Lucene search
K
WpexploitMost viewed

4359 matches found

wpexploit
wpexploit
added 2022/08/22 12:0 a.m.270 views

WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update

The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow unauthenticated attackers to change them. All settings are affected, example, to change the Thousands Separator one, run the below command in the developer console of the web browser whil...

0.4AI score
Exploits0
wpexploit
wpexploit
added 2022/08/09 12:0 a.m.270 views

Simple Single Sign On <= 4.1.0 - Authentication Bypass

The plugin leaks its OAuth clientsecret, which could be used by attackers to gain unauthorized access to the site. When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in. The button invokes the following URL:...

7.5CVSS2AI score0.00584EPSS
Exploits2References1
wpexploit
wpexploit
added 2023/09/11 12:0 a.m.269 views

WooCommerce < 8.1.1 - Shop Manager+ User Metadata Disclosure

Description The plugin returns all user metadata via an AJAX action, which could allow users with a role as low as Shop Manager to access an arbitrary user's metadata which could include tokens and other potentially sensitive data As a shop manager or product vendor admin: Edit an order/create an...

7.3AI score
Exploits0References2
wpexploit
wpexploit
added 2022/07/22 12:0 a.m.269 views

VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call

The plugin lets any user execute arbitrary PHP functions on the site. https://example.com/wp-admin/admin-post.php?vrccmd=phpinfo...

9.8CVSS2.7AI score0.12442EPSS
Exploits2
wpexploit
wpexploit
added 2021/12/13 12:0 a.m.267 views

The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure

The plugin does not validate the qvquery parameter of the tpgetdlpostinfoajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts The following request allow an unauthenticated user to get the draft posts the nonce can be retriev...

7.5CVSS1.2AI score0.01815EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/02/10 12:0 a.m.267 views

Responsive Menu < 4.0.4 - CSRF to Settings Update

"Attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site." function submitRequest var xhr = new...

1.4AI score0.00796EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/08/01 12:0 a.m.266 views

Duplicator < 1.4.7.1 - Unauthenticated System Information Disclosure

The plugin does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. 1. curl 'http://example.com/wp-content/backups-dup-lite/dup-installer/main.installer.php?view=1' 2. curl -d view...

5.3CVSS2AI score0.08415EPSS
Exploits5References2
wpexploit
wpexploit
added 2022/11/22 12:0 a.m.265 views

Videojs HTML5 Player < 1.1.9 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, put the following shortcode in a page/post videojsvideo url=...

5.4CVSS0.8AI score0.00471EPSS
Exploits2
wpexploit
wpexploit
added 2020/02/18 12:0 a.m.265 views

ThemeREX Addons - Remote Code Execution

"This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts." Note WPScanTeam: There are major version inconsistencies in the trxaddons shipped with the affected themes. As a result, a...

7.5CVSS2.9AI score0.08877EPSS
Exploits2References3
wpexploit
wpexploit
added 2023/12/21 12:0 a.m.263 views

Essential Blocks < 4.4.3 - Unauthenticated Local File Inclusion

Description The plugin does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks. curl --url...

9.8CVSS6.7AI score0.50673EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/16 12:0 a.m.263 views

Flexi - Guest Submit < 4.20 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to a Reflected Cross-Site Scripting Open the following URL when authenticated as any user: https://example.com/user-dashboard/?search=keyword:...

6.1CVSS6.2AI score0.00788EPSS
Exploits2
wpexploit
wpexploit
added 2021/05/14 12:0 a.m.263 views

WP Super Cache < 1.7.3 - Authenticated Remote Code Execution

The parameters $cachepath, $wpcachedebugip, $wpsupercachefrontpagetext, $cachescheduledtime, $cacheddirectpages used in the plugin settings result in RCE because they allow input of "$" and "\n". This is due to an incomplete fix of CVE-2021-24209. You can run the command directly to...

9CVSS1.6AI score0.23844EPSS
Exploits4References1
wpexploit
wpexploit
added 2021/07/21 12:0 a.m.262 views

SendGrid <= 1.11.8 - Authenticated Authorization Bypass

The plugin is vulnerable to authorization bypass via the getajaxstatistics function found in the /lib/class-sendgrid-statistics.php file which allows authenticated users to export statistics for a WordPress multi-site main site in versions up to 1.11.8. This vulnerability only affects the main si...

4CVSS2.2AI score0.00698EPSS
Exploits1References1
wpexploit
wpexploit
added 2023/05/04 12:0 a.m.261 views

Advanced Custom Fields < 6.1.6 - Reflected XSS

The plugins do not escape the poststatus parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...

7.1CVSS6.3AI score0.38768EPSS
Exploits3
wpexploit
wpexploit
added 2023/04/06 12:0 a.m.261 views

Formidable Forms < 6.2 - Unauthenticated PHP Object Injection

The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitrary deserialization"; 1. Active this plugin a...

9.6AI score0.00702EPSS
Exploits2
wpexploit
wpexploit
added 2024/04/05 12:0 a.m.259 views

Sassy Social Share < 3.3.61 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below...

5.9AI score0.0048EPSS
Exploits3References1
wpexploit
wpexploit
added 2022/11/28 12:0 a.m.259 views

InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE

The plugin insecurely uses PHP's extract function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers. Invoke the following shell commands to disclose the /etc/passwd file: Define the payload "pagepath" value...

9.8CVSS0.2AI score0.09519EPSS
Exploits2
wpexploit
wpexploit
added 2023/03/20 12:0 a.m.258 views

JetEngine < 3.1.3.1 - Author+ Remote Code Execution

The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. fetch"/wp-admin/admin.php?action=jetengineformsimport", "headers": "accept": "text/html", "content-type": "multipart/form-data;...

8.8CVSS9.1AI score0.01519EPSS
Exploits2
wpexploit
wpexploit
added 2017/10/11 12:0 a.m.258 views

Qards - Stored Cross-Site Scripting (XSS)

Google Dork: inurl:"plugins/qards" Qards provides you easy option to drag and edit every part and element of your site in the front-end, you will never have to write any code to change the layout or to change any part of the site like the traditional WordPress way. The vulnerable script...

4.3CVSS6.4AI score0.01933EPSS
Exploits2References2
wpexploit
wpexploit
added 2021/07/11 12:0 a.m.257 views

WPFront Notification Bar < 2.0.0.07176 - Authenticated Stored XSS

The plugin does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue v alert/XSS/ v alert/XSS/...

3.5CVSS0.3AI score0.00695EPSS
Exploits2References2
wpexploit
wpexploit
added 2022/04/13 12:0 a.m.256 views

Elementor 3.6.0-3.6.2 - Subscriber+ Arbitrary File Upload

The plugin is lacking capability check in a function hooked to admininit introduced in v3.6.0, and only relying on a CSRF check. As the nonce is available to any authenticated users, they could call it and upload a malicious zip archive containing arbitrary files via a subsequent call, leading to...

8.8CVSS0.92943EPSS
Exploits10References2
wpexploit
wpexploit
added 2023/06/19 12:0 a.m.255 views

tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation

The plugin does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog. To set the user...

8.8CVSS9.4AI score0.00474EPSS
Exploits2
wpexploit
wpexploit
added 2023/12/18 12:0 a.m.254 views

WP Custom Cursors <= 3.2 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup The PoC will be displayed on February...

4.8CVSS6AI score0.00335EPSS
Exploits1
wpexploit
wpexploit
added 2024/04/03 12:0 a.m.253 views

Floating Chat Widget < 3.1.9 - Editor+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Chaty New Widget" 2. Create ...

5.7AI score0.00394EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/21 12:0 a.m.253 views

Hide Admin Bar Based on User Roles < 3.1.0 - Settings Update via CSRF

The plugin does not have CSRF check when updating its settings, allowing attackers to make a logged in admin update the plugin's settings via a CSRF attack https://example.com/wp-admin/admin-ajax.php?action=saveuserroles&caps=test&disableForAll=no...

3.1AI score
Exploits0
wpexploit
wpexploit
added 2021/11/11 12:0 a.m.253 views

Caldera forms < 1.9.5 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a form, and put the following payload in the Form Name via th...

4.8CVSS5AI score0.00598EPSS
Exploits2
wpexploit
wpexploit
added 2022/06/27 12:0 a.m.252 views

Page Generator Plugin < 1.6.5 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Got to Page Generator - Keywords - Add Keyword and put the following payload in the "Terms" field then...

4.8CVSS0.5AI score0.00493EPSS
Exploits2
wpexploit
wpexploit
added 2021/07/01 12:0 a.m.252 views

Leaflet Map < 3.0.0 - Arbitrary Settings Update via CSRF Leading to Stored XSS

The plugin does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or usin...

4.3CVSS1.4AI score0.0056EPSS
Exploits2
wpexploit
wpexploit
added 2021/06/14 12:0 a.m.252 views

Jannah < 5.4.5 - Reflected Cross-Site Scripting (XSS)

The theme did not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action, leading to a Reflected Cross-site Scripting XSS vulnerability. POST /demo/wp-admin/admin-ajax.php HTTP/1.1 Host: jannah.tielabs.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:89.0...

6.1CVSS0.7AI score0.02697EPSS
Exploits2
wpexploit
wpexploit
added 2024/05/22 12:0 a.m.249 views

Sassy social share < 3.3.63 Admin+ Stored Cross-Site scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to the plugin's settings. 2...

5.6AI score0.00456EPSS
Exploits2References1
wpexploit
wpexploit
added 2024/03/25 12:0 a.m.249 views

Ultimate Noindex Nofollow Tool II < 1.3.6 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Settings Ultimate Noindex" 2...

5.7AI score0.00266EPSS
Exploits2
wpexploit
wpexploit
added 2022/05/18 12:0 a.m.249 views

Latest Tweets Widget <= 1.1.4 - Arbitrary Settings Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit;...

6.5CVSS1.7AI score0.00513EPSS
Exploits2
wpexploit
wpexploit
added 2022/01/24 12:0 a.m.249 views

Popup Builder < 4.0.7 - Admin+ SQL Injection

The plugin does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection...

7.2CVSS1.9AI score0.05839EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/06/01 12:0 a.m.249 views

Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and RCE

The plugin allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. The issue is being actively exploited, and no patch is available. Further details will be made available once pathed. The Custom Product Designer plugin for WordPress offers the ability for...

9.8CVSS1.3AI score0.47091EPSS
Exploits2References1
wpexploit
wpexploit
added 2023/10/09 12:0 a.m.248 views

Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload

Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. Make sure you have Elementor installed and a page or post edited with Elementor. Here's the python script that will execute the exploit...

9.8CVSS9.7AI score0.81695EPSS
Exploits18
wpexploit
wpexploit
added 2022/06/27 12:0 a.m.248 views

Jquery Validation For Contact Form 7 < 5.3 - Arbitrary Options Update via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like defaultrole, userscanregister via a CSRF attack...

4.3CVSS1.6AI score0.00368EPSS
Exploits2
wpexploit
wpexploit
added 2024/03/18 12:0 a.m.247 views

BackWPup < 4.0.4 - Unauthenticated Backup Download

Description The plugin does not prevent visitors from leaking key information about ongoing backups, allowing unauthenticated attackers to download backups of a site's database. 1 Ensure that Apache is configured with the ability to list directory content. 2 When this is done, you can see the...

6.6AI score0.02261EPSS
Exploits2References1
wpexploit
wpexploit
added 2023/06/21 12:0 a.m.247 views

WooCommerce Product Vendors < 2.1.77 - Reflected XSS

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below html alert/XSS/" /...

7.1CVSS5.9AI score0.00382EPSS
Exploits1References1
wpexploit
wpexploit
added 2021/04/30 12:0 a.m.247 views

Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE

The wpdmadminuploadfile AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden. As an author or any account with the uploadfiles capability, attach a .php4 file to a download...

7AI score
Exploits0
wpexploit
wpexploit
added 2022/02/16 12:0 a.m.246 views

Page Builder KingComposer <= 2.9.6 - Open Redirect

The plugin does not validate the id parameter before redirecting the user to it via the kcgetthumbn AJAX action available to both unauthenticated and authenticated users https://example.com/wp-admin/admin-ajax.php?action=kcgetthumbn&id=https://wpscan.com...

6.1CVSS3.8AI score0.0428EPSS
Exploits4
wpexploit
wpexploit
added 2023/06/19 12:0 a.m.244 views

EventON < 2.1.2 - Unauthenticated Post Access via IDOR

The plugin does not validate that the eventid parameter in its eventonicsdownload ajax action is a valid Event, allowing unauthenticated visitors to access any Post including unpublished or protected posts content via the ics export functionality by providing the numeric id of the post...

5.3CVSS9.2AI score0.06116EPSS
Exploits5
wpexploit
wpexploit
added 2018/12/25 12:0 a.m.244 views

JSmol2WP <= 1.07 - Unauthenticated Server Side Request Forgery (SSRF)

The jsmol2wp WordPress plugin was affected by an Unauthenticated Server Side Request Forgery SSRF security vulnerability. http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php...

5CVSS2.7AI score0.13078EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/02/10 12:0 a.m.243 views

Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload

"A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further...

1.2AI score0.08196EPSS
Exploits2References1
wpexploit
wpexploit
added 2023/09/11 12:0 a.m.242 views

File Manager Pro < 1.8 - Remote Code Execution via CSRF

Description The plugin does not properly check the CSRF nonce in the fsconnector AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell. As a Super Admin, run the following code ...

8.8CVSS8.6AI score0.06838EPSS
Exploits2References1
wpexploit
wpexploit
added 2024/05/14 12:0 a.m.241 views

Gutenberg Blocks by Kadence Blocks < 3.2.37 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Add a Lottie Animation block to a post a...

5.9AI score0.00367EPSS
Exploits2References1
wpexploit
wpexploit
added 2024/05/30 12:0 a.m.240 views

Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access

Description The plugin allows you to display custom field values for any post via shortcode without checking for the correct access 1. ADMIN: Install Advanced Custom Fields or ACF Pro 2. ADMIN: Create a new field group for posts and add a field to that 3. ADMIN: Fill in content for posts includin...

9.5AI score0.00428EPSS
Exploits2
wpexploit
wpexploit
added 2023/07/10 12:0 a.m.240 views

LMS by Masteriyo < 1.6.8 - Information Exposure

The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints. curl -i -s -k -X $'GET' \ -H $'Host: localhost:8000' -H $'sec-ch-ua: ' -H $'Accept: application/json...

9.1AI score0.01926EPSS
Exploits2
wpexploit
wpexploit
added 2023/12/12 12:0 a.m.239 views

Ni Purchase Order(PO) For WooCommerce <= 1.2.1 - Admin+ File Upload to Remote Code Execution

Description The plugin does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell. 1. Create a malicious file exploit.php with the contents 2. Visit...

7.2CVSS6.7AI score0.00876EPSS
Exploits2
wpexploit
wpexploit
added 2021/11/15 12:0 a.m.239 views

All-In-One-Gallery < 2.5.0 - Admin+ Local File Inclusion

The plugin does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue https://example.com/wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex...

7.2CVSS6.8AI score0.05898EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/03/31 12:0 a.m.238 views

WordPress SEO Plugin - Rank Math < 1.0.41 - Privilege Escalation via Unprotected REST API Endpoint

This plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permissioncallback used for capability checking. The endpoint called a function, updatemetadata which could be used to update the slug on existing posts, or could be used to delete or update metadata for...

7.5CVSS0.6AI score0.09106EPSS
Exploits2References1
Total number of security vulnerabilities4359