Wpexploit • Most viewed

4359 matches found

wpexploit • added 2020/09/06 12:00 a.m. • 845 views

Advanced Database Cleaner < 3.0.2 - Authenticated SQL injection

The plugin did not properly sanitise user input, allowing high privilege users (admin+) to perform SQL injection attacks. https://drive.google.com/file/d/1ljyMPfcwLXP2VS8lbAKNR9SzNfX1sm3W/view?usp=sharing...

AI score 3.8 • EPSS 0.01205 • Exploits 1 • References 1

wpexploit • added 2021/09/20 12:00 a.m. • 844 views

WP Import Export Lite < 3.9.5 - Subscriber+ Extensions Update

The plugin does not have any CSRF or authorisation checks in the wpieextsaveextensions AJAX action. This could allow any authenticated user such as a subscriber, or an unauthenticated attacker via CSRF, to set the extensions to be used by the plugin, as well as disable all of them. To disabled al...

AI score 0.6 • Exploits 0

wpexploit • added 2021/03/26 12:00 a.m. • 844 views

AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

In the plugin, the file "resource/frontend/product/product-shortcode.php" responsible for the accessallyorderform shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public-facing pages containing the accessallyorderform shortcode, no login o...

CVSS 5 • AI score 2 • EPSS 0.05404 • Exploits 2

wpexploit • added 2021/04/01 12:00 a.m. • 843 views

Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them even when unfiltered_html is disabled. Use a payload such as a" in the plugin settings, for example the Powered by Text input...

AI score 0.4 • Exploits 0 • References 1

wpexploit • added 2021/09/20 12:00 a.m. • 842 views

WP Import Export Lite < 3.9.5 - Subscriber+ Arbitrary Blog Options Update

The plugin does not have any CSRF or authorisation checks in the wpieextsaveextensiondata AJAX action, nor does it perform any validation on the option to be updated. As a result, any authenticated user such as a subscriber, or an unauthenticated attacker via CSRF, could update any of the blog...

AI score 0.7 • Exploits 0

wpexploit • added 2021/07/19 12:00 a.m. • 842 views

Shantz WordPress QOTD <= 1.2.2 - Arbitrary Setting Update via CSRF

The plugin is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values...

CVSS 4.3 • AI score 1.3 • EPSS 0.0045 • Exploits 2

wpexploit • added 2021/04/05 12:00 a.m. • 840 views

Tutor LMS < 1.8.8 - Authenticated Local File Inclusion

The plugin is affected by a local file inclusion vulnerability through a maliciously constructed subpage parameter of the plugin's Tools, allowing high privilege users to include any local PHP file. https://your.domain/wp-admin/admin.php?page=tutor-tools&subpage=..%2F..%2F..%2F..%2F..%2F..%2Find...

CVSS 5.5 • AI score 2.8 • EPSS 0.00778 • Exploits 2

wpexploit • added 2021/08/11 12:00 a.m. • 838 views

Per Page Add to Head <= 1.4.4 - Authenticated Stored XSS

The plugin does not properly sanitise one of its settings, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. Note: The plugin is no longer maintained. Put the following payload in t...

CVSS 4.8 • AI score 4.8 • EPSS 0.00598 • Exploits 2

wpexploit • added 2021/10/18 12:00 a.m. • 834 views

Email Log < 2.4.7 - Admin+ SQL Injection

The plugin does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in a SQL statement in the admin dashboard, leading to SQL injections. https://example.com/wp-admin/admin.php?page=email-log&orderby=sentdate+AND+SELECT+3025...

CVSS 8.8 • AI score 1.5 • EPSS 0.01292 • Exploits 2

wpexploit • added 2021/07/19 12:00 a.m. • 830 views

Custom Login Redirect <= 1.0.0 - CSRF to Stored XSS

The plugin does not have a CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. alert/XSS/' /...

CVSS 4.3 • AI score 6 • EPSS 0.00412 • Exploits 2

wpexploit • added 2021/07/19 12:00 a.m. • 828 views

Profile Builder < 3.4.9 - Admin Access via Password Reset

The plugin has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example. The password reset key is checked against the...

CVSS 10 • AI score 0.4 • EPSS 0.07696 • Exploits 2

wpexploit • added 2021/05/31 12:00 a.m. • 828 views

The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending

The plugin did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect...

CVSS 5.3 • AI score 5.4 • EPSS 0.0111 • Exploits 2 • References 1

wpexploit • added 2022/08/22 12:00 a.m. • 827 views

Login No Captcha reCAPTCHA < 1.7 - IP Check Bypass

The plugin doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. Set HTTPCLIENTIP, HTTPXFORWARDEDFOR or any other header in LoginNoCaptcha::getipaddress which is then checked against the whitelist and...

CVSS 4.3 • AI score 0.6 • EPSS 0.0057 • Exploits 2

wpexploit • added 2021/10/18 12:00 a.m. • 827 views

Stream < 3.8.2 - Admin+ SQL Injection

The plugin does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue. https://example.com/wp-admin/admin.php?page=wpstream&order=+AND+SELECT+9940+FROM+SELECTSLEEP5vqNl...

CVSS 8.8 • AI score 1.3 • EPSS 0.01504 • Exploits 2 • References 1

wpexploit • added 2021/08/18 12:00 a.m. • 826 views

Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls

The plugin does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user such as subscriber to call them and 1 Get and search through title and content of Draft post, 2 Get title of a password-protected post as...

CVSS 5.5 • AI score 0.4 • EPSS 0.00615 • Exploits 2

wpexploit • added 2021/08/09 12:00 a.m. • 821 views

WordPress Download Manager < 3.2.13 - Email Template Setting Update via CSRF

The plugin did not have CSRF check in place before saving its Email Template setting, allowing attackers to make a logged in admin change them via a CSRF attack...

AI score 0.8 • Exploits 0 • References 1

wpexploit • added 2021/09/15 12:00 a.m. • 820 views

PDF Light Viewer < 1.4.12 - Authenticated Command Injection

The plugin allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript. 1 Go to Import PDF. 2 Select PDF file. 3 Set compression as 60 | calc | echo 4 Toggle import the first checkbox 5 Publish or update 6 Command executes...

CVSS 9 • AI score 2.5 • EPSS 0.04268 • Exploits 2

wpexploit • added 2022/12/27 12:00 a.m. • 819 views

All In One WP Security & Firewall < 5.1.3 - Configuration Leak

The plugin leaked settings of the plugin publicly, including the used email address. Config leak in previous versions: "aiowpsremovewpgeneratormetainfo" filetype:txt https://www.google.com/search?q=%22aiowpsremovewpgeneratormetainfo%22+filetype%3Atxt Search for aiowpsemailaddress...

CVSS 5.3 • AI score 0.2 • EPSS 0.00658 • Exploits 2

wpexploit • added 2022/08/24 12:00 a.m. • 817 views

Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read

The plugin does not properly validate paths generated with user input in the almrepeatersexport function, which could allow high privilege users to read arbitrary files from the server even when they should not be able to have access to any, for example in a multisite setup. This is due to an...

AI score 0.3 • EPSS 0.01279 • Exploits 2

wpexploit • added 2020/05/18 12:00 a.m. • 815 views

Ajax Load More < 5.3.2 - Authenticated SQL Injection

The Ajax Load More WordPress plugin was vulnerable to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep5=test. The attacker needs to be authenticated with the edit_theme_options capability, which only administrators have by default...

AI score 7.6 • EPSS 0.01205 • Exploits 1 • References 2

wpexploit • added 2021/07/19 12:00 a.m. • 814 views

Light Messages <= 1.0 - CSRF to Stored XSS

The plugin is lacking a CSRF check when updating its settings, and is not sanitising its Message Content in them even with unfiltered_html disallowed. As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the...

CVSS 4.3 • AI score 6 • EPSS 0.00412 • Exploits 2

wpexploit • added 2021/10/06 12:00 a.m. • 813 views

Phoenix Media Rename < 3.4.4 - Author Arbitrary Media File Renaming

The plugin does not have capability checks in its phoenixmediarename AJAX action, which could allow users with Author roles to rename any uploaded media files, including ones they do not own. As an Author, go to the page to edit one of your own Media ie /wp-admin/post.php?post=1993&action=edit,...

CVSS 4.3 • AI score 1.4 • EPSS 0.00654 • Exploits 2

wpexploit • added 2021/08/30 12:00 a.m. • 813 views

Countdown Block < 1.1.2 - Missing Authorisation in AJAX action

The plugin does not have authorisation in the ebwriteblockcss AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users. v1.1.1 attempt to fix the issue was incomplete, still allowing it to be exploited via a CSRF attack on an admin due to a...

CVSS 4.3 • EPSS 0.0065 • Exploits 2

wpexploit • added 2021/09/13 12:00 a.m. • 812 views

EditorsKit < 1.31.6 - Contributor+ Arbitrary PHP Code Execution

The plugin does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low as contributor to execute arbitrary PHP code. As a contributor, create/edit a post and put the below code while in Code Editor mode: \naa\n Save or Preview the page,...

CVSS 8.8 • AI score 1.1 • EPSS 0.01753 • Exploits 2

wpexploit • added 2021/06/29 12:00 a.m. • 808 views

Popup box < 2.3.4 - Authenticated Blind SQL Injections

The getayspopupboxes and getpopupcategories functions of the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard Exploit All of them with same technique. SQLMAP:...

CVSS 6.5 • AI score 0.5 • EPSS 0.01362 • Exploits 2

wpexploit • added 2021/04/27 12:00 a.m. • 808 views

WPGraphQL < 1.3.6 - Denial of Service

The plugin suffers from a Denial of Service vulnerability by Field Duplication. It is possible to create an expensive query by duplicating the number of fields, while simultaneously sending these requests in batches using GraphQL's Batching capability. v1.3.6 added a setting to disable batch...

AI score 6.6 • Exploits 1 • References 1

wpexploit • added 2021/10/11 12:00 a.m. • 807 views

Header Footer Code Manager < 1.1.14 - Admin+ SQL Injections

The plugin does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections...

CVSS 7.2 • AI score 2 • EPSS 0.05124 • Exploits 2

wpexploit • added 2021/08/23 12:00 a.m. • 805 views

Timetable and Event Schedule by MotoPress < 2.4.0 - Arbitrary User's Hashed Password/Email/Username Disclosure

The plugin outputs the Hashed Password, Username and Email Address, along with other less sensitive data, of the user related to the Event Head of the Timeslot in the response when requesting the event Timeslot data with a user with the edit_posts capability. Combined with the other Unauthorised Event...

CVSS 6.5 • EPSS 0.01139 • Exploits 2

wpexploit • added 2021/02/01 12:00 a.m. • 805 views

WP Editor < 1.2.7 - Authenticated SQL injection

The plugin did not sanitise or validate its setting fields leading to an authenticated admin+ blind SQL injection issue via an arbitrary parameter when making a request to save the settings. https://drive.google.com/file/d/1KT4lHePmYuX36jvA4AEQ1MVDwJBlZOO/view?usp=sharing payload:...

AI score 2.5 • EPSS 0.00771 • Exploits 2

wpexploit • added 2021/01/18 12:00 a.m. • 806 views

301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection

The plugin does not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. The PoC video provided mentioned 2.53 as vulnerable, however v2.45 was installed and used. The issue has been verified to have been fixed in 2.51 POST...

AI score 0.9 • EPSS 0.01238 • Exploits 1 • References 1

wpexploit • added 2020/12/15 12:00 a.m. • 803 views

Redux Framework < 4.1.21 - CSRF Nonce Validation Bypass

The plugin did not properly validate some nonces, only checking them if their value was set. As a result, CSRF attacks could still be performed by not submitting the nonce in the request, bypassing the protection they are supposed to provide. Just don't send the parameters: $_POST['nonce'] or...

AI score 0.7 • Exploits 0 • References 4

wpexploit • added 2021/07/26 12:00 a.m. • 800 views

Contact Form 7 Captcha < 0.0.9 - CSRF to Stored XSS

The plugin does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged in user with the manage_options capability change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. All cf7sr parameters are...

CVSS 6.8 • AI score 0.1 • EPSS 0.00719 • Exploits 2 • References 1

wpexploit • added 2021/09/27 12:00 a.m. • 799 views

Check & Log Email < 1.0.3 - Admin+ SQL Injections

The plugin does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injection issues. With the 'Enable Log' settings of the plugin activated: -...

CVSS 7.2 • AI score 1.2 • EPSS 0.01275 • Exploits 2

wpexploit • added 2020/03/05 12:00 a.m. • 799 views

WP Advanced Search < 3.3.4 - Unauthenticated Database Access and Remote Code Execution (RCE)

Arbitrary database queries can be executed in an unauthenticated context of the "WP-Advanced-Search Plugin". E.g. a new administrative account could be added to the WordPress instance, a malicious plugin deployed and therefore Remote Code Execution RCE would be possible in the end. PoC: Update th...

AI score 2 • Exploits 0 • References 1

wpexploit • added 2023/03/23 12:00 a.m. • 793 views

WooCommerce Payments < 5.6.2 - Unauthenticated Privilege Escalation

The plugin has a flaw allowing unauthenticated attackers to create an admin account and take over the blog POST /wp-json/wp/v2/users HTTP/1.1 Host: 127.0.0.1 Upgrade-Insecure-Requests: 1 Accept:...

CVSS 9.8 • AI score 9.3 • EPSS 0.86919 • Exploits 9 • References 1

wpexploit • added 2022/10/03 12:00 a.m. • 793 views

WP Super Cache < 1.9 - Unauthenticated Cache Poisoning

The plugin is affected by a cache poisoning issue curl 'https://example.com//?s=12333'...

AI score 2.6 • Exploits 0

wpexploit • added 2021/10/11 12:00 a.m. • 793 views

wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF

The plugin does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged in users such as admin edit and delete arbitrary comments, or the user who made the comment edit it, via a CSRF attack. Attackers could also make logged in users post arbitrary...

CVSS 4.3 • AI score 0.5 • EPSS 0.00467 • Exploits 2

wpexploit • added 2021/07/20 12:00 a.m. • 791 views

HM Multiple Roles < 1.3 - Arbitrary Role Change

The plugin does not have any access control to prevent low privilege users from setting themselves as admin via their profile page. As any authenticated user, go to your Profile page and Tick the Administrator Role checkbox. In v1.2, the checkboxes are disabled in the UI but can be tampered with by eith...

CVSS 6.5 • AI score 1.5 • EPSS 0.01509 • Exploits 2 • References 2

wpexploit • added 2021/10/18 12:00 a.m. • 790 views

MouseWheel Smooth Scroll < 5.7 - Plugin's Setting Update via CSRF

The plugin does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVSS 6.5 • AI score 0.6 • EPSS 0.00531 • Exploits 2

wpexploit • added 2021/11/08 12:00 a.m. • 789 views

Registrations for the Events Calendar < 2.7.6 - Unauthenticated SQL Injection

The plugin does not sanitise and escape the eventid in the rtecsendunregisterlink AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL injection. The below request will send an email to [email protected] wi...

CVSS 9.8 • AI score 9.5 • EPSS 0.07474 • Exploits 2

wpexploit • added 2021/06/14 12:00 a.m. • 788 views

BCS BatchLine Book Importer < 1.5.8 - Unauthenticated Product Import

The plugin did not correctly check for permission in its wc/v3/bcsbertlinebookimport REST route, allowing unauthenticated users to import arbitrary products or update existing ones. POST /wp-json/wc/v3/bcsbertlinebookimport HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflat...

AI score 0.4 • Exploits 0 • References 1

wpexploit • added 2023/04/24 12:00 a.m. • 787 views

WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi

The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. Note: The visitorId parameter's numerical prefix before the %27 must be different on each try...

CVSS 9.8 • AI score 7.8 • EPSS 0.04234 • Exploits 2

wpexploit • added 2021/08/30 12:00 a.m. • 786 views

Cookie Notice & Compliance for GDPR / CCPA < 2.1.2 - Admin+ Stored Cross-Site Scripting

The plugin does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed. Put the following payload in the Button text setti...

CVSS 4.8 • AI score 0.4 • EPSS 0.00598 • Exploits 2

wpexploit • added 2021/05/31 12:00 a.m. • 786 views

Yes/No Chart < 1.0.12 - Authenticated (contributor+) Blind SQL Injection

The plugin did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users (contributor+) to perform Blind SQL Injection attacks. To exploit, the site administrator must add a question set and a question first. This requirement is usually met for all...

CVSS 6.5 • AI score 0.5 • EPSS 0.01164 • Exploits 2

wpexploit • added 2021/10/05 12:00 a.m. • 783 views

Batch Cat <= 0.3 - Subscriber+ Arbitrary Categories Add/Set/Delete to Posts

The plugin defines 3 custom AJAX actions, which all require authentication but are available for all roles. As a result, any authenticated user, including simple subscribers, can add/set/delete arbitrary categories to posts. Set the category 107 to the post 1537: POST /wp-admin/admin-ajax.php...

CVSS 6.5 • AI score 0.6 • EPSS 0.00873 • Exploits 2

wpexploit • added 2021/09/02 12:00 a.m. • 783 views

Meow Gallery < 4.1.9 - Contributor+ SQL Injection

The plugin does not sanitise, validate or escape the ids attribute of its gallery shortcode available for users as low as Contributor before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that...

CVSS 8.1 • AI score 0.1 • EPSS 0.01131 • Exploits 2

wpexploit • added 2021/08/16 12:00 a.m. • 783 views

Language Bar Flags <= 1.0.8 - CSRF to Stored XSS

The plugin does not have any CSRF check in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set a Cross-Site Scripting payload in them, which will be executed in t...

CVSS 4.3 • AI score 0.3 • EPSS 0.00467 • Exploits 2

wpexploit • added 2021/08/09 12:00 a.m. • 781 views

Keywords & Meta <= 3.0 - CSRF to Stored Cross-Site Scripting (XSS)

The plugin does not sanitise or escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing an attacker to make a logged in high privilege user save arbitrary settings via a CSRF...

CVSS 5.4 • AI score 0.4 • EPSS 0.00319 • Exploits 2

wpexploit • added 2021/08/02 12:00 a.m. • 781 views

StoryChief < 1.0.31 - Reflected Cross-Site Scripting (XSS)

The plugin does not sanitise or escape its tab parameter in the Settings page before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/options-general.php?page=storychief&tab=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E...

AI score 1.3 • Exploits 0

wpexploit • added 2021/03/19 12:00 a.m. • 781 views

PhastPress < 1.111 - Open Redirect

There is an open redirect in the plugin that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/ that...

CVSS 5.8 • AI score 0.5 • EPSS 0.03066 • Exploits 2 • References 1

Total number of security vulnerabilities: 4359