4359 matches found
Notification Bar for WordPress <= 1.1.8 – Unauthenticated Subscriber Data Disclosure
Description The plugin exposes an unauthenticated CSV export script that discloses all stored subscriber emails. https://example.com/wp-content/plugins/8-degree-notification-bar/inc/backend/blocks/export-csv.php...
360 Product Rotation <= 1.5.8 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. http://example.com/wp-content/plugins/360-product-rotation/includes/iframe.php?licenseid=1"ale...
3DPrint Lite < 2.1 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Have a logged in admin open an HTML page containing the following form: input type="hidden" name="p3dlitesettingscanvaswidth"...
WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
Description WordPress does not properly escape the "tagName" attribute in the "Template Part block" allowing high-privileged users to perform Stored Cross-Site Scripting XSS attacks. As a contributor, add a "Template Part" block to a post, click on "Start Blank" and then Create. Go into Editor mo...
WooCommerce 8.8.0 - 8.9.2 - Reflected XSS
Description The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an...
Himer - Social Questions and Answers < 2.1.1 - Contributor+ Stored XSS
Description The theme does not sanitise and escape some of its Post settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks The PoC will be displayed on June 26, 2024, to give users the time to update...
Himer - Social Questions and Answers < 2.1.1 - Multiple CSRF on the Group Section
Description The theme does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group The PoC will be displayed on June 26, 2024, to give users the...
Himer - Social Questions and Answers < 2.1.1 - Arbitrary Group Joining via CSRF
Description The theme does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack The PoC will be displayed on June 26, 2024, to give users the time to update...
WPQA < 6.1.1 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some of its Slider settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks The PoC will be displayed on June 26, 2024, to give users the time to update...
Himer - Social Questions and Answers < 2.1.1 - Bypass Poll Voting Restrictions via CSRF
Description The theme does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don't have access to via a CSRF attack The PoC will be displayed on June 26, 2024, to give users the time to update...
Himer - Social Questions and Answers < 2.1.1 - Subscriber+ Private Group Joining via IDOR
Description The plugin allows any authenticated user to join a private group due to a missing authorization check on a function The PoC will be displayed on June 26, 2024, to give users the time to update...
WPQA < 6.1.1 - Arbitrary Category and Tag Follow/Unfollow via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks The PoC will be displayed on June 26, 2024, to give users the time to update...
Sitetweet <= 0.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack The PoC will be displayed on June 25, 2024, to give users the time to update...
Rank Math SEO < 1.0.219 - Authenticated Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow users with access to the General Settings by default admin, however such access can be given to lower roles via the Role Manager feature of the plugin to perform Stored Cross-Site Scripting attacks even wh...
EazyDocs < 2.5.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup The PoC will be displayed on June 25,...
Quiz And Survey Master < 9.0.2 - Contributor+ SQLi
Description The plugin is vulnerable does not validate and escape the questionid parameter in the qsmbulkdeletequestionfromdatabase AJAX action, leading to a SQL injection exploitable by Contributors and above role 1 You will need a valid nonce for deletion of quiz questions. 2 Sign in as a...
Quiz And Survey Master < 9.0.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Go to to Quizzes & Surveys 2. Add/edit a...
Simple Photoswipe <= 0.1 - Subscriber+ Arbitrary Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them history.pushState'', '', '/'; document.forms0.submit; the response of the request above is 403, but the settings update still happens...
Animated AL List <= 1.0.6 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 1. Add a new project 2. Access the URL...
Pagerank Tools <= 1.1.5 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin https://example.com/wp-admin/tools.php?page=pagepageranks&url="alert333...
Simple AL Slider <= 1.2.10 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 1. Add a new project 2. As an admin, access the URL:...
Widget4Call <= 1.0.7 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make an admin open the URL:...
H5P < 1.15.8 - Contributor+ Stored XSS
Description The plugin does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues 1. Upload an H5P archive containing a malicious SVG file w/an XSS 2. Example:...
Kadence Blocks Pro < 2.3.8 - Contributor+ Arbitrary Option Access
Description The plugin does not prevent users with at least the contributor role using some of its shortcode's functionalities to leak arbitrary options from the database. 1. ADMIN: Install Kadence Blocks Pro 2. CONTRIBUTOR: Add shortcode to any post and specify/guess the option name and save 3...
WP Chat App < 3.6.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. 1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=ntawhatsappfloatingwidg...
Spotify Play Button <= 1.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. spotify-play...
Muslim Prayer Time BD <= 2.4 - Settings Reset via CSRF
Description The plugin does not have CSRF check in place when reseting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack Make a logged in admin open an HTML file containing:...
WebP & SVG Support <= 1.4.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following markup: alert"XSS"; Load the SVG and see the XSS. Code reference:...
Simple Photoswipe <= 0.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1 As admin, go to plugin settings...
Frontend Checklist <= 2.3.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to frontend-checklist admin...
Bookster <= 1.1.0 - Unauthenticated Appointment Status Update
Description The plugin allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment the request body to change its status from pending to approved. 1. Open the Wordpress where the plugin is installed with default...
Video Widget <= 1.2.3 - Admin+ Stored XSS via Widget
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a "Video Widget" to a widget ar...
Frontend Checklist <= 2.3.2 - Admin+ Stored XSS via Items
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a checklist and for an item,...
Contact Form 7 < 5.9.5 - Unauthenticated Open Redirect
Description The plugin has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing. 1. Add a form to a footer widget area 2. Disable JavaScript 3. Access the URL: https://example.com/%0a/google.com 4. Fill out the form and submit 5. The browser wi...
Easy Table of Contents < 2.0.66 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed You should create new post with two more heading. Go to the settings of the plugin and...
Logo Manager For Enamad <= 0.7.0 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert/XSS: enamad-code/" alert/XSS:...
Email Subscribers by Icegram Express < 5.7.21 - Unauthenticated SQL Injection via hash
Description The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...
Mime Types Extended <= 0.11 - Author+ Stored XSS via SVG Upload
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. 1. As an admin, enable SVG uploads at https://example.com/wp-admin/options-general.php?page=mime-types-extended 2. As an author,...
SEOPress < 7.8 - Contributor+ Open Redirect
Description The plugin does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious post As a contributor, create a new Post, at the bottom of the page put the following payload in the...
SEOPress < 7.8 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. As a contributor, create a new Post, at the bottom of the page put the following payload in the "SEO Title" fie...
PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks paypalbutton type="addtocart"...
WP Logs Book <= 1.0.1 - Log Clearing via CSRF
Description The plugin does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack Make an admin open an HTML file containing: Note: The 404 Error Logs can also be cleared by modifying the PoC...
Google CSE <= 1.0.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
WP Logs Book <= 1.0.1 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting 1. On the login page, enter any username and for the password enter alert1 2. As an admin, view the logs at:...
Widget Bundle <= 2.0.0 - Unauthencated Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users On a site with the User Login/Registration widget active, have an unauthenticated user send a...
PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Widget Bundle <= 2.0.0 - Widget Disable/Enable via CSRF
Description The plugin does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack This PoC disables the User Registration widget. To do so, make a logged in admin open an HTML file containing:...
DOP Shortcodes <= 1.2 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Add the following shortcode to a...
CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF
Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks Codes:...
CSSable Countdown <= 1.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...