4359 matches found
Campaign URL Builder < 1.8.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The shortcode needs to be active, which can be done...
Real Media Library < 4.18.29 - Author+ Stored XSS
The plugin does not sanitise and escape the created folder names, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks. As a user with the author role, go to Media Library and create a new folder with the following payload: " Then Add a new medi...
CPT Bootstrap Carousel <= 1.12 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Note: First y...
YaySMTP < 2.2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup). Put the following payload in the From Email or From Nam...
Spectra < 1.25.6 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting. When the admin notice about Usage Tracking is displayed: https://example.com/wp-admin/index?a"alert/XSS/...
LearnPress Plugin < 4.2.0 - Subscriber+ SQLi
The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks. Note: The original advisory mentioned that the issue is only exploitable by contributors, b...
Shortcode for Font Awesome < 1.4.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. fa set='" onmouseover="alert1"...
Judge.me Product Reviews for WooCommerce < 1.3.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Note: First, you need to set Judge.me shop...
Portfolio for Elementor, Image Gallery & Post Grid | PowerFolio < 2.3.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Note: First,...
Booster for WooCommerce - Checkout Files Deletion via CSRF
The plugins do not have a CSRF check in place when deleting files uploaded at the checkout, allowing attackers to make a logged in shop manager or admin delete them via a CSRF attack. Requirements: - Enable the "Checkout File Upload" module of the plugin...
Contextual Related Posts < 3.3.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 1. Insert a "Contextual Related Posts" block, and give ...
Easy Accept Payments for PayPal < 4.9.10 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wppaypalpaymentboxforanyamount...
W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure
The plugin does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated user to access them. Setup: Create a default Post list, and create a password protected post with secret content. Then, run the below command in the develop...
Arigato Autoresponder and Newsletter < 2.1.7.2 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 1. Go to the Mailing list option and register a new user with the value "autofoc...
TemplatesNext ToolKit < 3.2.9 - Contributor+ Stored XSS
The plugin does not validate some of its shortcode attributes before using them to generate an HTML tag, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. txheading tag='script' headingtext='alert/XSS/'...
Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in Product XML Feeds Module
The plugin does not sanitise and escape the wcjcreateproductsxmlresult parameter before outputting it back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue. The "Product XML Feeds" module needs to be enabled in "Woocommerce - Boost...
WPCargo < 6.9.0 - Unauthenticated RCE
The plugin contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE. import sys import binascii import requests This is a magic string that when treated as pixels and compressed using the png algorithm, will cause to be written to t...
Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF
The plugin lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user into changing the menu order via a CSRF attack...
Spectra < 1.15.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks. Note: The exploit requires the Contact Form 7 plugin. Exploit Additional CSS classes for “Contact Form 7 Styler” Gutenberg block: ...
Booster for WooCommerce - ShopManager+ Arbitrary File Download
The plugins do not validate files to download in some of their modules, which could allow ShopManager and Admin to download arbitrary files from the server even when they are not supposed to be able to (for example in multisite). Enable the "Checkout File Upload" module and open the following URL as a...
UpdraftPlus < 1.16.69 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the updraftrestore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting...
WooCommerce Currency Switcher < 1.3.7.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the key parameter of the woocsupdateprofilesdata AJAX action available to any authenticated user before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. " / var form1 = document.getElementById'hack'; form1.submit; POST...
Scriptless Social Sharing < 3.2.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Add a "Scriptless Social Sharing" Gutenberg block to a...
Page Builder: Live Composer < 1.5.23 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. dslcnotification color='red"...
Product Addons & Fields for WooCommerce < 32.0.7 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting. Ensure WooCommerce is installed. Visit the following path, while logged in as an Admin: /wp-admin/admin.php?page=ppom&productmetaid=5&dometa=edit&"alert/XSS/=1...
EmbedSocial < 1.1.28 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. embedsocialstories id="' onmouseover='alert1...
PixCodes < 2.3.7 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
HashBar – WordPress Notification Bar < 1.3.6 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Exploit shortcode: hashbarbtn btntarget='" onmouseover="alert1"'...
Greenshift – animation and page builder blocks < 4.8.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Exploit shortcode: wpreusablerender id='2' ajax='true' height='100px;width:100px;background:red;" onmouseover="alert1"'...
WP-Lister Lite for Amazon < 2.4.4 - Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high-privilege users such as admin. 1. Install and activate WooCommerce dependency, no setup required 2. Install and activate the...
Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not sanitise and escape the formid parameter before outputting it back in the response of an unauthenticated request via the givecheckoutlogin AJAX action, leading to a Reflected Cross-Site Scripting. As an unauthenticated user: alert/XSS/' / var form1 =...
FL3R FeelBox <= 8.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. 1. Visit a blog post and extract the nonce from the source (search for "feelboxAjax", and extract the "token") curl -s...
Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). - Install the plugin and WooCommerce, whic...
Unauthorised AJAX Calls via Freemius
The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated user, such as a subscriber, could access the debug logs. Unauthenticated attackers could also make a logged in...
Better Font Awesome < 2.0.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. icon name='flag' class='4x border' title='"...
WordPress Filter Gallery Plugin < 0.1.6 - Admin+ Stored XSS
The plugin does not properly escape the filters passed in the ufggalleryfilters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or JavaScript to the plugin settings page, even when the unfiltered_html capability is disabled...
Give < 2.21.0 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting. https://example.com/wp-admin/edit.php?posttype=giveforms&page=give-tools&a"alert/XSS/...
VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF
The plugin does not have a CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them in attributes. As a result, attackers could make a logged in admin add a tracking campaign with XSS payloads in them via a CSRF attack. XSS will be triggered in...
Booster for Woocommerce < 5.4.9 - Reflected Cross-Site Scripting in PDF Invoicing Module
The plugin does not sanitise and escape the wcjnotice parameter before outputting it back in the admin dashboard when the PDF Invoicing module is enabled, leading to a Reflected Cross-Site Scripting. With the PDF Invoicing module active:...
WOOCS < 1.3.7.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the customprices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin-ajax.php?action=woocsgetcustompricehtml&customprices=%3Cimg%20src%20onerror=alertXSS%3E...
Popup Maker < 1.16.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Popup Maker Create Popup Popup Settings Triggers Add New Cookie Add Cookie...
Solidres <= 0.9.4 - Multiple Reflected XSS
The plugin does not sanitise and escape numerous parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open...
Zoho Forms < 3.0.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, put the following in a bl...
FL3R FeelBox <= 8.1 - Moods Reset via CSRF
The plugin does not have a CSRF check when updating/resetting moods, which could allow attackers to make logged in admins perform such action via a CSRF attack and delete the lydlposts & lydlpoststimestamp DB tables. Make a logged in admin open a page containing the HTML code below...
YaySMTP < 2.2.1 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attacks due to the lack of escaping in them as well. v2.2.1 fixed the authorisation issue but not the escaping...
Download Video Sidebar Widgets <= 6.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. vsw source="youtube" id="3PdILZ1P74"...
Easy Social Box < 4.1.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. easy-fb-like-box locale='"; alert1; var xss=...
Easy PayPal Buy Now Button < 1.7.4 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wpecpp name="' accesskey='X' onclick='alert1...
Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected XSS in page-builder-add on the ulpbpost admin page. http://127.0.0.1:8001/wp-admin/edit.php?posttype=ulpbpost&page=page-builder-new-landing-page&thisPostID="+style=animation-name:rotation+onanimationstart=alert1+x=...
UpdraftPlus < 1.16.66 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the backuptimestamp and jobid parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues...