Export Users With Meta < 0.6.5 - Authenticated SQL Injection
The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. POST /wp-admin/users.php?page=uewmsettings HTTP/1.1 Accept:...
Secure File Manager < 2.8.2 - Authenticated Remote Command Execution
The Secure File Manager uses the elFinder libraries in an insecure way, allowing authenticated users to execute arbitrary file management commands. v2.6 attempted to fix the issue by adding a CSRF nonce, however the nonce is displayed for all users in the Dashboard via the Secure File Manager men...
Download from files <= 1.48 - Unauthenticated Arbitrary File Upload
The downloadfromfiles617fileupload AJAX action of the plugin, available to both unauthenticated and authenticated users, does not properly restrict the files to be uploaded, which could allow unauthenticated users to upload PHP4 files, for example. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
MStore API < 3.4.5 - Unauthenticated PHP File Upload
The api/flutterwoo/configfile REST endpoint of the plugin does not have proper authorisation in place (it only checks whether the plugin has a license), nor enough validation of the config file sent in the request. As a result, unauthenticated users could use this endpoint to upload a PHP file,...
WP Mega Menu < 1.4.0 - Unauthenticated Arbitrary Post Access
The plugin does not properly check for capability and CSRF due to a logic flaw, in its exporttheme and exportwpmegamenunavmenu methods, hooked to admininit. As a result, unauthenticated users can call them and access arbitrary post data, including password protected or private ones. Access an...
Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF
The plugin does not have nonce checks when saving its settings, allowing attackers to make a logged in admin change them. Settings such as the HMAC verification secret, account registration and default user roles can be updated, which could result in site takeover. The following HTML code can be used...
LifterLMS < 4.21.2 - Access Other Student Grades/Answers via IDOR
The plugin was affected by an IDOR issue, allowing students to see other students' answers and grades. - Add 2 users with the Student role for the scenario. - Create a course with a quiz (I picked a True or False question for my quiz). - Set Enrol on Free for the ease of the scenario. - Enrol into the Course wit...
Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode
The plugin did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without an id attribute, concatenating it into a SQL statement and leading to an SQL injection. Since the lowest role allowed to use this shortcode in posts or pages is author, such a user could gain unauthorised...
Donate With QRCode <= 1.4.5 - Plugin's Setting Update via CSRF
The plugin does not have a CSRF check in place when saving its settings, which could allow attackers to make a logged in admin update them...
Social Tape <= 1.0 - CSRF to Stored XSS
The plugin does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack alert/XSS/' /...
Colorful Categories < 2.0.15 - Arbitrary Colors Update via CSRF
The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack csrf.submit...
Stylish Price List < 6.9.0 - Unauthenticated Arbitrary Image Upload
The plugin does not perform capability checks in its spluploadserimg AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload images. v6.9.0 removed the unauthenticated hook, however, no capability and CSRF checks were implemented,...
Meow Gallery < 4.2.0 - Unauthorised Arbitrary Options Update via REST API
The plugin does not properly check for capability in its REST API, allowing: - Any authenticated user with the uploadfile capability, such as author+, to call them in versions before 4.1.9. - Any unauthenticated user to call them, except the restallsettings endpoint, in 4.1.9. One endpoint in...
Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting
The plugin offers a function to create donation buttons, which internally are posts. The process to create a new button lacks a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button fields is not escaped before being output i...
Simple eCommerce <= 2.2.5 - Arbitrary File Upload
The plugin does not validate the uploaded Downloadable Digital product file, allowing any file, such as PHP, to be uploaded by an administrator. Furthermore, as there is no CSRF check in place, attackers could also make a logged in admin upload a malicious PHP file, which would lead to RCE...
Availability Calendar < 1.2.1 - Authenticated SQL Injection
The plugin does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcodes to posts/pages, such as contributor+. With an account role as low as contributor, put the following in...
SP Project & Document Manager < 4.22 - Authenticated Shell Upload
The plugin allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for...
Advanced Menu Manager <= 3.0 - Unauthorised Menu Creation/Deletion
The plugin lacks any capability and CSRF checks in its myactiondeletemenu and myactioncreatemenuajax AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Such an attack could also be performed via a CSRF vector against any logged in user. - To delete a menu: POST...
Simple Admin Language Change < 2.0.2 - Arbitrary User Locale Change
The plugin did not have proper capability and CSRF checks in its changeuserlocale AJAX action, and was also affected by an IDOR issue, allowing any authenticated user to change the locale of another user. v2.0.1 fixed the authorisation and IDOR but still had an incorrect CSRF logic which was fixe...
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update
The plugin does not have proper access control when updating a timeslot, allowing any user with the editposts capability (contributor+) to update arbitrary timeslots from any event. Furthermore, no CSRF check is in place either, allowing such an attack to be performed via CSRF against a logged in with...
RestroPress < 2.8.3.1 - Unauthorised AJAX Calls
The plugin did not check for CSRF or capability in some of its AJAX calls which should only be accessible by admins. As a result, any authenticated user can change arbitrary order statuses, as well as access arbitrary order details including PII such as phone number and address. Change the...
Enable Media Replace < 4.0.0 - Admin+ Path Traversal
The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admins to move them outside it to the web root directory via a path traversal attack. For example: when replacing the file, select "Replace the file, use new file name and update...
Poll Maker < 3.2.1 - Authenticated Blind SQL Injections
The getpollcategories, getpolls and getreports functions in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby...
Scroll Baner <= 1.0 - CSRF to RCE
The plugin does not have a CSRF check in place when saving its settings, nor does it perform any sanitisation, escaping or validation on them. This could allow attackers to make a logged in admin change them and could lead to RCE via a file upload as well as XSS function submitRequest var xhr = new...
Quiz Maker < 6.2.0.9 - Multiple Authenticated Blind SQL Injections
The plugin did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard. When we (WPScanTeam) confirmed the issues, more SQL Injections were identified, reported and fixed by the vendor but have not...
AutomatorWP < 1.7.6 - Missing Authorization and Privilege Escalation
The plugin does not perform capability checks, which allows users with the Subscriber role to enumerate automations, disclose titles of private posts or user emails, call functions, or perform privilege escalation via AJAX actions. Attack Procedures: 1. Run this in the Dashboard while logged in as Subscribe...
Popup Like box - Page Plugin < 3.5.3 - Authenticated Blind SQL Injections
The getfblikeboxes function in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQ...
WordPress Related Posts <= 3.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting this, an attacker is able to execute JavaScript code in the user's browser. Put the following payload in the "Related Posts Title" setting of the plugin...
Database Backups <= 1.2.2.6 - CSRF to Backup Download
The plugin does not have CSRF checks, allowing attackers to make a logged in user perform unwanted actions, such as generating backups of the database, changing the plugin's settings and deleting backups. When generating a backup, the file is created in the /wp-content/uploads/database-backups directory, with ...
WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection
The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+). Edit WPScanTeam: September 8th, 2020 - Confirmed & Escalated to WP plugins team; September 8th, 2020 - WP plugins team investigating; November 25th, 2020 - No updates,...
NotificationX < 2.3.12 - Unauthenticated SQLi
The plugin does not validate and escape the id parameter in its notificationx/v1/notification REST endpoint before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks. The apikey is the md5 of the homeurl, with either the http or https protocol...
Visitor Traffic Real Time Statistics < 3.9 - Subscriber+ SQL Injection
The plugin does not validate and escape user input passed to the todaytrafficindex AJAX action, available to any authenticated user, before using it in a SQL statement, leading to an SQL injection issue. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
Side Menu Lite < 2.2.6 - Authenticated SQL Injection
The plugin does not sanitise user input from the List page in the admin dashboard before using it in a SQL statement, leading to an SQL Injection issue. POST /wp-admin/admin.php?page=side-menu-lite&tab=list HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8...
Side Menu Lite < 2.2.1 - Authenticated SQL Injection
The plugin does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack...
WP SEO Redirect 301 < 2.3.2 - Redirect Deletion via CSRF
The plugin does not have a CSRF check in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack: https://example.com/wp-admin/admin.php?page=wp-seo-redirect-301/seoredirectlist.php&deleteid=12&deleteurl=https://example.com/yolo deleteid is the po...
Paid Member Subscriptions < 2.4.2 - Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to a Reflected Cross-Site Scripting (XSS) on the edit member page. No CSRF nonce was required. http://www.example.com/wp-admin/admin.php?page=pms-members-page&subpage=editmember&memberid=1%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E...
Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF
The delreistereddomains AJAX action of the plugin does not have any CSRF checks, and is vulnerable to a CSRF attack: https://example.com/wp-admin/admin-ajax.php?action=delreistereddomain&id=1...
User Rights Access Manager <= 1.0.5 - Access Restriction Bypass
The plugin does not properly restrict access to pages, allowing admin users whose access has been restricted by the plugin to still access the related pages. The issue uses the same technique as https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-controlled-admin-access-plugin/ The PoC will...
Giveaway <= 1.2.2 - Authenticated SQL Injection
The plugin is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $postid on the options.php page. 1. Navigate in the WordPress panel to Settings - Giveaway 2. Intercept the request in Burp Suite 3. Click on the "Select" button at the very to...
AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection
The plugin does not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. https://drive.google.com/file/d/1UBTpW3RcPR7iqTi94ueyXLwWH8aFHuoe/view?usp=sharing Payload: aps-social id="1 and sleep3"...
jQuery Reply to Comment <= 1.31 - CSRF to Stored Cross-Site Scripting
The plugin does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. Put the following payload in the 'Quote String' or 'Reply String' settings of...
Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload
The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites. 1 As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php 2 Press on the new picture's thumbnail to see the attachment's details 3...
Per Page Add to Head < 1.4.4 - CSRF to Stored XSS
The plugin lacks any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of its settings (a feature advertised by the plugin), this could lead to a Stored XSS issue which will b...
Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection
The plugin allows unauthenticated users to perform SQL injection via the aysfinishpoll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hashes. This requires a valid nonce, which can be obtained by going to a...
uListing < 2.0.9 - Arbitrary Blog Option Update via CSRF
The plugin does not have a CSRF check in the uListingimportlayout function, nor does it perform any validation on the option/post meta key to update to ensure it belongs to the plugin. As a result, attackers could make a logged in admin change any of the blog options, such as siteurl, blogname, etc., as well as...
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion
The plugin does not have proper access control when deleting a timeslot, allowing any user with the editposts capability (contributor+) to delete arbitrary timeslots from any event. Furthermore, no CSRF check is in place either, allowing such an attack to be performed via CSRF against a logged in wit...
Print My Blog < 3.4.2 - Plugin Deactivation via CSRF
The plugin does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them into opening a malicious link...
Photo Gallery by Ays - Responsive Image Gallery < 4.4.4 - Authenticated Blind SQL Injections
The getgallerycategories and getgalleries functions in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby --leve...
Titan Anti-spam & Security < 7.3.1 - Protection Bypass due to IP Spoofing
The plugin does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers. The function wantispampgetip is vulnerable to IP spoofing because it trusts the client-controlled $_SERVER['HTTP_X_FORWARDED_FOR'] header. curl -i -H...
Paypal Donation < 1.3.1 - CSRF to Arbitrary Post Deletion
The plugin provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could make logged in admins delete arbitrary posts...