Wpexploit: Most viewed

4359 matches found

wpexploit, added 2022/12/13 12:0 a.m., 3516 views

WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding

Description WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden...

CVSS 5.9, AI score 5.8, EPSS 0.0315
Exploits: 5, References: 1

wpexploit, added 2021/10/05 12:0 a.m., 2690 views

Perfect Survey < 1.5.2 - Unauthenticated SQL Injection

The plugin does not validate and escape the questionid GET parameter before using it in a SQL statement in the getquestion AJAX action, allowing unauthenticated users to perform SQL injection. The questionid must start with an existing post ID...

AI score 2, EPSS 0.86896
Exploits: 7

wpexploit, added 2021/08/09 12:0 a.m., 2599 views

ProfilePress < 3.1.11 - Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget

The plugin's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $POST as $GET which meant that in some cases this could be replicated with just $GET parameters and no need...

CVSS 6.1, AI score 0.3, EPSS 0.01285
Exploits: 2, References: 1

wpexploit, added 2022/02/28 12:0 a.m., 2326 views

Unauthorised AJAX Calls via Freemius

Description The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in...

AI score 7.2
Exploits: 0

wpexploit, added 2021/04/15 12:0 a.m., 2159 views

WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure

Description The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the "edit" context was used. This requires at least contributor privileges. 1. As one user, create a new password protected post. Ensure...

CVSS 6.5, AI score 5.6, EPSS 0.02331
Exploits: 1, References: 4

wpexploit, added 2022/04/19 12:0 a.m., 1621 views

Fusion Builder < 3.6.2 - Unauthenticated SSRF

Description The plugin, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network...

CVSS 9.8, AI score 9.3, EPSS 0.71722
Exploits: 6, References: 2

wpexploit, added 2021/07/26 12:0 a.m., 1607 views

uListing < 2.0.4 - Unauthenticated SQL Injection

An Unauthenticated SQL Injection vulnerability was discovered in the plugin. Vulnerable parameters: custom. SQL Injection types: Error-based, Boolean-based Blind, Time-based Blind. PoC 1 | Unauthenticated SQL Injection | Tables: sqlmap...

CVSS 7.5, AI score 0.9, EPSS 0.02067
Exploits: 1

wpexploit, added 2023/04/10 12:0 a.m., 1557 views

Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection

The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...

CVSS 8.8, AI score 9.6, EPSS 0.0108
Exploits: 3

wpexploit, added 2024/04/10 12:0 a.m., 1546 views

WP < 6.5.2 - Unauthenticated Stored XSS

Description WordPress does not escape the Author name of its Avatar block when some settings are enabled, leading to Stored Cross-Site Scripting. In a default setup, contributor and above users could perform such attack. However, if the blog is using the mentioned settings in the comment template...

AI score 7
Exploits: 0, References: 1

wpexploit, added 2022/08/01 12:0 a.m., 1437 views

Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload

The plugin allows unauthenticated users to upload files allowed in a default WP configuration so PHP is not possible if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. By default WordPress does not allow uploading o...

CVSS 8.8, AI score 0.3, EPSS 0.01264
Exploits: 2, References: 1

wpexploit, added 2021/06/24 12:0 a.m., 1435 views

ZoomSounds < 6.05 - Unauthenticated Arbitrary File Upload

The plugin contained a PHP file, allowing unauthenticated users to upload an arbitrary file anywhere on the web server. Note WPScanTeam: It's unclear which version fixed the issue exactly, however we were able to confirm the issue on version as high as v5.96 and that the related file has been...

AI score 0.4
Exploits: 0

wpexploit, added 2024/06/25 12:0 a.m., 1399 views

WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block

Description WordPress does not properly escape the "tagName" attribute in the "Template Part block" allowing high-privileged users to perform Stored Cross-Site Scripting XSS attacks. As a contributor, add a "Template Part" block to a post, click on "Start Blank" and then Create. Go into Editor mo...

AI score 6
Exploits: 0, References: 1

wpexploit, added 2021/06/03 12:0 a.m., 1396 views

Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak

The Jetpack Carousel module allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhgvcs that allowed the comments of non-published page/posts to be leaked. Please refer to th...

CVSS 5.3, AI score 0.3, EPSS 0.01494
Exploits: 2, References: 2

wpexploit, added 2021/05/09 12:0 a.m., 1280 views

All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize

The plugin enables authenticated users with "aioseotoolssettings" privilege most of the time admin to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool Import/Export". However, the plugin attempts to...

CVSS 9, AI score 0.3, EPSS 0.53274
Exploits: 3, References: 1

wpexploit, added 2021/07/15 12:0 a.m., 1258 views

Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection

The plugin was reported to be affected by a critical Authenticated Blind SQL Injection vulnerability. http://www.example.com/wp-json/wc/store/products/collection-data?calculateattributecounts0taxonomy=a%252522%252529%252520or%252520sleep%25252810.1%252529%252523...

CVSS 4, AI score 6.4, EPSS 0.01265
Exploits: 2, References: 6

wpexploit, added 2021/07/26 12:0 a.m., 1222 views

Slider Hero < 8.2.7 - Contributor+ SQL Injection

The plugin does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection. As a contributor, add the following shortcode in a post and preview it to execute the SQLi hero-butto...

CVSS 6.5, AI score 0.8, EPSS 0.01362
Exploits: 2

wpexploit, added 2023/12/08 12:0 a.m., 1219 views

Elementor < 3.18.2 - Contributor+ Arbitrary File Upload to RCE via Template Import

Description The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. 1. Edit a post in Elementor. 2. Import a template folder...

CVSS 9.9, AI score 9.8, EPSS 0.041
Exploits: 3, References: 1

wpexploit, added 2021/10/11 12:0 a.m., 1113 views

Loco Translate < 2.5.4 - Authenticated PHP Code Injection

The plugin mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations. 1. Using a User with the translator role, navigate...

CVSS 6.5, AI score 0.1, EPSS 0.0091
Exploits: 2

wpexploit, added 2024/03/13 12:0 a.m., 1112 views

Contact Form 7 < 5.9.2 - Reflected Cross-Site Scripting

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators...

CVSS 6.1, AI score 6.2, EPSS 0.013
Exploits: 2, References: 1

wpexploit, added 2021/02/02 12:0 a.m., 1108 views

MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple

The plugin had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address. The plugin must have a valid purchase code for the request to work curl -X GET --header 'Content-Type: application/json' --header 'Accept:...

AI score 1.6, EPSS 0.03373
Exploits: 1, References: 2

wpexploit, added 2021/08/09 12:0 a.m., 1102 views

Titan Framework <= 1.12.1 - Reflected Cross-Site Scripting (XSS)

Description The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues Edit WPScanTeam: - The original report mentioned the issue...

CVSS 6.1, AI score 6.3, EPSS 0.01785
Exploits: 2

wpexploit, added 2023/05/22 12:0 a.m., 1097 views

Revolution Slider <= 6.6.12 - Author+ Remote Code Execution

The plugin does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations. By default, the import functionality is only available to Admin users. However, the plugin may be configured to allow...

CVSS 8.8, AI score 9.6, EPSS 0.0254
Exploits: 2

wpexploit, added 2021/10/11 12:0 a.m., 1090 views

Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection

The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue https://example.com/forum/?subscribetopic=1%20union%20select%201%20and%20sleep10...

CVSS 9.8, AI score 1.8, EPSS 0.13285
Exploits: 3, References: 1

wpexploit, added 2020/04/02 12:0 a.m., 1090 views

WP Advanced Search < 3.3.6 - Unauthenticated SQL Injection

Due to using string concatenation, allowing direct access to a vulnerable PHP file and missing best-practices for coding SQL operations, there exists an unauthenticated SQL injection in autocompletion-PHP5.5.php. After a month of trying to contact the Plugin author Twitter, email, we followed...

AI score 0.7
Exploits: 0

wpexploit, added 2022/02/28 12:0 a.m., 1077 views

Formcraft3 < 3.8.28 - Unauthenticated SSRF

The plugin does not validate the URL parameter in the formcraft3get AJAX action, leading to SSRF issues exploitable by unauthenticated users https://example.com/wp-admin/admin-ajax.php?action=formcraft3get&URL=https://wpscan.com...

CVSS 9.1, AI score 3.4, EPSS 0.20249
Exploits: 2

wpexploit, added 2021/01/03 12:0 a.m., 1074 views

Contact Form Submissions <= 1.6.4 - Authenticated SQL Injection

The wpcf7contactform GET parameter is vulnerable to SQL injection when submitting a filter request as a high privilege user admin+ Edit WPScanTeam September 28th, 2020 - Escalated to WP & WP Investigating October 26th, 2020 - Received another submission related a SQL injection in the same paramet...

AI score 0.6, EPSS 0.01456
Exploits: 2

wpexploit, added 2023/06/19 12:0 a.m., 1067 views

Call Now Accessibility Button < 1.1 - Admin+ Stored Cross Site Scripting

Description The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. In the plugin's "Quick Start" field, add the...

CVSS 4.8, AI score 4.8, EPSS 0.00423
Exploits: 2

wpexploit, added 2022/06/13 12:0 a.m., 1058 views

Elementor < 3.5.6 - DOM Reflected Cross-Site Scripting

The plugin does not sanitise and escape user input appended to the DOM via malicious Lightbox settings, resulting in a DOM Cross-Site Scripting issue...

CVSS 6.1, AI score 1.2, EPSS 0.2318
Exploits: 7, References: 1

wpexploit, added 2023/02/16 12:0 a.m., 1027 views

Media Library Assistant < 3.06 - Admin+ SQLi

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. POST /wp-admin/tools.php?page=insertfixit-tools HTTP/1.1...

CVSS 7.2, AI score 7.9, EPSS 0.00785
Exploits: 1, References: 1

wpexploit, added 2021/02/18 12:0 a.m., 1026 views

Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload

The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users admin+ to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is...

AI score 7.3, EPSS 0.84112
Exploits: 9

wpexploit, added 2021/04/15 12:0 a.m., 1023 views

WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8

Description A user with the ability to upload files like an Author can exploit an XML parsing issue in the Media Library leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity XXE vulnerability affecting PHP versions 8 and above. Thi...

CVSS 7.1, AI score 6.7, EPSS 0.85719
Exploits: 20, References: 6

wpexploit, added 2022/02/28 12:0 a.m., 1003 views

BookingPress < 1.0.11 - Unauthenticated SQL Injection

The plugin fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpressfrontgetcategoryservices AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection - Create a new "category" and associate i...

CVSS 9.8, AI score 0.5, EPSS 0.37171
Exploits: 11, References: 1

wpexploit, added 2021/06/01 12:0 a.m., 989 views

MC4WP: Mailchimp for WordPress < 4.8.5 - Unauthorised Actions via CSRF

The plugin did not properly check for CSRF in some of its actions handled by the listenforactions method hooked as admininit, allowing attackers to make logged in users with the manageoptions capability do unwanted actions such as empty the logs, dismiss notice and so on...

AI score 4.4
Exploits: 0

wpexploit, added 2021/05/19 12:0 a.m., 983 views

WP Statistics < 13.0.8 - Unauthenticated SQL Injection

The plugin relied on using the WordPress escsql function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones...

CVSS 7.5, AI score 2.5, EPSS 0.26931
Exploits: 3, References: 2

wpexploit, added 2021/04/16 12:0 a.m., 971 views

Outdated php-mod/curl Library - Unauthenticated Reflected Cross-Site Scripting (XSS)

The original submission stated that the HT Slider Range for Amazon affiliates plugin for WordPress had a reflected XSS vulnerability. After investigation WPScanTeam, the cause was found to be test files from the php-mod/curl library, which was missing appropriate response headers before outputtin...

AI score 0.1, EPSS 0.01261
Exploits: 2, References: 1

wpexploit, added 2021/03/21 12:0 a.m., 964 views

WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE

We noticed 0-day in the plugin https://woocommerce.com/products/woocommerce-help-scout/ being actively exploited. This vulnerability affects at least versions 2.6-2.8 current latest published version and allows unauthenticated users to upload any files to the site which by default will end up in...

CVSS 7.5, AI score 0.1, EPSS 0.07908
Exploits: 2, References: 1

wpexploit, added 2021/08/26 12:0 a.m., 962 views

Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting

Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to a Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vxdebug GET parameter...

AI score 1.1
Exploits: 0

wpexploit, added 2022/02/02 12:0 a.m., 958 views

NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection

The plugin does not sanitise and escape the nxid parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection time wget 'https://example.com/?restroute=/notificationx/v1/analytics' --post-data="nxid=sleep2 -- x" -q -O-...

CVSS 9.8, AI score 2.2, EPSS 0.34359
Exploits: 2

wpexploit, added 2022/02/07 12:0 a.m., 940 views

All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE

The plugin does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations. To reproduce: - Log in, Click all in one WP migration import to use the import from file function. - Intercept wp-admin/admin-...

CVSS 7.2, EPSS 0.01687
Exploits: 2, References: 1

wpexploit, added 2023/12/14 12:0 a.m., 932 views

Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE

Description The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. 1. Make sure to configure the plugin so Authors can access its settings 2. Create a new slider. 3. Save and export...

CVSS 8.8, AI score 7.3, EPSS 0.0137
Exploits: 2

wpexploit, added 2021/06/21 12:0 a.m., 917 views

Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning

The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution RCE of the system due to log poisoning and therefore potentially a full compromise of the underlying structure RCE through chaining LFI with log poisoning 1. Path Traversal / Local File...

CVSS 9, AI score 0.4, EPSS 0.04956
Exploits: 2

wpexploit, added 2022/03/11 12:0 a.m., 916 views

WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) - Contributor+ Stored Cross-Site Scripting

Description Post authors are able to bypass KSES restrictions in WordPress = 5.9 and or Gutenberg = 9.8.0 due to the order filters are executed, which could allow them to perform to Stored Cross-Site Scripting attacks As a user without the UNFILTEREDHTML capability, create a post containing the...

AI score 6.5
Exploits: 0, References: 1

wpexploit, added 2022/08/23 12:0 a.m., 913 views

All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS

The plugin uses the wrong content type for, and does not properly escape the response from the ai1wmexport action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session. "...

EPSS 0.01204
Exploits: 3

wpexploit, added 2021/05/04 12:0 a.m., 903 views

Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin was vulnerable to Stored Cross-Site Scripting XSS in the "hotjar script" textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users. Step 1: Install and activate the plugin "Hotjar...

CVSS 5.4, AI score 0.2, EPSS 0.00624
Exploits: 2

wpexploit, added 2021/07/19 12:0 a.m., 900 views

Telugu Bible Verse Daily <= 1.0 - CSRF to Stored XSS

The plugin is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading...

CVSS 4.3, AI score 6.2, EPSS 0.00412
Exploits: 2

wpexploit, added 2021/09/20 12:0 a.m., 893 views

Multiple Plugins from CatchThemes - Unauthorised Plugin's Setting Change

Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctpswitch AJAX action, which could allow any authenticated users, such as Subscriber to change the plugin's configurations. 1 Turn off "Turn On Catch Themes & Catch Plugin tabs" jQuery.postajaxurl,...

CVSS 5.7, AI score 1, EPSS 0.00408
Exploits: 2

wpexploit, added 2021/06/23 12:0 a.m., 891 views

WP Image Zoom < 1.47 - Local File Inclusion

The plugin did not validate its tab parameter before using it in the includeonce function, leading to a local file inclusion issue in the admin dashboard PoC: https://example.com/wp-admin/admin.php?page=zoooomsettings&tab=whatever This URL shows includeonce error, which indicates that the paramet...

CVSS 5, AI score 0.4, EPSS 0.01375
Exploits: 2

wpexploit, added 2021/08/23 12:0 a.m., 866 views

Simple School Staff Directory <= 1.1 - Admin+ Arbitrary File Upload

The plugin does not validate uploaded logo pictures to ensure that are indeed images, allowing high privilege users such as admin to upload arbitrary file like PHP, leading to RCE As admin, upload a PHP file via the Add Logo page of the plugin...

CVSS 7.2, AI score 1.3, EPSS 0.01442
Exploits: 2

wpexploit, added 2020/05/15 12:0 a.m., 865 views

Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection

SQL injection in the Photo Gallery 10Web Photo Gallery plugin before 1.5.55 exists via the frontend/models/model.php bwgsearchx parameter. Impact All gallerytype is affected by this bug and any unauthenticated remote attacker can exploit the plugin. Sqlmap payload: sqlmap -u...

AI score 2.7, EPSS 0.05418
Exploits: 1, References: 1

wpexploit, added 2023/01/04 12:0 a.m., 860 views

Insert Pages < 3.7.5 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit: inse...

CVSS 5.4, AI score 0.9, EPSS 0.00534
Exploits: 2

Total number of security vulnerabilities: 4359