ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS
The plugin lacks authorisation and CSRF checks in the AJAX action responsible for updating the OpenAI settings, allowing any authenticated user, such as a subscriber, to update them. Furthermore, because the settings are not escaped on output, this can also lead to Stored XSS. Run the below command in...
MDTF < 1.3.1 - Reflected XSS
The plugin does not sanitise and escape the taxname parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. PoC: Make a logged-in admin open...
InPost Gallery <= 2.1.4.1 - Reflected XSS
The plugin does not sanitise and escape the imgurl parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. Make a logged-in admin open...
W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure
The plugin does not check that the requesting user is allowed to view a password-protected post before displaying its content, which could allow any authenticated user to read it. Setup: Create a default Post list, and create a password-protected post with secret content. Then, run the below command in the develop...
Authentication flaw
A vulnerability was found in SourceCodester Online Pizza Ordering System 1.0. It has been classified as critical. This affects an unknown part of the file admin/ajax.php?action=save_user of the component Password Change Handler. The manipulation leads to improper authentication. It is possible to...
CVE-2023-1460
CVE-2023-1460 concerns the SourceCodester Online Pizza Ordering System 1.0. The vulnerability lies in the Password Change Handler, specifically the file segment admin/ajax.php?action=save_user, enabling an improper authentication condition. It can be triggered remotely, with impact described as h...
Shopping Cart & eCommerce Store < 5.4.3 - Admin+ LFI
The plugin does not validate the product import request, allowing authenticated users with admin privileges to perform LFI attacks. 1. Log in as Admin. 2. Go to wp-admin/admin.php?page=wp-easycart-products&subpage=products 3. Click on Import Products, browse to any file and click on Import File. Intercept the...
CVE-2023-1112 Drag and Drop Multiple File Upload Contact Form 7 admin-ajax.php path traversal
A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function reachable through the file admin-ajax.php. Manipulation of the argument uploadname leads to relative path traversal. It is possible to laun...
Shortcodes Ultimate < 5.12.8 - Subscriber+ User Meta Disclosure
The plugin does not restrict which user meta may be retrieved via the user shortcode, allowing any authenticated user, such as a subscriber, to retrieve arbitrary user meta (except the userpass), such as the user email and activation key by default. Run one of the below commands in the developer console ...
ReviewX < 1.6.4 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the filterValue and selectedColumns parameters before using them in SQL statements via the rxexportreview AJAX action, which is available to any authenticated user, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the bel...
Magazine Edge <= 1.13 - Subscriber+ Arbitrary Plugin Activation
The theme lacks authorisation and CSRF checks when activating plugins via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary plugins. Run the below command in the developer console of the web browser while being on the blog as a subscriber user...
WP Review Slider < 12.2 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the following code in the browser console on any WP Admin page: fetch('/wp-admin/admin-ajax.php', { method: 'POST', ...
WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access
The plugin does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones. Open the below URL as an...
CVE-2022-46950
Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=deletewindow...
WordPress Slider Revolution 4.6.5 Directory Traversal
Title: WordPress - Slider Revolution 4.6.5 UpdateCaptionsCSS Directory Traversal Vulnerability | Author: indoushka | Tested on: windows 10 Français V.Pro /...
CVE-2022-46955
Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=savequeue...
CVE-2022-46952
Dynamic Transaction Queuing System v1.0 is affected by a SQL injection vulnerability in the id parameter of /admin/ajax.php?action=delete_user. The CVE-2022-46952 entry rates it as high impact (CVSS C:H/I:H/A:H), exploitable over the network with no user interaction required; privile...
WordPress Slider Revolution 4.6.5 Shell Upload
Title: WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit | Author: indoushka | Tested on: windows 10...
Social Warfare < 4.4.0 - Post Meta Deletion via CSRF
The plugin does not have CSRF checks in some AJAX actions, allowing attackers to make a logged-in admin call them and delete arbitrary post meta as well as reset network-related access tokens via CSRF attacks...
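Several entries above (ChatBot, Magazine Edge, Social Warfare) share one root cause: a wp_ajax_* handler that performs a state change without a capability check, a nonce check, or both. The script below is an added example, not code from any of the listed plugins or advisories: a heuristic scan that finds add_action('wp_ajax_...') registrations in PHP source, locates each callback body, and reports handlers missing current_user_can or check_ajax_referer/wp_verify_nonce, distinguishing "any subscriber can trigger it" (no capability check) from "an admin can be CSRF'd into it" (capability check but no nonce) and flagging wp_ajax_nopriv_ handlers as reachable without login. SAMPLE_PHP and every hook and callback name in it are constructed for illustration.

```python
"""Heuristic scan of WordPress plugin/theme PHP for admin-ajax handlers lacking a
capability check (authorisation) and/or a nonce check (CSRF).
Added example, not code from any plugin listed on this page; SAMPLE_PHP and all
hook/callback names in it are constructed for illustration."""
import re
from dataclasses import dataclass

SAMPLE_PHP = r'''<?php
add_action( 'wp_ajax_cb_save_openai_settings', 'cb_save_openai_settings' );
add_action( 'wp_ajax_cb_delete_meta', 'cb_delete_meta' );
add_action( 'wp_ajax_nopriv_cb_public_lookup', 'cb_public_lookup' );
function cb_save_openai_settings() {   // no nonce, no capability check
    update_option( 'cb_openai_key', $_POST['key'] );
}
function cb_delete_meta() {            // hardened: nonce + capability
    check_ajax_referer( 'cb_delete_meta', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( 'forbidden', 403 ); }
    delete_post_meta( absint( $_POST['post_id'] ), sanitize_key( $_POST['meta_key'] ) );
}
function cb_public_lookup() {          // reachable without login
    echo esc_html( get_option( 'cb_public_label' ) );
}
class CB_Admin {
    public function __construct() {
        add_action( 'wp_ajax_cb_activate_plugin', array( $this, 'do_activate' ) );
    }
    public function do_activate() {    // capability check but no nonce
        if ( ! current_user_can( 'activate_plugins' ) ) { wp_die(); }
        activate_plugin( sanitize_text_field( $_POST['plugin'] ) );
    }
}
'''

# add_action( 'wp_ajax_[nopriv_]<action>', 'cb' | 'Cls::cb' | array( $this, 'cb' ) | [ $this, 'cb' ] )
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([\w-]+)['"]\s*,\s*"""
    r"""(?:['"]([\w:]+)['"]|(?:array\s*\(|\[)\s*\$this\s*,\s*['"](\w+)['"]\s*[)\]])""")
NONCE_RE = re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can(_for_blog)?\s*\(")
MUTATE_RE = re.compile(      # state-changing calls; a handler without any is at worst a disclosure
    r"\b(update_option|add_option|delete_option|update_post_meta|delete_post_meta|update_user_meta|"
    r"wp_insert_post|wp_update_post|wp_delete_post|activate_plugin|move_uploaded_file)\s*\("
    r"|\$wpdb->(query|insert|update|delete|replace)\s*\(")


def function_body(src, name):
    """Brace-delimited body of `function name(...)`, or ''. Plain brace counting, so
    braces inside PHP strings or comments will confuse it."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return src[start:]


@dataclass
class Handler:
    action: str
    callback: str
    nopriv: bool          # wp_ajax_nopriv_*: reachable with no session at all
    has_nonce: bool
    has_capability: bool
    mutates: bool

    def finding(self):
        """Exposure in one line, or None when the handler looks properly guarded."""
        if self.nopriv:
            return ("unauthenticated state change" if self.mutates
                    else "unauthenticated read: verify nothing non-public is returned")
        if not self.has_capability:
            who = "any authenticated user (no capability check)"
        elif not self.has_nonce:
            who = "privileged user via CSRF (capability check but no nonce)"
        else:
            return None
        if self.mutates:
            return "state change by " + who
        return None if self.has_capability else "read by " + who


def scan(src):
    """All wp_ajax_* handlers registered in src, with what each callback body checks."""
    handlers = []
    for nopriv, action, fn, method in HOOK_RE.findall(src):
        name = (fn or method).split("::")[-1]
        body = function_body(src, name)
        handlers.append(Handler(action, name, bool(nopriv), bool(NONCE_RE.search(body)),
                                bool(CAP_RE.search(body)), bool(MUTATE_RE.search(body))))
    return handlers


def findings(src):
    """(action, finding) pairs for the handlers that need manual review."""
    return [(h.action, h.finding()) for h in scan(src) if h.finding()]
```

Calling findings(SAMPLE_PHP) reports cb_save_openai_settings (state change by any authenticated user), cb_activate_plugin (state change by a privileged user via CSRF) and cb_public_lookup (unauthenticated read), while the hardened cb_delete_meta produces no finding. The scan is deliberately regex-based and conservative in what it recognises: hooks registered through variables, closures, or helper wrappers, and checks performed in a shared function the callback calls, will all be missed, so treat its output as a worklist for manual review rather than a verdict.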