4359 matches found
AP Mega Menu < 3.0.8 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=wpmm-add-theme&wpnonce="...
RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings before saving and outputing them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed. Vulnerable parameters: &ytnetw=, &ytnetwspan=, &ytfeedbacknetw=...
Quiz And Survey Master < 9.0.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Go to to Quizzes & Surveys 2. Add/edit a...
PostX < 4.1.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below code in a...
Sailthru Triggermail <= 1.1 - Reflected XSS
Description The plugin does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open: alert23' /...
WP Prayer <= 2.0.9 - Email Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make a logged in admin open an HTML file containing:...
Ungallery <= 2.2.4 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing the following: /" alert2' Save Changes...
Smart Forms < 2.6.87 - Subscriber+ Arbitrary Entry Deletion
Description The plugin does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged ...
WP Customer Area < 8.2.1 - Subscriber+ Account Address Update
Description The plugin does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address. You may get the nonce from your save address form fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Virtual Event Password Disclosure
Description The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set for example for Zoom curl -X POST --data "eid=240"...
WP Staging (Free < 3.1.3, Pro < 5.1.3) - Unauthenticated Backup Download
Description The plugin does not prevent visitors from leaking key information about ongoing backups processes, allowing unauthenticated attackers to download said backups later. The plugin creates temporary cache files when backing up sites, which are publicly accessible to anyone. Said cache fil...
ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Content Disclosure
Description The plugin does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the content of arbitrary post such as draft and private via an IDOR vector. Password protected posts are not affected by...
NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete
Description The plugin is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the galleryedit function, allowing an attacker to access arbitrary resources on the server. 1. Create a Gallery called "My Gallery" and note its ID. 2. Run the following code in...
WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF
The plugin has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged in admins email pre-orders customer, change the released date, mark all pre-orders of a specific product as complete or cancel via CSRF attacks Make a logged in admin open an HTML page...
HTTP Headers < 1.18.11 - Admin+ Remote Code Execution
This plugin allows arbitrary data to be written to arbitrary files, leading to a Remote Code Execution vulnerability. --- " and Password as any value. 4. Navigate to Settings HTTP Headers Advanced settings and set the "Location of .hh-htpasswd" field to its previous value this is only required on...
CodeColorer < 0.10.1 – Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the plugin's settings, add the payload "aler...
Catalyst Connect Zoho CRM Client Portal < 2.1.0 - Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin. Make a logged-in admin a page with the code below: Note: Make sure in Client Portal the company...
Membership Database <= 1.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
Popup Builder by OptinMonster < 2.12.2 - Subscriber+ Arbitrary Post Content Disclosure
The plugin does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected ones. Run one of the below commands in the developer...
WooCommerce Checkout Field Manager < 18.0 - Unauthenticated Arbitrary File Upload
The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server 1. Install and activate woocommerce dependency, no setup required 2. Install and active the vulnerable plugin n-media-woocommerce-checkout-fields 17.2...
WP Memory < 2.46 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org Run the below command in the developer console of the web browser while being on the blog as a...
WP phpMyAdmin < 5.2.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "phpMyAdmin on hosting" settings...
Events Made Easy < 2.2.81 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection Obtain a valid nonce visit the "Events" page, default is /events/, and extract it from the source while looking for...
Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Create/edit a calendar, and put the following payload in the "Additional CSS Class" settings of a...
StaffList < 3.1.5 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection https://example.com/wp-admin/admin.php?page=stafflist&search=test%'+AND+SELECT+42+FROM+SELECTSLEEP5b+AND+'aa%'='aa...
Donorbox < 7.1.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed Put the following payload in the Campaign URL settings of the plugin: "...
Cab fare calculator < 1.0.4 - Unauthenticated LFI
The plugin does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues. Despite what the original advisory claims, the issue is not exploitable by accessing the file directly as a fatal error is triggered before the vulnerable...
Google Pagespeed Insights < 4.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting...
Video Posts Webcam Recorder < 3.2.4 - Authenticated Reflected XSS
The plugin has an authenticated reflected cross site scripting XSS vulnerability in one of the administrative functions for handling deletion of videos. .../wp-content/plugins/video-posts-webcam-recorder/posts/videowhisper/recordedvideos.php?delete=%3Cscript%3Ealert1%3C/script%3E...
FAQ Builder < 1.3.6 - Authenticated Blind SQL Injections
The getfaqs function in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL...
Newsletter by Supsystic <= 1.5.6 - Authenticated SQL Injection
The GET parameter "sidx" is used in a SQL statement without being sanitised when searching for subscribers in the dashboard, leading to an authenticated SQL Injection issue. The PoC will be displayed once the issue has been remediated...
Business Card <= 1.0.0 - Category Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting card categories via CSRF attacks Make a logged in admin open an HTML document containing:...
WP Staging (Free < 3.4.0, Pro < 5.4.0) - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "WP Staging Backup & Migratio...
WP User Profile Avatar <= 1.0.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Enter the following shortcode in...
Enjoy Social Feed <= 6.2.2 - Unauthenticated Arbitrary Instagram Account Unlinking
Description The plugin does not have authorisation and CSRF in various function hooked to admininit, allowing unauthenticated users to call them and unlink arbitrary users Instagram Account for example As unauthenticated, open the following URL to unlink the Instagram account of the user with ID ...
User Activity Tracking and Log < 4.1.4 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. 1. Add X-Forwarded-For: 11.11.11.11 to any request which will be in activity log. For example in creation of new post. 2. View the activity log and see that the...
Ultimate Maps by Supsystic < 1.2.16 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Go to the Marker Categories settings of the plugin...
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Remote Code Execution via CSRF
Description The plugin does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution. Submit the following form as a Super Admin notice that it does not contain a nonce. Despite the error,...
Multiple Plugins from ServMask - Unauthenticated Access Token Update
Description The plugins do not have authorisation in the init function hooked to the admininit action, allowing unauthenticated attackers to update the access token With the All-in-One WP Migration Box Extension installed, open the below URL as unauthenticated:...
Appointment booking addon for Gravity Forms < 1.10.0 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin 1. Create a "Service" and a "Provider" under the "gAppointments" sidebar menu. 2. Create a new form within Gravity...
User Activity Log < 1.6.3 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the txtsearch parameter before using it in a SQL statement in some admin pages, leading to a SQL injection exploitable by high privilege users such as admin. As an admin, visit either of the following URL's. Note that it takes several seconds for t...
Ad Inserter < 2.7.27 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitra...
Ultimate Carousel For Elementor <= 2.1.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The plugin author was made aware of this vulnerability...
Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access in Maintenance Mode
The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them Run the below command in the developer console of the web browser while being on the blog as unauthenticated, when maintenance mode is...
Vision Interactive For WordPress < 1.5.4 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Create a new vision item with whatever role, even if it's an Administrator 2. Connect...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the wpuserid GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. Exploit 1: The...
Image Hover Effects < 5.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Go to the plugin settings Image Hover Effects Ima...
Directorist < 7.4.2.2 - Subscriber+ Arbitrary User Password Update via IDOR
The plugin suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own. The following Python script automates the exploitation of this vulnerability. The script was tested on an installation of WordPress 6.1 with the vulnerable...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape numerous parameters before outputting them back in admin pages via various AJAX actions, leading to Reflected Cross-Site Scripting With SitePress active, and with more than 1 active language: ' 6458 being a valid Product ID productid' value="6458"/ 16 being...
Fast Flow < 1.2.13 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Create/edit a dashboard with an HTML widget...