4359 matches found
WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden...
Perfect Survey < 1.5.2 - Unauthenticated SQL Injection
The plugin does not validate and escape the questionid GET parameter before using it in a SQL statement in the getquestion AJAX action, allowing unauthenticated users to perform SQL injection. The questionid must start with an existing post ID...
ProfilePress < 3.1.11 - Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget
The plugin's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned `$_POST` as `$_GET`, which meant that in some cases this could be replicated with just `$_GET` parameters and no need...
Unauthorised AJAX Calls via Freemius
The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated user, such as a Subscriber, could access the debug logs. Unauthenticated attackers could also make a logged in...
WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the "edit" context was used. This requires at least contributor privileges. 1. As one user, create a new password protected post. Ensure...
Fusion Builder < 3.6.2 - Unauthenticated SSRF
The plugin, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network...
uListing < 2.0.4 - Unauthenticated SQL Injection
An Unauthenticated SQL Injection vulnerability was discovered in the plugin. Vulnerable parameters: custom. SQL Injection types: Error-based, Boolean-based Blind, Time-based Blind. PoC 1 | Unauthenticated SQL Injection | Tables: sqlmap...
Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. Setup (as admin): to simulate a gadget chain, put the following code in a plugin: `class Evil { public function __wakeup(): void` ...
WP < 6.5.2 - Unauthenticated Stored XSS
WordPress does not escape the Author name of its Avatar block when some settings are enabled, leading to Stored Cross-Site Scripting. In a default setup, contributor and above users could perform such an attack. However, if the blog is using the mentioned settings in the comment template...
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
The plugin allows unauthenticated users to upload files of the types allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. By default WordPress does not allow uploading o...
ZoomSounds < 6.05 - Unauthenticated Arbitrary File Upload
The plugin contained a PHP file allowing unauthenticated users to upload an arbitrary file anywhere on the web server. Note WPScanTeam: It's unclear which version fixed the issue exactly, however we were able to confirm the issue on versions as high as v5.96 and that the related file has been...
WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
WordPress does not properly escape the "tagName" attribute in the "Template Part" block, allowing high-privileged users to perform Stored Cross-Site Scripting (XSS) attacks. As a contributor, add a "Template Part" block to a post, click on "Start Blank" and then Create. Go into Editor mo...
Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak
The Jetpack Carousel module allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhgvcs that allowed the comments of non-published page/posts to be leaked. Please refer to th...
All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize
The plugin enables authenticated users with the "aioseotoolssettings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore the plugin's configuration by uploading a backup .ini file in the section "Tool Import/Export". However, the plugin attempts to...
Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection
The plugin was reported to be affected by a critical Authenticated Blind SQL Injection vulnerability. http://www.example.com/wp-json/wc/store/products/collection-data?calculateattributecounts0taxonomy=a%252522%252529%252520or%252520sleep%25252810.1%252529%252523...
Slider Hero < 8.2.7 - Contributor+ SQL Injection
The plugin does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection. As a contributor, add the following shortcode in a post and preview it to execute the SQLi hero-butto...
Elementor < 3.18.2 - Contributor+ Arbitrary File Upload to RCE via Template Import
The plugin is vulnerable to Remote Code Execution via arbitrary file upload in the template import functionality, allowing authenticated attackers with contributor-level access and above to upload files and execute code on the server. 1. Edit a post in Elementor. 2. Import a template folder...
Loco Translate < 2.5.4 - Authenticated PHP Code Injection
The plugin mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations. 1. Using a User with the translator role, navigate...
Contact Form 7 < 5.9.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators...
MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple
The plugin had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address. The plugin must have a valid purchase code for the request to work. curl -X GET --header 'Content-Type: application/json' --header 'Accept:...
Titan Framework <= 1.12.1 - Reflected Cross-Site Scripting (XSS)
The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues. Edit WPScanTeam: - The original report mentioned the issue...
Revolution Slider <= 6.6.12 - Author+ Remote Code Execution
The plugin does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations. By default, the import functionality is only available to Admin users. However, the plugin may be configured to allow...
Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue. https://example.com/forum/?subscribetopic=1%20union%20select%201%20and%20sleep(10)...
WP Advanced Search < 3.3.6 - Unauthenticated SQL Injection
Due to the use of string concatenation, direct access to a vulnerable PHP file being allowed, and missing best practices for coding SQL operations, there exists an unauthenticated SQL injection in autocompletion-PHP5.5.php. After a month of trying to contact the plugin author (Twitter, email), we followed...
Formcraft3 < 3.8.28 - Unauthenticated SSRF
The plugin does not validate the URL parameter in the formcraft3get AJAX action, leading to SSRF issues exploitable by unauthenticated users. https://example.com/wp-admin/admin-ajax.php?action=formcraft3get&URL=https://wpscan.com...
Contact Form Submissions <= 1.6.4 - Authenticated SQL Injection
The wpcf7contactform GET parameter is vulnerable to SQL injection when submitting a filter request as a high privilege user (admin+). Edit WPScanTeam: September 28th, 2020 - Escalated to WP & WP investigating. October 26th, 2020 - Received another submission related to a SQL injection in the same paramet...
Call Now Accessibility Button < 1.1 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. In the plugin's "Quick Start" field, add the...
Elementor < 3.5.6 - DOM Reflected Cross-Site Scripting
The plugin does not sanitise and escape user input appended to the DOM via malicious Lightbox settings, resulting in a DOM Cross-Site Scripting issue...
Media Library Assistant < 3.06 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. POST /wp-admin/tools.php?page=insertfixit-tools HTTP/1.1...
Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam while confirming the issue: There is...
WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8
A user with the ability to upload files (such as an Author) can exploit an XML parsing issue in the Media Library, leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity (XXE) vulnerability affecting PHP versions 8 and above. Thi...
BookingPress < 1.0.11 - Unauthenticated SQL Injection
The plugin fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpressfrontgetcategoryservices AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection. - Create a new "category" and associate i...
MC4WP: Mailchimp for WordPress < 4.8.5 - Unauthorised Actions via CSRF
The plugin did not properly check for CSRF in some of its actions handled by the listenforactions method hooked to admin_init, allowing attackers to make logged in users with the manage_options capability perform unwanted actions such as emptying the logs, dismissing notices and so on...
WP Statistics < 13.0.8 - Unauthenticated SQL Injection
The plugin relied on the WordPress esc_sql function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrators only, was also available to any visitor, including unauthenticated ones...
Outdated php-mod/curl Library - Unauthenticated Reflected Cross-Site Scripting (XSS)
The original submission stated that the HT Slider Range for Amazon affiliates plugin for WordPress had a reflected XSS vulnerability. After investigation by WPScanTeam, the cause was found to be test files from the php-mod/curl library, which was missing appropriate response headers before outputtin...
WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE
We noticed a 0-day in the plugin https://woocommerce.com/products/woocommerce-help-scout/ being actively exploited. This vulnerability affects at least versions 2.6-2.8 (the current latest published version) and allows unauthenticated users to upload any files to the site, which by default will end up in...
Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting
Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vxdebug GET parameter...
NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection
The plugin does not sanitise and escape the nxid parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection. time wget 'https://example.com/?rest_route=/notificationx/v1/analytics' --post-data="nxid=sleep(2)-- x" -q -O-...
All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE
The plugin does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations. To reproduce: - Log in, click All-in-One WP Migration > Import to use the import from file function. - Intercept wp-admin/admin-...
Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE
The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. 1. Make sure to configure the plugin so Authors can access its settings. 2. Create a new slider. 3. Save and export...
Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning
The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) on the system due to log poisoning, and therefore potentially a full compromise of the underlying structure. RCE through chaining LFI with log poisoning: 1. Path Traversal / Local File...
WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) - Contributor+ Stored Cross-Site Scripting
Post authors are able to bypass KSES restrictions in WordPress >= 5.9 and/or Gutenberg >= 9.8.0 due to the order in which filters are executed, which could allow them to perform Stored Cross-Site Scripting attacks. As a user without the unfiltered_html capability, create a post containing the...
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS
The plugin uses the wrong content type for, and does not properly escape, the response from the ai1wmexport action, allowing an attacker to craft a request that, when submitted by any visitor, will inject arbitrary HTML or JavaScript into the response that will be executed in the victim's session. "...
Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to Stored Cross-Site Scripting (XSS) in the "hotjar script" textarea. The request did include a CSRF nonce that was properly verified by the server, and this vulnerability could only be exploited by administrator users. Step 1: Install and activate the plugin "Hotjar...
Telugu Bible Verse Daily <= 1.0 - CSRF to Stored XSS
The plugin is lacking any CSRF check when saving its settings and verses, and does not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code, leading...
Multiple Plugins from CatchThemes - Unauthorised Plugin's Setting Change
Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctpswitch AJAX action, which could allow any authenticated user, such as a Subscriber, to change the plugin's configurations. 1. Turn off "Turn On Catch Themes & Catch Plugin tabs": jQuery.post(ajaxurl, ...
WP Image Zoom < 1.47 - Local File Inclusion
The plugin did not validate its tab parameter before using it in the include_once function, leading to a local file inclusion issue in the admin dashboard. PoC: https://example.com/wp-admin/admin.php?page=zoooomsettings&tab=whatever This URL shows an include_once error, which indicates that the paramet...
Simple School Staff Directory <= 1.1 - Admin+ Arbitrary File Upload
The plugin does not validate uploaded logo pictures to ensure that they are indeed images, allowing high privilege users such as admin to upload arbitrary files such as PHP, leading to RCE. As admin, upload a PHP file via the Add Logo page of the plugin...
Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection
SQL injection in the Photo Gallery by 10Web plugin before 1.5.55 exists via the frontend/models/model.php bwgsearchx parameter. Impact: all gallery types are affected by this bug and any unauthenticated remote attacker can exploit the plugin. Sqlmap payload: sqlmap -u...
Insert Pages < 3.7.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit: inse...