WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query. http://wordpress.local/?static=1&order=asc...
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Blind SQLi
The plugin does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks. As an unauthenticated user, fill in the reservation form (it's on a page where the reservationform is embedded), intercept the...
User Activity Log < 1.4.7 - Reflected Cross Site Scripting via Query String
The plugin does not escape the $_SERVER['QUERY_STRING'] before outputting it back in attributes, which could lead to Reflected Cross-Site Scripting in web browsers which do not encode URL characters. With a web browser which does not encode characters, or use Burp Suite and decode the URL via the...
Malware Scanner < 4.7.3 and Web Application Firewall < 2.1.2 - Unauthenticated Privilege Escalation
The plugin does not prevent unauthenticated users from resetting any account's password, allowing them to take over sites by resetting one of its administrators' passwords. curl --url 'http://vulnerable-site.tld/wp-login.php' --data...
YARPP - Yet Another Related Posts Plugin < 5.30.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. v 5.30.3 yarpp template="'...
Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update to Auth Bypass
The plugin does not have any authorisation and CSRF checks when updating its settings, which are hooked to the init action, allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticate users, therefore bypassing the current authenticatio...
Polo Video Gallery <= 1.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payloads in them, which will be triggered in the page/s with the embedded malicious shortcode. Log in as contributor and add the following shortcode i...
Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports a malicious file, intentionally or not, and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin class Evil public...
All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic < 4.6.1.1 - Contributor+ Stored Cross-Site Scripting via Shortcode
The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
Email Artillery <= 4.1 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise, validate or escape some user input before outputting back in pages leading to Reflected Cross-Site Scripting issues which will be executed in the context of a logged in admin...
Pie Register < 3.7.0.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise the invitaioncode GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=prnewregistrationform&showdashwidget=1&invitaioncode=PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=...
Sitemap < 4.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. pagelist...
PDF Viewer < 1.0.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Exploit shortcode: pdfviewer height='" onmouseover="alert1"'http://localhost/file.pdf/pdfviewer...
Gravity Forms < 2.7.5 - Reflected XSS
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin. Make a logged in admin open the following URL:...
WP Hotel Booking <= 1.10.3 - Unauthenticated PHP Object Injection
The plugin unserialises the value in the thimpresshotelbooking1 cookie without sanitisation, which could lead to an unauthenticated PHP Object Injection. If the plugin is installed on WP 5.5.2, then there is a suitable gadget chain to obtain RCE, otherwise, another gadget chain will have to be us...
Simple File List < 4.4.12 - Reflected Cross-Site Scripting
The plugin does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=ee-simple-file-list&tab="style=animation-name:rotation+onanimationstart=alert/XSS///...
Registrations for The Events Calendar < 2.7.5 - Reflected Cross-Site Scripting
The plugin does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=registrations-for-the-events-calendar&tab=registrations&v="+style=animation-name:rotation+onanimationstart=alert/XSS///...
Calendar Event Multi View < 1.4.01 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page via php/edit.php, leading to a reflected Cross-Site Scripting issue...
Login Logout Menu < 1.4.0 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
WP Spell Check < 9.3 - Reflected Cross-Site Scripting
The plugin does not escape the page and wpsc-scan-tab parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. alert/XSS/' / alert/XSS/' /...
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
The plugin does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site,...
Frontend File Manager < 21.3 - Subscriber+ Arbitrary File Upload
The plugin allows any authenticated user, such as a subscriber, to rename a file to an arbitrary extension, like PHP, which could effectively allow them to upload arbitrary files to the server and achieve RCE. 1. Navigate to the page where ffmwp shortcode is included as Subscriber 2. Uploa...
Visual Form Builder < 3.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payloads in it, even when the unfiltered_html capability is disallowed. Create a new Form via the plugin, fill it with any values. In the next step, change the Form name to...
Widget Shortcode <= 0.3.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
IMPress for IDX Broker < 3.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the leadID parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue https://examle.com/wp-admin/admin.php?page=edit-lead&leadID="alert/XSS/...
Zephyr Project Manager < 3.2.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=zephyrprojectmanagerprojects&projectspage=--...
Avada < 7.4.2 - Reflected Cross-Site Scripting
The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue. https://theme-fusion.com/forums/search/z--FAIL/...
Complianz - GDPR/CCPA Cookie Consent < 6.0.0 - Reflected Cross-Site Scripting
The plugin does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=cmplz-proof-of-consent&s=%22+style%3Danimation-name%3Ashine+onanimationstart%3Dalert%281%29+x%3D...
Amazon JS <= 0.10 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. amazonjs asin='XSS' imgsize='"...
WP Ultimate CSV Importer < 6.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape imported comments, which could allow high privilege users to import malicious ones, either intentionally or not, and lead to Stored Cross-Site Scripting issues. Import the following CSV as comment:...
TableOn < 1.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise or escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting issues https://example.com/?tableon-remote-page=alert/XSS-page/&anchor=1&width=alert/XSS-width/...
Newspaper < 12 - Reflected Cross-Site Scripting
The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue. " / document.forms0.submit;...
GeoDirectory < 2.2.22 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Note: First,...
Greenshift < 5.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit Additional CSS classes for "Advanced Heading"...
MediaElement.js – HTML5 Video & Audio Player <= 4.2.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins. 1. Insert the...
WP Social Sharing <= 2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to Settings » WP Social Sharing page of the...
Registrations for the Events Calendar < 2.7.10 - Reflected Cross-Site Scripting
The plugin does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting...
Web Directory Free < 1.7.0 - Unauthenticated SQL Injection
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based. curl --url...
Landing Page Builder < 1.4.9.9 - Contributor+ Cross-Site Scripting via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1. Insert the...
SEO Smart Links <= 3.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Put the following payload in the "Whitelisted...
Ditty (formerly Ditty News Ticker) < 3.0.15 - Reflected Cross-Site Scripting (XSS)
The plugin is affected by a Reflected Cross-Site Scripting (XSS) vulnerability. http://127.0.0.1:8001/wp-admin/edit.php?posttype=ditty&page=dittysettings&tab=%22%3E%3Cimg+src+onerror%3Dalert%281%29%3E...
Word Balloon < 4.19.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
User Activity Log < 1.4.7 - Reflected Cross-Site Scripting
The plugin does not escape the txtsearch parameter before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=useractionlog&txtsearch=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F...
WooCommerce < 8.6 - Contributor+ Private/Draft Products Access
The plugin does not prevent users with at least the contributor role from leaking products they shouldn't have access to, e.g. private, draft and trashed products. 1. ADMIN: Install WooCommerce 2. ADMIN: Add products of various visibility and statuses including Publish, Draft, Private,...
Intuitive Custom Post Order < 3.1.4 - Subscriber+ Arbitrary Menu Order Update
The plugin does not check for authorization in the update-menu-order ajax action, allowing any logged in user with roles as low as Subscriber to update the menu order Open the below HTML while being logged in as a subscriber...
Location Weather < 1.3.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit Additional CSS classes for "Location Weather"...
Accordion Shortcodes <= 2.4.2 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Exploit shortcode: accordion class='" onmouseover="alert1" style="background:red;width:100px;height:100px;"'...
Elementor Contact Form DB < 1.8.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting When there is at least one submission: https://example.com/wp-admin/edit.php?posttype=elementorcfdb&page=sbelemcfd&formid="...
Icegram < 2.0.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the messageid parameter of the getmessageactionrow AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit; The XSS will be triggered when moving the...
Genesis Columns Advanced < 2.0.4 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admins. 1. Insert t...