4359 matches found
th23 Social <= 1.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the plugin's settings...
Jannah < 5.4.4 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the options JSON parameter in its tiegetuserweather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting XSS vulnerability. via GET:...
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
The runaction function of the plugin deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution. Step 1: Use the nonce...
Similarity <= 3.0 - Plugin Reset via CSRF
Description The plugin does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack Make a logged in admin open an HTML file containing:...
Add Custom CSS and JS <= 1.20 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in as author and above add Stored XSS payloads via a CSRF attack Make an author or above role open the following HTML: alert"frontendjs"' /...
Salon booking system < 9.6.3 - Unauthenticated Stored XSS
Description The plugin does not properly sanitize and escape the 'Mobile Phone' field and 'smsprefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious...
My Calendar < 3.4.24 - Authenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks depending on the permissions set by the admin 1. Use any type of role as long as you permit it the action to Add Events. 2. Add a n...
Team Members < 5.3.2 - Author+ Stored XSS
Description The plugin does not validate and escape some of its Team options attributes before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks. 1. Create/edit a team and...
Voting Record <= 2.0 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Have an admin open an HTML page containing the following: alert1' document.forms0.submit;...
JSON Content Importer < 1.5.4 - Reflected XSS
Description The plugin does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open:...
All in One B2B for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation
Description The plugin does not properly validate parameters when updating user details, allowing an unauthenticated attacker to update the details of any user. Updating the password of an Admin user leads to privilege escalation. curl 'https://example.com/' -d...
WP Job Portal < 2.0.6 - Unauthenticated SQLi
Description The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users Setup as admin: Create a dummy company and a job if there are none Attack as unauthenticated: time curl -X POST --data...
123.chat < 1.3.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup In the plugin's "User-ID" setting fiel...
IURNY by INDIGITALL < 3.2.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to the plugin's settings. 2...
MStore API < 3.9.8 - Unauthenticated Blind SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugins' pro features, and uses the woocommerce-appointment...
WP ERP < 1.12.4 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the type parameter in the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. Sign in as an admin. In WP Admin, run the following code in th...
OSM – OpenStreetMap <= 6.01 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. osmmap mapborder='3px solid black;background:red;width:100px;height:100px;" onmouseover="alert1"'...
FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The plugin does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the...
Multiple themes - Unauthenticated Arbitrary File Upload
Multiple themes from ChimpStudio and PixFill does not have any authorisation and upload validation in the langupload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server. Create a malicious file "backdoor.php", then curl...
AntiHacker < 4.20 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org Run the below command in the developer console of the web browser while being on the blog as a...
WP User Frontend < 3.5.29 - Obscure Registration as Admin
The plugin uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpufencryption. This could allow an attacker having access to the AUTHKEY and AUTHSALT constant via an arbitrary file access issue for...
Transposh WordPress Translation <= 1.0.8 - Subscriber+ Unauthorised Calls
The plugin exposes a couple of sensitive actions such has “tpreset” under the Utilities tab /wp-admin/admin.php?page=tputils, which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and...
WordPress Security < 4.2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup Put the following payload in the...
Logo Carousel < 3.4.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks 1 Make a new carousel /wp-admin/post-new.php?posttype=splcshortcodes 2 Set "Logo Margin" of the Style Setting to the...
Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update
The plugin does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them jQuery.post"https://example.com/wp-admin/index.php", "wtlwp-nonce": "foo", // Not validated tlwpsettingsdata: defaultrole: "editor",...
Backup by 10Web <= 1.0.20 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue http://example.com/wp-admin/admin.php?page=buwdrestore&tab=general%22%3E%3Cimg%20src=x%20onerror=alertdocument.domain;%20m0ze...
FlightLog <= 3.0.2 - Authenticated (editor+) SQL Injection
The plugin does not sanitise, validate or escape various POST parameters before using them a SQL statement, leading to SQL injections exploitable by editor and administrator users 1. to and from parameters Editor Level Tools - Flightlog - add a record POST...
Imagements <= 1.2.5 - Unauthenticated Arbitrary File Upload to RCE
The Imagements WordPress plugin, versions = 1.2.5, allowed images to be uploaded in comments, however, only checked for the Content-Type HTTP header for validation, which can be tampered with. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type head...
Backup by Supsystic <= 2.3.9 - Authenticated Arbitrary File Download and Deletion
The plugin does not check for path traversal attacks, allowing administrator to download and delete any file from the web server. Due to the lack of CSRF check on the file deletion, unauthenticated attacker could make a logged in administrator delete files from the web server as well The PoC will...
Simple Share Buttons Adder < 8.5.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1. Go to the plugin settings 2. In the "Additional CSS" field, enter the payload 3. Save...
Similarity <= 3.0 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert3' /...
Newsletter Popup <= 1.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Newsletter Popup Add New" 2...
Social Media Share Buttons < 2.8.9 - Admin+ Stored XSS via settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Ultimate Social Media Icons"...
Simple Buttons Creator <= 1.04 - Unauthenticated Stored XSS
Description The plugin does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site...
WooCommerce Product Filter < 1.4.4 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below the filter with the slug test1 needs to exist...
Add SVG Support for Media Uploader | inventivo <= 1.0.5 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to see the XSS...
Clone < 2.4.3 - Unauthenticated Backup Download
Description The plugin uses buffer files to store in-progress backup informations, which is stored at a publicly accessible, statically defined file path. While a backup job is running, visitors can access one of the following files it might take a couple tries, as the timing needs to be right:...
Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure
Description The plugin does not adequately authorize the aysquizauthorusersearch AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses. import string import requests baseurl =...
WP Matterport Shortcode < 2.1.7 - Reflected XSS
Description The plugin does not escape the PHPSELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin Make a logged in admin open https://example.com/wp-admin/admin.php/"/?page=wpms-opti...
Prevent files / folders access < 2.5.2 - Admin+ Arbitrary File Upload
Description The plugin does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server. 1 Create a PHP file cmd.php with the contents 2 Go to https://example.com/wp-admin/admin.php?page=momediarestrict&tab=privatedirectory 3 Then upload a fi...
WooCommerce Bulk Stock Management < 2.2.34 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below...
Float menu < 5.0.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a new item in the plugin settings 2. Enter...
PrePost SEO <= 3.0 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add XSS payload to plugin's "Account API key" setting: "" 2...
KiviCare Management System < 3.2.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrator Make a logged in admin open...
AI ChatBot < 4.5.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks to all admin when setting chatbot and all client when using chatbot 1. Go to "Settings Language Settings ChatBot Keywords" 2. Enter...
Conditional Menus < 1.2.1 - Reflected XSS
The plugin does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the HTML code below '...
WooCommerce Composite Products < 8.7.6 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin On a page where a Component Product is displayed, append...
WC Fields Factory < 4.1.7 - ShopManager+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Solidres <= 0.9.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Add a new currency...
WPSmartContracts < 1.3.12 - Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author Logon as an author and open the following URL, which will result in a delayed response...