2014-09-26

Contact Form 7 Integrations 1.0 - 1.3.10, Reflected XSS

The Contact Form 7 Integrations plugin for WordPress suffers from a Reflected XSS attack on a file which is included by the default plugin installation, named ‘includes/toAdmin.php’. If both the ‘uE’ and ‘uC’ QSAs are provided, the input provided is...

2014-09-26

mod_jrun on Apache 2.4 (Ubuntu 14.04 + ColdFusion 9)

After updating my ColdFusion 9 development machine from Apache 2.2 to version 2.4, Apache simply refused to come back up. The root cause of this was the mod_jrun22 module complaining about a missing symbol. After some Googling, I found others...

2014-09-26

Easy MailChimp Forms 3.0 - 5.0.6, Persistent XSS

Due to exposing a single AJAX function to anonymous users by using the ‘nopriv’ method of adding AJAX actions, anonymous users are able to update the settings for this plugin, including updating the Custom Opt-In Message with HTML content. Utilizing...

2014-09-25

Infusionsoft Gravity Forms Add-on 1.5.3 - 1.5.10, Arbitrary File Upload

The Infusionsoft Gravity Forms Add-on plugin for WordPress has a script included in the default plugin installation which is intended to allow the user to re-generate certain templates; however, there is no authentication required to access this...

2014-08-05

WordPress Flash Uploader 3.1.2, Arbitrary Command Execution

Arbitrary command execution. Requires authentication. A user with access to the settings panel of the WordPress Flash Uploader has the ability to execute arbitrary shell commands via specially crafted form input. While it is true that if an attacker...

2014-08-01

Gravity Upload Ajax 1.1, Arbitrary File Upload

Arbitrary file upload in Gravity Upload Ajax 1.1 allows a remote unauthenticated user to upload files of any type. Provides the ability to upload a PHP shell.