4359 matches found
ExactMetrics < 7.12.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, add a "Popular Posts" block and put...
Anti-Malware Security and Brute-Force Firewall < 4.21.86 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. 1. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in SQL statements via AJAX actions available to unauthenticated users, leading to SQL Injections order and columns parameters are affected curl 'https://example.com/wp-admin/admin-ajax.php' --data...
AceIDE <= 2.6.2 - Authenticated (admin+) Arbitrary File Access
The plugin does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory...
Ultimate Maps by Supsystic < 1.1.17 - Authenticated SQL Injections
The GET parameters sidx and sord were used in a SQL statement without being sanitised when searching for maps in the dashboard, leading to an authenticated SQL Injection issues...
Digital Publications by Supsystic <= 1.6.11 - Authenticated Stored Cross-Site Scripting (XSS)
When creating or editing a publication, all values such as Area Width, Publication Width are vulnerable to stored XSS. It is possible to store code in all input fields as the code does not sanitize any user input. v1.6.11 attempted to fix the issue by using sanitizetextfield, however the output i...
WordPress Jitsi Shortcode <= 0.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to:...
Top Bar < 3.0.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Top Bar" in WP Admin 2. Save...
EventON (Free < 2.2.8, Premium < 4.5.5) - Reflected XSS
Description The plugins do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
ArtPlacer Widget < 2.20.7 - Editor+ SQLi
Description The plugin does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above. Note: Due to the lack of CSRF check, the issue could also be exploited via a CSRF against a logged editor or above As an editor, open...
WP-UserOnline < 2.88.3 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks. curl https://example.com -H 'X-Forwarded-For: ' Then, as a high-privileged user, visit...
Enable SVG, WebP & ICO Upload <= 1.0.3 - Author+ Stored XSS
The plugin does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability. 1. Upload an SVG file with the following contents. 2. View the SVG file on the frontend and see the alerts. alert/XSS2/...
All In One Redirection < 2.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape multiple parameters before using them in an SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. When adding a redirection, sourceurlinsert is vulnerable with the payload: sourceurlinsert...
Contact Form by WD <= 1.13.23 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 1. When editing a form, go to "Settings MySQL Mapping". 2. Click "Add a Query" 3. When mapping the form to the database in...
Forminator < 1.24.1 - Unauthenticated Race Condition on poll vote
The plugin does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll. 1. Create a poll and publish a page with a poll. 2. Visit the page with the poll. ...
WooCommerce Box Office < 1.1.52 - Unauthenticated Ticket Barcode Update
The plugin does not have authorisation and CSRF when updating a ticket bar-code, allowing unauthenticated users to perform such action curl https://example.com/wp-admin/admin-ajax.php -d "action=saveticketbarcode&ticketbarcodeimage=xxx&ticketbarcodetext=xxxxx&ticketid=86"...
Get Your Number <= 1.1.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the plugin's settings, enter the payload...
RapidExpCart <= 1.0 - Stored XSS via CSRF
The plugin does not sanitize and escape the url parameter in the rapidexpcart endpoint before storing it and outputting it back in the page, leading to a Stored Cross-Site Scripting vulnerability which could be used against high-privilege users such as admin, furthermore lack of csrf protection...
ChatBot < 4.4.5 - Stored XSS via CSRF
The plugin does not escape most of its settings before outputting them back in the dashboard, and does not have a proper CSRF check, allowing attackers to make a logged in admin set XSS payloads in them. Note: v4.4.5 fixed the CSRF issue, the lack of escaping was fixed in 4.5.1 and a separate iss...
Conditional Payment Methods for WooCommerce <= 1.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin|users with a role as low as admin...
ImageMagick-Engine < 1.7.6 - Command Injection via CSRF
The plugin is missing CSRF checks in multiple actions, which could allow attackers to make a logged in admin perform unwanted actions. In this case, it could lead to RCE via Command Injection https://example.com/wp-admin/admin-ajax.php?action=imetestimpath&clipath=payload...
Mihdan: No External Links < 5.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the text field...
Enfold Theme < 4.8.4 - Reflected Cross-Site Scripting (XSS)
The Enfold theme was vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder. The issue appears when pagination comes in place while navigating on a WordPress site with Enfold theme active. When that occurs,...
SEO Backlinks <= 4.0.1 - CSRF to Stored XSS
The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the locconfig function found in the /seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1. CSRF PoC alert1" / alert1" / function csrfSubmit let submit...
SEOPress < 7.8 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. As a contributor, create a new Post, at the bottom of the page put the following payload in the "SEO Title" fie...
ArForms < 6.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add or edit an existing form and in...
Swift Framework < 2024.0.0 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1...
HL Twitter <= 2014.1.18 - Unlink Twitter Account via CSRF
Description The plugin does not have CSRF check when unlinking twitter accounts, which could allow attackers to make logged in admins perform such actions via a CSRF attack Make an admin open an HTML file containing: The Twitter connection will be removed API tokens reset to ''...
Woostify Sites Library < 1.4.8 - Subscriber+ Arbitrary Options Update to DoS
Description The plugin does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to 'activated' which could lead to DoS when using a specific option name Login as subscriber, open...
Estatik Real Estate Plugin < 4.1.1 - Unauthenticated PHP Object Injection
Description The plugin unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup :...
WP Crowdfunding < 2.1.10 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Affected settings: - Crowdfunding...
easy.jobs < 2.4.7 - Subscriber+ Arbitrary Settings Update
Description The plugin does not properly secure some of its AJAX actions, allowing any logged-in users to modify its settings. fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "multipart/form-data; boundary=----WebKitFormBoundaryvEIqF0bdJXlPN58D", , "body":...
Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update
Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Denial of Service attacks. 1. login, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2. run the following in...
SmartCrawl WordPress SEO checker < 3.8.3 - Unauthenticated Password Protected Post Disclosure
Description The plugin does not prevent unauthorised users from accessing password-protected posts' content. As unauthenticated, view the source via the web browser of any password protected post and find The content of the post will be disclosed in the meta and script tags after this, example:...
WP Matterport Shortcode < 2.1.8 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the...
WordPress File Upload < 4.23.3 - Author+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as authors to perform Stored Cross-Site Scripting attacks. 1. Add the following shortcode to a post: wordpressfileupload redirect="true" redirectlink="javascript:alert1" 2. Upload...
Ultimate Addons for Contact Form 7 < 3.1.29 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 1. Ensure Contact Form 7 is installed, along with this plugin 2. Visit Contact Ultimat...
TinyMCE Custom Styles < 1.1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to "Settings" » "TinyMCE Custom Styles"...
Social Media Share Buttons & Social Sharing Icons < 2.8.2 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Put the payload in any text field of the "8 Do y...
Ko-fi Button < 1.3.3 - Admin+ Stored XSS
The plugin does not properly some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disallowed for example in multisite setup, and we consider it a low risk. 1. In the Kofi plugin settings, change...
Bit Form < 1.9 - RCE via Unauthenticated Arbitrary File Upload
The plugin does not validate the file types uploaded via it's file upload form field, allowing unauthenticated users to upload arbitrary files types such as PHP or HTML files to the server, leading to Remote Code Execution. As an unauthenticated user access a form containing a File Upload form...
WP Plugin Manager < 1.1.8 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Tutor LMS < 2.0.9 - Reflected Cross-Site Scripting
The plugin does not escape an URL before outputting it back in an attribute, leading to Reflected Cross-Site Scripting The issue was initially fixed in 1.9.13 but re-introduced in 2.0.0 https://example.com/wp-admin/post.php?post=1369&action=edit&settingstab=general&a'alert/XSS/...
Fluent Support < 1.5.8 - Admin+ SQLi
The plugin does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection vulnerability exploitable by high privilege users With at least one support ticket in the system:...
mTouch Quiz <= 3.1.3 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the delimiter...
Add Post URL <= 2.1.0 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping " document.getElementById"test".submit; XSS will be...
ToTop Link <= 1.7.1 - Unauthenticated PHP Object Injection
The plugin passes base64 encoded user input to the unserialize PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain. https://example.com/wp-content/plugins/totop-link/trunk/totop-link.css.php?vars=base64encodedpayload...
Floating Chat Widget < 3.2.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go "Chaty Create New Widgets 3...
Business Card <= 1.0.0 - Card Edit via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing cards via CSRF attacks Make a logged in admin open an HTML document containing where is a valid ID: " method="post"...
WP Plugin Lister <= 2.1.0 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. Make an admin open an HTML page containing the following code: ' ' document.forms0.submit...