d4wner/Vulnerabilities-Report

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. CSRF exists via wp-admin/admin.php.

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.

An issue was discovered in the read-and-understood plugin 2.1 for WordPress. CSRF exists via wp-admin/options-general.php.

An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_title parameter.

An issue was discovered in the read-and-understood plugin 2.1 for WordPress. XSS exists via the wp-admin/options-general.php rnu_username_validation_pattern parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php bg_color parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php logo_height parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php social_icon_1 parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php button_text_link parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php counter_title parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php logo_width parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php coming-soon_sub_title parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php coming-soon_title parameter.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. CSRF exists via wp-admin/admin.php.

An issue was discovered in the responsive-coming-soon-page plugin 1.1.18 for WordPress. XSS exists via the wp-admin/admin.php counter_title_icon parameter.

An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. CSRF exists via wp-admin/admin-ajax.php.

An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php security parameter.

An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php PFFREE_Access_Token parameter.

An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php weblizar_pffree_settings_save_get-users parameter.

An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_end parameter.

An issue was discovered in the dark-mode plugin 1.6 for WordPress. XSS exists via the wp-admin/profile.php dark_mode_start parameter.

The SrbTransLatin plugin 1.46 for WordPress has XSS via an srbtranslatoptions action to wp-admin/options-general.php with a lang_identificator parameter.

The SrbTransLatin plugin 1.46 for WordPress has CSRF via an srbtranslatoptions action to wp-admin/options-general.php.

The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][post] parameter to wp-admin/options.php.

The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[more_languages] parameter to wp-admin/options.php.

The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[selector_wp_list_pages][show_selector] parameter to wp-admin/options.php.

The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[browser_redirect][redirect_by_language] parameter to wp-admin/options.php.

The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[enabled_languages][en] or wpglobus_option[enabled_languages][fr] (or any other language) parameter to wp-admin/options.php.

The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[post_type][page] parameter to wp-admin/options.php.

The WPGlobus plugin 1.9.6 for WordPress has CSRF via wp-admin/options.php.

The tabs-responsive plugin 1.8.0 for WordPress has XSS via the post_title parameter to wp-admin/post.php.

The Easy Custom Auto Excerpt plugin 2.4.6 for WordPress has XSS via the tonjoo_ecae_options[custom_css] parameter to the wp-admin/admin.php?page=tonjoo_excerpt URI.

In the "Media from FTP" plugin before 9.85 for WordPress, Directory Traversal exists via the searchdir parameter to the wp-admin/admin.php?page=mediafromftp-search-register URI.

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-tools page.

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-information page.

The GD Rating System plugin 2.3 for WordPress has Directory Traversal in the wp-admin/admin.php panel parameter for the gd-rating-system-tools page.

The GD Rating System plugin 2.3 for WordPress has Directory Traversal in the wp-admin/admin.php panel parameter for the gd-rating-system-transfer page.

The GD Rating System plugin 2.3 for WordPress has Directory Traversal in the wp-admin/admin.php panel parameter for the gd-rating-system-information page.

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-transfer page.

The GD Rating System plugin 2.3 for WordPress has Directory Traversal in the wp-admin/admin.php panel parameter for the gd-rating-system-about page.

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-system-about page.

The ImageInject plugin 1.15 for WordPress has CSRF via wp-admin/options-general.php.

The ImageInject plugin 1.15 for WordPress has XSS via the flickr_appid parameter to wp-admin/options-general.php.

The "Add Link to Facebook" plugin through 2.3 for WordPress has XSS via the al2fb_facebook_id parameter to wp-admin/profile.php.

The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload (aka Downloadable File) parameter in an edit action to wp-admin/post.php.

The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload_thumbnail (aka File Thumbnail) parameter in an edit action to wp-admin/post.php.

Online Ticket Booking has XSS via the admin/sitesettings.php keyword parameter.

Online Ticket Booking has XSS via the admin/eventlist.php cast parameter.

Online Ticket Booking has XSS via the admin/movieedit.php moviename parameter.

Online Ticket Booking has XSS via the admin/newsedit.php newstitle parameter.

Online Ticket Booking has XSS via the admin/snacks_edit.php snacks_name parameter.

Online Ticket Booking has XSS via the admin/manageownerlist.php contact parameter.

Online Ticket Booking has CSRF via admin/movieedit.php.

PHP Scripts Mall Muslim Matrimonial Script allows arbitrary file upload via admin/mydetails_edit.php.

Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request.

PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin_edit.php.

PHP Scripts Mall Muslim Matrimonial Script has SQL injection via the view-profile.php mem_id parameter.

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_edit.php edit_id parameter.

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/state_view.php cou_id parameter.

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/caste_view.php comm_id parameter.

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/slider_edit.php edit_id parameter.

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_add.php event_title parameter.

Biometric Shift Employee Management System has XSS via the index.php holiday_name parameter in an edit_holiday action.

Biometric Shift Employee Management System has CSRF via index.php in an edit_holiday action.

Biometric Shift Employee Management System has XSS via the expense_name parameter in an index.php?user=expenses request.

Biometric Shift Employee Management System allows Arbitrary File Download via directory traversal sequences in the index.php form_file_name parameter in a download_form action.

Biometric Shift Employee Management System has XSS via the amount parameter in an index.php?user=addition_deduction request.

Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid parameter.

PHP Scripts Mall PHP Multivendor Ecommerce has a predicable registration URL, which makes it easier for remote attackers to register with an invalid or spoofed e-mail address.

Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic request.

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist.php fid parameter.

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter.

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname parameter.

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter.

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter.

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1 parameter.

PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerupd.php.

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter.

Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter.

Cells Blog 3.5 has XSS via the pub_readpost.php fmid parameter.

Vanguard Marketplace Digital Products PHP has CSRF via /search.

PHP Scripts Mall Single Theater Booking has SQL Injection via the admin/movieview.php movieid parameter.

PHP Scripts Mall Single Theater Booking has XSS via the title parameter to admin/sitesettings.php.

PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesettings.php.

PHP Scripts Mall Single Theater Booking has XSS via the admin/viewtheatre.php theatreid parameter.

Vanguard Marketplace Digital Products PHP has XSS via the phps_query parameter to /search.

PHP Scripts Mall Resume Clone Script has SQL Injection via the forget.php username parameter.

FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by adding content to the user panel.

PHP Scripts Mall Professional Service Script has CSRF via admin/general_settingupd.php, as demonstrated by modifying a setting in the user panel.

PHP Scripts Mall Professional Service Script has XSS via the admin/bannerview.php view parameter.

PHP Scripts Mall Professional Service Script has SQL injection via the admin/review.php id parameter.

PHP Scripts Mall Professional Service Script allows remote attackers to obtain sensitive full-path information via a crafted PATH_INFO to service-list/category/.

PHP Scripts Mall Professional Service Script has a predicable registration URL, which makes it easier for remote attackers to register with an invalid or spoofed e-mail address.

PHP Scripts Mall Professional Service Script has XSS via the admin/general_settingupd.php website_title parameter.

PHP Scripts Mall Professional Service Script allows remote attackers to obtain sensitive full-path information via the id parameter to admin/review_userwise.php.

PHP Scripts Mall Responsive Realestate Script has XSS via the admin/general.php gplus parameter.

PHP Scripts Mall Responsive Realestate Script has CSRF via admin/general.

PHP Scripts Mall Car Rental Script has XSS via the admin/areaedit.php carid parameter or the admin/sitesettings.php websitename parameter.

PHP Scripts Mall Car Rental Script has SQL Injection via the admin/carlistedit.php carid parameter.

PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php.

FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the edit_profile_first_name parameter to user/edit_profile.

Readymade Video Sharing Script has XSS via the search_video.php search parameter, the viewsubs.php chnlid parameter, or the user-profile-edit.php fname parameter.

Readymade Job Site Script has SQL Injection via the location_name array parameter to the /job URI.

Readymade Job Site Script has CSRF via the /job URI.

Readymade Job Site Script has XSS via the keyword parameter to the /job URI.

Readymade Video Sharing Script has SQL Injection via the viewsubs.php chnlid parameter or the search_video.php search parameter.

Readymade Video Sharing Script has CSRF via user-profile-edit.php.

Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter.

Bus Booking Script has CSRF via admin/new_master.php.

Bus Booking Script has SQL Injection via the admin/view_seatseller.php sp_id parameter or the admin/view_member.php memid parameter.

Paid To Read Script 2.0.5 has XSS via the referrals.php tier parameter or the admin/userview.php uid parameter.

Paid To Read Script 2.0.5 has SQL injection via the referrals.php id parameter.

Paid To Read Script 2.0.5 has authentication bypass in the admin panel via a direct request, as demonstrated by the admin/viewvisitcamp.php fn parameter and the admin/userview.php uid parameter.

Paid To Read Script 2.0.5 has full path disclosure via an invalid admin/userview.php uid parameter.

Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.

admin/configuration.php in Piwigo 2.9.2 has CSRF.

Techno - Portfolio Management Panel through 2017-11-16 allows full path disclosure via an invalid s parameter to panel/search.php.

Techno - Portfolio Management Panel through 2017-11-16 allows SQL Injection via the panel/search.php s parameter.

Techno - Portfolio Management Panel through 2017-11-16 allows XSS via the panel/search.php s parameter.

Techno - Portfolio Management Panel through 2017-11-16 does not check authorization for panel/portfolio.php?action=delete requests that remove feedback.

Scubez Posty Readymade Classifieds has SQL Injection via the admin/user_activate_submit.php ID parameter.

Scubez Posty Readymade Classifieds has XSS via the admin/user_activate_submit.php ID parameter.

Scubez Posty Readymade Classifieds has Incorrect Access Control for visiting admin/user_activate_submit.php (aka the backend PHP script), which might allow remote attackers to obtain sensitive information via a direct request.