Duplicate Page < 4.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The attempt to fix the issue in 4.4.2 is insufficient and...
Premium Addons for Elementor < 4.5.2 - Subscriber+ Arbitrary Blog Option Update
The plugin does not have any CSRF and authorisation checks in the padismissadminnotice AJAX action, available to any authenticated users, and does not validate the option key to ensure the option to update belongs to the plugin. As a result, any authenticated user, such as a subscriber, can update...
Ninja Forms < 3.6.4 - Admin+ SQL Injection
The plugin does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injection attacks POST /wp-admin/post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh,en;q=0.5...
Shopp eCommerce <= 1.4 - Unauthenticated Arbitrary File Upload
The shoppuploadfile AJAX action of the plugin, available to both unauthenticated and authenticated users, does not have any security measure in place to prevent the upload of malicious files, such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE...
WP LMS < 1.1.5 - Unauthenticated Arbitrary User Field Edition/Creation
The plugin is lacking any CSRF and capability checks when creating and editing User Fields, allowing unauthorised editing and creation of them either via CSRF or as any user, including unauthenticated. v1.1.5 added CSRF but still no capability check POST...
Blue Admin <= 21.06.01 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Logo Title" setting before outputting it in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have a CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. Add the following...
Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal
The plugin does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory. 1. Navigate to settings page /wp-admin/edit.php?post_type=wpdmpro&page=settings 2. In the “File Browser Root:” setting,...
JS Job Manager < 1.1.9 - Unauthenticated Arbitrary Plugin Installation/Activation
The jsjobsajax AJAX action of the plugin, available to both authenticated and unauthenticated users, does not have proper authorisation and CSRF checks, in particular when using the installPluginFromAjax and activatePluginFromAjax, which could allow unauthenticated attackers to install arbitrary...
Video Gallery - Vimeo and YouTube Gallery < 1.1.5 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues. Add the following payload in the Title or Description of a Video added in a List/Gallery: "onmouseover=alert/XSS/// Then view the...
Comment Link Remove and Other Comment Tools < 2.1.6 - Arbitrary Comment Deletion via CSRF
The plugin does not have a CSRF check in its 'Delete comments easily', which could allow attackers to make a logged in admin delete arbitrary comments POST /wp-admin/admin.php?page=comment-link-remove HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8...
The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue. The vulnerable code leading to the open redirect is in the function "redirecttotpcustompasswordreset" in...
VM Backups <= 1.0 - CSRF to Database Backup Download
The plugin does not have CSRF checks, allowing attackers to make a logged in user perform unwanted actions, such as generating backups of the DB, plugins, and current theme. The files will be created in the uploads directory by default, with a timestamp in their filenames, without any access restriction,...
Post Expirator < 2.6.0 - Contributor+ Arbitrary Post Schedule Deletion
The plugin does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts. Run on "Posts" page: jQuery.postajaxurl, nonce: config.ajax.nonce, action:"managewppostsusingbulkquicksavebulkedit", postids:783,...
AddToAny < 1.7.46 - Authenticated Stored XSS
The plugin does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the Sharing Header setting of the...
Fitness Calculators < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS)
The plugin adds calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking a CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored...
WP Debugging < 2.11.0 - Unauthenticated Plugin's Settings Update
The plugin has its updatesettings function hooked to admin_init and is missing any authorisation and CSRF checks; as a result, the settings can be updated by unauthenticated users. csrf.submit POST /wp-admin/admin-post.php HTTP/1.1 Accept:...
Email Before Download < 6.8 - Admin+ SQL Injection
The plugin does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues...
Similar Posts < 3.1.6 - Admin+ Arbitrary PHP Code Execution
The plugin allows high privilege users to execute arbitrary PHP code in a hardened environment, i.e. with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML set to true, via the 'widgetrrmsimilarpostscondition' widget setting of the plugin. Vendor was notified in July 2021, the issue was...
LearnPress < 4.1.4 - Admin+ SQL Injection
The plugin does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating a course/lesson/quiz/question, leading to SQL Injection issues. Id needs to start with a valid course/lesson/quiz/question ID:...
Portfolio Responsive Gallery < 1.1.8 - Authenticated Blind SQL Injections
The getportfolios and getportfolioattributes functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the plugin did not use a whitelist or validate the orderby parameter before using it in SQL statements passed to...
Affiliate Manager < 2.8.7 - Admin+ SQL injection
The plugin does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue. POST /wp-admin/admin.php?page=wpam-affiliates&tab=exportdata&orderby=if&order=0,1,SLEEP10 HTTP/1.1 Accept:...
WP Mega Menu < 1.4.1 - Subscriber+ Arbitrary Post Access
The plugin does not properly check for capability and CSRF, due to a logic flaw, in its exporttheme and exportwpmegamenunavmenu methods, hooked as AJAX actions and available to any authenticated user. As a result, low privilege authenticated users such as subscribers can call them and access...
AdRotate < 5.8.4 - Authenticated SQL Injection
Authenticated SQL injection in AdRotate 5.8.3.1 exists via the "id" param. However, this requires an admin privileged user. NOTE: The plugin author mistook this SQLi bug for XSS but the remedy remains OK. Param "id" is vulnerable to SQL Injection. Example 1:...
Fileviewer <= 2.2 - Arbitrary File Upload/Deletion via CSRF
The plugin does not have CSRF checks in place when performing actions such as uploading and deleting files. As a result, attackers could make a logged in administrator delete and upload arbitrary files via a CSRF attack. To delete /phpinfo.php:...
Comments Like Dislike < 1.1.4 - Add Like/Dislike Bypass
The plugin allows users to like/dislike posted comments, however it does not prevent them from replaying the AJAX request to add a like. This allows any user, even unauthenticated, to add unlimited likes/dislikes to any comment. The plugin appears to have some Restriction modes, such as Cookie...
Blog2Social: Social Media Auto Post & Scheduler < 6.3.1 - Authenticated SQL Injection
SQL Injection in the Blog2Social plugin 6.3.0 for WordPress exists via Re-Share Posts feature. Please refer to the video below for steps to reproduce and demonstration of automatic exploit with sqlmap. - Mega.nz: https://mega.nz/file/mt1gFYTKe3XkA-zY0cCApTYlLZktRZ4Q4vchVhbPsNqQC6CKORo - Drive:...
Verse-O-Matic <= 4.1.1 - CSRF to Stored XSS
The plugin does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site...
WPBakery Page Builder Clipboard < 4.5.8 - Unauthorised Arbitrary License Options Update
An AJAX action registered by the plugin did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email). When logged in as a user with Subscriber role or greater, submit a request to wp-admin/admin-ajax.php with action =...
Alphabetic Pagination < 3.0.8 - Unauthenticated Arbitrary Option Update
The plugin does not have any proper authorisation in place when updating some settings via a REST endpoint, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary options from the blog and allow registration with a...
Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
The plugin was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Attackers can possibly exploit this issue to execute arbitrary commands on the victim's system, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected...
Stylish Price List < 6.9.1 - Subscriber+ Arbitrary Image Upload
The plugin does not perform capability checks in its spluploadserimg AJAX action available to authenticated users, which could allow any authenticated user, such as a subscriber, to upload arbitrary images...
Parcel Tracker eCourier < 1.0.2 - Plugin's Settings Update via CSRF
The plugin did not properly check for CSRF, allowing attackers to make a logged in administrator update the plugin's settings...
WordPress Ping Optimizer < 2.35.1.3.0 - Arbitrary Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack http://evil.com aaaa bbbb document.getElementById"test".submit;...
Catch Themes Demo Import < 2.1.1 - Admin+ Remote Code Execution
The plugin does not validate one of the files to be imported, which could allow a high privilege admin to upload an arbitrary PHP file and gain RCE even in the case of a hardened blog, i.e. DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true. Author : qerogram import...
Survey Maker < 1.5.6 - Authenticated Blind SQL Injections
The getresults and getitems functions in the plugin did not use a whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. Note WPScanTeam: Other SQLi were identified when confirming the...
Elementor Website Builder < 3.12.2 - Admin+ SQLi
The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role. 1. Go to Elementor Tools Replace URL 2. Fill the first field with http://localhost:8000/ ...
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
The plugin does not sanitise or escape its QR settings, nor does it have any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. Put the following payload in the QR setting: "alert/XSS/ The XSS will be triggered in the plugin's...
WP TripAdvisor Review Slider < 10.8 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the following code in the browser console on any WP Admin page. fetch'/wp-admin/admin-ajax.php', method: 'POST',...
Reviews Plus < 1.2.14 - Subscriber+ Reviews DoS
The plugin does not validate the submitted rating, allowing submission of a long integer, causing a Denial of Service in the review section when an authenticated user submits such a rating and the reviews are set to be displayed on the post/page. Enable reviews for posts/pages, and enable the "Show...
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Deletion
The plugin does not have any authorisation and CSRF checks in place when deleting events, which could allow unauthenticated attackers to delete arbitrary events. As an unauthenticated user, open the code below; this will delete the event with ID 4 from the calendar with ID 1...
Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation
The plugin does not have capability and CSRF checks in the dpwappluginactivate AJAX action, allowing any authenticated user, such as a subscriber, to activate plugins that are already installed. v 1.5.9 - jQuery.postajaxurl, action:"dpwappluginactivate", dpwapurl:"hello.php" v 1.6.0 -...
MailOptin < 1.2.35.2 - Unauthorised AJAX Call
The fetchcustomfields and fetchtags functions did not have proper CSRF checks and authorisation, allowing unauthorised users to call the related AJAX action via either a low privilege account or a CSRF attack POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting
The plugin does not have any CSRF checks in place when saving its settings, and does not validate or escape them, which could lead to a Stored Cross-Site Scripting issue. v1.3.4 fixed the CSRF, but not the sanitisation/escaping fully. Another issue has been created for it. To have the XSS only trigger...
Permalink Manager Lite < 2.2.13.1 - Admin+ SQL Injection
The plugin does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection. https://example.com/wp-admin/tools.php?page=permalink-manager&orderby=ID+AND+SELECT+9480+FROM+SELECTSLEEP5EXid...
MainWP Child Reports < 2.0.8 - Admin+ SQL Injection
The plugin does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue. https://example.com/wp-admin/options-general.php?page=mainwp-reports-page&order=+AND+SELECT+7332 FROM+SELECTSLEEP5qiXg - the web page freezes f...
Simple Banner < 2.10.4 - Authenticated Stored XSS
The plugin does not sanitise and escape one of its settings, allowing high privilege users such as admin to use a Cross-Site Scripting payload even when the unfiltered_html capability is disallowed. Put the following payload in the Simple Banner Text setting of the plugin: The XSS will be triggered ...
Ship To Ecourier < 1.0.2 - Plugin's Settings Update via CSRF
The plugin did not properly check for CSRF, allowing attackers to make a logged in administrator update the plugin's settings...
VM Backups <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not have CSRF checks, allowing attackers to make a logged in user perform unwanted actions, such as updating the plugin's options, leading to a Stored Cross-Site Scripting issue. The PoC will be displayed once the issue has been remediated...
Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
The plugin does not sanitise or escape the feedID POST parameter in its feedlocator AJAX action available to both authenticated and unauthenticated users before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will ...
Glass <= 1.3.2 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Glass Pages" setting before outputting it in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have a CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. Add the following...