Thiago Martins

Location: Goiânia, Goiás, Brazil
Phone number: +91 xxxx xxxxx
Followers: 2000
  • Timeline

    Sept 2019 - Mar 2021

    IT Assistant

    Piracanjuba
    Jan 2021 - now

    CEO

    Hacking Force
    Apr 2021 - Jul 2023

    Red Team Tech Lead

    ISH Tecnologia
    Goiânia, Goiás, Brazil
    Current Company
    Aug 2023 - now

    Red Team Lead

    NowCy
  • About me

    Offensive Security Specialist

  • Education

    • Senac São Paulo

      2023 - 2025
      Technology degree in Cyber Defense
  • Experience

    • Piracanjuba

      Sept 2019 - Mar 2021
      IT Assistant
    • Hacking Force

      Jan 2021 - now
      CEO
    • ISH Tecnologia

      Apr 2021 - Jul 2023
      • Red Team Tech Lead

        Jan 2022 - Jul 2023
      • Cyber Exploitation Analyst

        Apr 2021 - Dec 2021
    • NowCy

      Aug 2023 - now
      Red Team Lead
  • Licenses & Certifications

  • Honors & Awards

    • Awarded to Thiago Martins
      CVE-2021-36568, cve.mitre.org, Dec 2021
      In certain Moodle products after creating a course, it is possible to add in an arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored (XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.
      https://lists.fedoraproject.org/archives/list/[email protected]/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC/
      https://lists.fedoraproject.org/archives/list/[email protected]/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW/
      https://blog.hackingforce.com.br/en/cve-2021-36568/
    • Awarded to Thiago Martins
      CVE-2022-2222, cve.mitre.org
      The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in a hardened environment or multisite setup.
      https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b
    • Awarded to Thiago Martins
      CVE-2022-2546, cve.mitre.org
      The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary HTML or JavaScript into the response that will be executed in the victim's session. Note: This requires knowledge of a static secret key.
      https://wpscan.com/vulnerability/f84920e4-a1fe-47cf-9ba5-731989c70f58
    • Awarded to Thiago Martins
      CVE-2022-2654, cve.mitre.org
      The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting.
      https://wpscan.com/vulnerability/845f44ca-f572-48d7-a19a-89cace0b8993
    • Awarded to Thiago Martins
      CVE-2022-2655, cve.mitre.org
      The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting.
      https://wpscan.com/vulnerability/acc9675a-56f6-411a-9594-07144c2aad1b