4359 matches found
WP Blogs' Planetarium <= 1.0 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.forms0.submit;...
CommentTweets <= 0.6 - Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks HTMLFormElement.prototype.submit.call document.forms0 ;...
Font Awesome 4 Menus <= 4.7.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Put the following payload in the "A custom...
WPCode < 2.0.13.1 - Reflected XSS
Description The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting Make a logged in admin open https://example.com/wp-admin/admin.php?page=wpcode&a"alert/XSS/=2...
W3 Total Cache < 2.1.4 - Reflected XSS in Extensions Page (Attribute Context)
The plugin was vulnerable to a reflected Cross-Site Scripting XSS security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a...
Travelpayouts < 1.1.17 - Open Redirect
Description The plugin is vulnerable to Open Redirect due to insufficient validation on the travelpayoutsredirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action...
Member Hero <= 1.0.9 - Unauthenticated RCE
The plugin lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments. curl https://example.com/wp-admin/admin-ajax.php?action=memberherosendform&memberherohook=phpinfo...
Biteship for WooCommerce < 2.2.25 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the biteshiperror and biteshipmessage parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open one of the URLs belo...
Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
In the plugin, unauthenticated users can use the wpcf7rgetnonce AJAX action to retrieve a valid nonce for any WordPress action/function. 'wpcf7rgetnonce', 'param' = 'ANY ACTION HERE' ; $output = curlexec$ch; curlclose$ch; printr$output; ?...
Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
Description The plugin does not disallow listing the backups-dup-lite/tmp directory or the backups-dup-pro/tmp directory in the Pro version, which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to...
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.61 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the admin dashboard when the WPML plugin is also active and configured, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page...
Contact Form 7 < 5.9.5 - Unauthenticated Open Redirect
Description The plugin has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing. 1. Add a form to a footer widget area 2. Disable JavaScript 3. Access the URL: https://example.com/%0a/google.com 4. Fill out the form and submit 5. The browser wi...
Dokan < 3.7.6 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users Setup: - Install WooCommerce dependency, no setup required - Install the plugin, complete the wizard no special configuration was...
360 Product Rotation <= 1.5.8 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. http://example.com/wp-content/plugins/360-product-rotation/includes/iframe.php?licenseid=1"ale...
Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API
The plugin does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization. curl --json ' "media": "tmpname": "/WPCONTENTPATH/wp-config.php",...
WPDashboardNotes < 1.0.11 - Unauthorised Deletion of Private Notes
Description The plugin is vulnerable to Insecure Direct Object References IDOR in postid= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises...
Download Manager < 3.2.83 - Unauthenticated Protected File Download Password Leak
Description The plugin does not protect file download's passwords, leaking it upon receiving an invalid one. 223 being the ID of a password protected download: curl -X POST --data 'wpdmID=223&dataType=json&execute=wpdmgetlink&action=wpdmajaxcall&password=123322'...
SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
The plugin does not ensure that users making. alive search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink...
Menu Image, Icons made easy < 3.0.8 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggere...
Ultimate Member 2.1.3 - 2.8.2 - Unauthenticated SQL Injection
Description The plugin does not sanitize and escape the sorting parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks when the "Enable custom table for usermeta" option is enabled. Requirement: "Enable custom table for usermeta" option to be...
JetBackup < 2.0.9.9 - Directory Listing Exposing Backups
Description The plugin doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files. A partial fix was released in 2.0.9.6, removing the ability to list the directory but still allowing direct...
Microsoft Advertising Universal Event Tracking < 1.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Due to the nature of this plugin, well crafted XSS can also leak into the frontpage. Put the following...
WP Amour < 1.5.7 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise and escape its setting fields, leading to Stored Cross-Site Scripting issues. Furthermore, the lack of CSRF checks could also allow attackers to trigger the XSS via CSRF attacks against a logged in administrator alert/XSS-Field/' / alert/XSS-Error/' /...
JNews < 8.0.6 - Reflected Cross-Site Scripting (XSS)
The theme did not sanitise the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory, leading to a Reflected Cross-Site Scripting XSS issue. POST /?ajax-request=jnews HTTP/1.1 Accept: text/html, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,...
Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update
The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the userscanregister and defaultrole,...
Hide Admin Bar Based on User Roles < 3.0.0 - Subscriber+ Settings Update
The plugin does not have authorisation and CSRF checks, allowing any authenticated users, such as subscriber, to update the plugin's settings https://example.com/wp-admin/admin-ajax.php?action=saveuserroles&caps=test&disableForAll=no...
RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF
The Import feature of the plugin /wp-admin/tools.php?page=rsvpmakerexportscreen takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack. Go to the...
Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Unauthenticated RFI and SSRF
The theme and plugin have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF Server Side Request Forgery and RFI Remote File Inclusion vulnerabilities on...
Leaflet Map < 3.0.0 - Contributor+ Stored XSS
The plugin does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to exploit stored XSS issues Most of the shortcode attributes are not escaped, so these are just one of them: leaflet-map...
Paid Member Subscriptions < 2.4.2 - Authenticated SQL Injection
The plugin did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages. http://www.example.com/wp-admin/admin.php?page=pms-members-page&orderby=userid&order=asc,select from...
WP Advanced Search <= 1.1.6 - Admin+ SQL Injection
Description The plugin does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configurations. 1. Log in as an administrator 2. Visit...
Filebird 4.7.3 - Unauthenticated SQL Injection
The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the getcol function and it allows SQL injection. The Rest...
File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE
Seravo noticed multiple cases where WordPress sites were breached using 0-day in wp-file-manager confirmed with v6.8, which was the latest version available in wordpress.org. File lib/php/connector.minimal.php can be by default opened directly, and this file loads...
JobSearch WP Job Board < 2.3.4 - Authentication Bypass
Description The plugin does not prevent attackers from logging-in as any users with the only knowledge of that user's email address. Browse to the site, paste the following in your browser's console replace the email address with that site's administrator's email address:...
Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
The plugin does not sanitise and escape the time parameter before using it in a SQL statement in the mecloadsinglepage AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue...
Kaswara Modern VC Addons (0-day) - Unauthenticated Arbitrary File Upload
The plugin allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fontsicon directory with no checks for malicious files such as PHP. The vendor has been unresponsive to both the reporter and Envato,...
Royal Elementor Addons < 1.3.95 - Unauthenticated IP Spoofing
Description The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to IP Address Spoofing due to insufficient IP address validation. This makes it possible for unauthenticated attackers to spoof their IP addresses. Set any of the following server headers as used in getclienti...
WP Go Maps < 9.0.28 - Unauthenticated Stored XSS
Description The plugin does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site. Run the following Python script, then visit https://vulnerable-site.tld/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&mapid=1...
KiviCare Management System < 3.2.1 - Multiple CSRF
The plugin does not have CSRF checks either flawed or missing completely in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medical records/etc, create/update...
Backup Migration < 1.3.8 - Unauthenticated RCE
Description The plugin is vulnerable to Remote Code Execution via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated...
Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
The plugin does not validate and escape the postid parameter before using it in a SQL statement via the qcopdupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection curl 'http://example.com/wp-admin/admin-ajax.php' --data...
Testimonial Rotator <= 3.0.3 - Authenticated Stored Cross-Site Scripting
Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users Contributor to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation Edit WPScanTeam: The https://wordpress.org/plugins/themify-portfolio-post/ plugin...
Betheme < 26.6 - Contributor+ PHP Object Injection
The plugin unserializes user input provided via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfnbuilderimport, mfnbuilderimportpage, importdata, importsinglepage, and importfromclipboard functions. This could allow users with a role as low as contributor t...
Avada < 7.11.7 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing
Description The Avada theme for WordPress is vulnerable to Sensitive Information Exposure via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism. Access t...
Download Manager < 3.2.71 - Broken Access Controls
The plugin does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's...
User Private Files < 1.1.3 - Subscriber+ Arbitrary File Upload
The plugin does not filter file extensions when letting users upload files on the server, which may lead to malicious code being uploaded. 1 Create a file named exploit.php, which contains: ?php phpinfo; 2 Find the upfajaxnonce on the site's front page. 2 Run the following cURL request, curl --ur...
System Dashboard < 2.8.10 - XSS via Header Injection
Description The plugin does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks X-Forwarded-For: 11.11.11.11alert1...
WordPress Database Administrator <= 1.0.3 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. Run the command: curl -i -s -k -X POST --data-binary...
W3 Total Cache < 2.1.5 - Reflected XSS in Extensions Page (JS Context)
The plugin was affected by a reflected Cross-Site Scripting XSS issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This...
Asgaros Forum < 2.7.1 - Unauthenticated Arbitrary File Upload
Description The plugin allows forum administrators, who may not be WordPress super-administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files e.g. .php, .phtml, potentially leading to remote code execution. Any user who has the rights to modify the...