4359 matches found
WP Limit Login Attempts <= 2.6.4 - IP Spoofing
The plugin prioritises getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms. Set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR, as used in wp_limit_get_ip, to spoof the IP address and bypass the block...
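The defect above is the generic "trust the first header that is present" pattern. The following is an added example (it is not the WP Limit Login Attempts code) showing that shape next to a resolver that only honours X-Forwarded-For when the TCP peer is one of our own reverse proxies; the proxy addresses and the sample requests are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. TRUSTED_PROXIES and the sample
// requests below are assumptions for illustration.

// VULNERABLE: client-controlled headers win over REMOTE_ADDR, so a blocked
// attacker sends "X-Forwarded-For: 1.2.3.4" and the block no longer matches.
function vuln_get_ip(array $server): string {
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]); // first hop = attacker's choice
        }
    }
    return '';
}

// Assumed addresses of the reverse proxies we operate.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// HARDENED: REMOTE_ADDR is the only value the client cannot forge. Use the
// forwarded chain only when REMOTE_ADDR is one of our proxies, and read it
// from the right (the hops our proxies appended), never from the left.
function safe_get_ip(array $server, array $trusted = TRUSTED_PROXIES): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    if (!in_array($remote, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote; // direct connection: the TCP peer is the client
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed chain: fall back to the peer address
        }
        if (!in_array($hops[$i], $trusted, true)) {
            return $hops[$i]; // first address not under our control
        }
    }
    return $remote;
}

// Constructed requests: a direct client forging the header, and the same
// client arriving through our proxy 10.0.0.5, which appended the real peer.
$direct  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9'];
var_dump(vuln_get_ip($direct));  // the forged value
var_dump(safe_get_ip($direct));  // the real peer; forged header ignored
var_dump(safe_get_ip($proxied)); // the hop our proxy recorded, not the left-most one
```

When the site sits behind a CDN or load balancer, the same rule applies at the web-server layer: configure the proxy list there (e.g. a real-IP module) rather than letting every plugin reimplement it.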
3D Print Lite < 1.9.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=p3dlitematerials&materialtext="alert(/XSS/)...
Advanced Booking Calendar < 1.6.8 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue https://plugins.trac.wordpress.org/browser/advanced-booking-calendar/tags/1.6.7/backend/settings.php#L550...
PostmagThemes Demo < 1.0.8 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files such as PHP leading to RCE. 1. Go to Appearance » Import Demo Data » Manual demo files upload » Run "Choose a JSON file for customizer import" and import a PHP file. 2. Click Impo...
WP CSV Exporter < 1.3.7 - Admin+ SQLi
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement, allowing high privilege users such as admin to perform SQL injection attacks As an admin, go to Tools CSV Export, leave everything as default and click on Export POSTS CSV Intercept the request...
FV Flowplayer Video Player < 7.5.3.727 - Reflected Cross-Site Scripting
The plugin does not escape or validate the playerid parameter before outputting back in the Stats page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator...
Icegram Express < 5.5.1 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber Open the below URL when logged in as a subscriber and notice the 5s delay...
Forminator < 1.15.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. As an admin, create or edit a Forminator form, add an email field and put the following payload in the label...
Availability Calendar < 1.2.2 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise or escape its Category Names before outputting them in the page/post where the associated shortcode is embedded, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create a new category via the plugin...
WP All Export < 1.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Export's Name before outputting it in the Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 1. Create a new export via the "New Export" page. 2. Go to "Manage Exports...
Site Reviews < 5.13.1 - Authenticated Stored XSS
The plugin does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. As an admin, create a review via the Admin dashboard /wp-admin/post-new.php?post_type=site-review and add t...
tagDiv Composer < 4.2 - Unauthenticated Stored XSS
The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scriptin...
Wholesale Market for WooCommerce < 1.0.7 - Unauthenticated Arbitrary File Download
The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. Note: v1.0.7 added capability check, making the issue still exploitable by high privilege users such a...
WP Visitor Statistics (Real Time Traffic) < 5.5 - Arbitrary IP Address Exclusion to Stored XSS
The plugin does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping...
Salon Booking System < 6.3.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting XSS vulnerability. The Payload will then be triggered when an admin visits the...
Optimize images ALT Text (alt tag) & names for SEO using AI < 2.0.8 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Use the following form to abuse the CSRF vulnerability on the settings page: action layout textColor contentBackgroundColor starColor...
About Author Box < 1.0.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks. With a role as low as Contributor, put the following payloads in one of the Social Profi...
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Contributor+ Stored Cross-Site Scripting
The plugin allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's blocks. The PoC can be entered with the code editor; the example below uses the Taxonomy block, but all blocks are vulnerable:...
PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Contributor+ Stored Cross-Site Scripting
The plugin, with Saved Templates Addon enabled, allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's shortcode. Create a page as any user with the following shortcode block: gutenbergpostblocks id='a"...
Float to Top Button <= 2.3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Put the following payload in the "Text for the button" or "URL ...
OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion
The plugin does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated user to delete arbitrary files or folders on the server. As an authenticated user with a role as low as subscriber, viewing the admin dashboard...
PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)
The slider import search feature of the plugin settings did not properly sanitise the keyword GET parameter, leading to a reflected Cross-Site Scripting issue https://example.com/wp-admin/edit.php?post_type=wcps&page=importlayouts&keyword=" onmouseover=alert(1);//...
SEO Redirection < 6.4 - Authenticated Reflected Cross-Site Scripting (XSS)
The settings page of the plugin is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before being output in an attribute. Timeline: WPScan Team, January 29th, 2021 - Report received & confirmed & escalated to the WordPress plugins Team, who confirmed to have received...
My Chatbot <= 1.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its tab parameter in the Settings page before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/options-general.php?page=my-chatbot&tab=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E...
WP Coder < 2.5.3 - Code Deletion via CSRF
The plugin does not have CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged in admin delete arbitrary ones via a CSRF attack https://example.com/wp-admin/admin.php?page=wp-coder&info=del&did=1...
SliceWP < 1.0.46 - Reflected Cross-Site Scripting (XSS)
The plugin does not escape the converted parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=slicewp-visits&converted="alert(/XSS/)...
WP Reset < 1.90 - Authenticated Stored XSS
The plugin did not sanitise or escape its extradata parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue PoC | Authenticated Persistent XSS | Enter snapshot name or brief description:...
Salon booking system < 7.6.3 - Unauthenticated Sensitive Data Disclosure
The plugin does not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it. Although the API only retur...
Email Log < 2.4.8 - Reflected Cross-Site Scripting
The plugin does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=email-log&d="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//...
Form Builder < 1.9.8.4 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payloads in it, even when the unfiltered_html capability is disallowed. Create a new Form via the plugin, go to Form Settings, then add the following payload in the Title...
uListing < 2.0.6 - Modify User Roles via CSRF
An Add/Edit User Roles via CSRF vulnerability was discovered in the plugin. Missing WP Nonce security tokens https://codex.wordpress.org/WordPress_Nonces . PoC | CSRF | Add/Edit User Roles: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: cookies User-Agent: Mozilla/5.0 Content-Type:...
Easy Digital Downloads 3.1.0.2 & 3.1.0.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the s parameter before using it in a SQL statement via the edd_download_search AJAX action, leading to a SQL injection exploitable by unauthenticated users curl...
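The three SQLi entries above (WP CSV Exporter, Icegram Express, Easy Digital Downloads) share one root cause: request data concatenated into a statement. The block below is an added example, not code from any of those plugins; it assumes a custom table `wp_example_items` with `id`, `name` and `created_at` columns, and shows a search built by interpolation, the same search with a bound value, and the identifier case that `$wpdb->prepare()` cannot cover.

```php
<?php
// Added example, not the plugins' code. The table and column names are assumed.

// VULNERABLE: the search term becomes part of the statement. A probe such as
//   x%' AND SLEEP(5) AND '%'='
// is the kind of input behind the "notice the 5s delay" time-based PoC above.
function example_search_vuln(string $term): array {
    global $wpdb;
    $sql = "SELECT id, name FROM {$wpdb->prefix}example_items WHERE name LIKE '%{$term}%'";
    return $wpdb->get_results($sql, ARRAY_A);
}

// FIXED: the term is passed as a %s argument to prepare(); esc_like() also
// neutralises the LIKE wildcards % and _ so a caller cannot widen the match.
// {$wpdb->prefix} is interpolated because it is configuration, not user input.
function example_search_safe(string $term): array {
    global $wpdb;
    $like = '%' . $wpdb->esc_like($term) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}example_items WHERE name LIKE %s",
        $like
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// Exporter-style parameters (sort column, direction) are identifiers, which
// prepare() cannot bind. Whitelist them instead of trusting the request, even
// for admin-only screens: "Admin+ SQLi" still matters where admins are not DBAs.
function example_export_sql(string $orderBy, string $dir, int $limit): string {
    global $wpdb;
    $columns = ['id', 'name', 'created_at'];
    $orderBy = in_array($orderBy, $columns, true) ? $orderBy : 'id';
    $dir     = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return $wpdb->prepare(
        "SELECT id, name, created_at FROM {$wpdb->prefix}example_items ORDER BY {$orderBy} {$dir} LIMIT %d",
        max(1, $limit)
    );
}

// Usage inside a request handler (nonce/capability checks omitted here, see the
// AJAX example further down the page):
// $rows = example_search_safe(sanitize_text_field(wp_unslash($_POST['s'] ?? '')));
```

Detection-wise, the time-based PoC is easy to confirm from the database side: a `SLEEP()` or `BENCHMARK()` call appearing in the slow query log for a statement issued by the web user is never legitimate plugin behaviour.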
Stylish Cost Calculator < 7.04 - Subscriber+ Unauthorised AJAX Calls to Stored XSS
The plugin does not have any authorisation and CSRF checks on some of its AJAX actions available to authenticated users, which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users d...
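The OMGF, WP Visitor Statistics, Stylish Cost Calculator and Wholesale Market entries above all describe an action reachable by any logged-in user (or, via CSRF, by a victim's browser) with no capability check, no nonce and, where a path is involved, no validation of it. The block below is an added example, not code from any of those plugins; the hook names, option name and base directory are assumptions. It shows the vulnerable shape next to a handler with all three checks.

```php
<?php
// Added example, not the plugins' code. Hook names, the cache directory and the
// capability are assumptions chosen for illustration.

// VULNERABLE shape: wp_ajax_* hooks fire for every authenticated role, there is
// no nonce, and the caller picks the path. A subscriber (or a CSRF page loaded
// by an admin) can point it at any directory.
add_action('wp_ajax_example_empty_dir', function () {
    $dir = $_POST['dir'] ?? '';
    array_map('unlink', glob($dir . '/*') ?: []);
    wp_send_json_success();
});

// HARDENED shape.
add_action('wp_ajax_example_empty_dir_safe', 'example_empty_dir_safe');
function example_empty_dir_safe() {
    // 1. CSRF: the page embeds wp_create_nonce('example_empty_dir') as the
    //    _ajax_nonce field; check_ajax_referer() dies with a 403 on mismatch.
    check_ajax_referer('example_empty_dir');

    // 2. Authorisation: "logged in" is not a capability. Require one.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Path validation: the caller supplies a bare name, never a path, and the
    //    resolved target must stay under the directory the plugin owns.
    $base   = wp_normalize_path(WP_CONTENT_DIR . '/uploads/example-cache/'); // assumed
    $target = example_resolve_under($base, (string) ($_POST['dir'] ?? ''));
    if ($target === null) {
        wp_send_json_error('invalid directory', 400);
    }
    foreach (glob($target . '/*') ?: [] as $file) {
        if (is_file($file)) {
            unlink($file);
        }
    }
    wp_send_json_success();
}

// Canonical absolute path of $base/$name if it exists and lies inside $base,
// null otherwise. realpath() collapses "..", symlinks and duplicate separators,
// so the prefix comparison is made on the resolved path, not the raw input.
// The same check applies to the "download arbitrary file" case: resolve, then
// compare, then open.
function example_resolve_under(string $base, string $name): ?string {
    if ($name === '' || $name === '.' || $name === '..' || $name !== basename($name)) {
        return null; // any separator or dot-segment is rejected outright
    }
    $realBase = realpath($base);
    $real     = realpath($base . $name);
    if ($realBase === false || $real === false) {
        return null;
    }
    $realBase = rtrim(wp_normalize_path($realBase), '/') . '/';
    $real     = wp_normalize_path($real);
    return strncmp($real, $realBase, strlen($realBase)) === 0 ? $real : null;
}
```

The settings-update CSRF entries on this page (Optimize images ALT Text, WP Coder, Jock on air now) need only check 1 and 2 in a form handler: `wp_nonce_field()` in the form and `check_admin_referer()` plus `current_user_can()` before the option is written.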
Slideshow Gallery < 1.7.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Slide "Title", "Description", and Gallery "Title" fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/edit a Slide /wp-admin/admin.php?page=slideshow-slides and put the...
BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting
The plugin sanitises the 'subject' parameter with sanitize_text_field but does not escape it before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/chat-rooms/?subject=asd%22%20%22%20onmouseover=javascript:alert(1);%20test=%22&new-message=asd...
Coming Soon and Maintenance Mode < 3.5.3 - Authenticated Stored XSS
The plugin does not properly sanitize inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored XSS. Open the Coming Soon plugin's settings (Coming Soon > Coming Soon), click on the "Title" section and inject the XSS payload into the...
CM Tooltip Glossary < 3.9.21 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some glossary_tooltip shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks [glossary_tooltip dashicon='" style="animation-name:twentytwentyone-close-button-transition"...
MF Gig Calendar <= 1.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue...
Email Encoder < 2.1.2 - Reflected Cross Site Scripting
The plugin has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data. The vulnerable function is nonce protected, the nonce can be found in the site's HTML source by searching for the javascript variable...
Easy Media Download < 1.1.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Affected arguments: url, text, target, rel and class [easy_media_download url="/" text='" onerror="alert(/XSS/)//http' [easy_media_downlo...
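The BP Better Messages entry ("sanitises with sanitize_text_field but does not escape"), the shortcode entries (CM Tooltip Glossary, Easy Media Download) and the many "even when unfiltered_html is disallowed" stored-XSS entries all come down to escaping for the output context rather than only cleaning input. The block below is an added example, not code from any of those plugins; the function names and option name are assumptions. It shows why sanitize_text_field() alone does not stop an attribute breakout, and the per-context escape for each kind of output that appears on this page.

```php
<?php
// Added example, not the plugins' code. Function and option names are assumed.

// sanitize_text_field() strips tags, invalid UTF-8 and line breaks, but double
// quotes survive. So a value such as
//   asd" onmouseover=alert(1) x="
// is "clean" by that measure and still closes the attribute it lands in.
$subject = sanitize_text_field(wp_unslash($_GET['subject'] ?? ''));

// VULNERABLE: attribute context, sanitised but not escaped.
function example_render_vuln(string $subject): string {
    return '<input type="text" name="subject" value="' . $subject . '">';
}

// FIXED: escape at the point of output, for that exact context. esc_attr()
// turns the quote into &quot; so the attribute cannot be closed early.
function example_render_safe(string $subject): string {
    return '<input type="text" name="subject" value="' . esc_attr($subject) . '">';
}

// One escaper per context; using esc_html() inside an attribute or a <script>
// block is the same mistake with a different helper.
function example_render_contexts(string $title, string $url, string $tag): string {
    $out  = '<h2>' . esc_html($title) . '</h2>';                         // text node
    $out .= '<a href="' . esc_url($url) . '">link</a>';                   // URL attribute
    $out .= '<div data-tag="' . esc_attr($tag) . '"></div>';              // plain attribute
    $out .= '<script>var t = ' . wp_json_encode($title) . ';</script>';   // JS value
    return $out;
}

// Shortcode attributes are authored by contributors who never have
// unfiltered_html, so every attribute is untrusted, including the URL.
add_shortcode('example_download', function ($atts) {
    $a = shortcode_atts(['url' => '', 'text' => 'Download', 'class' => ''], $atts);
    return '<a class="' . esc_attr($a['class']) . '" href="' . esc_url($a['url']) . '">'
         . esc_html($a['text']) . '</a>';
});

// Stored settings: sanitise on save AND escape on output. "Admin+" XSS is still
// a finding on multisite, where site admins lack unfiltered_html by design.
add_filter('pre_update_option_example_button_text', function ($value) {
    return sanitize_text_field((string) $value);
});
function example_button(): string {
    return '<button>' . esc_html(get_option('example_button_text', '')) . '</button>';
}
```

A quick review heuristic for the payloads listed on this page: if a setting or parameter ends up inside a quoted attribute, look for esc_attr() on the same line as the echo; if it ends up in a `style`/event-handler position (the `animation-name` payloads above), the value should have been validated against an allow-list before it was ever stored.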
Contact Form Entries < 1.2.1 - Reflected Cross-Site Scripting
The plugin does not escape some of its filters before outputting them back in the admin dashboard, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=vxcfleads&tab=entries&startdate="alert(/XSS-startdate/)&enddate="alert(/XSS-enddate/)...
Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting
Stored Cross-Site Scripting vulnerabilities in Themify Portfolio Post. 3. Publish/send for review and visit the created post/preview as editor/admin to trigger the XSS...
GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Get a REST nonce logged in as admin:...
WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion
The plugin does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment Log in as any user with privileges as low as Subscriber...
Helpful < 4.4.59 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the System > Miscellaneous > Custom Timezone setting of the plugin: " The XSS...
Jock on air now < 5.6.2 - Arbitrary Plugin's Settings Update via CSRF
The plugin does not have CSRF check in place when saving its settings, allowing attackers to make logged in admin change them to arbitrary values via a CSRF attack...
Daily Prayer Time < 2021.08.10 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues. Put the following payload in the Fajr, Sunrise, Zuhr, Asr, Maghrib and/or Isha field of the Language settings of the plugin...
Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS
The plugin did not properly sanitise and validate its settings, such as psbdistance, psbbuttonsize, psbspeed, only validating them client side. This could allow high privilege users such as admin to set XSS payloads in them -- Payloads: $ " autofocus=autofocus onfocus=alert(document.cookie); " $ "...
GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. Add the following code in a post/page while in code editor mode with a Contributor account, then view/preview th...
uListing < 2.0.6 - Reflected Cross-Site Scripting
An Authenticated Reflected XSS vulnerability was discovered in the plugin. Vulnerable parameters: id, user, expireddate, createddate, updateddate. A WP Nonce is present in the original requests but does not pass the correct check, so it does not protect them. PoC 1 | Authenticated Reflected...