4359 matches found
Easy SVG Allow <= 1.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to trigger the XSS...
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs/send_mail endpoint
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor. Run the following within any page on the site. Notice that the request is delayed by the SLEEP call in th...
so-widgets-bundle < 1.51.0 - Admin+ Local File Inclusion
Description The plugin does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites. 1. Create a multi-site wordpress setup, i.e. using docker-containers,...
Mmm Simple File List <= 2.3 - Subscriber+ Arbitrary Directory Listing
Description The plugin does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories. Run the below command in the developer console of the web browser while being on the blog as a subscriber user...
Photos and Files Contest Gallery – Contact Form < 21.2.8.1 - Unauthenticated Stored XSS via HTTP Headers
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers. 1. Use a proxy such as BurpSuite to add the following header to all requests: X-Forwarded-For: 11.11.11.11 2. Create a gallery...
Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution
Description The plugin is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mlastreamfile' parameter from the /includes/mla-stream-image.php file, where images are processe...
ND Shortcodes < 7.0 - Subscriber+ LFI
The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks Run the below command in the developer console of the web browser while being on the blog as a...
CF7 Google Sheets Connector (Free < 5.0.2, Pro < 2.3.7) - Reflected XSS
The plugins do not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below cf7-google-sheets-connector -...
ChatBot < 4.4.7 - Unauthenticated PHP Object Injection
The plugin unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog To simulate a gadget chain, put the following code in a plugin: class Evil public function...
Woody Code Snippets < 2.4.6 - Reflected Cross-Site Scripting
The plugin does not escape a generated URLs before outputting them back in an attribute, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/edit.php?posttype=wbcr-snippets&page=import-wbcrinsertphp&a"alert/XSS/...
All In One WP Security < 4.4.11 - Authenticated Arbitrary Redirect / Reflected XSS
The plugin does not validate, sanitise and escape the redirectto parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of...
TranslatePress < 2.0.9 - Authenticated Stored Cross-Site Scripting
The plugin does not implement a proper sanitisation on the translated strings. The 'trpsanitizestring' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues. As admin...
Widget Bundle <= 2.0.0 - Unauthencated Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users On a site with the User Login/Registration widget active, have an unauthenticated user send a...
Logo Slider < 4.0.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Using a contributor account, add a Logo Slider using the Shortco...
FS Product Inquiry <= 1.1.1 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some form submissions, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks 1. Add an inquiry form using the shortcode fspi-show-products-list 2. As a non-logged in visitor, enter the payload "...
Pet Manager <= 1.4 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 1. Add a pet and publish the listing 2. View the pet on the frontend of the site and ge...
WP Chat App < 3.6.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=ntawhatsappfloatingwidge...
WPB Show Core < 2.6 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Hubbub Lite < 1.32.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup As admin, enable the 'Floating Sidebar...
PageLayer < 1.8.0 - Author+ Stored XSS
Description The plugin doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfilteredhtml is disallowed, such as in multi-site WordPress configurations. - As a user with Author+ capabilities, create a new pos...
rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Subscriber+ RCE
Description The plugin does not validate files to be uploaded, which could allow attackers with a low-privilege account e.g. subscribers to upload arbitrary files such as PHP on the server If plugin JSON API is enabled, any logged-in user may execute arbitrary code by uploading a PHP file. After...
Filr – Secure document library < 1.2.3.6 - Author+ RCE via file upload with phar ext
Description The plugin is vulnerable from an RCE Remote Code Execution vulnerability, which allows the operating system to execute commands and fully compromise the server on behalf of a user with Author-level privileges. 1 Go to main dashboard of plugin...
WP Post Popup <= 3.7.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its inputs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Enter the following payload in the Close...
Bookly < 22.4 - Admin+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin Go to Bookly Settings Logs Do a search and intercept the request The parameter columns%5B0%5D%5Bdata%5D with...
Activity Log < 2.8.8 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. Run the following code in the web browser and note on the backend that the IP address has been faked...
User Activity Log < 1.6.7 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. 1. In User Activity Log Settings, enable the setting "Allow Ip Address of users to log." and save...
Multiple plugins by vcita - CSRF to Stored XSS in settings page
The plugin does not protect the live-site-parse-vcita-callback settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a logged in user with contributor role or higher to click a link...
WP Shamsi <= 4.3.3 - Subscriber+ Attachment Deletion
The plugin has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. Exploit 1 attachment id delete: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded...
ResponsiveVoice Text To Speech < 1.7.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. responsivevoicebutton voice='"; alert1; "'...
Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure
The plugin does not prevent users with low privileges like subscribers from accessing sensitive system information. fetch'http://wpscan.local/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded', , body: 'action=sendsysteminfo',...
Unyson < 2.7.27 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=fw-extensions&sub-page=extension&extension=feedbackalert/XSS/...
WP Statistics < 13.2.2 - Reflected Cross-Site Scripting
The plugin does not sanitise the REQUESTURI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting XSS in web browsers which do not encode characters GET /wp-admin/admin.php?page=wpssettingspage&a=confirm/XSS/ HTTP/1.1 Accept:...
Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal
The plugin does not have capability and CSRF checks in the tawktosetwidget and tawktoremovewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users including simple subscribers to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-i...
M-vSlider <= 2.1.3 - Authenticated (admin+) SQL Injection
The update functionality in the rsliderpage uses an rsid POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users having Administrator role. POST /wp-admin/admin.php?page=rsliderpage&updated=true HTTP/1.1 Host:...
Project Status <= 1.6 - Reflected Cross-Site Scripting (XSS)
The pspinduplicatepostsaveasnewpost function of the plugin does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue Open the below URL as any authenticated user...
GTranslate < 2.8.65 - Reflected Cross-Site Scripting (XSS)
In the Pro and Enterprise versions of GTranslate alert123;...
Simple Photoswipe <= 0.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1 As admin, go to plugin settings...
WP eMember < 10.3.9 - Reflected XSS
Description The plugin does not sanitize and escape the "fieldId" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. https://www.example.com/wp-admin/admin-ajax.php?fieldId=alertdocument.cookie&action=checkname...
Button contact VR <= 4.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Click on the "Button contact" and chan...
EazyDocs < 2.4.0 - Subscriber+ Arbitrary Posts Deletion and Document Management
Description The plugin re-introduced CVE-2023-6029 https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/ in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9....
Vrm 360 3D Model Viewer <= 1.2.1 - Full Path Disclosure
Description The plugin exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode. 1. Create a page 2. Place the shortcode vrm360 canvasname=s1 modelurl=SACharacter.zip aspectratio=1.8 initialoffset=0.9 on the page SACharacter.zip should be a non-existent...
Bubble Menu < 3.0.5 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. 1. Click on the "Add new" tab. 2...
Integration for Contact Form 7 and Zoho CRM, Bigin < 1.2.4 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 1. Send a GET request with...
Tiempo.com <= 0.1.2 - Reflected XSS
The plugin does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below ' /...
Waiting: One-click Countdowns <= 0.6.2 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the pbcdownmetaid parameter before using it in a SQL statement via the pbcsavedowns AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber Run the below command in the developer console of the web browser...
Ivory Search < 5.4.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting When the plugin displays the usage notice: https://example.com/wp-admin/plugins.php?"alert/XSS/...
PDF24 Article To PDF <= 4.2.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack input t...
Post Grid, Slider & Carousel Ultimate < 1.5.0 - Admin+ Stored XSS
The plugin does not sanitise and escape the Header Title, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create a new Grid/Caroussel, in the General Settings, enable "Display Header Title" and put the following...
External Links in New Window / New Tab < 1.43 - Tabnabbing
The plugin does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur. Create an external link, check window.opener in the newly opened tab after clicking the external link...
AP Mega Menu < 3.0.8 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=wpmm-add-theme&wpnonce="...