4359 matches found
Photo Gallery < 1.7.1 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting When the plugin displays a notice: https://example.com/wp-admin/plugins.php?"alert/XSS/...
Powerkit < 2.5.9 - Post Views Settings Update/Reset via CSRF
The plugin does not have CSRF checks when saving or reseting its post views settings, which could allow an attacker to make a logged in admin change or reset them via a CSRF attack...
LearnPress < 4.1.5 - Arbitrary Image Renaming
Users of the plugin can upload an image as a profile avatar after the registration. After this process the user crops and saves the image. Then a "POST" request that contains user supplied name of the image is sent to the server for renaming and cropping of the image. As a result of this request,...
WP User Frontend < 3.5.25 - Admin+ SQL Injection
The plugin does not validate and escape the postid parameter from the Subscribers list before using in a SQL statement, leading to an SQL injection https://example.com/wp-admin/edit.php?posttype=wpufsubscription&page=wpufsubscribers&postID=1+AND+%28SELECT+42+FROM+%28SELECT%28SLEEP%285%29%29%29b%2...
Pixel Cat Lite < 2.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Put the following payload in the Google Product Category setting of the plugin at wp-admin/admin.php?page=fcapcsettingspage in...
Event Geek <= 2.5.2 - Stored Cross-site Scripting (XSS)
The plugin does not sanitise or escape its "Use your own theme" setting before outputting it in the page, leading to an authenticated admin+ stored Cross-Site Scripting issue As admin, put the following payload in the "Use your own theme enter URL:" option...
Easy Preloader <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise its setting fields, leading to authenticated admin+ Stored Cross-Site scripting issues Step 1: Install the plugin "Easy Preloader" Step 2: Enter the payload below in the text field "Choose overlay color" or any other text fields in the plugin's settings...
Business Card <= 1.0.0 - Category Edit via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing card categories via CSRF attacks Make a logged in admin open an HTML document containing:...
Gutenverse < 1.9.1 - Contributor+ Stored XSS
Description The plugin does not validate the htmlTag option in various of its block before outputting it back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below code in...
WooCommerce Product Filter < 1.4.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup As and admin, create a filter...
Travelpayouts < 1.1.13 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF attack Make a logged in admin open a page containing the HTML code below, this will make them update the plugin's...
WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.2.0 - Unauthorized Sensitive Data Exposure
Description The plugin allows access to cache files during the cloning process which provides unauthorized access to sensitive data 1 When an admin creates a staging site, an attacker can capture a .cache file which reveals sensitive information including: DBname, DBtables, DBcolumns. 2 These fil...
Popup box < 3.8.6 - Admin+ Stored XSS in Popup Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a new Popup 2. In the "Popups...
Translate WordPress with GTranslate < 3.0.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. This vulnerability affects multiple...
Blog2Social < 7.2.1 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below...
Quiz And Survey Master < 8.1.11 - Contributor+ Stored XSS
Description The plugin does not properly sanitize and escape question titles, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks As a Contributor, create or edit a Quiz with the default theme and put the following payload in a question title...
Multiple Plugins from Addify - Multiple CSRF
The plugins have flawed CSRF checks in various places, which could allow attackers to make logged in users perform unwanted actions addify-order-approval-woocommerce - To make a logged in admin approve the order with ID 103...
Getwid < 1.8.4 - Subscriber+ SSRF
The plugin does not validate a parameter via the getremotecontent REST API endpoint before making a request to it, which could allow any authenticated users, such as subscriber to perform SSRF attack. Note: We do not consider flushing of cache to be a security issue, therefore CVE-2023-1910 has n...
CRM Perks Forms < 1.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the formid field in the plugin settings page, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...
Paytium < 4.3.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Playtium » Settings and in the 'Test'...
Header Footer Code Manager < 1.1.24 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=hfcm-list&'alert/XSS/...
Social Stickers <= 2.2.9 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF checks in place when updating its Social Network settings, and does not escape some of these fields, which could allow attackers to make a logged-in admin change them and lead to Stored Cross-Site Scripting issues. history.pushState'', '', '/' input type="hidden"...
Coming soon and Maintenance mode < 3.6.8 - Arbitrary Email Sending to Subscribed Users via CSRF
The plugin does not have CSRF check in its comingsoonsendmail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access
The plugin does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors. As a contributor, add the...
WP Simple Booking Calendar <= 2.0.6 (before 07/12/2021) - Authenticated SQL Injection
The plugin did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue Note WPScanTeam: The issue was fixed without bumping the version, so there are two 2.0.6 versions out there, on...
WP Google Map < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfilteredhtml capability is disallowed Create a new map. Add an XSS payload to the title. Click "Show as map title". Add t...
3DPrint Lite < 2.1 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Have a logged in admin open an HTML page containing the following form: input type="hidden" name="p3dlitesettingscanvaswidth"...
PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode <= 1.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks paypalbutton type="addtocart"...
Widget Bundle <= 2.0.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Enable the "Text Form" widget 2. Ad...
CAS <= 1.0.0 - Unauthenticated SSRF
Description The plugin does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attack https://example.com/wp-content/themes/cas/download.php?path=http://127.0.0.1:8080...
Responsive Tabs < 4.0.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Go to "Tab Sets Add New" in W...
The Ultimate Video Player For WordPress < 2.2.3 - Contributor+ Stored XSS
Description The plugin does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks As a contributor, get...
Login Lockdown – Protect Login Form < 2.09 - Subscriber+ Options Leak
Description The plugin does not prevent logged-in users of any role e.g. subscribers from leaking its settings, which may include allowlisted IP addresses as well as a global unlock key, with which they could add their own IP address to the plugin's list. As a logged-in subscriber, visit the...
Chart.js for WordPress <= 2023.2 - Editor+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to "Charts Settings". 2. For th...
Wp-Adv-Quiz < 1.0.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. 1. Add a new quiz. 2. Under the created quiz, click on "Questions". 3. Add a question and...
Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks v 3.1.1 - fbplugin video...
Forminator and Forminator Pro < 1.27.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup. Select...
WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion
Description The plugin does not have authorisation and CSRF checks, as well as does not ensure that the package to be deleted is a package, allowing any authenticated users, such as subscriber to delete arbitrary posts Run the below command in the developer console of the web browser while being ...
T1 theme <= 19.0 - Open Redirect
Description The theme is vulnerable to unauthenticated open redirect with which any attacker and redirect users to arbitrary websites. https://www.example.com/wp-content/themes/t1/page-templates/applyredirection.php?file=240317005410&urlnow=http://google.com&urljs=https://www.evil.com?...
WP Food Manager < 1.0.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Food manager Add Food" and a...
AI ChatBot < 4.6.1 - Admin+ Stored Cross-Site Scripting
The plugin does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Visit WPBot Lite Settings Language Center. 2. Within any of the tabs "General", "FAQ", or "ChatBot...
Contact Form and Calls To Action by vcita < 2.7.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email and uid parameters in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts into the settings, targeting higher-privileged users such as administrators...
Login Rebuilder < 2.8.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Settings » Login rebuilder 2. In Login...
ClickFunnels <= 3.1.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. clickfunnelsembed url="javascript:alert1"...
Calculated Fields Form < 1.1.151 - Admin+ Stored Cross-Site Scripting via Dropdown Fields
The plugin does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Partial fixes were implemented in versions...
Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion
The plugin does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods. wpajaxshopoptionsajax hook calls shopoptionsajax function without nonce and without access control update shipping method name 0 shipping method id exploit...
Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API
The plugin does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers https://example.com/wp-json/wp/v2/sensei-messages/...
Simple Job Board < 2.10.0 - Resume Disclosure via Directory Listing
The plugin is susceptible to Directory Listing which allows the public listing of uploaded resumes in certain configurations. curl https://example.com/wp-content/uploads/jobpost Search for this path / folder in search engines to find uploaded resumes...
Popup Anything < 2.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting On a post/page where the paocdetails display="keyxxx" shortcode is embed, append the following payload: ?xxx=11111%3Cscript%3Ealert/XSS/%3C/script%3E e.g:...
Advanced Admin Search < 1.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting. Affected parameters: keyword, user, metaKey, and metaValue https://example.com/wp-admin/admin.php?page=advanced-admin-search&keyword="...