4359 matches found
E Unlocked - Student Result <= 1.0.4 - Arbitrary File Upload via CSRF
The plugin is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack function submitRequest var xhr = new XMLHttpRequest; xhr.open"POST",...
Chameleon CSS <= 1.2 - Subscriber+ SQL Injection
The plugin does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, removecss, also does not sanitise or escape the cssid POST parameter before using it in a SQL...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget
In the plugin, the image box widget includes/widgets/image-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript ...
Pricing Table by Supsystic < 1.8.9 - Authenticated SQL Injections
The GET parameter sidx and sord are used in a SQL statement without being sanitised when searching for pricing tables in the dashboard, leading to an authenticated SQL Injection issues...
WP Prayer <= 2.0.9 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make a logged in admin open a page containing: input type="hidden"...
SSL Zen <= 4.5.3 - Unauthenticated Private Keys Access
Description The plugin only relies on the use of .htaccess to prevent visitors from accessing the site's generated private keys, which allows an attacker to read them if the site runs on a server who doesn't support .htaccess files, like NGINX. Install the plugin on a server that doesn't support...
EventON (Free < 2.2.7, Premium < 4.5.5) - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to the EventON Lite settings an...
Voting Record <= 2.0 - Subscriber+ Stored XSS
Description The plugin is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks Have a subscriber open an HTML file containing the following: ' ' document.forms0.submit; See the XSS when logged in as an admin and...
Post SMTP < 2.8.7 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open the following URL:...
Quttera Web Malware Scanner < 3.4.2.1 - Admin+ Path Traversal
Description IThe plugin does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks 1 Go to http://yoursite/wordpress/wp-admin/admin.php?page=qutterawmscannerint 2 Click "Scan Now" 3 Click "Detected Threats" 4 Navigate to some Suspicio...
WP Simple Table Manager Plugin <= 1.5.6 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Click Simple Table Manager then...
USM Premium < 16.3 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Put the payload in any text field of the "8 Do y...
WP User Switch < 1.0.3 - Subscriber+ Authentication Bypass
The plugin does not properly verify the 'wpuswhoswitch' cookie value, which allows attackers with low-privilege accounts like Subscribers to bypass authentication and login as any other existing user. Log-in as a subscriber onto the affected site. Run the following JS script in your browser's...
Booking Manager < 2.0.29 - Subscriber+ SSRF
The plugin does not validate URLs input in it's admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the sites internal network. As an admin: Type in an internal URL for example...
NEX-Forms < 8.4 - Admin+ SQL Injection
The plugin does not properly escape the table parameter, which is populated with user input, before concatenating it to an SQL query. POST /wp-admin/admin-ajax.php HTTP/1.1 Deleted Headers action=nfupdaterecord&table=Injection Point&editId=1&plugin=shared&title=exploit%60&formfields=/Deleted...
Ultimate Carousel For WPBakery Page Builder <= 2.6 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The plugin author was made aware of this...
Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS
The plugin does not sanitise and escape the edit parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrators. Make a logged in admin open the following URL:...
ConvertKit < 2.0.5 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins. Exploit:...
Multiple Plugins from Viszt Peter - Multiple CSRF
The plugins are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license With the woo-billingo-plus plugin installed, make a logged in user with the editshoporders capabilit...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Text Block
The plugin does not sanitise and escape its Text Block fields, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks Create a post using the plugin editor, add a Text Block and put the following payload in its content: The XSS will be triggered when...
Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing
The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes. curl https://example.com/wp-content/uploads/wpjobboard Search for this path / folder in search engines to find...
WP Sentry <= 1.0 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well ' " document.getElementById"test".submit; "...
Shiny Buttons <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not have any authorisation and CSRF in place when saving a template wpbtnsavetemplate function hooked to the init action, nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored...
SpiderCatalog <= 1.7.3 - Admin+ SQL Injection
The plugin does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category https://plugins.trac.wordpress.org/browser/catalog/trunk/Categories.phpL320 POST...
Booster for WooCommerce < 5.4.4 - Authentication Bypass
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the processemailverification function due to a random token generation weakness in the resetandmailactivationlink function found in the...
Sendit WP Newsletter <= 2.5.1 - Authenticated (admin+) SQL Injection
The page lists-management feature of the plugin, available to Administrator users does not sanitise, validate or escape the idlista POST parameter before using it in SQL statement, therefore leading to Blind SQL Injection. time curl -i -s -k -X $'POST' \ -H $'Upgrade-Insecure-Requests: 1' -H...
Muslim Prayer Time BD <= 2.4 - Settings Reset via CSRF
Description The plugin does not have CSRF check in place when reseting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack Make a logged in admin open an HTML file containing:...
Popup4Phone <= 1.3.2 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Popup4Phone Settings Form" ...
WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update
Description The plugin does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site. Log in as a subscriber, and paste any of the following fetch call in your...
WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints
Description The plugin does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users. The following actions may be taken by a Contributor user: --- /wmllogs - Information leak Execute the followi...
Welcart e-Commerce < 2.9.5 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below:...
tagDiv Composer < 4.0 - Reflected Cross-site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page containing the HTML code below...
Popup Manager <= 1.6.6 - Unauthenticated Arbitrary Popup Deletion
The plugin does not have authorisation and CSRF checks when deleting popups, which could allow unauthenticated users to delete them As an unauthenticated users, or via CSRF: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded', ...
WooCommerce Shipping - DPD baltic < 1.2.57 - Subscriber+ Arbitrary Options Deletion
The plugin does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable. Run the below command in the developer console of the web browser while being on the...
Download Manager < 3.2.50 - Bypass IP Address Blocking Restriction
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based download blocking restrictions. When downloading a file, add an X-Forwarded-For header that contains a random IP address to your request...
Workreap < 2.2.2 - Missing Authorization Checks in Ajax Actions
The theme had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site. log in as arbitrary freelancer...
ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation
The user profile update functionality of the plugin allowed arbitrary user meta to be supplied, including wpcapabilities, during a profile update which made it possible for users to escalate their privileges to that of an an administrator. 'Hax0r3', 'regemail' = '[email protected]', 'regpassword'...
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
The plugin was affected by an IDOR issue, allowing users with the uploadimage capability by default author and above to change and delete the profile pictures of other users including those with higher roles. Use a proxy such as Burp Suite to capture the request made when change your own profile...
Side Menu < 3.1.5 - Authenticated (admin+) SQL Injection
The menu delete functionality of the plugin, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue GET...
Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the clientsecret key needed to...
Quiz And Survey Master < 9.0.2 - Contributor+ SQLi
Description The plugin is vulnerable does not validate and escape the questionid parameter in the qsmbulkdeletequestionfromdatabase AJAX action, leading to a SQL injection exploitable by Contributors and above role 1 You will need a valid nonce for deletion of quiz questions. 2 Sign in as a...
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Form Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Click SendPress which is available ...
Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
Description The plugin does not prevent unauthenticated visitors from running code on vulnerable sites. Run the following JS on any site using the theme: await fetch"/wp-json/bricks/v1/renderelement", "credentials": "include", "headers": "Content-Type": "application/json" , "body":...
Custom User CSS <= 0.2 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Create an HTML form with the following content and make a logged in admin open it document.forms0.submit;...
WP SEO Press < 7.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=seopress-titles. 2. Input...
Estatik Real Estate Plugin < 4.1.1 - Subscriber+ Arbitrary Option Update
Description The plugin does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset Run the below command in the developer console of the web browser while...
WP Meta and Date Remover < 2.2.0 - Subscriber+ Stored XSS
Description The plugin provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site...
Forminator < 1.24.4 - Reflected XSS
The plugin does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. 1. Create a "Contact Us" form from the plugin presets 2. Click on the Message field, go to the "Settings" tab and choose a nam...
Simple Iframe < 1.2.0 - Contributor+ Stored XSS
The plugin does not properly validate one of its WordPress block attribute's content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks. POST /wp-json/wp/v2/posts/60?locale=user HTTP/1.1 Host: 127.0.0.1 Content-Length: 378 sec-ch-ua:...
Multiple plugins by vcita - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and the email field in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts in the plugin settings page, which could target high privilege users such as administrators...