Stefan Broeder

#10147of 53,633
27.2Total CVSS
Vulnerabilities · 4
Medium
3
Critical
1
PT-2018-18796
5.4
2018-04-04
Relevanssi · Relevanssi · CVE-2018-9034
**Name of the Vulnerable Software and Affected Versions** Relevanssi plugin version 4.0.4 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary JavaScript or HTML. This is achieved via the `tab` GET parameter in the lib/interface.php file. **Recommendations** For Relevanssi plugin version 4.0.4, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2018-18797
9.6
2018-04-04
WordPress · Contact Form 7 To Database Extension · CVE-2018-9035
**Name of the Vulnerable Software and Affected Versions** Contact Form 7 to Database Extension plugin version 2.10.32 **Description** The issue allows remote attackers to inject spreadsheet formulas into CSV files via the contact form. This is achieved through a CSV Injection vulnerability in the ExportToCsvUtf8.php file of the plugin. **Recommendations** For version 2.10.32, update to a newer version that contains a fix for this issue to prevent remote attackers from injecting malicious spreadsheet formulas into CSV files.
PT-2018-18147
6.1
2018-03-26
Snapcreek · Snapcreek Duplicator · CVE-2018-7543
**Name of the Vulnerable Software and Affected Versions** SnapCreek Duplicator plugin version 1.2.32 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary JavaScript or HTML via the `json` parameter in the installer/build/view.step4.php file. **Recommendations** For SnapCreek Duplicator plugin version 1.2.32, consider updating to a newer version that contains a fix for this issue. As a temporary workaround, restrict access to the vulnerable installer/build/view.step4.php file to minimize the risk of exploitation. Avoid using the `json` parameter in the affected API endpoint until the issue is resolved.
PT-2018-18603
6.1
2018-03-15
WordPress · Wp Activity Log · CVE-2018-8729
**Name of the Vulnerable Software and Affected Versions** Activity Log plugin versions prior to 2.4.1 for WordPress **Description** The issue allows remote attackers to inject arbitrary JavaScript or HTML via a title that is not properly escaped, potentially leading to cross-site scripting (XSS) attacks. This could enable attackers to execute malicious scripts on the client-side. **Recommendations** For versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue. As a temporary workaround, consider restricting user input for titles to minimize the risk of exploitation.