4359 matches found
Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure
Low-level users, such as subscribers, were able to trigger the action, wpajaxnfoauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clientid for an already established OAuth connection. Usage: php poc.php subscriber password $wpuser, 'pwd' = $wppas...
Membership by Supsystic <= 1.5.0 - Authenticated SQL Injection
The GET parameter "sidx" and "search are used in a SQL statement without being sanitised when searching for badges in the dashboard, leading to authenticated SQL Injection issues. v1.4.8 attempted a fix, which was found to not be sufficient The PoC will be displayed once the issue has been...
Data Tables Generator by Supsystic < 1.10.0 - Authenticated SQL Injection
The POST parameter "datasearchtextlike" was used in a SQL statement without being sanitised when searching for Tables in the dashboard, leading to an authenticated SQL Injection issue. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com User-Agent: YOLO Accept: / Accept-Language:...
Jetpack < 13.2.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks When the "Let visitors subscribe...
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Click SendPress in the Admin menu...
Inline Related Posts < 3.5.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Put the following payload in the CSS margin-top settings: 0 em" onmouseover=alert/XSS/// Th...
Tutor LMS < 2.3.0 - Subscriber+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Register a student account and go to the...
WP Inventory Manager < 2.1.0.12 - Reflected XSS
The plugin does not sanitise and escape the message parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrators. On a page where the wpinventory shortcode is embed, append the following payloa...
Ajax Search Lite < 4.11.1, Pro < 4.26.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a response of an AJAX action, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
PDF.js Viewer < 2.1.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. pdfjs-viewer viewerheight='"...
WPC Smart Wishlist for WooCommerce < 2.9.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the key parameter before outputting it back in the wishlistquickview AJAX action's response available to any authenticated user, leading to a Reflected Cross-Site Scripting alert/XSS/;' The source and destination should use the https:// protocol for the...
Sync iCloud COS < 2.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the 本地文件夹 or URL前缀 settings of the plugin: " style=animation-name:rotation...
Auto Featured Image < 3.9.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the postid parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/upload.php?page=menu-media-apt&postid=alert/XSS/...
WP Hardening < 1.2.2 - Reflected XSS via URI
The plugin did not sanitise or escape the $SERVER'REQUESTURI' before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue. https://example.com/wp-admin/plugins.php?%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3Cv=...
Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
The plugin is affected by a loose comparison issue, which could allow any user to log in as administrator. An attacker can manipulate $GET'algwcevverifyemail' and set this payload: eyJpZCI6MSwiY29kZSI6MH0= Example: https://example.com/my-account/?algwcevverifyemail=eyJpZCI6MSwiY29kZSI6MH0= after...
VikBooking < 1.6.8 - Broken Access Control
Description The plugin's access control mechanism fails to properly restrict access to its settings, permitting any users that can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting categories for example despite initial settings prohibitin...
Call Now Button < 1.4.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Navigate to All Buttons, and add a...
WP Google Review Slider < 13.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "WP Google Reviews Templates"...
Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover
Description The plugin does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. 1. ADMIN: Install Formidable Pro plugin 2. ADMIN: Install Formidable...
SVG Uploads Support <= 2.1.1 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to see the XSS...
Smart Manager < 8.28.0 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. The vulnerability can be demonstrated using the following POST request: POST...
WordPress Users <= 1.4 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Create an HTML with the following and open it when logged in as an Editor or above: document.forms0.submit;...
User Registration < 3.0.4.2 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Install and activate this plugin -...
PostX - Gutenberg Post Grid Blocks < 3.0.6 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below the post value is the ID of a post/page creat...
Querlo Chatbot <= 1.2.4 - Stored Cross-Site Scripting
The plugin does not escape or sanitize chat messages, leading to a stored Cross-Site Scripting vulnerability. Submit the following in the chat message: """ See the XSS in Querlo...
Tutor LMS < 2.2.1 - Unauthenticated Access to Tutor LMS Lesson Resources via REST API
The plugin does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available. 1. Create a new Course, add a Topic, and add a Lesson to the Topic. 2. In Tutor LMS Settings Course, ensure...
KIWIZ Invoices Certification & PDF System <= 2.1.3 - Unauthenticated Arbitrary File Download
The plugin does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization assuming they can upload a file on the server To download ../../../../wp-config.php:...
Google Maps Anywhere <= 1.2.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape any of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the plugin settings:...
Login using WordPress Users < 1.13.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "IDP Metadata" "IdP...
New User Email Set Up <= 0.5.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit;...
Wow Forms <= 3.1.3 - Admin+ SQL Injection
The plugin does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection https://plugins.trac.wordpress.org/browser/mwp-forms/trunk/admin/partials/main.phpL13 As admin,...
Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin is affected by an Unauthenticated Stored Cross-Site Scripting XSS vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel. $ curl -i http://localhost:10008/ --user-agent "alert1" The payload will be executed o...
KKProgressbar2 Free <= 1.1.4.2 - Admin+ SQL Injection
Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks 1. Send a POST request to /wp-admin/admin.php?page=kkpb-add-project with the BODY action=edit-project&id=sleep5 2. Observe the delay in respons...
Carousel Slider < 2.2.7 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a new slider at "Carousel Slide...
WP Customer Area < 8.2.1 - Subscriber+ Account Address Leak
Description The plugin does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user's account address. Run the below command in the developer console of the browser when being logged in the blog as a subscriber and on your own edit account...
EventPrime < 3.2.0 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. POC 1 - Visit any of the following pages created by the plugin: - Event Organize...
Weaver Xtreme Theme Support < 6.3.1 - Admin+ PHP Object Injection
Description The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin: class Test...
WP-EMail < 2.69.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the "Email Options" section of t...
MStore API < 3.9.7 - Subscriber+ Unauthorized Settings Update
The plugin does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. Make sure the site also has WooCommerce installed and activated, then, while logged-in as a subscriber, visit the following URLs: -...
jQuery T(-) Countdown Widget < 2.3.24 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. tminus t='2100-01-01' width='"...
Social Warfare < 4.4.0 - Post Meta Deletion via CSRF
The plugin does not have CSRF checks in some AJAX actions, allowing attackers, to make a logged in admin call them and delete arbitrary post meta as well as reset access tokens related to network via CSRF attacks...
Mesmerize Companion < 1.6.135 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Required them...
SMSA Shipping for WooCommerce < 1.0.5 - Subscriber+ Arbitrary File Download
The plugin does not have authorisation and proper CSRF checks, as well as does not validate the file to be downloaded, allowing any authenticated users, such as subscriber to download arbitrary file from the server Open the following URL when being logged in as any user...
Flat PM < 3.0.13 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin v 3.0.13 the blockid needs to start with an existing block ID...
Coming Soon - Under Construction <= 1.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed As admin, put the following payload in the "More text information" settings of the plugin: The XSS will be triggered...
WP Paginate < 2.1.9 - Admin+ Stored Cross-Site Scripting
The plugin does not escape one of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when unfilteredhtml is disallowed Put the following payload on the Preset settings of the plugin: '+accesskey="X"+onclick="alert1"'...
Poll Maker < 3.2.9 - Reflected Cross-Site Scripting
The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the /admin/partials/settings/poll-maker-settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8...
Photo Gallery by 10web < 1.5.69 - Reflected Cross-Site Scripting (XSS)
The plugin did not properly sanitise the bwgsearchX GET parameter, available in a frontend gallery when the Show Search Box setting is enabled disabled by default, leading to a reflected Cross-Site Scripting issue Append the below payload in a page with an embedded gallery and the Show Search Box...
Inquiry Cart <= 3.4.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert9995'...
Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control
Description The plugin does not have proper authorization in some actions, which could allow users with a role as low as a subscriber to call them and perform unauthorized actions While logged as a subscriber, paste the following in your browser's console: fetch'/wp-admin/admin-ajax.php', method:...