845 matches found
CVE-2022-28590
A Remote Code Execution RCE vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=installtheme...
CVE-2022-28590
CVE-2022-28590 affects Pixelimity 1.0. The vulnerability enables remote code execution via admin/admin-ajax.php?action=install_theme. Multiple sources describe an arbitrary file upload path that can lead to code execution, with public PoC showing webshell upload to facilitate further access. The ...
CVE-2022-27129
An arbitrary file upload vulnerability at /admin/ajax.php in zbzcms v1.0 allows attackers to execute arbitrary code via a crafted PHP file...
Menubar < 5.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action available to any authenticated users, leading to a Reflected Cross-Site Scripting " /...
WordPress Easy Cookie Policy 1.6.2 Plugin - Broken Access Control to Stored XSS Vulnerability
Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS Author: 0xB9 Software Link: https://wordpress.org/plugins/easy-cookies-policy/ Version: 1.6.2 Tested on: Windows 10 CVE: CVE-2021-24405 1. Description: Broken access control allows any authenticated use...
WordPress Easy Cookie Policy 1.6.2 Cross Site Scripting
Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS Date: 2/27/2021 Author: 0xB9 Software Link: https://wordpress.org/plugins/easy-cookies-policy/ Version: 1.6.2 Tested on: Windows 10 CVE: CVE-2021-24405 1. Description: Broken access control allows any...
Advanced Page Visit Counter < 6.1.6 - Subscriber+ Blind SQL injection
The plugin does not escape the artID parameter before using it in a SQL statement in the apvcresetcountart AJAX action, available to any authenticated user, leading to a SQL injection v = 5.0.8 - https://example.com/wp-admin/admin-ajax.php?action=apvcresetcountart&artID=sleep10 v 6.1.6 -...
LearnPress < 4.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the lp-dismiss-notice before outputting it back via the lpbackgroundsingleemail AJAX action, leading to a Reflected Cross-Site Scripting...
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via post_types
The plugin does not sanitise and escape the posttypes parameter before outputting it back in the response of the postgridupdatetaxonomiestermsbyposttypes AJAX action, available to any authenticated users, leading to a Reflected Cross-Site Scripting " name="posttypes"...
OSMapper <= 2.1.5 - Unauthenticated Arbitrary Post Deletion
The plugin contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wpajaxnopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result,...
Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
The plugin does not validate and escape the postid parameter before using it in a SQL statement via the qcldupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection curl https://example.com/wp-admin/admin-ajax.php --data...
Formcraft3 < 3.8.28 - Unauthenticated SSRF
The plugin does not validate the URL parameter in the formcraft3get AJAX action, leading to SSRF issues exploitable by unauthenticated users https://example.com/wp-admin/admin-ajax.php?action=formcraft3get&URL=https://wpscan.com...
WordPress MasterStudy LMS 2.7.5 Plugin - Unauthenticated Admin Account Creation Vulnerability
Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation Author: Numan Türle CVE: CVE-2022-0441 Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/ Version: 2.7.6 https://www.youtube.com/watch?v=SIO6CHXMZk...
hub2word <= 1.1.0 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF checks in its Hub2Wordsavesettings AJAX action, and does not validate the option key to be updated. As a result, any authenticated user, such as subscriber could update arbitrary WordPress options POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
WordPress GDPR & CCPA < 1.9.27 - Unauthenticated Reflected Cross-Site Scripting
The checkprivacysettings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript...
Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not sanitise and escape the formid parameter before outputting it back in the response of an unauthenticated request via the givecheckoutlogin AJAX action, leading to a Reflected Cross-Site Scripting As an unauthenticated user: alert/XSS/' / var form1 =...
Magee Shortcodes < 2.0.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in AJAX actions available to both unauthenticated and authenticated users, leading to Reflected Cross-Site Scripting issues...
Futurio Extra < 1.6.3 - Subscriber+ User Email Address Disclosure
The plugin allows any logged in user, such as subscriber, to extract any other user's email address. fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded" , "body": new URLSearchParams"action": "dilazmbqueryselect", "q": "@gma",...
SpiderCalendar <= 1.5.65 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue. Note: Vendor decided to close the plugin and it won't be...
Ultimate Product Catalog < 5.0.26 - Subscriber+ Arbitrary Product Creation & Settings Update
The plugin does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example To add a product: fetch"https://example.com/wp-admin/admin-ajax.php",...