Wpexploit: most viewed

4359 matches found

wpexploit
added 2021/06/21 12:0 a.m. | 734 views

Export Users With Meta < 0.6.5 - Authenticated SQL Injection

The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. POST /wp-admin/users.php?page=uewmsettings HTTP/1.1 Accept:...

CVSS 7.2 | AI score 1 | EPSS 0.01416
Exploits: 2
wpexploit
added 2020/11/23 12:0 a.m. | 735 views

Secure File Manager < 2.8.2 - Authenticated Remote Command Execution

The Secure File Manager uses the elFinder libraries in an insecure way, allowing authenticated users to execute arbitrary file management commands. v2.6 attempted to fix the issue by adding a CSRF nonce, however the nonce is displayed for all users in the Dashboard via the Secure File Manager men...

CVSS 6.5 | AI score 8.9 | EPSS 0.18028
Exploits: 2 | References: 1
wpexploit
added 2021/09/13 12:0 a.m. | 733 views

Download from files <= 1.48 - Unauthenticated Arbitrary File Upload

The downloadfromfiles617fileupload AJAX action of the plugin, available to both unauthenticated and authenticated users, does not properly restrict the files to be uploaded, which could allow unauthenticated users to upload PHP4 files, for example. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...

AI score 0.2
Exploits: 0 | References: 1
wpexploit
added 2021/10/05 12:0 a.m. | 731 views

MStore API < 3.4.5 - Unauthenticated PHP File Upload

The api/flutterwoo/configfile REST endpoint of the plugin does not have proper authorisation in place, only checking if the plugin has a license, nor enough validation against the config file sent in the request. As a result, unauthenticated users could use this endpoint to upload a PHP file,...

AI score 0.2
Exploits: 0 | References: 1
wpexploit
added 2021/09/21 12:0 a.m. | 731 views

WP Mega Menu < 1.4.0 - Unauthenticated Arbitrary Post Access

The plugin does not properly check for capability and CSRF due to a logic flaw, in its exporttheme and exportwpmegamenunavmenu methods, hooked to admininit. As a result, unauthenticated users can call them and access arbitrary post data, including password protected or private ones. Access an...

AI score 0.5
Exploits: 0
wpexploit
added 2021/10/18 12:0 a.m. | 729 views

Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF

The plugin does not have nonce checks when saving its settings, allowing attackers to make a logged in admin change them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover. The following HTML code can be used...

CVSS 8.8 | AI score 0.4 | EPSS 0.00612
Exploits: 2
wpexploit
added 2021/05/17 12:0 a.m. | 729 views

LifterLMS < 4.21.2 - Access Other Student Grades/Answers via IDOR

The plugin was affected by an IDOR issue, allowing students to see other students' answers and grades.
- Add 2 users with Student role for the scenario.
- Create a course with a quiz (I picked a True or False question for my quiz)
- Set Enrol on Free for the ease of scenario
- Enrol into the Course wit...

CVSS 5 | AI score 0.8 | EPSS 0.01625
Exploits: 2 | References: 1
wpexploit
added 2021/03/26 12:0 a.m. | 728 views

Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

The plugin did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised...

CVSS 6.5 | AI score 0.3 | EPSS 0.01893
Exploits: 2 | References: 1
wpexploit
added 2021/08/19 12:0 a.m. | 727 views

Donate With QRCode <= 1.4.5 - Plugin's Setting Update via CSRF

The plugin does not have CSRF check in place when saving its settings, which could allow attackers to make a logged in admin update them...

AI score 0.5
Exploits: 0
wpexploit
added 2021/07/19 12:0 a.m. | 727 views

Social Tape <= 1.0 - CSRF to Stored XSS

The plugin does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack alert/XSS/' /...

CVSS 4.3 | AI score 0.1 | EPSS 0.00412
Exploits: 2
wpexploit
added 2021/10/13 12:0 a.m. | 726 views

Colorful Categories < 2.0.15 - Arbitrary Colors Update via CSRF

The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack csrf.submit...

CVSS 6.5 | AI score 1 | EPSS 0.00531
Exploits: 2
wpexploit
added 2021/09/29 12:0 a.m. | 725 views

Stylish Price List < 6.9.0 - Unauthenticated Arbitrary Image Upload

The plugin does not perform capability checks in its spluploadserimg AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload images. v6.9.0 removed the unauthenticated hook, however, no capability and CSRF checks were implemented,...

CVSS 5.3 | AI score 0.4 | EPSS 0.0102
Exploits: 2
wpexploit
added 2021/09/02 12:0 a.m. | 725 views

Meow Gallery < 4.2.0 - Unauthorised Arbitrary Options Update via REST API

The plugin does not properly check for capability in its REST API, allowing:
- Any authenticated user with the uploadfile capability, such as author+, to call them in versions before 4.1.9
- Any unauthenticated user to call them, except the restallsettings endpoint, in 4.1.9
One endpoint in...

Exploits: 0
wpexploit
added 2021/10/04 12:0 a.m. | 725 views

Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting

The plugin offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button fields is not escaped before being output i...

CVSS 4.3 | AI score 4.4 | EPSS 0.00487
Exploits: 2 | References: 1
wpexploit
added 2021/08/16 12:0 a.m. | 724 views

Simple eCommerce <= 2.2.5 - Arbitrary File Upload

The plugin does not check the uploaded Downloadable Digital product file, allowing any file, such as PHP, to be uploaded by an administrator. Furthermore, as there is no CSRF check in place, attackers could also make a logged in admin upload a malicious PHP file, which would lead to RCE...

CVSS 8.8 | AI score 0.4 | EPSS 0.00612
Exploits: 2
wpexploit
added 2021/08/04 12:0 a.m. | 724 views

Availability Calendar < 1.2.1 - Authenticated SQL Injection

The plugin does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+. With an account role as low as contributor, put the following in...

CVSS 8.8 | AI score 1 | EPSS 0.01292
Exploits: 2
wpexploit
added 2021/05/25 12:0 a.m. | 723 views

SP Project & Document Manager < 4.22 - Authenticated Shell Upload

The plugin allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for...

CVSS 8.8 | AI score 8.7 | EPSS 0.52007
Exploits: 8 | References: 2
wpexploit
added 2021/07/12 12:0 a.m. | 722 views

Advanced Menu Manager <= 3.0 - Unauthorised Menu Creation/Deletion

The plugin is lacking any capability and CSRF checks in its myactiondeletemenu and myactioncreatemenuajax AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Such an attack could also be performed via a CSRF vector against any logged in user. - To delete a menu: POST...

AI score 0.8
Exploits: 0
wpexploit
added 2021/05/05 12:0 a.m. | 722 views

Simple Admin Language Change < 2.0.2 - Arbitrary User Locale Change

The plugin did not have proper capability and CSRF checks in its changeuserlocale AJAX action, and was also affected by an IDOR issue, allowing any authenticated user to change the locale of another user. v2.0.1 fixed the authorisation and IDOR but still had an incorrect CSRF logic which was fixe...

AI score 2.7
Exploits: 0
wpexploit
added 2021/08/23 12:0 a.m. | 720 views

Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update

The plugin does not have proper access control when updating a timeslot, allowing any user with the editposts capability (contributor+) to update arbitrary timeslots from any event. Furthermore, no CSRF check is in place, allowing such an attack to be performed via CSRF against a logged in with...

CVSS 5.4 | AI score 5.4 | EPSS 0.00489
Exploits: 2
wpexploit
added 2021/07/19 12:0 a.m. | 720 views

RestroPress < 2.8.3.1 - Unauthorised AJAX Calls

The plugin did not check for CSRF as well as capability in some of its AJAX calls which should only be accessible by admin. As a result, any authenticated user can change arbitrary order status, as well as access arbitrary order details including PII such as phone number and address. Change the...

AI score 0.7
Exploits: 0
wpexploit
added 2022/09/14 12:0 a.m. | 719 views

Enable Media Replace < 4.0.0 - Admin+ Path Traversal

The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack, for example. When replacing the file, select "Replace the file, use new file name and update...

CVSS 4.9 | AI score 0.9 | EPSS 0.00781
Exploits: 2
wpexploit
added 2021/06/29 12:0 a.m. | 719 views

Poll Maker < 3.2.1 - Authenticated Blind SQL Injections

The getpollcategories, getpolls and getreports functions in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby...

CVSS 6.5 | AI score 0.7 | EPSS 0.01409
Exploits: 2
wpexploit
added 2021/09/20 12:0 a.m. | 718 views

Scroll Baner <= 1.0 - CSRF to RCE

The plugin does not have a CSRF check in place when saving its settings, nor does it perform any sanitisation, escaping or validation on them. This could allow attackers to make a logged in admin change them and could lead to RCE via a file upload as well as XSS. function submitRequest var xhr = new...

CVSS 6.5 | EPSS 0.00553
Exploits: 2
wpexploit
added 2021/06/29 12:0 a.m. | 717 views

Quiz Maker < 6.2.0.9 - Multiple Authenticated Blind SQL Injections

The plugin did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard. When we (WPScanTeam) confirmed the issues, more SQL Injections were identified, reported and fixed by the vendor but have not...

CVSS 6.5 | AI score 0.7 | EPSS 0.01292
Exploits: 1
wpexploit
added 2021/09/28 12:0 a.m. | 716 views

AutomatorWP < 1.7.6 - Missing Authorization and Privilege Escalation

The plugin does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions. Attack Procedures 1 Run this in Dashboard while logged in as Subscribe...

CVSS 8.8 | AI score 0.9 | EPSS 0.01294
Exploits: 2
wpexploit
added 2021/06/29 12:0 a.m. | 716 views

Popup Like box - Page Plugin < 3.5.3 - Authenticated Blind SQL Injections

The getfblikeboxes function in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQ...

CVSS 6.5 | AI score 0.6 | EPSS 0.01362
Exploits: 2
wpexploit
added 2021/03/19 12:0 a.m. | 716 views

WordPress Related Posts <= 3.6.4 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting it, an attacker will be able to execute JavaScript code in the user's browser. Put the following payload in the "Related Posts Title" settings of the plugin...

CVSS 3.5 | AI score 0.3 | EPSS 0.00628
Exploits: 2
wpexploit
added 2021/03/10 12:0 a.m. | 716 views

Database Backups <= 1.2.2.6 - CSRF to Backup Download

The plugin does not have CSRF checks, allowing attackers to make a logged in user perform unwanted actions, such as generating backups of the database, changing the plugin's settings and deleting backups. When generating a backup, the file is created in the /wp-content/uploads/database-backups directory, with ...

CVSS 5.8 | AI score 0.3 | EPSS 0.03218
Exploits: 5
wpexploit
added 2020/11/25 12:0 a.m. | 715 views

WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection

The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+).
Edit (WPScanTeam):
September 8th, 2020 - Confirmed & Escalated to WP plugins team
September 8th, 2020 - WP plugins team investigating
November 25th, 2020 - No updates,...

AI score 0.2 | EPSS 0.01416
Exploits: 2 | References: 1
wpexploit
added 2022/02/28 12:0 a.m. | 713 views

NotificationX < 2.3.12 - Unauthenticated SQLi

The plugin does not validate and escape the id parameter in its notificationx/v1/notification REST endpoint before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks. The apikey is the md5 of the homeurl either with http or https protocol...

AI score 2.4
Exploits: 0 | References: 1
wpexploit
added 2021/10/06 12:0 a.m. | 713 views

Visitor Traffic Real Time Statistics < 3.9 - Subscriber+ SQL Injection

The plugin does not validate and escape user input passed to the todaytrafficindex AJAX action, available to any authenticated user, before using it in a SQL statement, leading to an SQL injection issue. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01...

CVSS 8.8 | AI score 0.7 | EPSS 0.01318
Exploits: 2
wpexploit
added 2021/07/27 12:0 a.m. | 713 views

Side Menu Lite < 2.2.6 - Authenticated SQL Injection

The plugin does not sanitise user input from the List page in the admin dashboard before using it in a SQL statement, leading to an SQL Injection issue. POST /wp-admin/admin.php?page=side-menu-lite&tab=list HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8...

CVSS 6.5 | AI score 1.3 | EPSS 0.01362
Exploits: 2 | References: 1
wpexploit
added 2021/06/28 12:0 a.m. | 713 views

Side Menu Lite < 2.2.1 - Authenticated SQL Injection

The plugin does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack...

CVSS 6.5 | AI score 0.6 | EPSS 0.01587
Exploits: 2 | References: 1
wpexploit
added 2021/10/11 12:0 a.m. | 712 views

WP SEO Redirect 301 < 2.3.2 - Redirect Deletion via CSRF

The plugin does not have CSRF checks in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack. https://example.com/wp-admin/admin.php?page=wp-seo-redirect-301/seoredirectlist.php&deleteid=12&deleteurl=https://example.com/yolo deleteid is the po...

CVSS 4.3 | AI score 0.9 | EPSS 0.00435
Exploits: 2
wpexploit
added 2021/07/26 12:0 a.m. | 711 views

Paid Member Subscriptions < 2.4.2 - Reflected Cross-Site Scripting (XSS)

The plugin was vulnerable to a Reflected Cross-Site Scripting (XSS) on the edit member page. No CSRF nonce was required. http://www.example.com/wp-admin/admin.php?page=pms-members-page&subpage=editmember&memberid=1%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E...

AI score 1.7
Exploits: 0 | References: 1
wpexploit
added 2021/09/13 12:0 a.m. | 710 views

Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF

The delreistereddomains AJAX action of the plugin does not have any CSRF checks, and is vulnerable to a CSRF attack. https://example.com/wp-admin/admin-ajax.php?action=delreistereddomain&id=1...

CVSS 8.8 | AI score 3.5 | EPSS 0.00667
Exploits: 2 | References: 1
wpexploit
added 2021/08/05 12:0 a.m. | 710 views

User Rights Access Manager <= 1.0.5 - Access Restriction Bypass

The plugin does not properly restrict access to pages, allowing admin users whose access has been restricted by the plugin to still access the related pages. The issue is the same technique as https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-controlled-admin-access-plugin/ The PoC will...

AI score 1.5
Exploits: 0
wpexploit
added 2021/07/20 12:0 a.m. | 710 views

Giveaway <= 1.2.2 - Authenticated SQL Injection

The plugin is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $postid on the options.php page. 1. Navigate in WordPress panel to Settings - Giveaway 2. Intercept the request in Burp Suite 3. Click on "Select" button at the very to...

CVSS 6.5 | AI score 1.4 | EPSS 0.01344
Exploits: 2
wpexploit
added 2020/11/02 12:0 a.m. | 710 views

AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection

The plugin does not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. https://drive.google.com/file/d/1UBTpW3RcPR7iqTi94ueyXLwWH8aFHuoe/view?usp=sharing Payload: aps-social id="1 and sleep3"...

AI score 2.7 | EPSS 0.01255
Exploits: 1 | References: 2
wpexploit
added 2021/09/21 12:0 a.m. | 709 views

jQuery Reply to Comment <= 1.31 - CSRF to Stored Cross-Site Scripting

The plugin does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. Put the following payload in the 'Quote String' or 'Reply String' settings of...

CVSS 6.1 | EPSS 0.00399
Exploits: 2
wpexploit
added 2023/01/17 12:0 a.m. | 708 views

Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload

The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites. 1 As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php 2 Press on the new picture's thumbnail to see the attachment's details 3...

CVSS 8.8 | AI score 8.9 | EPSS 0.01096
Exploits: 2
wpexploit
added 2021/08/11 12:0 a.m. | 708 views

Per Page Add to Head < 1.4.4 - CSRF to Stored XSS

The plugin is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting features mentioned by the plugin, this could lead to a Stored XSS issue which will b...

CVSS 4.3 | AI score 4.5 | EPSS 0.00467
Exploits: 2
wpexploit
added 2021/09/13 12:0 a.m. | 707 views

Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection

The plugin allows unauthenticated users to perform SQL injection via the aysfinishpoll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash. This requires a valid nonce, which can be obtained by going to a...

CVSS 7.5 | AI score 0.9 | EPSS 0.01587
Exploits: 2
wpexploit
added 2021/09/06 12:0 a.m. | 707 views

uListing < 2.0.9 - Arbitrary Blog Option Update via CSRF

The plugin does not have a CSRF check in the uListingimportlayout function, nor does it perform any validation on the option/post meta key to update to ensure it belongs to the plugin. As a result, attackers could make a logged in admin change any of the blog options, such as siteurl, blogname etc, as well as...

AI score 0.4
Exploits: 0
wpexploit
added 2021/08/23 12:0 a.m. | 707 views

Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion

The plugin does not have proper access control when deleting a timeslot, allowing any user with the editposts capability (contributor+) to delete arbitrary timeslots from any event. Furthermore, no CSRF check is in place, allowing such an attack to be performed via CSRF against a logged in wit...

CVSS 4.3 | AI score 0.2 | EPSS 0.01568
Exploits: 2
wpexploit
added 2021/08/18 12:0 a.m. | 707 views

Print My Blog < 3.4.2 - Plugin Deactivation via CSRF

The plugin does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them into opening a malicious link...

CVSS 8.1 | AI score 3.3 | EPSS 0.00519
Exploits: 2
wpexploit
added 2021/06/29 12:0 a.m. | 705 views

Photo Gallery by Ays - Responsive Image Gallery < 4.4.4 - Authenticated Blind SQL Injections

The getgallerycategories and getgalleries functions in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby --leve...

CVSS 6.5 | AI score 0.5 | EPSS 0.01362
Exploits: 2
wpexploit
added 2022/08/17 12:0 a.m. | 704 views

Titan Anti-spam & Security < 7.3.1 - Protection Bypass due to IP Spoofing

The plugin does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers. The function wantispampgetip is vulnerable to IP spoofing because of the general usage of $_SERVER['HTTP_X_FORWARDED_FOR']. curl -i -H...

CVSS 5.3 | AI score 0.7 | EPSS 0.00615
Exploits: 2
wpexploit
added 2021/10/04 12:0 a.m. | 704 views

Paypal Donation < 1.3.1 - CSRF to Arbitrary Post Deletion

The plugin provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could make logged in admins delete arbitrary posts...

CVSS 4.3 | AI score 1.6 | EPSS 0.00453
Exploits: 2
Total number of security vulnerabilities: 4359