4359 matches found
SP Project & Document Manager < 4.58 - Sensitive File Disclosure
The plugin uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files. 1. Upload a file using the plugin. 2. On another browser, access the newly uploaded file via:...
WP-CRM <= 1.2.1 - CSV Injection
The plugin does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. 1. Add new person and put the following CSV calculator payload into the Display Name, Phone Number and Description field and save the entry. payload : =cmd|' /C calc'!'A...
WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users curl 'https://example.com/index.php?restroute=/xs-donate-form/payment-redirect/3' \ --data '"id": "SELECT 1 FROM...
MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise from data, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create a form and put the following payload in the Form Code textarea: The XSS will be triggered whe...
AP Custom Testimonial < 1.4.8 - Admin+ SQL Injection
The plugin does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL Injection https://example.com/wp-admin/admin.php?page=apcttestimonialedit&id=1+AND+SELECT+42+FROM+SELECTSLEEP5b...
Unlimited PopUps <= 4.5.3 - Author+ SQL Injection
The plugin does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection https://plugins.trac.wordpress.org/browser/unlimited-popups/trunk/popuplist.phpL16...
WordPress Download Manager < 3.1.25 - Authenticated Directory Traversal
Authenticated Directory Traversal in WordPress Download Manager Add New. Name the post, and intercept the request when you Submit for Review no file needs to be uploaded. In the filepagetemplate parameter, swap out page-template-1col-flat.php for “\../../../../../wp-config.php” Then preview the...
Mimetic Books <= 0.2.13 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to Authenticated Stored Cross-Site Scripting XSS in the "Default Publisher ID" field on the plugin's settings page. 1. Install WordPress 5.7.2 2. Install and activate Mimetic Books 3. Navigate to Settings Mimetic Books API and enter the XSS payload into the Default...
Bello < 1.6.0 - Authenticated Cross-Site Scripting (XSS) and XFS
The theme did not properly sanitise its postexcerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue -- Payloads: $ $ -- PoC | Authenticated XFS | My Listings: ! POST...
Alemha Watermarker <= 1.3.1 - Author+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. As an "author" level user, add a ne...
Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload
Description The plugin does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to for example in multisite setup 1. Go to the plugin setting and in the "Restore" section upload...
Hubbub Lite < 1.33.1 - Unauthenticated Password Protected Posts Access
Description The plugin does not ensure that user have access to password protected post before displaying its content in a meta tag. When the "Disable Open Graph Meta Tags" settings of the plugin is disabled, view the source of a password protected post and note its content being disclosed in the...
Shariff Wrapper < 4.6.10 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the...
Allow SVG < 1.2.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to see the XSS...
illi Link Party! <= 1.0 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Make an admin open the following HTML: See that the support the plugin option is toggled on/off...
TJ Shortcodes <= 0.1.3 - Contributor+ Stored XSS via Shortcodes
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. junkie-button...
URL Shortify < 1.7.9.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Multiple parameters in the plugin's...
MultiParcels Shipping For WooCommerce < 1.14.14 - Subscriber+ Arbitrary Shipment Deletion
Description The plugin does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment Login as a subscriber an open https://example.com/wp-admin/admin-post.php?action=multiparcelsdeleteshipping&id=1 to delete the shipment with...
AN_GradeBook <= 5.0.1 - Admin+ XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. When adding a new course in the plugin setting...
Aajoda Testimonials < 2.2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. In Aajoda » Optional Aajoda Style, insert the...
WP Fatest Cache < 1.1.5 - Blind SSRF via CSRF
The plugin does not have CSRF check in an AJAX action, and does not validate user input before using it in the wpremoteget function, leading to a Blind SSRF issue Note: CSRF was fixed in 1.1.4, the SSRF in 1.1.5 Make a logged in admin open...
Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
GN Publisher < 1.5.6 - Reflected XSS
The plugin does not sanitise and escape the tab parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WP Stripe Checkout < 1.2.2.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, put the following shortcode in a page/post wpstripecheckout...
Create Block Theme < 1.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not have authorisation and CSRF checks, as well as does not validate the file to be uploaded, which could allow unauthenticated attackers to upload arbitrary files to the server As unauthenticated user, open The file will be uploaded at...
Duplicate Page and Post Plugin < 2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Duplicate Post Suffix" or "Duplicate Link Text" settings: "alert/XSS/...
Easy Student Results <= 2.2.8 - Sensitive Information Disclosure via REST API
The plugin lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc When the "Enable API for Mobile Apps" settings...
Best Contact Management Software <= 3.7.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "No Access Message" settings...
Contact Form by Supsystic < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)
The label field Form name was vulnerable to stored Cross-Site Scripting issue. When creating or editing a form, use the following payload as a Form name label field: "alert1!--', which will be executed when viewing the "Show All Forms" section, as well as when opening the Contact Details of a use...
EazyDocs < 2.5.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup The PoC will be displayed on June 25,...
WebP & SVG Support <= 1.4.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following markup: alert"XSS"; Load the SVG and see the XSS. Code reference:...
WP Logs Book <= 1.0.1 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting 1. On the login page, enter any username and for the password enter alert1 2. As an admin, view the logs at:...
Business Card <= 1.0.0 - Arbitrary Card Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as deleting cards via CSRF attacks Make a logged in admin open an HTML document containing where is a valid ID: "...
Crelly Slider <= 1.4.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Crelly Slider" 2. Add a slid...
CM Download and File Manager < 2.9.0 - Download Unpublish via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins unpublish downloads via a CSRF attack Make an admin open the URL below https://example.com/cmdownload/unpublish/id/...
DoLogin Security < 3.7 - IP Spoofing
Description The plugin uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. 1. Send login request with x-forwarded-for: REDACTEDIP 2. See spoofed IP address in the "Login Attempts Log"...
FTP Access <= 1.0 - Subscriber+ Stored XSS
Description The plugin does not have authorisation and CSRF checks when updating its settings and is missing sanitisation as well as escaping in them, allowing any authenticated users, such as subscriber to update them with XSS payloads, which will be triggered when an admin will view the setting...
Supsystic Popup < 1.10.19 - Prototype Pollution
The plugin has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype. 1 Create a pop-up that is set to load on any page 2 Go to http://example.com/?protopoc=polluted 3 Open browser console 4 Type poc and see polluted as the result...
Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.0 - Subscriber+ Denial of Service by account logout
The plugin does not validate authorization in the vcitalogout ajax action, allowing any logged in user with roles as low as subscriber to log the site out from the cvita account, causing a denial of service for the appointment scheduling functionality...
Yellow Yard < 2.8.12 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks yyfilter field='" style=background-color:red...
Jetpack CRM < 5.4.3 - Admin+ Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. In the settings of the plugin, in the three input boxes are named "Second Address Label", "Login Logo...
Simply Schedule Appointments < 1.5.7.7 - Unauthenticated Email Address Disclosure
The plugin is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address https://example.com/wp-json/ssa/v1/users...
Advanced WordPress Reset < 1.6 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting - Completely reset the site using the plugin - Visit https://example.com/wp-admin/tools.php?page=advancedwpreset&"alert1...
Bestbooks <= 2.6.3 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users Affected parameters: credit and debit curl https://example.com/wp-admin/admin-ajax.php \ --data...
Slide Anything < 2.3.44 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape sliders' description, which could allow high privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Create/edit a Slider with the plugin and put the following payload in a Slide Descriptio...
Simple Membership < 4.1.0 - Arbitrary Transaction Deletion via CSRF
The plugin does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack https://example.com/wp-admin/admin.php?page=simplewpmembershippayments&action=deletetxn&id=1 will delete the transaction...
Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access
The plugin allows passing shortcode attributes with posttype & poststatus which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to. include-page allowtype="post" allowstatus="draft" id="131" include-page...
Easy Social Icons < 3.0.9 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'PHPSELF' input before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php/alert/XSS//?page=cnsssocialiconpage...
WP Fusion Lite < 3.37.30 - Reflected Cross-Site Scripting (XSS)
The plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the /includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts WPScanTeam: The issue was reported as fixed, but the fix was insufficient and a separate...
Alipay <= 3.7.2 - Authenticated SQL Injection
A proid GET parameter of the plugin is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection. GET /wp-admin/options-general.php?page=wsalipay&action=edit&proid=-5818%20UNION%20ALL%20SELECT...