The New User Email Set Up WordPress plugin through 0.5.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
Attacker Value
Unknown

CVE-2022-25645

Disclosure Date: May 01, 2022 (last updated February 23, 2025)
All versions of package dset are vulnerable to Prototype Pollution via 'dset/merge' mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or prototype. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.
Attacker Value
Unknown

CVE-2022-25354

Disclosure Date: March 17, 2022 (last updated February 23, 2025)
The package set-in before 2.0.3 is vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)
Attacker Value
Unknown

CVE-2021-23497

Disclosure Date: February 04, 2022 (last updated February 23, 2025)
This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821
Attacker Value
Unknown

CVE-2021-24983

Disclosure Date: February 01, 2022 (last updated February 23, 2025)
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not sanitise and escape POSTed parameters sent to the wpassetcleanup_fetch_active_plugins_icons AJAX action (available to admin users), leading to a Reflected Cross-Site Scripting issue.
Attacker Value
Unknown

CVE-2021-24937

Disclosure Date: February 01, 2022 (last updated February 23, 2025)
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue.