Leaflet Map < 3.0.0 - Contributor+ Stored XSS

The plugin does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to exploit stored XSS issues Most of the shortcode attributes are not escaped, so these are just one of them: leaflet-map...

Yada Wiki < 3.4.1 - Contributor+ Stored XSS

The plugin did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue PoC - Create a wiki page. If there is already a page, you can skip. The page can be a draft. - Add this shortcode to a post/page, view it and move the mouse over...

Browser Screenshots < 1.7.6 - Contributor+ Stored XSS

The plugin allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the imageclass parameter of the browser-shot shortcode was not escaped. Add the following shortcode in a page, then view the page either published or as preview to trigger th...

Prismatic < 2.8 - Contributor+ Stored XSS

The plugin does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher...

Yes/No Chart < 1.0.12 - Authenticated (contributor+) Blind SQL Injection

The plugin did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users contributor+ to perform Blind SQL Injection attacks To exploit, the site administrator must add a question set and a question first. This requirement is usually met for all...

CVE-2021-24226

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the accessallyorderform shortcode is dumping serialize$SERVER, which contains all environment variables. The leakage occurs on all public facing pages containing the...

CVE-2021-24226

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the accessallyorderform shortcode is dumping serialize$SERVER, which contains all environment variables. The leakage occurs on all public facing pages containing the...

CVE-2021-24221 Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to...

WordPress 插件信息泄露漏洞

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An information disclosure vulnerability exists in the AccessAlly WordPress plugin prior to version...

Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

The plugin did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised...

Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

The plugin did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised...

AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

In the plugin, the file "resource/frontend/product/product-shortcode.php" responsible for the accessallyorderform shortcode is dumping serialize$SERVER, which contains all environment variables. The leakage occurs on all public facing pages containing the accessallyorderform shortcode, no login o...

Responsive Lightbox2 < 1.0.3 - Authenticated Stored Cross-Site Scripting

The ‘hyperlink’ field in used while linking an image from a URL was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using...

Wordpress Easy Media Download 1.1.4 Cross Site Scripting

Exploit Title: Wordpress Easy Media Download v1.1.4 - Persistent Cross-Site Scripting Date: 2020-08-14 Vendor Homepage: https://noorsplugin.com/ Vendor Changelog: https://wordpress.org/plugins/easy-media-download/developers Exploit Author: Melbin K Mathew @melbinkm Author Advisory:...

The vulnerability of the WordPress website content management system, related to the lack of measures taken to protect the structure of web pages, allows attackers to compromise the integrity of data.

The vulnerability of the WordPress content management system’s functions is related to an error in the execution of XSS attacks during shortcode rendering. Exploiting this vulnerability allows a remote attacker to compromise data integrity...

Media Library Assistant < 2.82 - Authenticated RCE

Remote Code Execution can occur via the taxquery, metaquery, and datequery parameter of the mlagallery shortcode...

WordPress GistPress Cross-Site Scripting Vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the shortcode feature in WordPress GistPress versions prior to...

Profile Builder and Profile Builder Pro < 3.1.1 - User Registration With Administrator Role

The plugin is affected by a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain the Administrator role using the plugin's forms. The vulnerability only exists in the Plugin's own generated Registration Form or Profile Edit Form. This mean...

CVE-2020-8498

XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users e.g., ones who have t...

Ultimate FAQ < 1.8.30 - Unauthenticated Reflected XSS

The HTML code generated by the FAQ shortcode does not sanitise the DisplayFAQ GET parameter, leading to an unauthenticated reflected Cross-Site Scripting issue on pages where such shortcode is used. PoC Append the following payload on a page where a FAQ is embedded: ?DisplayFAQ=...