4359 matches found
aBitGone CommentSafe <= 1.0.0 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. Make an admin open an HTML file containing the following: '...
Contact Form Email < 1.3.44 - Editor+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Create a form and navigate to 'Edit...
Medialist < 1.4.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks medialist style='"...
PageLayer < 1.7.8 - Author+ Stored XSS
Description The plugin doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code. - As a user with Author+ capabilities, create a new post draft - Save it, then edit it using the PageLayer page builder - Navigate to the...
All in One B2B for WooCommerce <= 1.0.3 - Multiple CSRF
Description The plugin does not properly check nonce values in several actions, allowing an attacker to perform CSRF attacks. This CSRF attack will reject a Quote in the database. 1. Go to All In One Quote Quotes 2. Click "Add quote", fill in the title, and save. 3. Find the Quote ID, convert it ...
Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR
Description The plugin does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. 1. Create a new Post as a Contributor user. 2. Add the "Simple Author Box" block. 3. Intercept the request t...
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.3 - Denial of Service via CSRF
The plugin does not protect its vcitalogout ajax action against CSRF attacks, allowing an unauthenticated attacker to log the site out from it's vcita account by tricking a logged in user to send a crafted request, causing a denial of service for the appointment scheduling functionality...
Feather Login Page < 1.1.2 - Missing Authorization to Authentication Bypass and Privilege Escalation
The plugin lacks authorization checks in the ftlpp-ext-expirable-get-users ajax action, allowing logged in users with roles as low as subscriber to access the login links for the temporary users created by the plugin, which can be used for privilege escalation. GET...
AI-Engine < 1.6.83 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Go to Meow Apps » AI Engine » Chatbot tab » Visu...
WooCommerce Warranty Requests < 2.1.7 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below v = 2.1.6...
WP Multi Store Locator <= 2.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks storelocatorshow location="'; alert1;...
AP Pricing Tables Lite <= 1.1.6 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 115 Accept: / Content-Type:...
HollerBox < 2.1.4 - Admin+ SQL Injection
The plugin concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database. 1. Login as admin 2. Make sure HollerBox is installed and...
WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure
The plugin does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber to retrieve the titles of draft and privates posts for example. AN attacker could also retrieve the title of any other type of post. Run the below command in the...
Easy Bootstrap Shortcode <= 4.5.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1. Insert thi...
Table of Contents Plus < 2212 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. toc...
Easy Form Builder < 3.4.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Navigate to New Form » go to the Settings of t...
NEX-Forms < 7.9.7 - Authenticated SQLi
The plugin does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin setting...
Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them. function submitRequest var xhr = new XMLHttpRequest;...
Download Manager < 3.2.48 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the 'Insert URL' field, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Note: The attempted fix made in 3.2.46 and 3.2.47 were found to be insufficient As a contributor, create/edit a download and pu...
miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup Enable 2FA + Website Security and put...
Flower Delivery by Florist One <= 3.5.15 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setups As admin, go to the plugin's settings, create a new...
Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
The plugin does not have authorisation nor CSRF checks in the acf7dbeditscrfiledelete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPre...
NEX-Forms <= 7.9.4 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings and form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. In Global Setting Preferences Validation, put the following...
Age Gate < 2.16.4 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape the 'Additional content' setting of its 'Messaging' page, which could allow users having access to such setting by default admin, but the plugin has a feature to change this and allow access to lower privileged users to perform Cross-Site Scripting attacks...
Comment Highlighter <= 0.13 - Authenticated SQL Injection
A c GET parameter of the plugin is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET...
Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS)
The plugin does not sanitize the id parameter of its awesomeweatherrefresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting XSS Vulnerability. Note WPScanTeam: The issue was reported to the WP plugins team on May 4th, 2021, then June 7th, 2021 due to lack of update...
Jetpack < 13.4 - Contributor+ Stored Cross-Site Scripting via wpvideo Shortcode
Description The plugin did not properly escape some of its shortcode attributes, allowing users with at least the contributor role to conduct Stored XSS attacks. wpvideo OcobLTqC freedom=true preloadContent='"src=x onerror=alertdocument.cookie xss'...
Newsletter Popup <= 1.2 - List Deletion via CSRF
Description The plugin does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack Make an admin open a URL where is a valid id: http://example.com4/wp-admin/admin.php?page=wpnewslettershowitems&action=trash&id=...
Backup and Restore WordPress < 1.50 - Unauthenticated Sensitive Data Exposure
Description The plugin does not protect some log files containing sensitive information such as site configuration etc, allowing unauthenticated users to access such data. 1 There is a lot of sensitive data and most importantly, you can download this logs to your machine and read it. These files...
Payment Gateway for Telcell < 2.0.4 - Unauthenticated Open Redirect
Description The plugin does not validate the apiurl parameter before redirecting the user to its value, leading to an Open Redirect issue https://localhost/wp-admin/admin.php?page=wc-settings&action=redirecttelcellform&apiurl=https://www.google.com...
Event Tickets and Registration < 5.8.1 - Contributor+ Arbitrary Events Access
Description The plugin does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. e.g. draft, private, pending review, pw-protected, and trashed events. 1. ADMIN: Install Event Tickets 2. ADMIN: Install Event Tickets Plus...
Analytics Insights for Google Analytics 4 < 6.3 - Open Redirect
Description The plugin is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action...
Email Subscription Popup < 1.2.20 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open " /...
WP Crowdfunding < 2.1.9 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 1. Add a "Campaign Search" widget to your site via Appearance Customise Widgets for...
EmbedPress < 3.9.2 - Reflected XSS
Description The plugin does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page containing the HTML code below " / " /...
Responsive Pricing Table < 5.1.8 - Admin+ Stored Cross-Site Scriping
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Create a New Pricing Table and Add ...
EventON < 2.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Create a new events. 2. In the "Eve...
Simple Blog Card < 1.32 - Subscriber+ Arbitrary Post Access
Description The plugin does not ensure that posts to be displayed via a shortcode are public, allowing any authenticated users, such as subscriber, to retrieve arbitrary post title and their content such as draft, private and password protected ones Run the below command in the developer console ...
Front Editor <= 4.3.5 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a new form. 2. For the "Post Title", add...
EventON < 2.1.2 - Unauthenticated Event Access
The plugin lacks authentication and authorization in its eventonicsdownload ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id. https://example.com/wp-admin/admin-ajax.php?action=eventonicsdownload&eventid=value...
CRM and Lead Management by vcita <= 2.7.1 - Settings Update Via CSRF
The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a user with the contributor role or higher to click a link. The plugin does not protect its settings page against CSRF attacks, allowing an...
File Renaming on Upload < 2.5.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Multiple inputs in the plugin's settings -- for...
Contact Form Email < 1.3.38 - Unauthenticated Stored Cross-Site Scripting
The plugin does not escape submitted values before displaying them in the HTML, leading to a Stored XSS vulnerability. 1. Publish the default form to a page by clicking on "Contact Form to Email" in the sidebar, and the "Publish" button beside the form name. 2. Visit the form on the frontend. Fil...
WooCommerce Brands < 1.6.46 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Add a Brand with an image, and assign it to ...
Directorist < 7.5.4 - Admin+ LFI
The plugin is vulnerable to Local File Inclusion as it does not validate the file parameter when importing CSV files. This PoC will work on Linux systems. 1. Navigate to the URL path: /wp-admin/edit.php?posttype=atbizdir&page=tools&step=2&file=/etc/passwd&delimiter=; 2.. You will be presented wit...
Shortcodes Ultimate < 5.12.8 - Subscriber+ Arbitrary Post Access
The plugin does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of...
WOOF - Products Filter for WooCommerce < 1.3.2 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. 1. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Sliderby10Web < 1.2.53 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to "Slider » Sliders" and edit one of the...
Advanced Comment Form < 1.2.1 - Admin+ Authenticated Stored XSS
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. In the settings of the plugin, add the following payload to the text before the form:...