4359 matches found
Popup Manager <= 1.6.6 - Unauthenticated Stored XSS
The plugin does not have authorisation and CSRF check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored XSS payloads as well fetch'/wp-admin/admin-ajax.php', method: 'POST', headers...
Directorist – Business Directory Plugin < 7.0.6.2 - CSRF to Remote File Upload
The plugin was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory. This vulnerability was seen actively exploited by Sucuri in the wild for ransomware attacks. 1. Authenticate as any user. 2. Paste below HTML...
Post Content XMLRPC <= 1.0 - Admin+ SQL Injections
The plugin does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated SQL Injections https://example.com/wp-admin/admin.php?page=pcxaddsites&mode=add&id=1%20AND%20SELECT%207953%20FROM%20SELECTSLEEP5AgUn...
Font Farsi <= 1.6.6 - Admin+ Stored XSS in Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Testimonial Slider < 2.3.7 - Author+ Settings Update
Description The plugin does not properly ensure that a user has the necessary capabilities to edit certain sensitive plugin settings, making it possible for users with at least the Author role to edit them. 1 Go to a page where one of the sliders is already in use and intercept the nonce tss 2...
CM Download Manager < 2.9.0 - Download Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins delete downloads via a CSRF attack Make an admin open the URL below https://example.com/cmdownload/del/id/...
Product Enquiry for WooCommerce < 3.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Form Customizer: 1. Navigate to...
Enable SVG Uploads <= 2.1.5 - Author+ Stored XSS via SVG
The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. 1. Upload a malicious SVG: alert"XSS Test"; 2. Add to post and view SVG to see XSS...
Clock In Portal <= 2.1 - Staff Deletion via CSRF
The plugin does not have CSRF check when deleting Staff members, which could allow attackers to make logged in admins delete arbitrary Staff via a CSRF attack Make a logged in admin open a page with the code below, this will make them delete the Staff with ID 1...
Sidebar Widgets by CodeLights <= 1.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Insert the following shortcode in a post:...
Event Timeline <= 1.1.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Timeline Text, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a Timeline, put the following payload in the "Text" field at the bottom: alert/XSS/ Click save...
Kudos Donations < 3.1.2 - Arbitrary Items Deletion via CSRF
The plugin has a logic flaw in its CSRF checks when deleting items such as Donors, Transactions, Subscriptions etc, allowing attackers to make a logged in admin delete them https://example.com/wp-admin/admin.php?page=kudos-transactions&action=delete&id=1...
WordPress + Microsoft Office 365 < 15.4 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise error descriptions before outputting them in the log notice, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged in administrator POST / HTTP/1.1 Content-Length: 242 Content-Type: application/x-www-form-urlencoded...
underConstruction < 1.19 - Reflected Cross-Site Scripting
The plugin does not escape the PHPSELF before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php/"alert/XSS//?page=under-construction...
iFlyChat – WordPress Chat <= 4.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue Step1: Install and activate the plugin "iFlyChat – WordPress Chat-4.6.4" Step2: Enter the following payload in the "APP ID" field of the plugin...
Salon booking system < 9.6.6 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make an admin open a page containing the code: input type="submit" valu...
Responsive Pricing Table < 5.1.11 - Author+ Stored XSS
Description The plugin does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks - Create a new Pricing Table...
WP Fastest Cache < 1.2.2 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. 1. Visit WP Fastest Cache Settings. Ensure "Cache System" is enabled, and "Logged-in Users" is disabled. Click "Submit" at...
WooCommerce Product Vendors < 2.1.79 - ShopManager+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as ShopManager As ShopManager, open the URL below...
WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF
The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcodeactivatesnippets capability delete arbitrary log files on the server, including outside of the blog folders Make a...
JoomSport < 5.2.8 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users 1. Install the vulnerable plugin joomsport-sports-league-results-management version 5.2.6, skip the demo data import when prompted 2...
WP ALL Export Pro < 1.7.9 - Authenticated SQLi
The plugin uses the contents of the ccsql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports...
Multiple Shipping Address Woocommerce < 2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection
The plugin does not sanitise and escape the postid parameter before using it in a SQL statement via a REST route of the plugin accessible to any authenticated user, leading to a SQL injection As any authenticated user, such as subscriber To get the nonce: /wp-admin/admin-ajax.php?action=rest-nonc...
Everest Forms < 1.8.0 - Reflected Cross-Site Scripting
The plugin does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue The formid needs to be a valid one...
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component
There is functionality in the plugin to add file uploads to user registrations and profile updates that had no file type checking in place making it possible for arbitrary files to be uploaded. fh = open'shell.php', 'wb' fh.writeb'\xFF\xD8\xFF\xE0' + b'' fh.close 'Hax0r', 'regemail' =...
Email Subscribers by Icegram Express < 5.7.21 - Unauthenticated SQL Injection via hash
Description The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...
Popup4Phone <= 1.3.2 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. Run the following JavaScript in the browser console: fetch"/", "headers": "content-type": "application/x-www-form-urlencoded", ,...
Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup To replicate this vulnerability, follo...
EventPrime < 3.3.6 - Unauthenticated Event Access
Description The plugin lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name. 1. Create a password-protected event or a private event then publish it. 2. Access to the URL on a private...
Seraphinite Accelerator < 2.20.32 - Unauthorised Settings Reset/Import
Description The plugin does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them The issue was partially fixed in 2.20.29 only adding authorisation checks. CSRF checks were added in 2.20.32 As an unauthenticated user, open...
Post Timeline < 2.2.6 - Reflected XSS
Description The plugin does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below...
Classified Listing Pro < 2.0.20 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/all-ads/?"alert/XSS/ https://example.com/all-properties/?"alert/XSS/...
Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting Both can be used against authenticated and unauthenticated users https://example.com/wp-admin/admin-ajax.php?action=ftsrefreshtokenajax&accesstoken=...
Contact Form 7 Captcha < 0.1.2 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers https://example.com/wp-admin/options-general.php?page=cf7sredit&"alert/XSS/...
Preview E-mails for WooCommerce < 2.0.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to reflected XSS via the searchorder parameter found in the /views/form.php file. alert1" /...
Pricing Table by Supsystic < 1.9.0 - Authenticated Stored Cross-Site Scripting
The label and datahtml POST parameter are not properly sanitised and escaped before being saved and output back in the page, leading to stored Cross-Site Scripting issues v alert1alert1 instead of the one above v 1.9.0, the edit HTML feature was removed client side but a crafted request could sti...
Easy Notify Lite < 1.1.33 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks. - Create/edit a Notification https://example.com/wp-admin/post-new.php?posttype=easynotify - Put the following...
KKProgressbar2 Free <= 1.1.4.2 - Progress Bar Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks Make a logged in admin open an HTML file containing where is a valid ID: "...
Wow Skype Buttons < 4.0.4 - Button Deletion via CSRF
Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks As an admin open HTML file containing: action...
MM-email2image <= 0.2.5 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Add the following payload to a...
Salon Booking System < 9.6.3 - Unauthenticated Stored XSS
Description The plugin does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the...
Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. otwshortcodebutton...
Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass
Description The plugin is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handleauthrequest' and 'hadleloginrequest'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an...
WP Review Slider < 13.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Add the payload "...
Modern Events Calendar lite <= 5.16.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to the import/export section. 2. Enter the...
Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF
The plugin does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin...
Flexi Quote Rotator <= 0.9.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Add the following payload to a new quote:...
Themify - WooCommerce Product Filter < 1.3.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting ' /...
Quotes Collection <= 2.5.2 - Admin+ SQL Injection
The plugin does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection https://example.com/wp-admin/admin.php?page=quotes-collection&s=&wpnonce=6e21e0a8b6&action=makepublic&paged=1&bulkcheck=1%20and%20sleep10--%20-&action2=makepublic...