4359 matches found
Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login
The plugin has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username /pie-register-login/ is the login page of the plugin, ie the one with pieregisterlogin v 3.7.1.5 POST /pie-register-login/ HTTP/1....
LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Request: POST...
ArForms < 6.6 - Unauthenticated RCE
Description The plugin allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form 1. Create a form with an upload input 2. As an unauthenticated user, upload an image file and intercept the request. 3. Modify i...
EventON < 4.4.1 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page containing one of the code below: 2.6.x the cmonth a...
Estatik Real Estate Plugin < 4.1.1 - Reflected XSS
Description The plugin does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open one of the URLs below some...
Tiempo.com <= 0.1.2 - Stored XSS via CSRF
The plugin does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open a page with the code below input type="hid...
Download Manager Pro < 6.3.0 - Unauthenticated Sensitive Information Disclosure
The plugin leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files. - Create a password protected package containing one or more files. - Navigate to the download page of the package e.g. /download/package1 - Inspect...
WoodMart < 7.1.2 - Unauthenticated Arbitrary Shortcode Injection
The theme could allow arbitrary shortcode to be injected when the "Display results from blog" settings is enabled, which could lead to Reflected XSS for example, when using a shortcode vulnerable to XSS When the "Display results from blog" settings is enabled:...
Adrotate < 5.8.23 - Admin+ XSS via Advert Name
The plugin does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit an Advert and put the following payload in the Name field: " The XSS will be triggered when accessi...
Modern Events Calendar Lite < 6.4.0 - Contributor+ Stored Cross Site Scripting
The plugin does not sanitize and escape some of the Hourly Schedule parameters which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, create/edit an Event, add the following payload in a "Hourly Schedule" title, as well as any of...
Social Icons Widget & Block < 4.2.18 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. As an administrator, visit...
Genesis Blocks < 3.1.3 - Contributor+ Stored XSS
Description The plugin does not properly escape data input provided to some of its blocks, allowing using with at least contributor privileges to conduct Stored XSS attacks. As a contributor, put the below code in a post while in Code Editor mode The XSS will be triggered when viewing/previewing...
Autotitle for WordPress <= 1.0.3 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. document.forms0.submit;...
All In One WP Security & Firewall < 5.0.8 - IP Spoofing
The plugin is susceptible to IP Spoofing attacks, which can lead to bypassed security features like IP blocks, rate limiting, brute force protection, and more. Set HTTPXREALIP or HTTPXFORWARDEDFOR used in getuseripaddress to bypass IP-based blocks...
Post SMTP < 2.1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfilteredhtml capability is disallowed. Put the following payload in the Post SMTP Settings...
WP-DBManager < 2.80.8 - Admin+ Remote Command Execution
The plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should. Use any WordPress plugin that allows the users to upload files with extension - ".php" is not required - for example: .jpg usually many...
Ninja Forms File Uploads Extension < 3.3.1 - Unauthenticated Arbitrary File Upload
The plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the /includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code...
Persian Woocommerce < 5.9.8 - Reflected Cross-Site Scripting
The plugin does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=persian-wc&s=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22...
All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion
Thrive “Legacy” themes register a REST API endpoint to compress images using the Kraken image optimization engine. By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote...
Import WP < 2.13.1 - Admin+ Server-side Request Forgery
Description The plugin does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations. 1. As an admin, create a new importer in /wp-admin/tools.php?page=importwp 2. Visit /wp-admin/admin-ajax.php?action=rest-nonce and...
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.3 - Missing authentication
The plugin does not validate authorization in its vcita-wordpress/v1/actions/auth REST route endpoint, allowing an unauthenticated attacker to set the connection parameters for the vcita account connection, including businessname and email address. Furthermore, the variables are stored in the...
RSS Aggregator by Feedzy < 4.1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1. Add the Feedzy RS...
Checkout Field Editor for WooCommerce < 1.8.0 - Admin+ PHP Object Injection
The plugin unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present To simulate a gadget chain, put the following code in a plugin class Evil public function wakeup : void die"Arbitrary...
Fast Flow < 1.2.12 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting ' https://example.com/wp-admin/admin.php?page=fast-flow&p="...
Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it As unauthenticated: wget "https://example.com/?p=1" --header "Referer: " -O- The XSS will be...
VDZ Google Analytics or Google Tag Manager / GTM < 1.4.9 - Authenticated Stored XSS
The plugin does not properly sanitise or escape some of its settings, allowing high privilege users such as admin to perform XSS attacks even when the unfilteredhtml capability is disallowed Put the following payloads in the Google Analytics ID settings of the plugin...
Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection
The wpajaxnfoauthdisconnect from the plugin had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection...
Carousel Slider < 2.2.10 - Editor+ Stored XSS
Description The plugin does not validate and escape some of its Slide options before outputting them back in the page/post where the related Slide shortcode is embed, which could allow users with the Editor role and above to perform Stored Cross-Site Scripting attacks As an Editor, create/edit a...
JSM file_get_contents() Shortcode < 2.7.1 - Contributor+ SSRF
Description The plugin does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks. wpfgc url="http://127.0.0.1:8084"...
Limit Login Attempts Reloaded < 2.25.26 - Admin+ Missing Authorization to Toggle Plugin Auto-Update
Description The plugin is missing authorization on the toggleautoupdate AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin. As an Admin, open the Limit Login Attempts page in WP Admin and run the following code in the browser console: nonce =...
Woocommerce Vietnam Checkout < 2.0.6 - Unauthenticated Stored XSS
Description The plugin does not escape the custom shipping phone field no the checkout form leading to XSS 1 Install both WooCommerce and the plugin. 2 Set a WooCommerce shipping method, and the store's address to one that is in Vietnam. 3 Add product to cart, and proceed to checkout 4 Tick "Ship...
WPSchoolPress < 2.2.5 - Teacher+ SQLi
Description The plugin uses the WordPress escsql function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers. 1. Install the WPSchoolpress plugin and Import Demo Data. 2. Log in as a teache...
Chatbot < 4.7.8 - Admin+ Stored XSS in Language Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the plugin settings, select "WPB...
Hide My WP < 6.2.9 - Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For:...
My Private Site < 3.0.8 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; document.getElementById"test".submit; sc...
Flattr <= 1.2.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Flattr" settings 2. In the...
Easy Social Feed < 6.5.6 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Slider - Ultimate Responsive Image Slider < 3.5.12 - Subscriber+ Arbitrary Post Access
Description The plugin does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated users, such as subscriber to access the content arbitrary post such as private, draft and password protected Run the below...
WP Job Openings < 3.4.3 - Sensitive Data Exposure via Directory Listing
Description The plugin does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled...
All Users Messenger <= 1.24 - Subscriber+ Message Deletion via IDOR
Description The plugin does not prevent non-administrator users from deleting messages from the all-users messenger. 1 Go to the messenger 2 Catch a request that is constantly running at intervals of 3 seconds 3 Change the message time argument to true 4 Set true for permission to delete a commen...
WP Popups < 2.1.5.1 - Contributor+ Stored XSS
The plugin does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. This is due to an insufficie...
Car Dealer < 3.05 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org Run the below command in the developer console of the web browser while being on the blog as a...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthenticated LFI
The plugin does not validate and sanitise a parameter before using it to include a file via an AJAX action available to both unauthenticated and authenticated users, which could lead to Local File Inclusion POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Photo Gallery < 1.5.75 - Stored Cross-Site Scripting via Uploaded SVG
The plugin did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly ie in the...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget
In the plugin, the divider widget includes/widgets/divider.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request with this parameter set to...
FooGallery < 2.4.15 - Author+ Stored XSS
Description The plugin does not validate and escape some of its Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin Create a new...
Ditty < 3.1.36 - Author+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
MapPress Maps for WordPress < 2.88.15 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks As a contributor, create/edit a map with the below payload as title and attach it to a post can be...
Product Catalog Enquiry for WooCommerce < 5.0.3 - Unauthenticated Stored XSS via Arbitrary Setting Update
Description The plugin does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. 1 Make sure the plugin is configured with the "Catalog Mode" activated. 2 Launch the following from your browser's console:...
AnyWhere Elementor < 1.2.8 - Freemius API Key Disclosure
The plugin discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. Such key has been revoked. See the disclosed secret key in includes/pro.php...