4359 matches found
WP Responsive Menu < 3.1.7.1 - Subscriber+ Settings Update to Stored XSS
The plugin does not have capability and CSRF checks in the wprliveupdate AJAX action, as well as do not sanitise and escape some of the data submitted. As a result, any authenticated, such as subscriber could update the plugin's settings and perform Cross-Site Scripting attacks against all visito...
KiviCare < 2.3.9 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajaxpost AJAX action with the getdoctordetails route, leading to SQL Injections exploitable by unauthenticated users With at least one doctor created via the plugin: v 2.3.4 curl...
Welcart e-Commerce < 2.1.1 - Authenticated SQL Injection
The Welcart e-Commerce WordPress plugin, less than version 2.1.1 and possibly below, was vulnerable to authenticated SQLI Injection in the searchordercolumn0 POST parameter of the "/wp-admin/admin.php?page=uscesorderlist" page. Refer to references...
Featured Image from URL < 4.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup POST...
Ultimate Product Catalog < 5.2.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate to the plugin setup page. 2. Go to the...
JobBoardWP < 1.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP. Setup: 1. Install the vulnerable plugin jobboardwp version 1.2.1 2. In the toast message that appears on the plugin's installation...
Leaflet Maps Marker < 3.12.5 - Admin+ SQLi
The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks. PoC for filter-operator1 parameter: POST...
MapPress Maps for WordPress < 2.88.14 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the Point of Interest Title and Description options in a map, allowing Contributor and above role to perform Stored Cross-Site Scripting attacks As a contributor, add/edit a Map and search any location you want. Add XSS Payload on Location’s...
YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
The plugin does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them Install the plugin and configure any mailer other than Default. Access the wp-admin area with a Subscriber+ user an...
JobSearch WP Job Board < 2.3.4 - Arbitrary File Upload to RCE
Description The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server Navigate to the site, and paste the following in your browser's console: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers:...
Collapse-O-Matic <= 1.8.5.5 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a Contributor user create a new post and add a shortcode containing the following payload: expand elwraptag="img...
Motors - Car Dealer, Classifieds & Listing < 1.4.4 - Arbitrary File Upload
The plugin does not properly validate uploaded files for dangerous file types such as .php in an AJAX action, allowing an attacker to sign up on a victim's WordPress instance, upload a malicious PHP file and attempt to launch a brute-force attack to discover the uploaded payload. This PoC was...
Featured Image from URL < 4.0.0 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues All settings...
XCloner < 4.3.6 - Plugin Settings Reset
The plugin does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. v4.3.5 added capability check, but CSRF one still missing. v...
Coming Soon and Maintenance by Colorlib < 1.0.99 - Admin+ Stored Cross Site Scripting
The plugin does not sanitize and escape some settings, allowing high privilege users such as admin to perform Stored Cross-Site Scripting when unfilteredhtml is disallowed for example in multisite setup Put the following payload in the "Google Analytics" settings of the plugin in the General...
Astra Pro Addon < 3.5.2 - Unauthenticated SQL Injection
The plugin did not properly sanitise or escape some of the POST parameters from the astrapaginationinfinite and astrashoppaginationinfinite AJAX action available to both unauthenticated and authenticated user before using them in SQL statement, leading to an SQL Injection issues Via...
wpForo Forum < 1.9.7 - Open Redirect
The plugin did not validate the redirectto parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website under their control and being a replica of the legitimat...
Smart Slider 3 < 3.5.0.9 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may...
Business Hours Pro <= 5.5.0 - Unauthenticated Arbitrary File Upload to RCE
The plugin allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability. Note WPScanTeam: - The issue has been escalated to Envato on March 30th, 2021 and the plugin has been removed from the...
Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS
Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks. 1. Login with a subscriber account, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2...
WP Sessions Time Monitoring Full Automatic < 1.0.9 - Unauthenticated SQL injection
Description The plugin does not sanitize the request URL or query parameters before using them in an SQL query, allowing unauthenticated attackers to extract sensitive data from the database via blind time based SQL injection techniques, or in some cases an error/union based technique. Blind time...
Quttera Web Malware Scanner < 3.4.2.1 - Directory Listing to Sensitive Data Exposure
Description The plugin doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code http://yoursite/wordpress/wp-content/plugins/quttera-web-malware-scanner/runtime.log...
Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update
Description The plugin does not prevent users with low privileges like subscribers from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including DoS. Once the site gets at least 25 conversions using the plugin, a notice will show up on the...
hiWeb Migration Simple <= 2.0.0.1 Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. The hiweb-migration-simple plugin is vulnerable to POST based XSS on endpoint...
Newsletter < 7.4.6 - Admin+ Stored Cross-Site Scripting
The plugin does not escape and sanitise the preheadertext setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed Go to Newsletters of Newsletter at wordpress admin panel eg...
Fancy Comments WordPress < 1.2.15 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin Put...
popup-builder < 4.2.6 - Admin+ SSRF & File Read
Description The plugin does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations. 1. Create a multi-site wordpress setup, i.e. using docker-containers, and setup a second "site" wit...
EventON (Free < 2.2.9, Premium < 4.5.9) - Unauthenticated Virtual Event Settings Update
Description The plugins do not have authorisation and CSRF in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details etc To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240: curl -X POST --da...
WP Adminify < 3.1.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Several fields in the plugin are...
tagDiv Composer < 4.2 - Admin+ Stored XSS
Description The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example i...
OSMapper <= 2.1.5 - Unauthenticated Arbitrary Post Deletion
The plugin contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wpajaxnopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result,...
Responsive Menu < 4.0.4 - CSRF to Arbitrary File Upload
"Attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site." function submitRequest var xhr = new XMLHttpRequest;...
Testimonial Slider < 2.3.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Testimonial Shortcode" 2. Ad...
Visual Portfolio < 2.18.0 - Unauthenticated CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts The postid is the ID of a saved layout...
Email Subscribers & Newsletters < 5.3.2 - Unauthenticated arbitrary option update
The plugin lacks both authentication and nonce checks in its esdismissadminnotice function, allowing an external attacker to set arbitrary plugin options to "yes". https://example.com/?optionname=userroles&esdismissadminnotice=1 This will set the option igesuserroles to "yes"...
Woocommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfilteredhtml is disabled Enable taxes...
FormCraft Premium < 3.9.7 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. 1. View the plugin settings and intercept the request and add the payload sortOrder=ASC%2cselectfromselectsleep20a 2. See...
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
The plugin does not have proper authorisation in one of its REST endpoint, allowing unauthenticated users to update the "Toggle thecontent filter" setting POST /wp-json/yikes/cpt/v1/settings HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
NextCellent Gallery <= 1.9.35 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its image settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Create/edit a gallery with at least one image, pu...
Listeo < 1.6.11 - Multiple XSS & XFS vulnerabilities
The theme did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues - Unauthenticated Reflected XSS | Search query, vulnerable parameters: keywordsearch and locationsearch - Authenticated Persistent XSS & XFS |...
Change WordPress Login Logo < 1.1.5 - Authenticated Stored Cross-Site Scripting
The height, and width fields used to update the custom logo was found to be vulnerable to stored XSS, as they did not sanitize user input properly before publishing the changes. It is triggered when a user loads the login page. Set the following payload as Height or Width in the plugin's settings...
rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Admin+ RCE
Description The plugin loads the contents of the import file in an unsafe manner, leading to remote code execution by privileged users. 1. As an admin, visit rtMedia Settings Export/Import. 2. Click the "Browse File" button beside "Import rtMedia Settings". 3. Upload a file with the extension .js...
SEOPress < 6.5.0.3 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks add new payment method with XSS exploit: fetch'http://localhost/tester-wp/wp-admin/admin-ajax.php', method: 'POST', headers: new...
WP Socializer < 7.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Activate the Share Icons feature of the...
Discy < 5.0 - Subscriber+ Broken Access Control to change settings
The theme lacks authorization checks then processing ajax requests to the discyupdateoptions action, allowing any logged in users with privileges as low as Subscriber, to change the theme options by sending a crafted POST request. POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type:...
MailChimp for Woocommerce < 2.7.1 - Subscriber+ SSRF
The plugin has an AJAX action that allows any logged in users such as subscriber to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example As any logged in user:...
iQ Block Country <= 1.2.18 - Protection Bypass due to IP Spoofing
The plugin does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. curl -i -H 'CF-CONNECTING-IP: 0.0.0.0' https://example.com...
WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection
An endpoint of the API, which is exposed when the 'use cache plugin' setting is enabled by default disabled, is vulnerable to an unauthenticated blind SQLi issue. time curl -X POST 'http://host/wp-json/wpstatistics/v1/hit' --data...
Accordion & FAQ < 1.9.9 - Reflected XSS
The plugin does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting Make a logged-in admin open one of the URLs below when the feature notice has not been dismissed yet...