Advanced Database Cleaner < 3.0.2 - Authenticated SQL injection
The plugin did not properly sanitise the user input given, allowing high privilege users (admin+) to perform SQL injection attacks. https://drive.google.com/file/d/1ljyMPfcwLXP2VS8lbAKNR9SzNfX1sm3W/view?usp=sharing...
WP Import Export Lite < 3.9.5 - Subscriber+ Extensions Update
The plugin does not have any CSRF or authorisation checks in its wpieextsaveextensions AJAX action. This could allow any authenticated user, such as a subscriber, or an unauthenticated attacker via CSRF, to set the extensions to be used by the plugin, as well as disable all of them To disabled al...
AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage
In the plugin, the file "resource/frontend/product/product-shortcode.php", responsible for the accessallyorderform shortcode, is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the accessallyorderform shortcode, no login o...
Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them even when the unfiltered_html capability is disabled. Use a payload such as a" in the plugin settings, for example the Powered by Text input...
WP Import Export Lite < 3.9.5 - Subscriber+ Arbitrary Blog Options Update
The plugin does not have any CSRF or authorisation checks in the wpieextsaveextensiondata AJAX action, nor does it perform any validation on the option to be updated. As a result, any authenticated user, such as a subscriber, or an unauthenticated attacker via CSRF, could update any of the blog...
Shantz WordPress QOTD <= 1.2.2 - Arbitrary Setting Update via CSRF
The plugin is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values...
Tutor LMS < 1.8.8 - Authenticated Local File Inclusion
The plugin is affected by a local file inclusion vulnerability through a maliciously constructed subpage parameter of the plugin's Tools page, allowing high privilege users to include any local PHP file. https://your.domain/wp-admin/admin.php?page=tutor-tools&subpage=..%2F..%2F..%2F..%2F..%2F..%2Find...
Per Page Add to Head <= 1.4.4 - Authenticated Stored XSS
The plugin does not properly sanitise one of its settings, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. Note: The plugin is no longer maintained. Put the following payload in t...
Email Log < 2.4.7 - Admin+ SQL Injection
The plugin does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in a SQL statement in the admin dashboard, leading to SQL injections. https://example.com/wp-admin/admin.php?page=email-log&orderby=sentdate+AND+SELECT+3025...
Custom Login Redirect <= 1.0.0 - CSRF to Stored XSS
The plugin does not have a CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting it back in the page, leading to a Stored Cross-Site Scripting issue alert/XSS/' /...
Profile Builder < 3.4.9 - Admin Access via Password Reset
The plugin has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example. The password reset key is checked against the...
The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending
The plugin did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary password reset email to a registered user on behalf of the WordPress site. Such an issue could be chained with an open redirect...
Login No Captcha reCAPTCHA < 1.7 - IP Check Bypass
The plugin doesn't check the proper IP address, allowing attackers to spoof IP addresses on the allow list and bypass the need for a captcha on the login screen. Set HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR or any other header read in LoginNoCaptcha::getipaddress, which is then checked against the whitelist and...
Stream < 3.8.2 - Admin+ SQL Injection
The plugin does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue. https://example.com/wp-admin/admin.php?page=wpstream&order=+AND+SELECT+9940+FROM+SELECTSLEEP5vqNl...
Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls
The plugin does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user, such as a subscriber, to call them and 1 Get and search through the title and content of Draft posts, 2 Get the title of a password-protected post as...
WordPress Download Manager < 3.2.13 - Email Template Setting Update via CSRF
The plugin did not have a CSRF check in place before saving its Email Template setting, allowing attackers to make a logged in admin change it via a CSRF attack...
PDF Light Viewer < 1.4.12 - Authenticated Command Injection
The plugin allows users with the Author role to execute arbitrary OS commands on the server via OS Command Injection when invoking Ghostscript. 1 Go to Import PDF. 2 Select PDF file. 3 Set compression as 60 | calc | echo 4 Toggle import the first checkbox 5 Publish or update 6 Command executes...
All In One WP Security & Firewall < 5.1.3 - Configuration Leak
The plugin leaked its settings publicly, including the email address in use. Config leak in previous versions: "aiowpsremovewpgeneratormetainfo" filetype:txt https://www.google.com/search?q=%22aiowpsremovewpgeneratormetainfo%22+filetype%3Atxt Search for aiowpsemailaddress...
Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read
The plugin does not properly validate paths generated from user input in the almrepeatersexport function, which could allow high privilege users to read arbitrary files from the server even when they should not have access to any, for example in a multisite setup. This is due to an...
Ajax Load More < 5.3.2 - Authenticated SQL Injection
The Ajax Load More WordPress plugin was vulnerable to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep5=test. The attacker needs to be authenticated with the edit_theme_options capability, which only administrators have by default...
Light Messages <= 1.0 - CSRF to Stored XSS
The plugin is lacking a CSRF check when updating its settings, and is not sanitising the Message Content in them even with unfiltered_html disallowed. As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the...
Phoenix Media Rename < 3.4.4 - Author Arbitrary Media File Renaming
The plugin does not have capability checks in its phoenixmediarename AJAX action, which could allow users with the Author role to rename any uploaded media files, including ones they do not own. As an Author, go to the page to edit one of your own Media, i.e. /wp-admin/post.php?post=1993&action=edit,...
Countdown Block < 1.1.2 - Missing Authorisation in AJAX action
The plugin does not have an authorisation check in the ebwriteblockcss AJAX action, which allows any authenticated user, such as a Subscriber, to modify post contents displayed to users. The v1.1.1 attempt to fix the issue was incomplete, still allowing it to be exploited via a CSRF attack on an admin due to a...
EditorsKit < 1.31.6 - Contributor+ Arbitrary PHP Code Execution
The plugin does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low as Contributor to execute arbitrary PHP code. As a contributor, create/edit a post and put the below code while in Code Editor mode: \naa\n Save or Preview the page,...
Popup box < 2.3.4 - Authenticated Blind SQL Injections
The getayspopupboxes and getpopupcategories functions of the plugin did not use a whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. Exploit all of them with the same technique. SQLMAP:...
WPGraphQL < 1.3.6 - Denial of Service
The plugin suffers from a Denial of Service vulnerability by Field Duplication. It is possible to create an expensive query by duplicating the number of fields, while simultaneously sending these requests in batches using GraphQL's Batching capability. v1.3.6 added a setting to disable batch...
Header Footer Code Manager < 1.1.14 - Admin+ SQL Injections
The plugin does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections...
Timetable and Event Schedule by MotoPress < 2.4.0 - Arbitrary User's Hashed Password/Email/Username Disclosure
The plugin outputs the Hashed Password, Username and Email Address, along with other less sensitive data, of the user set as the Event Head of the Timeslot in the response when requesting the event Timeslot data as a user with the edit_posts capability. Combined with the other Unauthorised Event...
WP Editor < 1.2.7 - Authenticated SQL injection
The plugin did not sanitise or validate its setting fields leading to an authenticated admin+ blind SQL injection issue via an arbitrary parameter when making a request to save the settings. https://drive.google.com/file/d/1KT4lHePmYuX36jvA4AEQ1MVDwJBlZOO/view?usp=sharing payload:...
301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection
The plugin does not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. The PoC video provided mentioned 2.53 as vulnerable, however v2.45 was installed and used. The issue has been verified to have been fixed in 2.51. POST...
Redux Framework < 4.1.21 - CSRF Nonce Validation Bypass
The plugin did not properly validate some nonces, only checking them if their value was set. As a result, CSRF attacks could still be performed by not submitting the nonce in the request, bypassing the protection they are supposed to provide. Just don't send the parameters: $_POST['nonce'] or...
Contact Form 7 Captcha < 0.0.9 - CSRF to Stored XSS
The plugin does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged in user with the manage_options capability change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. All cf7sr parameters are...
Check & Log Email < 1.0.3 - Admin+ SQL Injections
The plugin does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injection issues. With the 'Enable Log' setting of the plugin activated: -...
WP Advanced Search < 3.3.4 - Unauthenticated Database Access and Remote Code Execution (RCE)
Arbitrary database queries can be executed in an unauthenticated context of the "WP-Advanced-Search Plugin". E.g. a new administrative account could be added to the WordPress instance, a malicious plugin deployed and therefore Remote Code Execution (RCE) would be possible in the end. PoC: Update th...
WooCommerce Payments < 5.6.2 - Unauthenticated Privilege Escalation
The plugin has a flaw allowing unauthenticated attackers to create an admin account and take over the blog. POST /wp-json/wp/v2/users HTTP/1.1 Host: 127.0.0.1 Upgrade-Insecure-Requests: 1 Accept:...
WP Super Cache < 1.9 - Unauthenticated Cache Poisoning
The plugin is affected by a cache poisoning issue. curl 'https://example.com//?s=12333'...
wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF
The plugin does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged in users such as admins edit and delete arbitrary comments, or the user who made a comment edit it, via a CSRF attack. Attackers could also make logged in users post arbitrary...
HM Multiple Roles < 1.3 - Arbitrary Role Change
The plugin does not have any access control to prevent low privilege users from setting themselves as admin via their profile page. As any authenticated user, go to your Profile page and tick the Administrator Role checkbox. In v1.2, the checkboxes are disabled in the UI but can be tampered with by eith...
MouseWheel Smooth Scroll < 5.7 - Plugin's Setting Update via CSRF
The plugin does not have a CSRF check in place on its settings page, which could allow attackers to make a logged in admin change the settings via a CSRF attack...
Registrations for the Events Calendar < 2.7.6 - Unauthenticated SQL Injection
The plugin does not sanitise and escape the eventid in the rtecsendunregisterlink AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL injection. The below request will send an email to [email protected] wi...
BCS BatchLine Book Importer < 1.5.8 - Unauthenticated Product Import
The plugin did not correctly check for permission in its wc/v3/bcsbertlinebookimport REST route, allowing unauthenticated users to import arbitrary products or update existing ones. POST /wp-json/wc/v3/bcsbertlinebookimport HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflat...
WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi
The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. Note: The visitorId parameter's numerical prefix before the %27 must be different on each try...
Cookie Notice & Compliance for GDPR / CCPA < 2.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admins to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed. Put the following payload in the Button text setti...
Yes/No Chart < 1.0.12 - Authenticated (contributor+) Blind SQL Injection
The plugin did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users (contributor+) to perform Blind SQL Injection attacks. To exploit, the site administrator must add a question set and a question first. This requirement is usually met for all...
Batch Cat <= 0.3 - Subscriber+ Arbitrary Categories Add/Set/Delete to Posts
The plugin defines 3 custom AJAX actions, which all require authentication but are available to all roles. As a result, any authenticated user, including simple subscribers, can add/set/delete arbitrary categories on posts. Set the category 107 on the post 1537: POST /wp-admin/admin-ajax.php...
Meow Gallery < 4.1.9 - Contributor+ SQL Injection
The plugin does not sanitise, validate or escape the ids attribute of its gallery shortcode, available to users as low as Contributor, before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that...
Language Bar Flags <= 1.0.8 - CSRF to Stored XSS
The plugin does not have any CSRF check in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set a Cross-Site Scripting payload in them, which will be executed in t...
Keywords & Meta <= 3.0 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing an attacker to make a logged in high privilege user save arbitrary settings via a CSRF...
StoryChief < 1.0.31 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its tab parameter in the Settings page before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/options-general.php?page=storychief&tab=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E...
PhastPress < 1.111 - Open Redirect
There is an open redirect in the plugin that allows an attacker to craft a malformed request to a page using the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/ that...