7 results (0.006 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter. El plugin wp-symposium versiones hasta 15.8.1 para WordPress, presenta una vulnerabilidad de tipo XSS por medio del parámetro size de wp-content/plugins/wp-symposium/get_album_item.php. The WP Symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter. • https://wordpress.org/plugins/wp-symposium/#developers https://wpvulndb.com/vulnerabilities/8175 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 91%CPEs: 1EXPL: 3

Unrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in server/php/. Vulnerabilidad de la subida de ficheros sin restricciones en UploadHandler.php en el plugin WP Symposium 14.11 para WordPress permite a atacantes remotos ejecutar código arbitrario mediante la subida de un fichero con una extensión ejecutable, posteriormente accediéndolo a través de una solicitud directa al fichero en server/php/. The WP Symposium plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the UploadHandler.php file in versions up to, and including, 14.11. This makes it possible for attackers to upload arbitrary files on the affected sites server which may make remote code execution possible when the file is accessed from the server/php/directory. • https://www.exploit-db.com/exploits/35778 https://www.exploit-db.com/exploits/35543 http://www.exploit-db.com/exploits/35543 http://www.securityfocus.com/bid/71686 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 3

SQL injection vulnerability in ajax/mail_functions.php in the WP Symposium plugin before 14.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tray parameter in a getMailMessage action. Vulnerabilidad de inyección SQL en ajax/mail_functions.php del plugin WP Symposium anterior 14.11 de WordPress permite a usuarios remotos autenticados ejecutar comandos arbitrarios de SQL a través del parámetro en la acción getMailMessage • https://www.exploit-db.com/exploits/35505 http://secunia.com/advisories/62643 http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html http://www.exploit-db.com/exploits/35505 http://www.wpsymposium.com/2014/11/release-information-for-v14-11 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in the WP Symposium plugin before 14.11 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter in an addComment action to ajax/profile_functions.php, (2) compose_text parameter in a sendMail action to ajax/mail_functions.php, (3) comment parameter in an add_comment action to ajax/lounge_functions.php, or (4) name parameter in a create_album action to ajax/gallery_functions.php. Vulnerabilidades múltiples XSS en el plugin WP Symposium anterior a 14.11 de WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de (1) parámetro texto en la acción addComment a ajax/profile_functions.php, (2) parámetro compose_text en la acción sendMail a ajax/mail_functions.php, (3) parámetro comentario en la acción add_comment a ajax/lounge_functions.php, o (4) parámetro nombre en la acción create_album a ajax/gallery_functions.php. • http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html http://www.wpsymposium.com/release-information-for-v14-11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in invite.php in the WP Symposium plugin before 13.04 for WordPress allows remote attackers to inject arbitrary web script or HTML via the u parameter. Vulnerabilidad de XSS en invite.php en el plugin WP Symposium anterior a 13.04 para WordPress permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro u. • http://osvdb.org/92275 http://secunia.com/advisories/52864 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •