An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. Any logged in user can launch Mass Pages/Posts creation with custom content. There is no nonce or user capability check, so anyone can launch a DoS attack against a site and create hundreds of thousands of posts with custom content.
CWE-79
CVE-2018-11581
Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html.
CVE-2018-11512
Stored cross-site scripting (XSS) vulnerability in the “Website’s name” field found in the “Settings” page under the “General” menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general.
CVE-2018-11522
Yosoro 1.0.4 has stored XSS.
CVE-2018-11532
An issue was discovered in the ChangUonDyU Advanced Statistics plugin 1.0.2 for MyBB. changstats.php has XSS, as demonstrated by a subject field.
CVE-2018-11549
An issue was discovered in WUZHI CMS 4.1.0 There is a Stored XSS Vulnerability in “Account Settings -> Member Centre -> Chinese information -> Ordinary member” via a QQ number, as demonstrated by a form[qq_10]= substring.
