WooCommerce 8.8.0 - 8.9.2 - Reflected XSS
Description The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an...
GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. Add the following code in a post/page while in code editor mode with a Contributor account: Then view/preview th...
Images to WebP < 1.9 - Multiple Cross Site Request Forgery (CSRF)
The plugin does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion. The PoC varies based on the endpoint targeted. Here is one example that will modify the...
Form Maker < 1.13.60 - Authenticated Stored XSS
The plugin does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. Create or edit a form and add the following payload in the Form Title field "autofocus onmouseover=alert/XSS///...
Prismatic < 2.8 - Contributor+ Stored XSS
The plugin does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site Scripting payloads in them. A post made by a contributor would still have to be approved by an admin for the XSS to be triggerable in the frontend, however, higher...
Amazon Auto Links < 4.6.20 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in attributes in an admin page, leading to Reflected Cross-Site Scripting issues alert/XSS-page/' / alert/XSS-tab/' /...
Custom Post View Generator <= 0.4.6 - Reflected Cross-Site Scripting
The createpostpage AJAX action of the plugin, available to authenticated users, does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue '...
Alojapro Widget < 1.1.16 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following code in the Custom CSS settings of the plugin setTimeout"alert'1'",3000...
Quiz And Survey Master < 7.1.19 - Unauthenticated Stored Cross-Site Scripting (XSS)
When the "Disable collecting and storing IP addresses?" setting is not used, the plugin retrieves the IP address of the submitting user via various methods, such as $_SERVER['REMOTE_ADDR'] but also arbitrary headers which can be tampered with. The final IP is not sanitised or validated before being...
Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR
The plugin, used by the Findeo Theme, did not ensure that the requested property to be deleted belongs to the user making the request, allowing any authenticated user to delete arbitrary properties by tampering with the propertyid parameter. GET...
Active Directory Integration / LDAP Integration < 3.6.95 - Reflected Cross-Site Scripting
The plugin does not escape the testusername parameter before outputting it back in the settings page, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings when outputting them in attributes in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the "Alt text" setting of the plugin, then view...
uListing < 2.0.6 - Settings Update via CSRF
A Settings Update via CSRF vulnerability was discovered in the plugin, due to missing WP Nonce security tokens (https://codex.wordpress.org/WordPressNonces). PoC 1 | CSRF | Main Settings Update: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: admin cookies User-Agent: Mozilla/5.0...
Charitable – Donation Plugin < 1.6.51 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature. 1. Go to /wp-admin/edit.php?post_type=donation 2. Add a new donation 3. In the first or last name fields, add the XSS payload 4. Save and the XSS payload will be executed...
Browser Screenshots < 1.7.6 - Contributor+ Stored XSS
The plugin allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the imageclass parameter of the browser-shot shortcode was not escaped. Add the following shortcode in a page, then view the page either published or as preview to trigger th...
Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download
The plugin does not have authorisation checks, and does not validate user input used to generate a system path, allowing unauthenticated attackers to download arbitrary files from the server. 1. Install the woocommerce dependency, no setup required 2. Install the vulnerable plugin wholesale-market...
Theme-Demo-Importer < 1.1.1 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high-privilege users such as admins to upload arbitrary files such as PHP even when FILEMODS and FILEEDIT are disallowed. 1. Navigate to: Appearance > Import Demo Content > Theme Demo Importer > Manually upload the demo files 2. Use the XML file...
Check & Log Email < 1.0.4 - Reflected Cross-Site Scripting
The plugin does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. With the "Enable Logs" setting activated: https://example.com/wp-admin/admin.php?page=check-email-logs&d="+style=animation-name:rotation+onanimationstart=alert/XSS///...
Video Lessons Manager - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize and escape values when updating its settings, which could allow high privilege users to perform Cross-Site Scripting attacks. Open the CM Video Lesson Plugin's Settings page, click on the Label Tab and enter a payload like "alert1 into the "channel" or "channels" field...
CBX Bookmark & Favorite < 1.6.9 - Reflected Cross-Site Scripting
The plugin does not escape a page parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS/' / alert/XSS/' /...
Popup by Supsystic < 1.10.5 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue /wp-admin/admin.php?page=popup-wp-supsystic&tab="onmouseover=alert1//...
Show-Hide / Collapse-Expand <= 1.2.5 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Login as User or Customer < 3.3 - Unauthenticated Privilege Escalation to Admin
The plugin lacks authorization checks to ensure that users are allowed to log in as another user, which could allow unauthenticated attackers to obtain a valid admin session. Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user, then...
Podcast Subscribe Buttons < 1.4.2 - Contributor+ Stored XSS
The plugin allows users with any role capable of editing or adding posts to perform stored XSS. Add the below payload as a shortcode block: podcastsubscribe alignment='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alertorigin//'...
Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Go to the plugin Settings > Messages > Taxonomies...
SpeakOut! Email Petitions < 2.13.3 - Reflected Cross-Site Scripting
The plugin does not escape its searchString parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=dkspeakoutsignatures&action=search&searchString="alert/XSS/...
Amelia < 1.0.46 - Arbitrary Customer Deletion via CSRF
The plugin does not have CSRF checks in place when deleting customers, which could allow attackers to make a logged-in admin delete arbitrary customers via a CSRF attack...
Software License Manager < 4.5.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape its License Key Prefix setting before outputting it in the Add/Edit Licenses page, leading to an Authenticated Stored Cross-Site Scripting issue. Go to the plugin's settings and add "alert/XSS/ as a License Key Prefix, then go to the Add/Edit Licenses page to...
Simple Social Media Share Buttons < 3.2.3 - Contributor+ Stored XSS
The plugin did not escape the align and likebuttonsize parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. SSB align='" onmouseover="alert/align///' likebuttonsize='4" onmouseover="alert/likebuttonsize///' SSB...
Chained Quiz < 1.2.7.2 - Authenticated Stored Cross Site Scripting
The plugin does not properly sanitize or escape inputs in the plugin's settings. Open "Chained Quiz Social Sharing" in the WP admin panel. In the title field enter the payload: "alertdocument.domain Click on Save All Settings and the XSS will fire every time the Social Sharing page is loaded...
Two Factor Authentication < 1.0.8 - Reflected Cross-Site Scripting
The plugin does not escape the user parameter before outputting it back in an attribute in the dashboard page to confirm the 2FA reset, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/users.php?page=reset&action=resetedit&user="alert/XSS/...
Charitable - Donation Plugin < 1.6.51 - Unauthenticated Stored Cross-Site Scripting
While fixing an Authenticated Stored Cross-Site Scripting issue https://wpscan.com/vulnerability/a5837621-ee6e-4876-9f65-82658fc0341f, the vendor identified another Cross-Site Scripting issue, which could be exploited by unauthenticated users and would be triggered in the context of a logged in...
Filter Gallery < 0.0.7 - Unauthorised AJAX Calls
The plugin had a logic flaw in the CSRF checks of its AJAX calls, allowing them to be bypassed by not providing the related parameter in the request. This could allow attackers to make logged-in users perform unwanted actions. Furthermore, the AJAX calls also lack capability checks, allowing any...
Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)
The plugin settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege...
Redirection < 1.1.5 - Plugin Reset via CSRF
The plugin does not have CSRF checks in the uninstall action, which could allow attackers to make logged-in admins delete all the redirections through a CSRF attack. https://example.com/wp-admin/admin-post.php?action=iruninstall...
Quote-O-Matic <= 1.0.5 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. https://example.com/wp-admin/edit.php?page=quote-o-matic.php&sortby=qomID+AND+SELECT+3477+FROM+SELECTSLEEP5DhVP...
WP Mail Logging < 1.10.0 - Outdated Redux Framework
The plugin uses an outdated version of the Redux Framework, which is known to be affected by the security issues CVE-2021-38312 and CVE-2021-38314, and could allow unauthenticated attackers to change some of the Framework settings by using CVE-2021-38314. The first endpoint we can identify is gathered...
Multiple Plugins from WPPlugin - Reflected Cross-Site Scripting via page Parameter
The plugins do not escape a page parameter before outputting it back in an attribute in various admin pages, leading to Reflected Cross-Site Scripting issues. The issues were reported to the vendor on August 10th, 2021 Example in easy-paypal-donation alert/XSS/' / alert/XSS/' /...
Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting
The plugin does not properly sanitize or escape values set by users with access to adjust settings within wp-admin. Go to the Settings tab under the Calendar Lite plugin, click on the Slugs/Permalinks tab and enter the XSS payload into both Main Slug and Category Slug. Both fields are vulnerable...
Email Artillery <= 4.1 - Multiple Authenticated SQL Injections
The plugin does not sanitise, validate or escape some user input before using it in SQL statements in the admin dashboard, leading to SQL Injections https://example.com/wp-admin/admin.php?page=etmbu-all-posts&s=yes&postid=1%20AND%20SELECT%2042%20FROM%20SELECTSLEEP5aa...
Connections Business Directory < 10.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Add an Entry at /wp-admin/admin.php?page=connectionsadd and put the following payload in the Address Line...
Book appointment Online < 1.39 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape Service Prices before outputting them in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. In the admin dashboard navigate to Services > Add service and put the followi...
JoomSport < 5.1.8 - Unauthenticated PHP Object Injection
The joomsportmdload AJAX action of the plugin, registered for both authenticated and unauthenticated users, unserialises user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other...
Fetch Tweets <= 2.6.4 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in attributes in an admin page, leading to Reflected Cross-Site Scripting issues alert/XSS-page/' / alert/XSS-tab/' /...
Contact List < 2.9.42 - Reflected Cross-Site Scripting
The plugin does not escape the cardheight parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/edit.php?post_type=contact&page=contact-list-printable&cardheight="alert/XSS/...
Software License Manager < 4.4.8 - Reflected Cross-Site Scripting
The plugin does not sanitise or escape the editrecord parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue...
Wonder PDF Embed < 1.7 - Contributor+ Stored XSS
The plugin does not escape parameters of its wonderpluginpdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. wonderpluginpdf src="a" onload="alert1"...
Request a Quote < 2.3.4 - Authenticated Stored XSS
The plugin did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site Scripting issues when the quote is output in the 'All Quotes' table. Note: By default, admins and editors are allowed to use JavaScript in posts and pages, unless the...
WP Review Slider < 12.2 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the following code in the browser console on any WP Admin page. fetch'/wp-admin/admin-ajax.php', method: 'POST',...
WP Reactions Lite < 1.3.6 - Authenticated Stored Cross Site Scripting
The plugin does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. Open Global Activation and click on Customize Now; on Step 3, Styling Tab, enter the XSS payload into the "Whats your reaction" field. Payload Used :...