LearnPress < 4.1.3.1 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed. When adding new courses, the following fields can have XSS payloads like "alert1...
Quiz And Survey Master < 7.1.18 - Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise or escape its resultid parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged-in admin to open a malicious link...
BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin imports a malicious CSV. Go to the plugin's Settings page; in the "Tool" tab, import a CSV file with the Betterlinks option. Put a simple XSS payload into the "linktitle" colu...
PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Private Content Disclosure
The plugin, with the Saved Templates Addon enabled, allows users with the Contributor role or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID. If post 1234, created by another user, is set as private, save gutenbergpostblocks id="1234...
StoryChief < 1.0.31 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise and escape its StoryChief Key setting before outputting it in an attribute, leading to an Authenticated Stored Cross-Site Scripting issue. Put the following payload in the StoryChief Key setting and save: "alert/XSS/...
Woocommerce Customers Manager < 26.6 - Authenticated Reflected Cross-Site Scripting (XSS)
The wccmcustomersids and wccmcustomersemails parameters are output in href attributes after being sanitised with the sanitize_text_field function, which is not appropriate for such a case, as a payload such as ' injected-attribute=value will still be injected. This leads to a reflected XSS issue in the...
WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts
By default, the plugin allows subscriber-level users to edit and make changes to any and all posts and pages; user roles must be specifically blocked from editing posts and pages. A subscriber, upon registering an account on a site with the WP Pagebuilder plugin, could immediately modify or delete...
Google Analyticator < 6.5.6 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitra...
Weekly Schedule < 3.4.3 - Authenticated Stored XSS
The "Schedule Name" input in the plugin's general options did not properly sanitize input, allowing a user to inject JavaScript code. Go to Weekly Schedule - General Options /wp-admin/admin.php?page=weekly-schedule - Schedule Name - fill the field with a payload such as alertxss...
Form Vibes < 1.4.5 - Admin+ SQLi
The "deleteentries" function does not filter parameters from the request. This leads to an SQL Injection vulnerability. - Create a submission using the Contact Form 7 plugin. - On the Form Vibes tab in the dashboard, click "submissions" and use the delete function on an entry. - Intercept t...
Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. Create or edit a Slide and put the following payload in the Name field: " onfocus=alert/XSS/ autofocus=" The XSS will be triggered when editing the slide again...
Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access
The plugin allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (i.e. private), using a shortcode. Password protected posts/pages are not affected by this issue. insert page='pageslug' display='all' Where pagesl...
Simple File Downloader <= 1.0.4 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a Contributor+, create a new post and add...
Coming Soon, Under Construction & Maintenance Mode By Dazzler < 1.6.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape its description setting when outputting it in the frontend while the Coming Soon mode is enabled, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. Via the plugin's settings: - Enable the...
WordPress Contact Forms by Cimatti < 1.4.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Title before outputting it in some admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 1. Go to Forms. 2. Go to Add New Form. 3. In the title put alert"Ehlo"; 4. Save...
Comments - wpDiscuz < 7.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Timeline: May 18th, 2021 - Vendor...
Picture Gallery < 1.4.4 - Authenticated Stored XSS
The plugin does not properly sanitize input on a field found in the plugin's settings page, leading to a stored cross-site scripting risk where authenticated users can target other authenticated users. Enter an XSS payload like "alertdocument.location in the "Content URL" field found on the plugin...
WP Dialog <= 1.2.5.5 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the Welcome message (stcontent parameter) of the...
WP CSV Exporter < 1.3.7 - CSV Injection
The plugin does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability. - Create a post using =5+5 as the title. - Export the data as CSV. - Open the CSV with a spreadsheet application (Excel, LibreOffice). - The CSV formula gets executed...
Contact Form 7 Zoho < 1.1.8 - Reflected Cross-Site Scripting
The plugin does not escape some of its filters before outputting them back in the admin dashboard, leading to Reflected Cross-Site Scripting issues. https://example.com/wp-admin/admin.php?page=vxcfzoho&tab=logs&startdate="alert/XSS-startdate/&enddate="alert/XSS-enddate/...
Asgaros Forum < 1.15.15 - Admin+ SQL Injection via forum_id
The plugin does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue. POST /wp-admin/admin.php?page=asgarosforum-structure HTTP/1.1 Accept:...
Game Server Status <= 1.0 - Contributor+ SQL Injection
The plugin does not validate or escape the server id shortcode attribute before using it in a SQL statement, allowing any user with a role as low as contributor to perform SQL Injection attacks. As a contributor or above, put the below shortcode in a page/post and view/preview it: game-servers...
Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue. /wp-admin/admin.php?page=contact-form-supsystic&tab="onmouseover=alert1//...
Internal Links Manager < 2.1.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS)
Due to a lack of user input filtering and validation, the "Add New Link" and "All Links" features are vulnerable to cross-site scripting. The following fields are vulnerable: Internal Title (title), Link Title (titleattr). Issues were reported to the vendor and the WP plugins team by the reporter. Edit WPScanTeam:...
Pinpoint Booking System < 2.9.9.2.9 - Subscriber+ SQLi
The plugin does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks. Note: a Calendar is needed if there is not one already. Run the below command in the develope...
Paid Membership Pro < 2.9.8 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the code parameter before using it in a SQL statement via the /pmpro/v1/order REST route, leading to a SQL injection exploitable by unauthenticated users. curl...
Pardakht Delkhah < 2.9.3 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege user such as an admin visits a page from the plugin. 1. Install and activate the WooCommerce dependency, no configuration...
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Missing Access Controls
The plugin performs incorrect checks before allowing any logged-in user to perform some AJAX-based requests, allowing any user to modify, delete or add ultpoptions values. You can run this from a browser's JavaScript console:...
Social Slider Widget < 1.8.5 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin allowed Authenticated Reflected XSS in the plugin settings page, as the 'tokenerror' parameter can be controlled by users and is directly echoed without being sanitized. /wp-admin/admin.php?page=settings-wisw&tokenerror=alert/XSS/;...
Correos Oficial <= 1.3.0.0 - Unauthenticated Arbitrary File Download
The plugin does not have an authorization check or user input validation when generating a file path, allowing unauthenticated attackers to download arbitrary files from the server. Dependency: WooCommerce plugin. Use the following curl command to download the contents of the wp-config.php file: curl...
LetsRecover < 1.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. POST /wp-admin/admin.php?page=letsrecover-templates&subscriberid=6&cartid=10+AND+SELECT+5926+FROM+SELECTSLEEP5erUA HTTP/1.1...
PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks in the ppomsettingspanelaction AJAX action, allowing any authenticated user to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues. 1. Use the new settings panel framewor...
Popup Builder < 4.2.3 - Unauthenticated Stored XSS
The plugin does not prevent simple visitors from updating existing popups and injecting raw JavaScript into them, which could lead to Stored XSS attacks. 1. Create a popup using the plugin. 2. Run the following curl command, switching $POPUPID with that popup's ID: curl --url...
WP Courses LMS < 2.0.44 - Authenticated Stored XSS via Video Embed Code
The plugin does not sanitise its Video Embed Code, allowing malicious code to be injected into it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues. 1. On the dashboard, navigate to WP Courses > Courses > Add New Video...
Form Builder 1.9.8.4 - Reflected Cross-Site Scripting (XSS)
The plugin does not properly sanitise and escape its formid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. The formid digits before the payload must be valid: https://example.com/wp-admin/admin.php?page=smuz-forms&formid=1242;alert/XSS/...
WordPress Simple Shopping Cart < 4.6.2 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. Exploit...
Team Members < 5.1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The teamcolor field (i.e. the "Main color" setting of a team) is affected. POST /wp-admin/post.php HTTP/1.1 Accept:...
Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Add/edit a product and put the following payload in the Product Affiliate URL and Custom Button Text fields...
All Thrive Themes and Plugins - Unauthenticated Option Update
The plugins and themes register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to be accessed, it was possible to access it by supplying an empty apikey parameter in vulnerable versions if Zapier was not enabled. Attackers coul...
Discounts Manager for Products < 3.4.5 - Reflected Cross-Site Scripting
The plugin does not escape the wcdptab parameter before outputting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting issue. v alert/XSS/ v 3.4.5 - https://example.com/wp-admin/admin.php?page=wcwcdp&wcdptab=a';alert/XSS/;//...
All 404 Redirect to Homepage < 2.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin v1.21 attempted to fix a Stored Cross-Site Scripting issue in its "Redirect All 404 page to" setting; however, the fix is insufficient, still allowing the issue to be triggered. This could allow high privilege users, even with unfiltered_html disabled, to use malicious payloads in it,...
OAuth Single Sign On - SSO (OAuth Client) Free < 6.24.2 - IdP Deletion via CSRF
The plugin does not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged-in admins delete arbitrary IdPs via a CSRF attack. https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&action=delete&app=wordpress...
GPT3 AI Content Writer < 1.4.38 - Subscriber+ Arbitrary Post Content Update
The plugin does not perform any kind of nonce or privilege checks before letting logged-in users modify arbitrary posts. fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded', , body:...
WP Server Health Stats < 1.7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. As admin, put the following payload in the "Provide your IP-API Pro key", "Memcached Server Host", "Set the realti...
SVG Support < 2.3.20 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. With the Advanced Mode enabled, put the following payload in the...
Tutor LMS < 1.9.11 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape user input before outputting it back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue. https://example.com/student-registration/?userlogin="alert/XSS/...
Booking.com Banner Creator < 1.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Open the plugin's Add New Banner page (B.com Banner > Add New Banner). The form field named "Banner...
Themify Builder < 5.3.2 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in attributes and tags in an admin page, leading to Reflected Cross-Site Scripting issues. https://example.com/wp-admin/admin.php?page=themify-global-styles&status="alert/XSS/...
One User Avatar < 2.3.7 - Avatar Update via CSRF
The plugin does not check for CSRF when updating the Avatar on pages where the avatarupload shortcode is embedded. As a result, attackers could make logged-in users change their avatar via a CSRF attack. Click...
Html5 Audio Player < 2.1.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payloads in them, which will be triggered in the page(s) embedding the malicious shortcode. Log in as contributor and add the following shortcode i...