4359 matches found
Opening Hours <= 2.3.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: A Set needs to be present op-is-open...
Login with Phone Number < 1.4.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ID parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin https://example.com/wp-admin/admin-ajax.php?action=lwpforgotpassword&ID=...
Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE
The plugin fails to validate and sanitize the libpath parameter before it is passed into a call to require via the narnoodistributorlibrequest AJAX action available to both unauthenticated and authenticated users which results in the disclosure of arbitrary files as the content of the file is the...
WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR
"The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the orderid parameter in a fetchorderstatus action." https://example.com/wp-admin/admin-ajax.php?action=fetchorderstatus&orderid=XX...
Woo Products Widgets For Elementor < 1.0.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Install WooCommerce and add a product. 2...
Product list Widget for Woocommerce <= 1.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users such as high privilege one like admin. Make any unauthenticated or authenticated users su...
Beautiful Cookie Consent Banner < 2.10.2 - Unauthenticated Stored XSS
The plugin does not have authorisation and CSRF check when updating its settings, and does not escape some of them when outputting them, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks. An initial fix was released in version 2.10.1, and completed in...
TI WooCommerce Wishlist < 1.40.1 - Unauthenticated Blind SQL Injection
The plugins do not sanitise and escape the itemid parameter before using it in a SQL statement via the wishlist/removeproduct REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks time wget...
Site Reviews < 5.17.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape the site-reviews parameter of the glsraction AJAX action available to unauthenticated and any authenticated users, allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin...
Timed Content < 2.73 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. timed-content-client hide="10:00:'...
PickPlugins Product Slider for WooCommerce < 1.13.42 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wcps id='" onmouseover="alert/XSS/"'...
Post to CSV by BestWebSoft <= 1.4.0 - Author+ CSV Injection
The plugin does not properly escape fields when exporting data as CSV, leading to a CSV injection - create a post using =5+5 as the title - export the data as CSV /wp-admin/admin.php?page=post-to-csv.php - open the CSV with a spreadsheet application Excel, Libre Office - the CSV formula gets...
BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
The plugin does not validate the url parameter of its uploadimagefromurl AJAX action, which could allow unauthenticated attackers to perform PHAR deserialisation granted they an upload a file to the server and a suitable gadget chain is present as well 1. Create a malicious phar file. 2. Upload t...
Pagerank Tools <= 1.1.5 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin https://example.com/wp-admin/tools.php?page=pagepageranks&url="alert333...
Social Like Box and Page by WpDevArt < 0.8.41 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wpdevartlikebox height='"...
FL3R FeelBox <= 8.1 - Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open a page containing the HTML code below '...
Simple URLs < 115 - Multiple Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. https://example.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search=...
Chaty Free < 2.8.3 & Pro < 2.8.2 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting http://example.com/wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E...
ShopLentor < 2.5.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, add a "WL : FAQ" Gutenberg block to ...
Justified Gallery < 1.7.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Exploit shortcode: gallery ids="1" lightbox="' onmouseover='alert1'"...
Helloprint < 1.4.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting Make a logged in admin open the following URL: https://example.com/wp-admin/admin.php?page=language-translate.php&success=added"alertXSS...
Email Subscribers & Newsletters < 5.3.2 - Subscriber+ Blind SQL injection
The plugin does not correctly escape the order and orderby parameters to the ajaxfetchreportlist action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to tri...
BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id
The plugin suffers from an Insecure Direct Object Reference IDOR vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointmentid query parameter. curl -s...
Easy Affiliate Links < 3.7.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit Additional CSS classes for "Easy Affiliate...
WP TripAdvisor Review Slider < 11.9 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to Get TripAdvisor Reviews optio...
Theme Editor < 2.6 - Authenticated Arbitrary File Download
The plugin did not validate the GET file parameter before passing it to the downloadfile function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd Edit WPScanTeam: The AJAX action wpajaxmkthemeeditorfileopen could also be used to achieve the same thing a...
Everest Forms < 2.0.8 - Unauthenticated Server-Side Request Forgery via font_url
Description The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery via the 'fonturl' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify...
Security & Malware scan by CleanTalk < 2.121 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass bruteforce protection. Send 5 invalid login requests and thus block the IP address. POST /wp-login.php HTTP/1.1 Host: localhost...
User Post Gallery <= 2.19 - Unauthenticated RCE
The plugin does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it. Invoke the following curl command to execute the "id" command via PHP's exec function: curl -i...
Burst Statistics (Free < 1.5.0, Pro < 1.5.1) - Unauthenticated SQL Injection
Description The plugins do not properly sanitise and escape the url parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated users, such as subscribers curl 'https://example.com/burst-statistics-endpoint.php' \ -H 'content-type:...
POST SMTP Mailer < 2.7.1 - Unauthenticated Cross-site Scripting
Description The plugin does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users. 1. Install Post SMTP in version 3. Visit /wp-admin/admin.php?page=postmanemaillog Post SMTP - Email Log 4...
Slider, Gallery, and Carousel by MetaSlider < 3.27.9 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its Gallery Image parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Add an image to a Gallery via...
Html5 Video Player < 2.5.19 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape some of its player settings, which combined with missing capability checks around the plugin could allow any authenticated users, such as low as subscribers to perform Stored Cross-Site Scripting attacks against high privilege users like admins...
Login/Signup Popup < 2.2 - Reflected Cross-Site Scripting
The plugin does not escape its tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=xoo-el-fields&tab="alert/XSS/...
MOLIE <= 0.5 - Authenticated SQL Injection
The plugin does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection https://example.com/wp-admin/post.php?post=validpostid+and+SLEEP%285%29&action=edit https://example.com/wp-admin/admin-post.php?action=edit&post=1+and+SLEEP%285%29...
PageLayer < 1.8.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Enter the following payload in the...
Business Directory Plugin < 5.11.1 - Authenticated PHP4 Upload to RCE
The plugin did not properly check for imported files, forbidding certain extension via a blacklist approach, allowing administrator to import an archive with a .php4 inside for example, leading to RCE Create a php4 file with PHP code in it, zip it and import it via the plugin import feature...
Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request coul...
Plezi < 1.0.3 - Unauthenticated Stored XSS
The plugin has a REST endpoint allowing unauthenticated users to update the plzconfigurationtrackerenable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue curl -X POST...
Ovic Responsive WPBakery < 1.2.9 - Subscriber+ Option Update
Description The plugin does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'userscanregister' and 'defaultrole'. It also unserializes user input in the process, which may lead to Object...
kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition
Description The plugin does not implement atomic operations, allowing one user vote multiple times on a poll due to a Race Condition. 1- Install and activate kk Star Ratings. 2- Go to the page that displays the star rating. 3- Using Burp and the Turbo Intruder extension, intercept the rating...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element
In the plugin, the column element includes/elements/column.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript in th...
Post SMTP < 2.6.1 - Authenticated (Administrator+) SQL Injection
Description The Post SMTP plugin for WordPress is vulnerable to time-based SQL Injection via the logid parameter in versions up to, and including, 2.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...
Prime Mover < 1.9.3 - Directory Listing to Sensitive Data Exposure
Description The plugin does not prevent directory listing in sensitive directories containing export files. http://127.0.0.1/wordpress/wp-content/uploads/prime-mover-export-files/1/ 0 Go to packages and crate new If there is no backup now 1 Go to this URL manualy 2 Use Exploit...
affiliate-toolkit < 3.4.3 - Unauthenticated SSRF
Description The plugin lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkpimagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery...
iThemes Security Free (< 7.9.1) & Pro (< 6.8.4) - Hide Backend Bypass
Both the iThemes Security free and pro versions were affected. - Patched in Version iThemes Security: 7.9.1 - Patched in Version iThemes Security Pro: 6.8.4 The bug allowed attackers to bypass the "Hide Backend" feature, that, when enabled, hides the WordPress wp-login.php and wp-admin pages...
Chaty < 3.0.3 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin...
HC Custom WP-Admin URL <= 1.4 - Unauthenticated Secret URL Disclosure
The plugin leaks the secret login URL when sending a specific crafted request curl -sIXGET -H "Cookie: validloginslug=1" https://example.com/wp-login.php HTTP/2 302 x-redirect-by: WordPress location: secret...
Spiffy Calendar < 4.9.9 - Broken Access Control
Description The plugin doesn't check the eventauthor parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+. Using a Contributor+ account and a proxy interceptor such as Burp Suite, create an event. Change the...
Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload
The theme does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE Listingo Unauthenticated File Upload Upload a File: The response give the path to the file uploaded:...