4359 matches found
Responsive Gallery Grid < 2.3.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Note: In ids, please add the image attachme...
Permalink Manager < 2.2.15 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue https://example.com/index.php?p=%3Cimg%20src%20onerror=alert/XSS/%3E&debugurl=1...
Car Repair Services < 4.0 - Unauthenticated Reflected XSS & XFS
The theme did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue https://smartdata.tonytemplates.com/car-repair-service-v4/car1/estimateresult/result?s=&serviceestimatekey=...
Post Views Count <= 3.0.2 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a Contributor+ create a new post and add...
Watu Quiz < 3.3.8.2 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open the following URL:...
LearnPress < 4.1.6.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting Fixed in 4.1.6.6 - https://example.com/wp-admin/admin.php?page=learn-press-settings&tab=emails§ion=new-order-emails&a"alert/XSS/ Fixed in 4.1.6.7 - With a lesson attached ...
Klaviyo <= 3.0.10 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Klaviyo Settings, and at Klaviyo Setting...
Video Conferencing with Zoom < 3.9.3 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/edit.php?posttype=zoom-meetings&page=zoom-video-conferencing-settings&a"alert/XSS/...
WP Mail Log < 1.1.3 โ Contributor+ Arbitrary File Upload to RCE
Description The plugin does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution. Run the following JS code in any page on the server, setting the id variable to a valid ID of a log entry on the server...
Paid Memberships Pro < 2.9.12 - Subscriber+ SQL Injection
The plugin does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query. While logged in as a subscriber, send the following request: await fetch'/wp-admin/admin-ajax.php',method:'POST', headers: 'Content-Type':...
Icon Widget < 1.3.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit:...
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Subscription Form
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, put the following shortcode in a post/page pumsubform namefieldtype="fullname" labelname="Name"...
WP Google My Business Auto Publish < 3.4 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Note: First, you need to connect a Google My Business, select Account, and select Location. Exploit shortcode: gmb-revi...
PowerPack Lite for Beaver Builder < 1.2.9.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/options-general.php?page=ppbb-settings&tab=%22%3E%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E...
WordPress Bitcoin Payments - Blockonomics < 3.3 - Reflected Cross-Site Scripting (XSS)
The plugin does not properly sanitise its filter action when viewing Orders before outputting it back in an attribute, leading to a reflected Cross-Site Scripting vulnerability. v alert/XSS/...
Team Members < 5.2.1 - Editor+ Stored XSS
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as editors to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in a multisite setup. 1. Go to the "Teams" section ยป add a new te...
WP Dark Mode < 4.0.0 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack Exploit shortcode: wpdarkmode class='" onmouseover="alert1"'...
Product Slider and Carousel with Category for WooCommerce < 2.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. wcpscwcpdtslider design='" onmouseover="alert1"'...
GiveWP < 2.24.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks givemultiformgoal image='"...
WP Super Cache < 1.7.2 - Authenticated Remote Code Execution (RCE)
The plugin was affected by an authenticated admin+ RCE in the settings page due to input validation failure and weak $cachepath check in the WP Super Cache Settings - Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for...
Widgets on Pages <= 1.7.0 - Contributor+ Stored XSS
The plugin does not validate and escape its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. widgetsonpages tiny="...
GS Logo Slider < 3.3.8 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Print-O-Matic < 2.1.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
List Pages Shortcode < 1.7.6 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. list-pages...
WPQA < 5.9.3 - Missing validation lead to functionality abuse
The plugin which is a companion plugin used with Discy and Himer themes incorrectly tries to validate that a user already follows another in the wpqafollowingyouajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them...
Image Optimizer by 10web < 1.0.27 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the iowdtabsactive parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged in admin to execute arbitrary javascript by clicking a link. Make a logged in admin...
Simple URLs < 115 - Subscriber+ SQLi
The plugin does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL injection exploitable by low privilege users such as subscriber. Run the below command in the developer console of the web browser whi...
Elementor < 3.5.5 - Iframe Injection
Description The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs...
Seed Social < 2.0.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Put the following payload in any of the plugin...
Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in General Module
The plugin does not sanitise and escape the wcjdeleterole parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue The "General" module needs to be enabled in "Woocommerce - Booster Settings - Booster"...
Bold Timeline Lite < 1.1.5 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Contact Form X < 2.4.1 - Reflected Cross-Site Scripting
The plugin does not escape the tab parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/options-general.php?page=contactformx&tab="+style=animation-name:rotation+onanimationstart=alert/XSS///...
WP Responsive Testimonials Slider And Widget <= 1.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks testimonialsslider autoplay="1; alert1;...
WPML Multilingual CMS < 4.6.1 - Reflected Cross-Site Scripting
The plugin does not escape some URL attributes before outputting them to a page, leading to a Reflected Cross-Site Scripting vulnerability. After setting up the plugin, visit the following URL: /wp-login.php?wplang=%20=id=x+type=image%20id=xss%20onfoc%3C!%3Eusin+alert0%0c...
Social Sharing Toolkit <= 2.6 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Note: First y...
Themify Portfolio Post < 1.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the numofpages parameter before outputting it back the response of the themifycreatepopuppagepagination AJAX action available to any authenticated user, leading to a Reflected Cross-Site Scripting alert/XSS/;'...
MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure
Description The plugin does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts. The fix made in 2.88.15 is not sufficient as it still allowed any authenticated users, such s subscriber to read arbitrary...
VikBooking < 1.5.9 - Reflected Cross-Site Scripting
The plugin does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/?test%22-alert/XSS/-%22 https://example.com/wp-admin/profile.php?test%22-alert/XSS/-%22...
WP AutoSuggest 0.24 - Unauthenticated SQL Injection
The wp-autosuggest WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability. sqlmap -u "http://URL/wp-content/plugins/wp-autosuggest/autosuggest.php?wpasaction=query&wpaskeys=1" --technique BT --dbms MYSQL --risk 3 --level 5 -p wpaskeys --tamper space2comment...
Meks Flexible Shortcodes < 1.3.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit:...
Rich Table of Contents < 1.3.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: The shortcode generates the content...
Slimstat Analytics < 4.9.3 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against logged in admin viewing the logs As an unauthenticated user, open the following URL https://example.com/?s="alert/XSS/ The XSS...
Image Hover Effects Ultimate < 9.7.1 - Reflected Cross-Site Scripting
The plugin does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting...
Video Conferencing with Zoom < 3.8.16 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape user data before outputting it back in attributes in some admin pages, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/edit.php?posttype=zoom-meetings&page=zoom-video-conferencing&hostid="alert/XSS/...
Like Button Rating < 2.6.32 - Unauthenticated Full-Read SSRF
The LikeBtn WordPress plugin was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery SSRF. On line 7493 in likebtnlikebutton.php a hook is set to allow unauthenticated ajax calls which will call the function likebtnprx. As the name suggests, this function works as a proxy and can ...
WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
Description WordPress does not properly restrict which user fields are searchable via the REST API. from multiprocessing import Pool import requests import string import json import sys if lensys.argv != 2: printf'USAGE: sys.argv0 ' sys.exit url = sys.argv1.rstrip'/' + '/wp-json/wp/v2/users'...
FluentSMTP < 2.2.3 - Stored XSS via Email Logs
The plugin does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks XSS when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML. XSS Payload : Steps to reproduce: 1. Install...
WP Visitor Statistics (Real Time Traffic) < 6.5 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Exploit shortcode: wsmshowDayStatBox id='" onclick="javascript:alert1'...
Tickera < 3.4.8.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. As unauthenticated, book an Event, and put the following payload ...
All-in-one Floating Contact Form < 2.0.4 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to reflected XSS on the my-sticky-elements-leads admin page. http://127.0.0.1:8001/wp-admin/admin.php?page=my-sticky-elements-leads&search-contact=xxxx%22%3E%3Cimg+src+onerror%3Dalert%281%29+x...