1339 matches found
Shortcodes Ultimate < 5.12.8 - Subscriber+ User Meta Disclosure
The plugin does not validate the user meta to be retrieved via the user shortcode, allowing any authenticated user, such as a subscriber, to retrieve arbitrary user meta except the userpass, such as the user email and activation key by default. Run one of the below commands in the developer console ...
ReviewX < 1.6.4 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the filterValue and selectedColumns parameters before using them in SQL statements via the rxexportreview AJAX action, which is available to any authenticated user, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the bel...
CVE-2023-0906 SourceCodester Online Pizza Ordering System POST Parameter ajax.php delete_category missing authentication
A vulnerability classified as critical was found in SourceCodester Online Pizza Ordering System 1.0. Affected by this vulnerability is the function delete_category of the file ajax.php of the component POST Parameter Handler. The manipulation leads to missing authentication. The attack can be...
Magazine Edge <= 1.13 - Subscriber+ Arbitrary Plugin Activation
The theme does not have authorisation and CSRF checks when activating plugins via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary plugins. Run the below command in the developer console of the web browser while being on the blog as a subscriber user...
CSRF in all endpoints of /lib/ajax.php by Changing the request method to GET
Description I have found a CSRF in all the requests in /lib/ajax.php by changing the request to GET, and the page also gets errors. So the user cannot use any function on the page. Proof of Concept 1. Go to https://demo.froxlor.org/ and login as any user, i.e. admin 2. Now open...
WP Review Slider < 12.2 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the following code in the browser console on any WP Admin page. fetch'/wp-admin/admin-ajax.php', method: 'POST',...
WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access
The plugin does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones. Open the below URL as an...
CVE-2022-46950
Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=deletewindow...
SQL injection
Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=savequeue...
SQL injection
Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=deletewindow...
WordPress Slider Revolution 4.6.5 Directory Traversal
Title: WordPress - Slider Revolution 4.6.5 UpdateCaptionsCSS Directory Traversal Vulnerability | Author: indoushka | Tested on: Windows 10 Français V.Pro /...
CVE-2022-46951
Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=deleteuploads...
CVE-2022-46955
Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/ajax.php?action=savequeue...
CVE-2022-46952
Dynamic Transaction Queuing System v1.0 is affected by a SQL injection vulnerability in the id parameter of /admin/ajax.php?action=delete_user. The CVE-2022-46952 entry documents an in-app SQLi risk with high impact (C/H I/H A/H) and network-based access with no user interaction required; privile...
WordPress Slider Revolution 4.6.5 Shell Upload
Title: WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit | Author: indoushka | Tested on: Windows 10...
Social Warfare < 4.4.0 - Post Meta Deletion via CSRF
The plugin does not have CSRF checks in some AJAX actions, allowing attackers to make a logged-in admin call them and delete arbitrary post meta, as well as reset network-related access tokens, via CSRF attacks...
Authenticated HTMLi via theme parameter on /lib/ajax.php
Description The theme parameter is vulnerable to HTMLi on the /lib/ajax.php endpoint. Proof of Concept - Go to https://v2.demo.froxlor.org - Log in with a user - Go to https://v2.demo.froxlor.org/lib/ajax.php?action=newsfeed&theme=%3C/br%3E%3Ch1%3EHTMLi%20by%20leorac%3C/h1%3E%3Cbr%3E - You'll see the...
Passster < 3.5.5.9 - Protection Bypass & Arbitrary Post Access
The plugin does not properly check the password, nor that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by the plugin and access arbitrary posts, such as private content, by sending a specifically crafted request. PoC The nonce can be...
Bg Bible References <= 3.8.14 - Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting. Steps to reproduce: 1. Install the vulnerable plugin bg-biblie-references 3.18.4 2. As an unauthenticated or authenticated user, visit the following URL, which...
WPQA < 5.9.3 - Missing validation lead to functionality abuse
The plugin, which is a companion plugin used with the Discy and Himer themes, incorrectly tries to validate that a user already follows another in the wpqafollowingyouajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them...