Lucene search
K
WpexploitMost viewed

4359 matches found

wpexploit
wpexploit
added 2024/03/20 12:0 a.m.175 views

WordPress Ping Optimizer <= 2.35.1.3.0 - Log Clearing via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as clearing logs. Make a logged in admin open the URL below...

6.8AI score0.00225EPSS
Exploits2
wpexploit
wpexploit
added 2024/02/17 12:0 a.m.175 views

Seriously Simple Podcasting < 3.0.0 - Unauthenticated Administrator Email Disclosure

Description The plugin discloses the Podcast owner's email address which by default is the admin email address via an unauthenticated crafted request. This was fixed in 3.0.0 for new plugin installation, however when upgrading, users will have to unset the "Owner email address" in the Feed Detail...

6.9AI score0.02463EPSS
Exploits3
wpexploit
wpexploit
added 2023/11/13 12:0 a.m.175 views

Word Balloon < 4.20.3 - Avatar Removal via CSRF

Description The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link. Make a logged in admin open...

6.5CVSS7.5AI score0.00309EPSS
Exploits2
wpexploit
wpexploit
added 2023/10/23 12:0 a.m.175 views

Royal Elementor Addons and Templates 1.4.78 - Unauthenticated Arbitrary File Upload

Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. Note that this vulnerability is identical to https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/ as it was introduce...

9.8CVSS9.6AI score0.81695EPSS
Exploits18
wpexploit
wpexploit
added 2023/07/10 12:0 a.m.175 views

Grid Kit Premium < 2.2.0 - Multiple Reflected Cross-Site Scripting

The plugin does not escape some parameters as well as generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open one of the URL below...

6.4AI score0.00396EPSS
Exploits2
wpexploit
wpexploit
added 2022/07/04 12:0 a.m.175 views

Shareaholic < 9.7.6 - Information Disclosure

The plugin does not have proper authorisation check in one of the AJAX action, available to unauthenticated in v 9.7.5 and author+ in v9.7.5 users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc...

5.3CVSS0.7AI score0.01633EPSS
Exploits2
wpexploit
wpexploit
added 2022/03/29 12:0 a.m.175 views

LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Proof of Concept PoC: ======================= 1. The stored XS...

4.8CVSS4.8AI score0.02691EPSS
Exploits4
wpexploit
wpexploit
added 2021/10/11 12:0 a.m.175 views

Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure

The theme allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request. POST /wp-json/csco/v1/more-posts Accept:...

5.3CVSS2.3AI score0.01131EPSS
Exploits2
wpexploit
wpexploit
added 2021/07/12 12:0 a.m.175 views

Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)

Description The theme does not sanitise the tdblockid parameter in its tdajaxblock AJAX action, leading to an unauthenticated Reflected Cross-site Scripting XSS vulnerability. Due to a nonce check, this issue is only exploitable on unauthenticated users for as long as the nonce used in the reques...

6.1CVSS6.1AI score0.01234EPSS
Exploits2
wpexploit
wpexploit
added 2021/06/09 12:0 a.m.175 views

Motor theme < 3.1.0 - Unauthenticated Local File Inclusion

Lack of authentication or validation in motorloadmore, motorgalleryloadmore, motorquickview and motorprojectquickview AJAX handlers of the theme allows an unauthenticated attacker access to arbitrary files in the server file system, and to execute arbitrary php scripts found on the server file...

9.8CVSS0.5AI score0.02633EPSS
Exploits2References1
wpexploit
wpexploit
added 2024/04/19 12:0 a.m.174 views

reCAPTCHA Jetpack <= 0.2.2 - Stored XSS via CSRF

Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. This requires Jetpack to be installed and to have a page/post with a Jetpack Contact Form...

5.9AI score0.00269EPSS
Exploits2
wpexploit
wpexploit
added 2024/04/05 12:0 a.m.174 views

Sassy Social Share < 3.3.61 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below...

5.8AI score0.0048EPSS
Exploits3References1
wpexploit
wpexploit
added 2024/04/05 12:0 a.m.174 views

Shortcodes Ultimate < 7.1.0 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the...

5.9AI score0.00438EPSS
Exploits2References1
wpexploit
wpexploit
added 2024/01/23 12:0 a.m.174 views

WolfNet IDX for WordPress <= 1.19.1 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the settings of the plugin, ente...

7.9AI score0.00305EPSS
Exploits2
wpexploit
wpexploit
added 2023/12/21 12:0 a.m.174 views

DeMomentSomTres WordPress Export Posts With Images <= 20220825 - Subscriber+ unauthorized data export

Description The plugin does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts...

8.1CVSS6.7AI score0.00579EPSS
Exploits2
wpexploit
wpexploit
added 2023/11/20 12:0 a.m.174 views

EmbedPress < 3.9.2 - Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page containing a specific content, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin On a post/page where containing the following output whic...

6.1CVSS6.5AI score0.00471EPSS
Exploits2
wpexploit
wpexploit
added 2023/11/10 12:0 a.m.174 views

Welcart e-Commerce < 2.9.5 - Unauthenticated PHP Object Injection

Description The plugin unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on the blog To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitrary...

9.8CVSS7.6AI score0.01253EPSS
Exploits2
wpexploit
wpexploit
added 2023/05/24 12:0 a.m.174 views

Upload Resume <= 1.2.0 - Captcha Bypass

The plugin does not validate the captcha parameter when uploading a resume via the resumeuploadform shortcode, allowing unauthenticated visitors to upload arbitrary media files to the site. The PoC will be displayed once the issue has been remediated...

5.3CVSS7.3AI score0.0051EPSS
Exploits2
wpexploit
wpexploit
added 2023/01/11 12:0 a.m.174 views

Breadcrumb < 1.5.33 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...

5.4CVSS1.2AI score0.00588EPSS
Exploits2
wpexploit
wpexploit
added 2022/08/03 12:0 a.m.174 views

MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF

The plugin has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example As an admin:...

2.7CVSS0.8AI score0.00632EPSS
Exploits2
wpexploit
wpexploit
added 2022/05/09 12:0 a.m.174 views

Call&Book Mobile Bar <= 1.2.2 - Admin+ Stored Cross Site Scripting

The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. Put the following payload in any of the plugin's settings: "...

4.8CVSS0.5AI score0.00565EPSS
Exploits2
wpexploit
wpexploit
added 2021/09/22 12:0 a.m.174 views

Cookie Bar <= 1.8.8 - Admin+ Stored Cross-Site Scripting

The plugin doesn't properly sanitise the Cookie Bar Message setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Add the following payload in the "Cookie Bar Message" setting of the plugin...

4.8CVSS0.5AI score0.00598EPSS
Exploits2
wpexploit
wpexploit
added 2020/06/28 12:0 a.m.174 views

ACF to REST API < 3.3.0 - Unauthenticated Arbitrary wp_options Disclosure

The plugin does not properly check for authorisation and allowed options to be retrieved from the wp-json/acf/v3/options/ endpoint. This could allow unauthenticated attacker to retrieve arbitrary values from the wpoptions table, such as a list of active plugins. List all active plugins of the blo...

5CVSS2.2AI score0.12955EPSS
Exploits2References2
wpexploit
wpexploit
added 2024/05/24 12:0 a.m.173 views

The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access

Description The plugin does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. e.g. password-protected events, drafts, etc. Free: 1. ADMIN: Install The Events Calendar 2. ADMIN: Create events with each status: published, private,...

9.6AI score0.00464EPSS
Exploits2
wpexploit
wpexploit
added 2024/04/10 12:0 a.m.173 views

WordPress Geo Controller < 8.6.5 - PHP Object Injection

Description The plugin unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...

7.2AI score0.00489EPSS
Exploits2References1
wpexploit
wpexploit
added 2024/01/19 12:0 a.m.173 views

Chart.js for WordPress <= 2023.2 - Editor+ Stored Cross-Site Scripting in New Chart

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Charts New Chart HTML 3...

7.9AI score0.0039EPSS
Exploits2References1
wpexploit
wpexploit
added 2023/12/18 12:0 a.m.173 views

Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload

Description The plugin does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution. from io import BytesIO import requests import zipfile import sys import re if...

8.8CVSS9.1AI score0.01095EPSS
Exploits2
wpexploit
wpexploit
added 2023/10/26 12:0 a.m.173 views

WP Hotel Booking < 2.0.8 - Unauthenticated SQLi

Description The plugin does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admininit, allowing unauthenticated users to perform SQL injections Run the below command in the developer console of the web browse...

9.8CVSS9.8AI score0.63711EPSS
Exploits2
wpexploit
wpexploit
added 2023/10/09 12:0 a.m.174 views

EventPrime < 3.2.0 - Booking Creation via CSRF

Description The plugin does not have CSRF checks when creating bookings, which could allow attackers to make logged in users create unwanted bookings via CSRF attacks. Create an Event, noting its ID. Add a ticket type to the Event the details don't matter. As a logged-in user, visit a page with t...

4.3CVSS4.7AI score0.00231EPSS
Exploits2
wpexploit
wpexploit
added 2022/07/26 12:0 a.m.173 views

Transposh WordPress Translation <= 1.0.8 - Admin+ SQL Injection

The plugin does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection https://example.com/wp-admin/admin.php?page=tpeditor&action=filter-by&order=+AND+SELECT+42+FROM+SELECTSLEEP5b...

7.2CVSS1.6AI score0.01202EPSS
Exploits5
wpexploit
wpexploit
added 2022/07/05 12:0 a.m.173 views

WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup On...

4.8CVSS0.2AI score0.00493EPSS
Exploits2
wpexploit
wpexploit
added 2022/03/21 12:0 a.m.173 views

Image optimization & Lazy Load < 3.3.2 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Media Optimole...

4.8CVSS0.5AI score0.0073EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/03/14 12:0 a.m.173 views

Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure

The plugin does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerabilit...

5.5CVSS0.1AI score0.00609EPSS
Exploits2
wpexploit
wpexploit
added 2021/07/24 12:0 a.m.173 views

Timeline Calendar <= 1.2 - Authenticated (admin+) SQL Injection

The plugin does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin GET...

6.5CVSS1.3AI score0.01578EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/15 12:0 a.m.173 views

Tutor LMS < 1.7.7 - SQL Injection via tutor_place_rating

The tutorplacerating AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students. python3 sqlmap.py -r /tutor2.txt --dbms=mysql --technique=B -p courseid --dump Where tutor2.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL...

4CVSS1.1AI score0.01253EPSS
Exploits2References1
wpexploit
wpexploit
added 2024/05/28 12:0 a.m.172 views

Expert Invoice <= 1.0.2 -Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate to Expert Invoice Customer...

5.6AI score0.00398EPSS
Exploits2
wpexploit
wpexploit
added 2024/04/19 12:0 a.m.172 views

VikBooking < 1.6.8 - Insecure Direct Object References

Description The plugin allows direct access to menus, allowing an authenticated user with subscriber privileges or above, to bypass authorization and access settings of the plugin's they shouldn't be allowed to. https://example.com/wp-admin/admin.php?option=comvikbooking&task=config...

6.6AI score0.0061EPSS
Exploits2
wpexploit
wpexploit
added 2024/03/07 12:0 a.m.172 views

Pz-LinkCard < 2.5.3 - Contributor+ SSRF

Description The plugin does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks. Setup a listener on a localhost/LAN host such as nc -l 127.0.0.1 9000, then as a contributor, put the followi...

9.4AI score0.00263EPSS
Exploits2References1
wpexploit
wpexploit
added 2024/02/20 12:0 a.m.172 views

Innovs HR <= 1.0.3.4 - Employee Creation via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding them as employees. input type="hidden" name="maritalstatus" value="Single"...

6.8AI score0.00366EPSS
Exploits2
wpexploit
wpexploit
added 2024/01/19 12:0 a.m.172 views

GigPress <= 2.3.29 - Admin+ Stored Cross Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "GigPress Settings" 2. Enter...

5.7AI score0.00456EPSS
Exploits2
wpexploit
wpexploit
added 2023/12/29 12:0 a.m.172 views

WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR

Description The plugin does not properly check for authorisation, allowing authors to delete and update arbitrary avatar POC request: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: yoursite User-Agent: Mozilla/5.0 X11; Linux aarch64; rv:102.0 Gecko/20100101 Firefox/102.0 Accept:...

4.3CVSS9.6AI score0.00405EPSS
Exploits2References1
wpexploit
wpexploit
added 2023/11/21 12:0 a.m.172 views

WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF

Description The plugin does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution. 1. Ensure your WordPress...

8.8CVSS9.7AI score0.0055EPSS
Exploits2
wpexploit
wpexploit
added 2023/11/20 12:0 a.m.172 views

File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal

Description The plugin does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites...

6.5CVSS9.4AI score0.0085EPSS
Exploits2References1
wpexploit
wpexploit
added 2023/10/09 12:0 a.m.172 views

CITS Support svg, webp Media and TTF,OTF File Upload < 3.0 - Author+ Stored XSS via SVG

Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. As an author, upload an SVG with the payload: alert"xss"; View the SVG and see the XSS...

5.4CVSS5.4AI score0.0039EPSS
Exploits2
wpexploit
wpexploit
added 2023/08/30 12:0 a.m.172 views

Popup Builder < 4.2.0 - Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Note: The vendor was made aware of th...

4.8CVSS4.8AI score0.00379EPSS
Exploits2
wpexploit
wpexploit
added 2023/07/17 12:0 a.m.172 views

MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi

Description The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. Note WPScan: The issue was fixed in 1.14.13, however a better patch was done in 1.14.15 a...

8.8CVSS9AI score0.00693EPSS
Exploits2
wpexploit
wpexploit
added 2023/06/26 12:0 a.m.172 views

NEX-Forms < 8.4.4 - Authenticated Stored XSS

The plugin does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins in multisite / admins in single site can create forms, however there is a settings allowing them to give lower roles access to such feature. Create a new form with the...

5.4CVSS5.6AI score0.00317EPSS
Exploits1
wpexploit
wpexploit
added 2023/01/10 12:0 a.m.172 views

Event Manager and Tickets Selling Plugin for WooCommerce < 3.8.0 - Contributor+ Stored XSS

The plugin does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 1. Add an event in the plugin with a city meta as: " onmouseover="alert1" 2. On a n...

5.4CVSS0.3AI score0.00477EPSS
Exploits2
wpexploit
wpexploit
added 2022/11/10 12:0 a.m.172 views

WP OAuth Server < 3.4.2 - Client Secret Regeneration via CSRF

The plugin does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID Make a logged in admin open a page containing the HTML code below. This will regenerate the secret for the...

6.5CVSS1.5AI score0.00326EPSS
Exploits2
wpexploit
wpexploit
added 2022/08/01 12:0 a.m.172 views

Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download

The plugin is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher. As contributor, navigate to https://target/blog/wp-admin/post-new.php?posttype=lanadownload Inside "File URL:" input, fill the file you want to download, for...

6.5CVSS0.6AI score0.00911EPSS
Exploits2
Total number of security vulnerabilities4359