WordPress Simple Schools Staff Directory plugin <= 1.1 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Chuang Li in WordPress Simple Schools Staff Directory plugin versions <= 1.1. Solution: This plugin has been closed as of October 24, 2019 and is not available for download. Reason: Guideline Violation...
Display users <= 2.0.0 - Authenticated SQL Injection
The Edit Role functionality in the plugin had an id parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. PoC GET /wp-admin/admin.php?page=display-users=manage-role=edit=-4476+UNION+ALL+SELECT+NULL%2Cuser%28%29%2CNULL--+- HTTP/1.1...
Keywords & Meta <= 3.0 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing an attacker to make a logged in high privilege user save arbitrary settings via a CSRF...
Bold Page Builder < 3.1.6 - PHP Object Injection
The btbbgetgrid AJAX action of the plugin passes user input into the unserialize function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog...
Light Messages <= 1.0 - CSRF to Stored XSS
The plugin is lacking a CSRF check when updating its settings, and is not sanitising its Message Content in them even with the unfilteredhtml capability disallowed. As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the...
CVE-2021-24441
The Sign-up Sheets WordPress plugin before 1.0.14 does not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue...
CVE-2020-24147
The CVE-2020-24147 entry describes a Server-Side Request Forgery (SSRF) in the WordPress WP Smart Import plugin, version 1.0.0, exploitable via the file field. The issue is documented as affecting WP Smart Import 1.0.0 and is mitigated by upgrading to a newer version (e.g., 1.0.1+), per multiple ...
CVE-2020-24143
CVE-2020-24143 describes a directory traversal vulnerability in the WordPress plugin “Video Downloader for TikTok” (aka downloader-tiktok), version 1.3. An attacker can access files outside the web root via the njt-tk-download-video parameter. Public details in the connected Red Hat advisory corr...
Leaflet Map < 3.0.0 - Contributor+ Stored XSS
The plugin does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributor to exploit stored XSS issues. PoC Most of the shortcode attributes are not escaped, so these are just one of them: leaflet-map...
Popup Like box - Page Plugin < 3.5.3 - Authenticated Blind SQL Injections
The getfblikeboxes function in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQ...
ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation
The user profile update functionality of the plugin allowed arbitrary user meta to be supplied, including wpcapabilities, during a profile update, which made it possible for users to escalate their privileges to those of an administrator. PoC 'Hax0r3', 'regemail' = '[email protected]',...
CVE-2021-24372
The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the $SERVER'REQUESTURI' before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue...
RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings before saving and outputting them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed. Vulnerable parameters: &ytnetw=, &ytnetwspan=, &ytfeedbacknetw=...
Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
The plugin did not sanitise its facebookpixelid and googleanalyticsid settings, allowing high privilege users to set an XSS payload in them, which will be executed either on pages generated by the plugin or on the whole website, depending on the settings used. PoC -- Payloads: $ 'm0ze';...
WP Super Cache < 1.7.3 - Authenticated Remote Code Execution
The parameters $cachepath, $wpcachedebugip, $wpsupercachefrontpagetext, $cachescheduledtime, $cacheddirectpages used in the plugin settings result in RCE because they allow input of "$" and "\n". This is due to an incomplete fix of CVE-2021-24209. You can run the command directly to...
OPENSUSE-SU-2021:0664-1 Security update for gsoap
This update for gsoap fixes the following issues: - CVE-2020-13576: Fixed a remote code execution via specially crafted SOAP request inside the WS-Addressing plugin boo1182098 This update was imported from the openSUSE:Leap:15.2:Update update project...
Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue. PoC https://example.com/wp-admin/options-general.php?page=moove-redirect-settings=" onMouseOver="alert1;...
Controlled Admin Access < 1.5.6 - Improper Access Control to Privilege Escalation
The plugin did not properly restrict access when checking users with limited access, allowing them to query pages they should not be able to, which could lead to privilege escalation by creating a new administrator with full, unrestricted access to the blog. PoC Created a temporary admin account v...
WordPress Advanced Database Cleaner plugin SQL Injection Vulnerability
WordPress Advanced Database Cleaner is a plugin for WordPress. The plugin is used to clean up the database by removing isolated items such as old revisions and spam comments, optimizing the database, etc. A SQL injection vulnerability exists in versions of the Advanced Database Cleaner...
WordPress Supsystic Digital Publications 1.6.9 XSS / DoS / Traversal
Exploit Title: WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities Date: 24/07/2020 Exploit Author: Erik David Martin Vendor Homepage: https://supsystic.com/ Software Link: https://downloads.wordpress.org/plugin/digital-publications-by-supsystic.1.6.9.zip Version: 1.6...