Smart Forms < 2.6.71 - Subscriber+ Form Data Download
The plugin does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated user, such as a subscriber, to download arbitrary forms' data, which could include sensitive information such as PII depending on the form. Execute the below command in the web develop...
BetterDocs < 1.9.0 - Reflected Cross-Site Scripting
The plugin does not escape the tagID before outputting it back in the edit category page of the admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/term.php?taxonomy=doccategory&tagID=147"alert/XSS/...
ShiftNav – Responsive Mobile Menu < 1.7.2 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Joy Of Text Lite < 2.3.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenticated SQL injection. Invoke the following curl command to induce a 5 second sleep: time curl...
Amelia < 1.0.46 - Manager+ RCE
The plugin stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role. import requests import base64 BASEURL =...
WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Add a new Import at "New Import", upload a random.txt...
WooCommerce Products Table < 1.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise or escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting issues. https://example.com/?woot-remote-page=alert/XSS-page/&anchor=1&width=alert/XSS-width/ https://example.com/?woot-remote-page=1&anchor=1&arbitrary=...
Responsive WordPress Slider <= 2.2.0 - Reflected Cross-Site Scripting
The plugin does not escape the id parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue. Timeline: August 11th, 2021 - Details sent to vendor August 12th, 2021 - Vendor working on a patch August 24th, 2021 - Ticket put as 'solved' on vendor side due ...
Tutor LMS < 1.9.9 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Plugin's Settings General "Error message for...
WP STAGING < 2.9.18 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed, for example in a multisite setup. With the web browser inspector, change the input...
Give < 2.17.3 - Reflected Cross-Site Scripting via Import Tool
The plugin does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting issue. var form1 = document.getElementById'hack'; form1.submit;...
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 2.4.2 - Multiple Admin+ Cross Site Scripting
The plugin does not properly sanitize or escape data in some of its Playlist settings, allowing high privilege users to perform Cross-Site Scripting attacks. 1. Add a playlist with "Optional Call to Action"'s "Label" set to: " style="animation-name:twentytwentyone-close-button-transition"...
WP Custom Cursors < 3.0.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have a CSRF check in place when creating and editing cursors, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored...
eCommerce Product Catalog for WordPress < 3.0.39 - Reflected Cross-Site Scripting
The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue...
Redirection < 1.1.4 - Redirect Creation via CSRF
The plugin does not have nonce verification in place when adding a redirect, which could allow attackers to add redirects via a CSRF attack. POST /wp-admin/admin-ajax.php HTTP/2 Host: sawcup.s2-tastewp.com Cookie: test=test; User-Agent: useragent Accept: / Accept-Language: en-US,en;q=0.5...
LetsRecover < 1.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass
The plugin was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user, including admin, by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even ...
WP Airbnb Review Slider < 3.3 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the following code in the browser console on any WP Admin page. fetch'/wp-admin/admin-ajax.php', method: 'POST',...
CoolClock < 4.3.5 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some shortcode attributes, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. As a user with a role as low as contributor, put the following shortcode in a post/page and view/preview it to trigger the XSS which is specific to...
Search & Filter < 1.2.16 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Insert the...
Amelia < 1.0.46 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the code parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=wpamelia-dashboard&code=...
Page Generator < 1.5.9 - Reflected Cross-Site Scripting
The plugin does not properly escape user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. alert/XSS/' /...
Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection
The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have bee...
Two Way Chat < 3.1.5 - Admin+ Local File Inclusion
The plugin does not properly sanitise and validate user input before using it in require statements, leading to Local File Inclusion issues. https://example.com/wp-admin/admin.php?page=TWCHsettings&tab=../../index https://example.com/wp-admin/admin.php?page=TWCHsettings&tab=Float&sT=../../index...
Request a Quote < 2.3.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfilteredhtml capability is disallowed. As admin, put the below payloads in the related vulnerable field/s and save them there i...
POST SMTP Mailer < 2.5.7 - Arbitrary Log Deletion via CSRF
The plugin does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged-in users with the managepostmansmtp capability delete arbitrary logs via a CSRF attack. Note: The AJAX actions are also affected by SQL injections, making the issue Make a logged-in user...
Ocean Extra < 1.9.5 - Reflected Cross-Site Scripting
The plugin does not escape generated links which are then used when the OceanWP theme is active, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/?step=demo&page=owpsetup&a"alert/XSS/...
Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing the tracked requests. As unauthenticated: wget "https://example.com/?wpamid=1"...
Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, su...
User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting
The plugin does not properly sanitise the userregistrationprofilepicurl value when submitted directly via the userregistrationupdateprofiledetails AJAX action. This could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks when their profile is viewed. 1. Login a...
Ocean Extra < 2.1.3 - Subscriber+ Arbitrary Post Content Disclosure
The plugin does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones. Note: This requires the OceanWP theme to be...
WP Popups < 2.1.4.8 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit:...
Image Optimizer, Resizer and CDN < 6.8.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed, for example in a multisite setup. Step 1: Install the plugin and register for an...
WordPress Infinite Scroll - Ajax Load More < 5.6.0.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Examples (a lot of attributes are affected!),...
Tutor LMS < 1.9.12 - Subscriber+ Stored Cross-Site Scripting
The plugin does not escape the 'Job Title' field of a user's profile, which could allow any authenticated user to set a Cross-Site Scripting payload in it, which will be triggered when an admin edits the related profile. As a subscriber, edit your profile and add the following payload in the Job Tit...
Booking.com Product Helper < 1.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the Product Code when creating a Product Shortcode, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. When creating a "New product shortcode" you can inject XSS payloads like --! i...
WP-Recall < 16.24.48 - Reflected Cross-Site Scripting
The plugin does not escape some filter parameters before outputting them back in attributes when the Commerce add-on is active, leading to Reflected Cross-Site Scripting issues. Activate the Commerce Add-On of the plugin and open the below URL...
Image Optimizer by 10web < 1.0.27 - Admin+ Path Traversal
The plugin does not sanitize the dir parameter when handling the getsubdirs ajax action, allowing high privileged users such as admins to inspect names of files and directories outside of the site's root. - Payload: ../../../../../../../../../../../../../../../../../../../ - At the "Other...
LetsRecover < 1.2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. GET /checkout/order-received/30/?key=wcorderKwss5kjkrhgKG HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11; Linux...
Ibtana - Ecommerce Product Addons < 0.2.4 - Reflected Cross-Site Scripting
The plugin does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. v alert/XSS/ v 0.2.4 - https://example.com/wp-admin/admin.php?page=ibtana-custom-post-type&posttypeid="+style=animation-name:rotation+onanimationstart=alert/XSS/...
NinjaForms < 3.6.13 - Admin+ PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP Object Injection issues when an admin imports, intentionally or not, a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin class Evil public...
Great Quotes <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Add/edit a Quote and put the following payload in the "Quote" and "Author" fields:...
Shield Security < 13.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload as an Admin Note (Shield Security > Tools > Admin Notes): alert/XSS/;...
One User Avatar < 2.3.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. avatar link="javascript:alertorigin" avatar target='" style="animation-name:twentytwentyone-close-button-transition"...
Paid Memberships Pro < 2.9.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1. Insert the...
Gettext override translations < 2.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed, for example in a multisite setup. Create/edit a translation and put the following...
Rezgo Online Booking < 4.1.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting issue, which can be exploited either via an LFI in an AJAX action, or via a direct call to the affected file. Direct call:...
Client Invoicing by Sprout Invoices < 19.9.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in one of the vulnerable fields in the General Settings of the plugin...
SEO Redirection < 7.4 - Reflected Cross-Site Scripting
The plugin does not escape the tab parameter before outputting it back in JavaScript code, leading to a Reflected Cross-Site Scripting issue. " / " /...
WP All Export < 1.3.6 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. https://example.com/wp-admin/admin.php?page=pmxe-admin-manage&a"alert/XSS/...