4359 matches found
Download Manager < 3.2.44 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/edit.php?posttype=wpdmpro&page=wpdm-stats&type=history&userids=1&"alert/XSS/...
404s < 3.5.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape its fields, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a new 404 via the plugin and put the following payload in the "Please enter the 40...
Call Now Button < 1.1.2 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting when the premium is enabled With premium enabled: http://example.com/wp-admin/admin.php?page=call-now-button&bid=xxxxx" accesskey=X onclick=alert/XSS/...
Bookster <= 1.1.0 - Unauthenticated Appointment Status Update
Description The plugin allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment the request body to change its status from pending to approved. 1. Open the Wordpress where the plugin is installed with default...
CSSable Countdown <= 1.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Simple Ajax Chat < 20240412 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup This was partially fixed in 0240216 bu...
Site Reviews < 7.0.0 - IP Spoofing
Description The plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass IP-based blocking Request sent to the server to add review: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8888...
Newsletter Popup <= 1.2 - Subscriber Deletion via CSRF
Description The plugin does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack Make an admin open a link where is a valid user:...
Fancy Product Designer < 6.1.81 - Admin+ Cross Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to:...
Counter Box < 1.2.4 - Counter Deletion via CSRF
Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks Make a logged in admin open an HTML file where ID is a valid ID: action...
Tickera < 3.5.2.5 - Ticket leakage through IDOR
Description The plugin does not prevent users from leaking other users' tickets. After a user has bought a ticket, an example of a ticket would look like https://www.website.com/?downloadticket=1&orderkey=1234567890&downloadticketnonce=ab903b7c71, but due to missing validation, the URL can be...
WooCommerce Customers Manager < 29.7 - Subscriber+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role. Note: v29.5 added authorisation, however the injection was not fixed and still exploitable by users with the managewoocommerce...
Shortcodes Ultimate < 7.0.5 - Contributor+ Stored XSS
Description The plugin does not properly escape some of its shortcodes attributes before they are echoed back to users, making it possible for users with the contributor role to conduct Stored XSS attacks. sunote notecolor='123"onmouseover="alert/XSS/"' textcolor='1' radius='1' class='1' id="1"No...
Scalable Vector Graphics (SVG) <= 3.4 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to see the XSS...
WP All Import < 3.7.3 - Admin+ Arbitrary File Upload to RCE
Description The plugin accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type. This may allows high privilege users such as administrator to upload an executable file type leading to remote code...
Product Enquiry for WooCommerce < 3.1 - Arbitrary Enquiry Deletion via CSRF
Description The plugin does not have a CSRF check in place when deleting inquiries, which could allow attackers to make a logged in admin delete them via a CSRF attack 1. Make an enquiry from the frontend form 2. Go to "Woo Quote Popup Enquiry List" 3. Get the ID of an item 4. Add the ID to the...
Debug Log Manager < 2.3.0 - Sensitive Logs Exposure
Description The plugin contains a Directory listing vulnerability was discovered, which allows you to download the debug log without authorization and gain access to sensitive data https://yoursite/wordpress/wp-content/uploads/debug-log-manager/...
WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE
Description The plugin does not validate and sanitise the wpquery parameter which allows an attacker to run arbitrary command on the remote server 1. Go to "All Export" "New Export" 2. Select "WP Query Results" as the export type 3. Enter the payload phpinfo for the query. 4. Click customize and...
Simple Social Buttons < 5.1.1 - Unauthenticated Password Protected Post Access
Description The plugin leaks password-protected post content to unauthenticated visitors in some meta tags As unauthenticated, view the source of any password-protected post and see that the content of the post is disclosed in the og:description and twitter:description meta tags...
myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion
Description The plugin does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions. 1. Visit myStickymenu + Create new Welcome Bar. Ensure "Collect leads" is enabled, enable the toggle at the top, and Save. 2. In a logged-out window, fill the lead form in the...
Ninja Forms < 3.6.34 - Admin+ Stored XSS
Description The plugin does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfilteredhtml capability can perform this, and such users are already allowed to use JS in posts/comments etc however the...
NextGEN Gallery < 3.39 - Admin+ Local File Inclusion
Description The plugin does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks 1. Create a gallery and upload an image. 2. Add the NextGEN Gallery block to a page and click Edit. Select the Gallery creat...
DoLogin Security < 3.7 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form. 1. Put javascript payload on html.cafe. const url = 'https://s…t/wp-admin/user-new.php'; fetchurl...
Orders Tracking for WooCommerce < 1.2.6 - Admin+ Arbitrary File Access/Read
Description The plugin doesn't validate the fileurl parameter when importing a CSV file, allowing high privilege users with the managewoocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file. As an...
Bit Assist < 1.1.9 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the plugin's settings, click on...
WP Brutal AI < 2.06 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. In the plugin settings, for a campaig...
Greeklish-permalink <= 3.3 - Unauthenticated Post Slug Update
The plugin does not implement correct authorization or nonce checks in the cyrtransajaxold AJAX action, allowing unauthenticated and low-privilege users to trigger the plugin's functionality to change Post slugs either directly or through CSRF. 1. Create a post with the name "Νέα ανάρτηση". 2...
Responsive CSS EDITOR <= 1.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin. 1. Send a request with the payload:...
Groundhogg Contacts < 2.7.9.4 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins 1. Login as a WordPress administrator or any of the custom roles from GroundHogg 2. Navigate to the URL:...
Checkout for PayPal < 1.0.14 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, put the following shortcode in a page/post checkoutforpaypal...
OWM Weather < 5.6.9 - Contributor+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as contributor Logon as contributor and open the below URL, which will result in a delayed response If the "could not find original...
JivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF
The plugin does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript. XSS will be triggered when...
WP Admin Logo Changer <= 1.0 - Plugin's Settings Update via CSRF
The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack. csrf.submit...
Securimage-WP-Fixed <= 3.5.4 - Reflected Cross-Site Scripting (XSS)
The plugin is affected by a Reflected Cross-Site Scripting issue due to the use of $SERVER'PHPSELF' in the /securimage-wp.php file which allows attackers to inject arbitrary web scripts https://example.com/wp-admin/options-general.php/"alert/XSS//script%3E?page=securimage-wp-options%2F...
Block and Stop Bad Bots < 6.60 - Authenticated SQL Injections
The plugin did not validate or escape the order and orderby GET parameter in some of its admin dashboard pages, leading to Authenticated SQL Injections...
Video Embed <= 1.0 - Authenticated (subscriber+) SQL Injection
The id GET parameter of one of the plugin's page available via forced browsing is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection. Note: The URL /wp-admin/admin.php?page=edit-video-embed&id=1 is...
Responsive video embed < 0.5.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, create a post...
Search & Replace < 3.2.2 - Admin+ SQL injection
Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks such as within a multi-site network. 1. Go to the Tools parameter 2. Select Search & Replace 3. Click "Do Search & Replace" 4. Change the parameters...
Marketing Twitter Bot <= 1.11 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Have an admin open an HTML page containing the following: ' document.forms0.submit;...
Getwid < 2.0.3 - Unauthenticated Arbitrary Email Sending to Admin
Description Any unauthenticated user may send e-mail from the site with any title or content to the admin fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=getwidsendmail", "headers": "content-type": "application/x-www-form-urlencoded", , "body": "datasubject=Urgent WordPress update neee...
Job Manager & Career < 1.4.4 - Directory listing to Sensitive Data Exposure
Description The plugin contains a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of...
Robo Gallery < 3.2.16 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to:...
Multiple Plugins - Cross-Site Scripting From Third-party Library
The plugins use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability. WP-Optimize - Reflected Cross-Site Scripting 1. Go to the plugin settings and in the "Images" section check the box "Create WebP version of image". 2. Visit th...
HTTP Headers < 1.18.8 - Admin+ SQL Injection
This plugin has an import functionality which executes arbitrary SQL on the server, leading to an SQL Injection vulnerability. 1. Create an SQL file with the following contents: UPDATE wpoptions SET optionvalue = "Hacked" WHERE optionname = "blogname" 2. As an admin user within WP Admin, navigate...
Side Cart Woocommerce < 2.2 - Settings Reset via CSRF
The plugin does not have CSRF check when reseting its Settings, which could allow attackers to make logged in admins perform such action via a CSRF attack Make a logged in admin open https://example.com/wp-admin/admin.php?page=side-cart-woocommerce-settings&reset=yes...
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
The plugin passes base64 encoded user input to the unserialize PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain To simulate a gadget chain, put the following code in a plugin class Evil...
Simple Basic Contact Form < 20221201 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to "Settings » Contact Form » Plugin Option...
Better Click to Tweet < 5.10.4 - Settings Update via CSRF
The plugin lacks CSRF protection when updating the bctt-twitter-handle option, allowing an attacker to change the plugin settings by tricking a logged in admin to submit a form. curl -b .cookies -d bctt-twitter=$NEWHANDLE 'https://example.com/wp-admin/?page=bctt-welcome&step=welcome'...
StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org Run the below command in the developer console of the web browser while being on the blog as a...
Automations By Autonami < 2.1.2 - Subscriber+ Automation Creation
The plugin does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations var data = new FormData data.append'file',new...