4359 matches found
WordPress Ping Optimizer <= 2.35.1.3.0 - Log Clearing via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as clearing logs. Make a logged in admin open the URL below...
Seriously Simple Podcasting < 3.0.0 - Unauthenticated Administrator Email Disclosure
Description The plugin discloses the Podcast owner's email address which by default is the admin email address via an unauthenticated crafted request. This was fixed in 3.0.0 for new plugin installation, however when upgrading, users will have to unset the "Owner email address" in the Feed Detail...
Word Balloon < 4.20.3 - Avatar Removal via CSRF
Description The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link. Make a logged in admin open...
Royal Elementor Addons and Templates 1.4.78 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. Note that this vulnerability is identical to https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/ as it was introduce...
Grid Kit Premium < 2.2.0 - Multiple Reflected Cross-Site Scripting
The plugin does not escape some parameters as well as generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open one of the URL below...
Shareaholic < 9.7.6 - Information Disclosure
The plugin does not have proper authorisation check in one of the AJAX action, available to unauthenticated in v 9.7.5 and author+ in v9.7.5 users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc...
LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Proof of Concept PoC: ======================= 1. The stored XS...
Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure
The theme allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request. POST /wp-json/csco/v1/more-posts Accept:...
Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)
Description The theme does not sanitise the tdblockid parameter in its tdajaxblock AJAX action, leading to an unauthenticated Reflected Cross-site Scripting XSS vulnerability. Due to a nonce check, this issue is only exploitable on unauthenticated users for as long as the nonce used in the reques...
Motor theme < 3.1.0 - Unauthenticated Local File Inclusion
Lack of authentication or validation in motorloadmore, motorgalleryloadmore, motorquickview and motorprojectquickview AJAX handlers of the theme allows an unauthenticated attacker access to arbitrary files in the server file system, and to execute arbitrary php scripts found on the server file...
reCAPTCHA Jetpack <= 0.2.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. This requires Jetpack to be installed and to have a page/post with a Jetpack Contact Form...
Sassy Social Share < 3.3.61 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below...
Shortcodes Ultimate < 7.1.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the...
WolfNet IDX for WordPress <= 1.19.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the settings of the plugin, ente...
DeMomentSomTres WordPress Export Posts With Images <= 20220825 - Subscriber+ unauthorized data export
Description The plugin does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts...
EmbedPress < 3.9.2 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page containing a specific content, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin On a post/page where containing the following output whic...
Welcart e-Commerce < 2.9.5 - Unauthenticated PHP Object Injection
Description The plugin unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on the blog To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitrary...
Upload Resume <= 1.2.0 - Captcha Bypass
The plugin does not validate the captcha parameter when uploading a resume via the resumeuploadform shortcode, allowing unauthenticated visitors to upload arbitrary media files to the site. The PoC will be displayed once the issue has been remediated...
Breadcrumb < 1.5.33 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF
The plugin has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example As an admin:...
Call&Book Mobile Bar <= 1.2.2 - Admin+ Stored Cross Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. Put the following payload in any of the plugin's settings: "...
Cookie Bar <= 1.8.8 - Admin+ Stored Cross-Site Scripting
The plugin doesn't properly sanitise the Cookie Bar Message setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Add the following payload in the "Cookie Bar Message" setting of the plugin...
ACF to REST API < 3.3.0 - Unauthenticated Arbitrary wp_options Disclosure
The plugin does not properly check for authorisation and allowed options to be retrieved from the wp-json/acf/v3/options/ endpoint. This could allow unauthenticated attacker to retrieve arbitrary values from the wpoptions table, such as a list of active plugins. List all active plugins of the blo...
The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access
Description The plugin does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. e.g. password-protected events, drafts, etc. Free: 1. ADMIN: Install The Events Calendar 2. ADMIN: Create events with each status: published, private,...
WordPress Geo Controller < 8.6.5 - PHP Object Injection
Description The plugin unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
Chart.js for WordPress <= 2023.2 - Editor+ Stored Cross-Site Scripting in New Chart
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Charts New Chart HTML 3...
Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload
Description The plugin does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution. from io import BytesIO import requests import zipfile import sys import re if...
WP Hotel Booking < 2.0.8 - Unauthenticated SQLi
Description The plugin does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admininit, allowing unauthenticated users to perform SQL injections Run the below command in the developer console of the web browse...
EventPrime < 3.2.0 - Booking Creation via CSRF
Description The plugin does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks. Create an Event, noting its ID. Add a ticket type to the Event the details don't matter. As a logged-in user, visit a page with t...
Transposh WordPress Translation <= 1.0.8 - Admin+ SQL Injection
The plugin does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection https://example.com/wp-admin/admin.php?page=tpeditor&action=filter-by&order=+AND+SELECT+42+FROM+SELECTSLEEP5b...
WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup On...
Image optimization & Lazy Load < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Media Optimole...
Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure
The plugin does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerabilit...
Timeline Calendar <= 1.2 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin GET...
Tutor LMS < 1.7.7 - SQL Injection via tutor_place_rating
The tutorplacerating AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students. python3 sqlmap.py -r /tutor2.txt --dbms=mysql --technique=B -p courseid --dump Where tutor2.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL...
Expert Invoice <= 1.0.2 -Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate to Expert Invoice Customer...
VikBooking < 1.6.8 - Insecure Direct Object References
Description The plugin allows direct access to menus, allowing an authenticated user with subscriber privileges or above, to bypass authorization and access settings of the plugin's they shouldn't be allowed to. https://example.com/wp-admin/admin.php?option=comvikbooking&task=config...
Pz-LinkCard < 2.5.3 - Contributor+ SSRF
Description The plugin does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks. Setup a listener on a localhost/LAN host such as nc -l 127.0.0.1 9000, then as a contributor, put the followi...
Innovs HR <= 1.0.3.4 - Employee Creation via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding them as employees. input type="hidden" name="maritalstatus" value="Single"...
GigPress <= 2.3.29 - Admin+ Stored Cross Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "GigPress Settings" 2. Enter...
WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR
Description The plugin does not properly check for authorisation, allowing authors to delete and update arbitrary avatar POC request: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: yoursite User-Agent: Mozilla/5.0 X11; Linux aarch64; rv:102.0 Gecko/20100101 Firefox/102.0 Accept:...
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF
Description The plugin does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution. 1. Ensure your WordPress...
File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal
Description The plugin does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites...
CITS Support svg, webp Media and TTF,OTF File Upload < 3.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. As an author, upload an SVG with the payload: alert"xss"; View the SVG and see the XSS...
Popup Builder < 4.2.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Note: The vendor was made aware of th...
MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi
Description The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. Note WPScan: The issue was fixed in 1.14.13, however a better patch was done in 1.14.15 a...
NEX-Forms < 8.4.4 - Authenticated Stored XSS
The plugin does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins in multisite / admins in single site can create forms, however there is a settings allowing them to give lower roles access to such feature. Create a new form with the...
Event Manager and Tickets Selling Plugin for WooCommerce < 3.8.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 1. Add an event in the plugin with a city meta as: " onmouseover="alert1" 2. On a n...
WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF
The plugin does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID Make a logged in admin open a page containing the HTML code below. This will regenerate the secret for the...
Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download
The plugin is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher. As contributor, navigate to https://target/blog/wp-admin/post-new.php?posttype=lanadownload Inside "File URL:" input, fill the file you want to download, for...