TheCartPress eCommerce Shopping Cart <= 1.5.3.6 - Unauthenticated Arbitrary Admin Account Creation
The tcpregisterandloginajax AJAX action of the plugin allows unauthenticated users to create accounts with an arbitrary role such as admin POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5...
3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
Description The plugin does not have any authorisation and does not check the uploaded file in its p3dlitehandleupload AJAX action, allowing unauthenticated users to upload arbitrary files to the web server. However, there is a .htaccess preventing the file from being accessed on Web servers such as...
WordPress 3DPrint Lite 1.9.1.4 Shell Upload
Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload Google Dork: inurl:/wp-content/plugins/3dprint-lite/ Date: 22/09/2021 Exploit Author: spacehen Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/ Version: spacehen www.github.com/spacehen" def printusage:...
Multiple Plugins from CatchThemes - Unauthorised Plugin's Setting Change
Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctpswitch AJAX action, which could allow any authenticated user, such as a Subscriber, to change the plugin's configurations. 1 Turn off "Turn On Catch Themes & Catch Plugin tabs" jQuery.postajaxurl,...
CVE-2020-18125
A reflected cross-site scripting XSS vulnerability in the /plugin/ajax.php component of Indexhibit 2.1.5 allows attackers to execute arbitrary web scripts or HTML...
Path Traversal in os4ed/opensis-classic
Description The ajax.php modname parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. Proof of Concept // Ajax.php GET /Ajax.php?modname=../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 302 Found Location: index.php...
CVE-2021-37389
CVE-2021-37389 affects Chamilo 1.11.14. The vulnerability is a stored XSS in the installer paths main/install/index.php and main/install/ajax.php via the port parameter. The connected documents consistently describe this CVE as a stored XSS issue in Chamilo LMS and do not provide exploitation det...
Custom Post View Generator <= 0.4.6 - Reflected Cross-Site Scripting
The createpostpage AJAX action of the plugin, available to authenticated users, does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue '...
CVE-2021-35343
Cross-Site Request Forgery (CSRF) vulnerability in /op/op.Ajax.php in SeedDMS v5.1.x &lt; 5.1.23 and v6.0.x &lt; 6.0.16 allows a remote attacker to edit a document name without the victim's knowledge, by enticing an authenticated user to visit an attacker's web page...
Email Encoder < 2.1.2 - Reflected Cross Site Scripting
The plugin has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data. The vulnerable function is nonce protected, the nonce can be found in the site's HTML source by searching for the javascript variable...
uListing < 2.0.6 - Modify User Roles via CSRF
An Add/Edit User Roles via CSRF vulnerability was discovered in the plugin. Missing WPNonce security tokens https://codex.wordpress.org/WordPressNonces . PoC | CSRF | Add/Edit User Roles: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: cookies User-Agent: Mozilla/5.0 Content-Type:...
Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection
The daacdeletebookingcallback function, hooked to the daacdeletebooking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and...
Design/Logic Flaw
An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php tdblockid parameter in a tdajaxblock API call...
Haxcan <= 1.0.0 - Arbitrary File Access
The plugin does not properly ensure that the file to be accessed is within the blog, allowing high privilege users to read any file on the web server. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
Workreap < 2.2.2 - Multiple CSRF + IDOR Vulnerabilities
Several AJAX actions available in the theme lacked CSRF protections and also allowed insecure direct object references that were not validated. This allows an attacker to trick a logged-in user into submitting a POST request to the vulnerable site, potentially modifying or deleting arbitrary object...
Title Field Validation <= 1.1 - Unauthorised AJAX Calls
The plugin does not properly check for CSRF in its findposttype, savevalidation, editvalidation, updatevalidation and deletevalidation AJAX actions. Additionally, the actions were also missing any capability checks. As a result, any authenticated user, such as a subscriber, could call them to create,...
WordPress wpDiscuz 7.0.4 Shell Upload
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'WordPress wpDiscuz Unauthenticated File Upload Vulnerability', 'Description' = %q This module exploits an arbitrary file upload in the WordPress...
Code injection
Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework before 1.2.2 wp-content/themes/elemin/themify/themify-ajax.php file...
Jannah < 5.4.5 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action, leading to a Reflected Cross-site Scripting XSS vulnerability. POST /demo/wp-admin/admin-ajax.php HTTP/1.1 Host: jannah.tielabs.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:89.0...
JoomSport < 5.1.8 - Unauthenticated PHP Object Injection
The joomsportmdload AJAX action of the plugin, registered for both authenticated and unauthenticated users, unserialises user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other...