Html5 Audio Player < 2.1.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate its shortcode parameters, allowing users with a role as low as contributor to place a Cross-Site Scripting payload in them, which is triggered on any page embedding the malicious shortcode. Log in as contributor and add the following shortcode i...
Video Conferencing with Zoom < 4.0.10 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. 1. Insert the...
WP Taxonomy Import <= 1.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. PoC: alert(/XSS/)" /...
ARForms Form Builder < 1.5 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the From/Replyto Name field at ARForms Lite > General Settings > Email Settings: "alert(/X...
Quiz Tool Lite <= 2.3.15 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitize multiple input fields used when creating or managing quizzes and in other settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 1. When creating a new Question Pot, you can inject ...
World Travel Information <= 1.0.0 - Reflected Cross-Site Scripting
The plugin does not escape the $_SERVER['PHP_SELF'] value before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. PHP_SELF includes the request path (PATH_INFO), so the payload travels in the path rather than in a query parameter: https://example.com/wp-admin/admin.php/"alert(/XSS/)//?page=ti-info...
Frontend File Manager < 21.3 - Unauthenticated File Renaming
The plugin allows any unauthenticated user to rename files uploaded by other users. Furthermore, due to the lack of validation of the destination filename, this could allow them to overwrite arbitrary files on the web server. curl -i -s -k -X 'POST' --data-binary...
Easy Social Icons < 3.1.3 - Reflected Cross-Site Scripting
The plugin does not escape user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. Affected parameters: width, height, margin, attrid, attrclass. PoC: alert(/XSS/)' /...
Amr Shortcode Any Widget <= 4.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. 1. Insert a...
Page-list < 5.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. Exploit...
GiveWP < 2.21.3 - DoS via CSRF
The plugin does not have CSRF checks in place when exporting data, and does not validate the export parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack: the plugin will try to retrieve data from the database many times, which leads to...
Compact WP Audio Player < 1.9.7 - Setting Change via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack. csrf.submit...
ReviewX < 1.6.4 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the filterValue and selectedColumns parameters before using them in SQL statements via the rxexportreview AJAX action, which is available to any authenticated user, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the bel...
Visual Email Designer for WooCommerce < 1.7.2 - Multiple Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author. action=INSERT HERE NAME OF...
Slickr Flickr <= 2.8.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Open the plugin settings, intercept the save request with Burp Suite and put the following payload in the parameter...
myCred < 2.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-admin/users.php?page=mycreddefault-history&s=%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E (the s parameter decodes to <img src onerror=alert(/XSS/)>)...
Easy Twitter Feed < 1.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate its shortcode parameters, allowing users with a role as low as contributor to place a Cross-Site Scripting payload in them, which is triggered on any page embedding the malicious shortcode. Log in as contributor and add the following shortcode i...
Affiliates Manager < 2.9.14 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape parameters before outputting them back in pages, which could lead to Reflected Cross-Site Scripting. GET /wp-admin/admin.php?page=wpam-settings&b=" HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8...
WOOCS < 1.3.7.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the woocsinordercurrency parameter of the woocsgetproductspricehtml AJAX action available to both unauthenticated and authenticated users before outputting it back in the response, leading to a Reflected Cross-Site Scripting...
Ivory Search < 5.4.1 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Go to the AJAX settings of a Form and put the following payload in the "Minimum number of characters required...
NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS
The plugin does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue. The PoC carries the payload in an arbitrary request header, which the plugin logs along with the request: curl -H 'x-tomato: alert(/XSS/);' 'https://example.com/?nxs-cronrun=yes' The XSS will be triggered in the Log/History...
Falang multilanguage for WordPress < 1.3.18 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. PoC: alert(/XSS/)' /...
Email Artillery <= 4.1 - CSRF to Stored XSS
The plugin does not sanitise, validate or escape its settings, and lacks any CSRF check before saving them. As a result, an attacker could make a logged in admin change them and insert malicious JavaScript, leading to Stored Cross-Site Scripting issues. PoC: alert(/XSS/)' /...
POST SMTP Mailer < 2.5.7 - Account Takeover via CSRF
The plugin does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability resend an email to an arbitrary address; for example, a password reset email could be resent to an attacker-controlled address, allowing them to...
Themify Portfolio Post < 1.2.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. Exploit...
Scroll To Top < 1.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Put the following payload in the "Text" setting of the plugin...
WP RSS Aggregator < 4.19.3 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue because the wprssdismissaddonnotice AJAX action is missing authorisation and CSRF checks, allowing any authenticated user, such as a subscriber, to call it and se...
QR Redirector < 1.6.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. As a contributor, create/edit a "QR Redirect" and set the following fields: "URL to Redirect to": https://example.com/"...
ELEX WooCommerce Google Shopping < 1.2.4 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the search GET parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue, which will be executed in a logged in admin context: https://example.com/wp-admin/admin.php?page=elex-product-feed-manage&search="alert(/XSS/)...
BetterDocs 1.9.0-1.9.1 - Reflected Cross-Site Scripting
The plugin does not escape the daterange parameter before outputting it back in the All docs admin dashboard, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-admin/admin.php?page=betterdocs-admin&daterange="alert(/XSS/)...
Responsive Poll < 1.5.9 - Reflected Cross-Site Scripting
The TotalSoftPoll1Vote AJAX action, available to both unauthenticated and authenticated users, outputs the invalid nonce without escaping it first, leading to a Reflected Cross-Site Scripting issue. The issue was fixed in 1.5.5; however, additional sanitisation and escaping was done in 1.5.5 to...
Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS
The plugin does not properly authorise calls to any of its REST endpoints, even when the "Require Authorisation for REST API Requests" option is enabled, allowing unauthenticated users to call them directly. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform...
Paypal Donation < 1.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Amount Menu Name field of created Buttons, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/Edit a Button and put the following payload in the Amount Menu Name field...
My Tickets < 1.8.31 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. As an unauthenticated user, book a ticket, fill the purchase form with dum...
Simple Download Monitor < 3.9.6 - Unauthorised Log Reset
The sdmresetlog AJAX action of the plugin does not have any capability or CSRF checks, which could allow any authenticated user, such as a subscriber, or an attacker performing a CSRF attack against a logged in admin, to reset the log entries...
Cardinity Payment Gateway for WooCommerce < 3.0.7 - Reflected Cross-Site Scripting
The plugin does not escape various parameters before outputting them in attributes, leading to Reflected Cross-Site Scripting issues. Vulnerable parameters: amount, country, currency, orderid, description, returnurl, projectid, signature...
W3 Total Cache < 2.1.3 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its CDN settings, allowing high privilege users to put JavaScript in them, which is output in the page, leading to an authenticated Stored Cross-Site Scripting issue. Vulnerable parameters: cdncnames 1, cdncnames 2, cdncnames 3. CDN Type:...
WP Courses LMS < 2.0.44 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues: https://example.com/wp-admin/admin.php?page=managestudents&courseid=1&studentid="alert(/XSS/)...
Affiliates Manager < 2.9.14 - Arbitrary Affiliates & Creatives Deletion via CSRF
The plugin does not have CSRF checks when deleting affiliates and creatives, which could allow attackers to make a logged in admin perform such actions via CSRF attacks. Make a logged in admin open https://example.com/wp-admin/admin.php?page=wpam-affiliates&deleteaid=2 ...
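The CSRF and missing-authorisation entries above (Compact WP Audio Player, GiveWP, Email Artillery, POST SMTP Mailer, WP RSS Aggregator, Simple Download Monitor, Affiliates Manager) are the same omission in two places: an admin-ajax.php action, or an admin-page link, performs a state change without a nonce and often without a capability check either. The following is an added example and is not code from any of those plugins or from WordPress core; the action, option, page and table names are hypothetical. It shows the vulnerable handler beside a hardened one, and the nonce-protected form of a GET deletion link like the deleteaid= one above.

```php
<?php
// Added example, hypothetical plugin code (not from any plugin listed on this page).

// Vulnerable shape: reachable by every logged-in user, no nonce, no capability
// check, and it answers GET, so an <img src="https://example.com/wp-admin/admin-ajax.php?action=myplugin_reset_log">
// on any page an administrator visits is enough to trigger it.
function myplugin_reset_log_vuln() {
    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}myplugin_log" );
    wp_send_json_success( 'log cleared' );
}
// add_action( 'wp_ajax_myplugin_reset_log', 'myplugin_reset_log_vuln' );  // the bug

// Hardened shape.
function myplugin_reset_log_safe() {
    // 1. CSRF: verify a nonce bound to this specific action before doing any work.
    //    check_ajax_referer() stops execution with HTTP 403 when the nonce is bad.
    check_ajax_referer( 'myplugin_reset_log', 'nonce' );

    // 2. Authorisation: a valid nonce only proves the request originated from a page
    //    this user loaded; it says nothing about what the user may do. A subscriber
    //    holding a nonce is still a subscriber, so check the capability as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. State changes belong on POST; GET handlers are reachable through <img>/<a>.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }

    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}myplugin_log" );
    wp_send_json_success( 'log cleared' );
}
add_action( 'wp_ajax_myplugin_reset_log', 'myplugin_reset_log_safe' );
// Deliberately no wp_ajax_nopriv_ registration: that would expose the action to
// unauthenticated visitors.

// The nonce is minted on the admin page that hosts the button and handed to the
// script that calls admin-ajax.php with action=myplugin_reset_log&nonce=...
function myplugin_admin_scripts( $hook_suffix ) {
    if ( 'toplevel_page_myplugin' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_reset_log' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_admin_scripts' );

// Admin-page links that delete by id (the deleteaid=2 pattern above) get the same
// treatment with the non-AJAX pair wp_nonce_url() / check_admin_referer():
function myplugin_delete_link( $affiliate_id ) {
    $affiliate_id = (int) $affiliate_id;
    $url = admin_url( 'admin.php?page=myplugin&delete_id=' . $affiliate_id );
    return wp_nonce_url( $url, 'myplugin_delete_' . $affiliate_id );
}
function myplugin_handle_delete() {
    if ( ! isset( $_GET['delete_id'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $affiliate_id = (int) $_GET['delete_id'];
    check_admin_referer( 'myplugin_delete_' . $affiliate_id );  // dies on a missing or bad nonce
    // ... perform the deletion for $affiliate_id ...
}
add_action( 'admin_init', 'myplugin_handle_delete' );
```

The order inside the hardened handler matters: the nonce check runs first because it is cheap and kills replayed or forged requests outright, the capability check answers the separate question of whether this user may perform the action at all, and only then is the database touched. Binding the nonce to the record id in the deletion link means a nonce captured for one affiliate cannot be reused to delete another.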
Easy SVG Support < 3.3.0 - Author+ Stored Cross Site Scripting via SVG
The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. As an author or above, upload the below SVG file via the Media library: alert(/XSS/); The XSS will be triggered when accessing the file directly, e...
WP RSS Aggregator < 4.19.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. Add a URL to the blacklist under RSS Aggregator > Tools > Blacklis...
YITH WooCommerce Multi Vendor < 3.8.1 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues. https://example.com/wp-admin/admin.php?page=yithvendorcommissions&message=error&text=alert(/XSS/) (fixed in 3.8.0). The following was fixed in 3.8.1: alert(/XSS/)' /...
Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting
The plugin does not escape (1) the sdmactivetab GET parameter and (2) the sdmstatsstartdate/sdmstatsenddate POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. PoC 1: this requires Firefox due to the onclick+accesskey trick on a hidden input. There is...
TextME SMS < 1.8.9 - Authenticated Stored XSS
The plugin does not escape its settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed. Put the following payload in the Account Username or Password settings of the plugin: " style=animation-name:rotation...
WP Review Slider < 11.0 - Admin+ SQL Injection
The plugin does not sanitise and escape the pid parameter when copying a Twitter source, which could allow high privilege users to perform SQL Injection attacks. Create a Twitter Source, copy it via the 'Copy' button, then change the pid parameter in the URL to 1000 UNION ALL SELECT...
LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API
The plugin unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site...
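The LearnPress entry above describes the two halves of a PHP Object Injection: an unserialize() call on request data, and a class already loaded in the process whose magic method does something useful to an attacker. The following is an added example and is not LearnPress code; the class, route and parameter names are hypothetical. It shows a minimal gadget, the vulnerable REST callback, and the two fixes (switch the wire format to JSON, or refuse to instantiate classes), plus the permission_callback that the unauthenticated-REST entries on this page are missing.

```php
<?php
// Added example, hypothetical plugin code (not from LearnPress or any other plugin here).

// A class that is harmless in normal use: it flushes a buffer to disk when destroyed.
// Once attacker-controlled unserialize() can build one of these with any $path and
// $data, the destructor becomes an arbitrary file write, i.e. a gadget.
class CacheWriter {
    public $path;
    public $data;
    public function __destruct() {
        file_put_contents( $this->path, $this->data );
    }
}

// Vulnerable shape: the callback unserialises a request field. PHP instantiates
// whatever class the serialised blob names (provided it is loaded) and runs its
// __wakeup()/__destruct() without the plugin ever calling them.
function myplugin_rest_import_vuln( WP_REST_Request $request ) {
    $state = unserialize( $request->get_param( 'state' ) );  // object injection
    return rest_ensure_response( array( 'ok' => true ) );
}

// Constructed payload for the class above (counts are the byte lengths of each string):
$constructed_payload = 'O:11:"CacheWriter":2:{s:4:"path";s:14:"/var/www/x.php";s:4:"data";s:16:"<?php phpinfo();";}';

// Fix 1 (preferred): do not accept serialised PHP from clients at all. JSON with
// the assoc flag yields arrays and scalars only; no class is ever instantiated.
function myplugin_rest_import_safe( WP_REST_Request $request ) {
    $state = json_decode( (string) $request->get_param( 'state' ), true );
    if ( ! is_array( $state ) ) {
        return new WP_Error( 'bad_state', 'state must be a JSON object', array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'ok' => true, 'keys' => array_keys( $state ) ) );
}

// Fix 2 (when the wire format cannot change): forbid class instantiation. Any
// object in the blob becomes __PHP_Incomplete_Class, whose magic methods never run.
function myplugin_safe_unserialize( $blob ) {
    return unserialize( $blob, array( 'allowed_classes' => false ) );
}

// Independently of the payload handling, the route must authorise callers.
// 'permission_callback' => '__return_true' is how an endpoint ends up reachable
// by unauthenticated users; tie it to a capability instead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'myplugin/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'myplugin_rest_import_safe',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The payload string is shown only to make the mechanism concrete: nothing in the vulnerable callback references CacheWriter, yet a request carrying that blob writes a file, which is why a plugin's unserialize() is only as safe as every class any other loaded plugin or theme defines. Note also that the allowed_classes option protects against instantiation but still parses attacker-controlled structure; JSON is the cleaner boundary.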
Mobile Events Manager < 1.4.8 - Admin+ CSV Injection
The plugin does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions, as CSV, leading to a CSV injection vulnerability. To export events with malicious CSV: 1. Create and save a new Enquiry source and add the following in the name field...
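CSV injection works because spreadsheet applications evaluate a cell that begins with =, +, -, @ (or a tab or carriage return) as a formula when the export is opened, so a stored field such as the Enquiry source name above becomes code on the administrator's workstation. The following is an added example, not code from Mobile Events Manager; the row layout is a constructed sample. It shows the per-cell neutralisation a CSV exporter needs.

```php
<?php
// Added example, hypothetical exporter code (not from Mobile Events Manager).

// Make one cell safe for a spreadsheet: defuse formula triggers and quote per RFC 4180.
function csv_safe_cell( $value ) {
    $value = (string) $value;

    // Formula triggers at the start of the cell. Leading whitespace and quotes are
    // included in the check because some spreadsheets strip them before evaluating.
    if ( preg_match( "/^[\\s'\"]*[=+\\-@\\t\\r]/", $value ) ) {
        $value = "'" . $value;  // a leading apostrophe forces the cell to be text
    }

    // Quote every cell so embedded commas and newlines cannot spill into the next
    // field, and double any embedded double quotes as RFC 4180 requires.
    return '"' . str_replace( '"', '""', $value ) . '"';
}

// Serialise rows to a CSV string; each row is an array of raw cell values.
function export_rows_csv( array $rows ) {
    $lines = array();
    foreach ( $rows as $row ) {
        $lines[] = implode( ',', array_map( 'csv_safe_cell', $row ) );
    }
    return implode( "\r\n", $lines ) . "\r\n";
}

// Constructed sample data (not real plugin records): the second row carries the
// classic DDE payload in the Enquiry source column and a formula trigger in Paid for.
$sample_rows = array(
    array( 'Event', 'Enquiry source', 'Paid for' ),
    array( 'Wedding', "=cmd|'/C calc'!A0", '+1234' ),
);
header( 'Content-Type: text/csv; charset=utf-8' );
header( 'Content-Disposition: attachment; filename="events.csv"' );
echo export_rows_csv( $sample_rows );
```

The apostrophe prefix is the usual recommendation, but it is lossy: a genuinely negative amount such as -12.50 in the Paid for column also gets prefixed and will import as text. If that matters, apply the prefix only to columns that are known to be free text, or emit numeric columns through a separate path that validates them as numbers first.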
Testimonial Builder < 1.6.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some testimonial fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. As admin, create/edit a testimonial and put the following payload in the Testimonial User Name field: "...
Compact WP Audio Player < 1.9.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some of its shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. The PoC attribute value breaks out of the src attribute and references an animation defined by the Twenty Twenty-One theme, so the onanimationend handler fires without any user interaction: sc_embed_player fileurl='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)//'...
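The shortcode entries on this page (Html5 Audio Player, Video Conferencing with Zoom, Amr Shortcode Any Widget, Page-list, Easy Twitter Feed, Themify Portfolio Post, Compact WP Audio Player) share one root cause: a contributor cannot save raw script tags because KSES strips them from post content when the unfiltered_html capability is absent, but a shortcode attribute survives KSES as plain text and is re-injected into HTML, unescaped, by the handler at render time for whoever views the post. The following is an added example and is not code from any of those plugins or from WordPress core; the shortcode, option and function names are hypothetical. It shows the vulnerable handler beside a hardened one, then applies the same escape-on-output rule to the stored-settings entries (ARForms, Scroll To Top, Testimonial Builder), the logged-data entries (NextScripts, My Tickets) and the $_SERVER['PHP_SELF'] case (World Travel Information).

```php
<?php
// Added example, hypothetical plugin code (not from any plugin listed on this page).

// Vulnerable shape: attribute values are concatenated into HTML attributes as-is.
// A contributor posting
//   [vuln_player fileurl='" onmouseover="alert(origin)' title="x"]
// gets the quote and the event handler written straight into the <audio> tag.
function vuln_player_shortcode( $atts ) {
    $a = shortcode_atts( array( 'fileurl' => '', 'title' => '' ), $atts, 'vuln_player' );
    return '<audio controls src="' . $a['fileurl'] . '" title="' . $a['title'] . '"></audio>';
}

// Hardened shape: decide what each attribute is supposed to be, then escape for
// the exact context it lands in (URL attribute vs. ordinary attribute vs. text).
function safe_player_shortcode( $atts ) {
    $a = shortcode_atts( array( 'fileurl' => '', 'title' => '' ), $atts, 'safe_player' );

    // esc_url() returns '' for a scheme outside the allowlist (javascript:, data:)
    // and strips or percent-encodes characters that cannot occur in a URL, so the
    // value can no longer terminate the attribute it is placed in.
    $url = esc_url( $a['fileurl'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }
    return '<audio controls src="' . $url . '" title="' . esc_attr( $a['title'] ) . '"></audio>';
}

add_shortcode( 'vuln_player', 'vuln_player_shortcode' );  // kept only for the contrast
add_shortcode( 'safe_player', 'safe_player_shortcode' );

// The "Admin+ ... even when unfiltered_html is disallowed" entries are the same bug
// one step later: a stored option is trusted because only an administrator could
// have written it. Multisite administrators normally lack unfiltered_html, so the
// value still has to be escaped at every output point, never on the way in only.
function safe_settings_field_html() {
    $text = get_option( 'myplugin_button_text', '' );
    return '<input type="text" name="myplugin_button_text" value="' . esc_attr( $text ) . '">';
}

// Logged data (request headers, booking e-mail addresses) written into an admin
// table is untrusted input from an unauthenticated source and needs the
// text-context escaper:
function safe_log_row_html( $logged_header_value ) {
    return '<td>' . esc_html( $logged_header_value ) . '</td>';
}

// And the $_SERVER['PHP_SELF'] case: PHP_SELF carries the request path including
// PATH_INFO, so a request to /wp-admin/admin.php/INJECTED/?page=x places attacker
// text into a form action built from it. Build the action from a known base instead:
function safe_form_action( $page_slug ) {
    return esc_url( admin_url( 'admin.php?page=' . rawurlencode( $page_slug ) ) );
}
```

Two details are easy to get wrong. First, the escaper must match the context: esc_attr() inside a quoted attribute, esc_html() in element text, esc_url() for anything that becomes a URL; esc_html() in an attribute does not stop a quote from closing it. Second, sanitising on save (sanitize_text_field() and friends) is worth doing but is not a substitute for escaping on output, because the stored value may have been written by an older plugin version, imported, or set through a different code path.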
Post SMTP < 2.8.7 - Admin+ SQL Injection
The plugin does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admins. In the ps-delete-email-logs action: visit the Post SMTP Email Log page and run the following code in the...
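The SQL injection entries on this page (ReviewX, Visual Email Designer for WooCommerce, WP Review Slider, Post SMTP) all splice a request parameter into a query string. The ReviewX one is the instructive case because selectedColumns is an identifier, and an identifier cannot be bound as a value, which is why "just use $wpdb->prepare()" is not a complete fix. The following is an added example and is not code from any of those plugins or from WordPress core; the table, column and parameter names are hypothetical. It shows the vulnerable query beside the hardened one.

```php
<?php
// Added example, hypothetical plugin code (not from any plugin listed on this page).

// Vulnerable shape: a value (pid, status) and an identifier (column) are both
// concatenated. With pid=1000 UNION ALL SELECT user_login,user_pass FROM wp_users
// rows from another table come back through this query's result set; with
// column="user_pass FROM wp_users -- " the entire FROM clause is replaced.
function reviews_export_vuln( $pid, $column, $status ) {
    global $wpdb;
    $sql = "SELECT {$column} FROM {$wpdb->prefix}reviews WHERE pid = {$pid} AND status = '{$status}'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened shape.
function reviews_export_safe( $pid, $column, $status ) {
    global $wpdb;

    // Identifiers (column or table names, ORDER BY fields, ASC/DESC) cannot be
    // bound: %s would turn them into a quoted string literal. Allowlist them.
    $allowed_columns = array( 'id', 'pid', 'rating', 'status', 'created_at' );
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        return new WP_Error( 'bad_column', 'Unknown column requested.' );
    }

    // Values go through prepare(): %d is cast to an integer, %s is escaped and
    // quoted by prepare() itself (never write '%s' with your own quotes around it).
    $sql = $wpdb->prepare(
        "SELECT {$column} FROM {$wpdb->prefix}reviews WHERE pid = %d AND status = %s",
        $pid,
        $status
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// WordPress 6.2 and later also accept %i for identifiers, which backtick-quotes
// them. That stops the identifier from breaking out of its position, but an
// allowlist is still the right check when the valid set is known, because %i does
// nothing to stop a caller selecting a column they should not be able to read.
function reviews_export_safe_62( $pid, $column, $status ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT %i FROM {$wpdb->prefix}reviews WHERE pid = %d AND status = %s",
        $column,
        $pid,
        $status
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// User-supplied LIKE patterns need their wildcards escaped before being bound,
// otherwise a search for "%" matches everything and "_" matches any character.
function reviews_search_safe( $needle ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}reviews WHERE title LIKE %s", $like ),
        ARRAY_A
    );
}
```

The "Admin+" severity on several of these entries is not a reason to leave them: an administrator's SQL access through the plugin is not limited to the plugin's tables, and on multisite, or wherever a CSRF (see the CSRF entries on this page) can drive the admin's browser, the attacker need not hold the admin role at all.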