18 Total Results
Displaying 1-10 of 18
Attacker Value
Unknown
CVE-2023-0424
Disclosure Date: April 24, 2023 (last updated October 08, 2023)
The MS-Reviews WordPress plugin through 1.5 does not sanitise and escape reviews, which could allow any authenticated users, such as Subscribers, to perform Stored Cross-Site Scripting attacks.
0
Attacker Value
Unknown
CVE-2022-4761
Disclosure Date: February 21, 2023 (last updated October 08, 2023)
The Post Views Count WordPress plugin through 3.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
0
Attacker Value
Unknown
CVE-2022-2555
Disclosure Date: August 22, 2022 (last updated February 24, 2025)
The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks a nonce check when updating its settings, which could allow an attacker to make a logged-in admin change them via a CSRF attack.
0
Attacker Value
Unknown
CVE-2022-1772
Disclosure Date: June 13, 2022 (last updated February 23, 2025)
The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account.
0
Attacker Value
Unknown
CVE-2021-24492
Disclosure Date: August 02, 2021 (last updated February 23, 2025)
The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated user, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.
0
Attacker Value
Unknown
CVE-2019-15560
Disclosure Date: August 26, 2019 (last updated November 27, 2024)
The Reviews Module before 2019-06-14 for OpenSource Table allows SQL injection in database/index.js.
0
Attacker Value
Unknown
CVE-2018-20626
Disclosure Date: March 21, 2019 (last updated November 27, 2024)
PHP Scripts Mall Consumer Reviews Script 4.0.3 has directory traversal via a direct request for a listing of an uploads directory such as the wp-content/uploads/2018/12 directory.
0
Attacker Value
Unknown
CVE-2018-20627
Disclosure Date: March 21, 2019 (last updated November 27, 2024)
PHP Scripts Mall Consumer Reviews Script 4.0.3 has HTML injection via the search box.
0
Attacker Value
Unknown
CVE-2017-17614
Disclosure Date: December 13, 2017 (last updated November 26, 2024)
Food Order Script 1.0 has SQL Injection via the /list city parameter.
0
Attacker Value
Unknown
CVE-2015-7226
Disclosure Date: September 17, 2015 (last updated October 05, 2023)
The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal checks access permissions based on the router path from the view instead of the display property, which allows remote attackers to obtain sensitive information via vectors related to the access handler.
0