4359 matches found
WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update
The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow unauthenticated attackers to change them. All settings are affected, example, to change the Thousands Separator one, run the below command in the developer console of the web browser whil...
Simple Single Sign On <= 4.1.0 - Authentication Bypass
The plugin leaks its OAuth clientsecret, which could be used by attackers to gain unauthorized access to the site. When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in. The button invokes the following URL:...
WooCommerce < 8.1.1 - Shop Manager+ User Metadata Disclosure
Description The plugin returns all user metadata via an AJAX action, which could allow users with a role as low as Shop Manager to access an arbitrary user's metadata which could include tokens and other potentially sensitive data As a shop manager or product vendor admin: Edit an order/create an...
VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
The plugin lets any user execute arbitrary PHP functions on the site. https://example.com/wp-admin/admin-post.php?vrccmd=phpinfo...
The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure
The plugin does not validate the qvquery parameter of the tpgetdlpostinfoajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts The following request allow an unauthenticated user to get the draft posts the nonce can be retriev...
Responsive Menu < 4.0.4 - CSRF to Settings Update
"Attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site." function submitRequest var xhr = new...
Duplicator < 1.4.7.1 - Unauthenticated System Information Disclosure
The plugin does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. 1. curl 'http://example.com/wp-content/backups-dup-lite/dup-installer/main.installer.php?view=1' 2. curl -d view...
Videojs HTML5 Player < 1.1.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, put the following shortcode in a page/post videojsvideo url=...
ThemeREX Addons - Remote Code Execution
"This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts." Note WPScanTeam: There are major version inconsistencies in the trxaddons shipped with the affected themes. As a result, a...
Essential Blocks < 4.4.3 - Unauthenticated Local File Inclusion
Description The plugin does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks. curl --url...
Flexi - Guest Submit < 4.20 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to a Reflected Cross-Site Scripting Open the following URL when authenticated as any user: https://example.com/user-dashboard/?search=keyword:...
WP Super Cache < 1.7.3 - Authenticated Remote Code Execution
The parameters $cachepath, $wpcachedebugip, $wpsupercachefrontpagetext, $cachescheduledtime, $cacheddirectpages used in the plugin settings result in RCE because they allow input of "$" and "\n". This is due to an incomplete fix of CVE-2021-24209. You can run the command directly to...
SendGrid <= 1.11.8 - Authenticated Authorization Bypass
The plugin is vulnerable to authorization bypass via the getajaxstatistics function found in the /lib/class-sendgrid-statistics.php file which allows authenticated users to export statistics for a WordPress multi-site main site in versions up to 1.11.8. This vulnerability only affects the main si...
Advanced Custom Fields < 6.1.6 - Reflected XSS
The plugins do not escape the poststatus parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
Formidable Forms < 6.2 - Unauthenticated PHP Object Injection
The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitrary deserialization"; 1. Active this plugin a...
Sassy Social Share < 3.3.61 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below...
InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE
The plugin insecurely uses PHP's extract function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers. Invoke the following shell commands to disclose the /etc/passwd file: Define the payload "pagepath" value...
JetEngine < 3.1.3.1 - Author+ Remote Code Execution
The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. fetch"/wp-admin/admin.php?action=jetengineformsimport", "headers": "accept": "text/html", "content-type": "multipart/form-data;...
Qards - Stored Cross-Site Scripting (XSS)
Google Dork: inurl:"plugins/qards" Qards provides you easy option to drag and edit every part and element of your site in the front-end, you will never have to write any code to change the layout or to change any part of the site like the traditional WordPress way. The vulnerable script...
WPFront Notification Bar < 2.0.0.07176 - Authenticated Stored XSS
The plugin does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue v alert/XSS/ v alert/XSS/...
Elementor 3.6.0-3.6.2 - Subscriber+ Arbitrary File Upload
The plugin is lacking capability check in a function hooked to admininit introduced in v3.6.0, and only relying on a CSRF check. As the nonce is available to any authenticated users, they could call it and upload a malicious zip archive containing arbitrary files via a subsequent call, leading to...
tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation
The plugin does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog. To set the user...
WP Custom Cursors <= 3.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup The PoC will be displayed on February...
Floating Chat Widget < 3.1.9 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Chaty New Widget" 2. Create ...
Hide Admin Bar Based on User Roles < 3.1.0 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, allowing attackers to make a logged in admin update the plugin's settings via a CSRF attack https://example.com/wp-admin/admin-ajax.php?action=saveuserroles&caps=test&disableForAll=no...
Caldera forms < 1.9.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a form, and put the following payload in the Form Name via th...
Page Generator Plugin < 1.6.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Got to Page Generator - Keywords - Add Keyword and put the following payload in the "Terms" field then...
Leaflet Map < 3.0.0 - Arbitrary Settings Update via CSRF Leading to Stored XSS
The plugin does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or usin...
Jannah < 5.4.5 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action, leading to a Reflected Cross-site Scripting XSS vulnerability. POST /demo/wp-admin/admin-ajax.php HTTP/1.1 Host: jannah.tielabs.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:89.0...
Sassy social share < 3.3.63 Admin+ Stored Cross-Site scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to the plugin's settings. 2...
Ultimate Noindex Nofollow Tool II < 1.3.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Settings Ultimate Noindex" 2...
Latest Tweets Widget <= 1.1.4 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit;...
Popup Builder < 4.0.7 - Admin+ SQL Injection
The plugin does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection...
Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and RCE
The plugin allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. The issue is being actively exploited, and no patch is available. Further details will be made available once pathed. The Custom Product Designer plugin for WordPress offers the ability for...
Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. Make sure you have Elementor installed and a page or post edited with Elementor. Here's the python script that will execute the exploit...
Jquery Validation For Contact Form 7 < 5.3 - Arbitrary Options Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like defaultrole, userscanregister via a CSRF attack...
BackWPup < 4.0.4 - Unauthenticated Backup Download
Description The plugin does not prevent visitors from leaking key information about ongoing backups, allowing unauthenticated attackers to download backups of a site's database. 1 Ensure that Apache is configured with the ability to list directory content. 2 When this is done, you can see the...
WooCommerce Product Vendors < 2.1.77 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below html alert/XSS/" /...
Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE
The wpdmadminuploadfile AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden. As an author or any account with the uploadfiles capability, attach a .php4 file to a download...
Page Builder KingComposer <= 2.9.6 - Open Redirect
The plugin does not validate the id parameter before redirecting the user to it via the kcgetthumbn AJAX action available to both unauthenticated and authenticated users https://example.com/wp-admin/admin-ajax.php?action=kcgetthumbn&id=https://wpscan.com...
EventON < 2.1.2 - Unauthenticated Post Access via IDOR
The plugin does not validate that the eventid parameter in its eventonicsdownload ajax action is a valid Event, allowing unauthenticated visitors to access any Post including unpublished or protected posts content via the ics export functionality by providing the numeric id of the post...
JSmol2WP <= 1.07 - Unauthenticated Server Side Request Forgery (SSRF)
The jsmol2wp WordPress plugin was affected by an Unauthenticated Server Side Request Forgery SSRF security vulnerability. http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php...
Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload
"A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further...
File Manager Pro < 1.8 - Remote Code Execution via CSRF
Description The plugin does not properly check the CSRF nonce in the fsconnector AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell. As a Super Admin, run the following code ...
Gutenberg Blocks by Kadence Blocks < 3.2.37 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Add a Lottie Animation block to a post a...
Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access
Description The plugin allows you to display custom field values for any post via shortcode without checking for the correct access 1. ADMIN: Install Advanced Custom Fields or ACF Pro 2. ADMIN: Create a new field group for posts and add a field to that 3. ADMIN: Fill in content for posts includin...
LMS by Masteriyo < 1.6.8 - Information Exposure
The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints. curl -i -s -k -X $'GET' \ -H $'Host: localhost:8000' -H $'sec-ch-ua: ' -H $'Accept: application/json...
Ni Purchase Order(PO) For WooCommerce <= 1.2.1 - Admin+ File Upload to Remote Code Execution
Description The plugin does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell. 1. Create a malicious file exploit.php with the contents 2. Visit...
All-In-One-Gallery < 2.5.0 - Admin+ Local File Inclusion
The plugin does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue https://example.com/wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex...
WordPress SEO Plugin - Rank Math < 1.0.41 - Privilege Escalation via Unprotected REST API Endpoint
This plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permissioncallback used for capability checking. The endpoint called a function, updatemetadata which could be used to update the slug on existing posts, or could be used to delete or update metadata for...