4359 matches found
Car Seller - Auto Classifieds Script <= 2.1.0 - Unauthenticated SQL Injection
The requestlistrequest AJAX call of the plugin, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the orderid POST parameter before using it in a SQL statement, leading to a SQL Injection issue. curl 'https://example.com/wp-admin/admin-ajax.php' ...
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User
Low privileged users could use the AJAX action "cppluginsdobuttonjoblatercallback" from multiple plugins of the WP-Buy vendor, to install any plugin including a specific version from the WordPress repository, which helps attackers install vulnerable plugins and could lead to more critical...
N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE
The plugin suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5uniqidrand, however, in the case of misconfigured servers with Directory listing enabled,...
FooBox (Free and Premium) < 2.7.28 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Go to settings and change the "Specif...
FS Product Inquiry <= 1.1.1 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users Have any user admin or unauthenticated open an HTML page with...
IDonate <= 1.9.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate to...
Newsletter Popup <= 1.2 - List Deletion via CSRF
Description The plugin does not have CSRF check when deleting list, which could allow attackers to make logged in admins perform such action via a CSRF attack Make an admin open a URL where is a valid id: http://example.com4/wp-admin/admin.php?page=wpnewslettershowitems&action=trash&id=...
Backup Bolt < 1.4.0 - Sensitive Data Exposure
Description The plugin is vulnerable to Information Exposure via the unprotected access of debug logs. This makes it possible for unauthenticated attackers to retrieve the debug log which may contain information like system errors which could contain sensitive information. Access the error log at...
Product Enquiry for WooCommerce < 3.2 - Reflected XSS
Description The plugin does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below alert/XSS/'...
Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read
Description The plugin does not ensure that users accessing posts via an AJAX action and REST endpoint, currently disabled in the plugin have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content WooCommerce needs to be...
BestWebSoft's Like & Share < 2.74 - Unauthenticated Password Protected Post Read
Description The plugin discloses the content of password protected posts to unauthenticated users via a meta tag In the web browser, view the source of any password protected post and check the og:description meta tag...
Funnelforms Free < 3.4.2 - Form Deletion/Duplication via CSRF
Description The plugin does not have CSRF checks on some of its form actions such as deletion and duplication, which could allow attackers to make logged in admin perform such actions via CSRF attacks Make a logged in admin open an HTML page with the form below Deletion This will delete the form...
Article Analytics <= 1.0 - Unauthenticated SQL injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection vulnerability. On a Wordpress blog using MySQL the following PoC allows to extract the hash of the...
Fattura24 < 6.2.8 - Reflected Cross-Site Scripting
Description The plugin does not sanitize or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting vulnerability. wp-admin/options-general.php?page=fatt-24-tax&id=12alert1%3B...
PageLayer < 1.7.7 - Unauthenticated Stored XSS
Description The plugin doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts. Unauthenticated attacker Proof of Concept 1 As a legitimate administrator, schedule a post to be published in a few minutes. 2 Close every window to that site to preve...
Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. msalert...
Funnelforms Free < 3.4 Unauthenticated Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks 1. Create a contact form 2. Embed the contact form shortcode on a post or page. 3. As an Unauthitncated user, inject the inputs for a malicious scri...
FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access
Description The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server. On a multisite instance, log in as an admin. Click on File Organizer in the sidebar. The UI gives full control to the files on the server, despite not being a...
Leyka < 3.30.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Note: The issue was reported to the...
URL Shortify < 1.7.0 - Admin+ Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate to "URL Shortify Settings Links" 2. Ad...
Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitize and escape the businessid parameter of an unprotected REST route endpoint before rendering it back in pages on the website, allowing an unauthenticated attacker to inject arbitrary web scripts, which could target authenticated users such as administrators. curl...
QueryWall: Plug'n Play Firewall <= 1.1.1 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. 1. Send GET /wp-admin/admin.php?page=querywall&orderby=datetimegmt&order=desc%2cselectfromselectsleep20a 2. See SQL execut...
Multiple Plugins from Wow-Company - Reflected XSS
The plugins do not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below ' / The XSS will be triggered when pressing...
Photo Gallery by Ays < 5.1.7 - Reflected XSS
The plugin does not escape some parameters before outputting it back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open one of the URLs below v 5.1.7 -...
10WebSocial < 1.2.9 - Reflected XSS
The plugin does not sanitise and escape some parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below The XSS will be triggered when pressing...
WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update
The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example Run the bel...
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.3 - Path Traversal
The plugin does not properly check the value of the input "uploaddir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver. 1. Create a contact form and add a "multiple file upload" field. 2. Add the...
Responsive Lightbox2 < 1.0.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, put, the following shortcode in a page/post lightbox2 url='"...
VR Calendar < 2.3.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/plugins.php?vrcmsg=&vrcmsgtype="...
Page Generator Plugin < 1.6.6 - Arbitrary Keywords Deletion/Duplication via CSRF
The plugin does not have CSRF check in place when deleting and duplicating keywords, which could allow attackers to make a logged in admin delete and duplicate arbitrary keywords via CSRF attacks https://example.com/wp-admin/admin.php?page=page-generator-keywords&cmd=delete&id=3...
Seamless Donations < 5.1.9 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; Some link: https://google.com input type="text" name="dgxdonateemailanon" value="You have requested th...
Mail Subscribe List < 2.1.4 - Arbitrary Subscribed User Deletion via CSRF
The plugin does not have CSRF check in place when deleting subscribed users, which could allow attackers to make a logged in admin perform such action and delete arbitrary users from the subscribed list document.getElementById"test".submit;...
Easily Generate Rest API Url <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the "Post Per Page" or "Enter Search Text": settings of the plugin: "autofocus...
Animate It! < 2.4.0 - Contributor+ Stored Cross-Site Scripting
The plugin has flawed validations and does not escape its shortcode argument, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks via a malicious shortcode v 2.3.8 edsanimate animation="attacker" delay='1"...
Bank Mellat <= 1.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=bank-mellat&orderId="...
Multisite Content Copier/Updater < 2.1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the s parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in the network dashboard...
WP Limits <= 1.0 - Plugin's Settings Update via CSRF
The plugin does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting low values...
Himer - Social Questions and Answers < 2.1.1 - Contributor+ Stored XSS
Description The theme does not sanitise and escape some of its Post settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks The PoC will be displayed on June 26, 2024, to give users the time to update...
KKProgressbar2 Free <= 1.1.4.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert/XSS/' csrf" XSS will trigger on...
Advance Search <= 1.1.6 - Shortcode Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks Make a logged in admin open the following HTML replace FORMID with a valid ID: The security field isn't validated and the shortcode is...
Woomotiv < 3.5.0 - Review Count Reset via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'ajaxcancelreview' function. This makes it possible for unauthenticated attackers to reset the site's review count via a forged request granted they can trick a site administrato...
Gutenberg Blocks by Kadence Blocks < 3.2.26 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor or above, edit a post in...
EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update
Description The plugins do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata. Note: Such issue could lead to Unauthenticated Stored XSS due to the lack of sanitisation in...
AMP+ Plus <= 3.0 - Reflected Cross Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin https://example.com/?p=1&yolo=%22%3E%3CScRiPt%3Ealert%28%27XSS%27%29%3C%2FsCrIpT%3E...
Templately < 2.2.6 - Unauthenticated Arbitrary Post Deletion
Description The plugin does not properly authorize the saved-templates/delete REST API call, allowing unauthenticated users to delete arbitrary posts. Ensure the Elementor plugin is installed so that the Elementor Template functionality is enabled. curl -X POST...
Testimonial Slider Shortcode < 1.1.9 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Herd Effects < 5.2.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup In the plugin settings, add a new item...
User Access Manager < 2.2.18 - IP Spoofing
Description The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible for attackers to access restricted content in certain situations. Set HTTPXREALIP which is used in checkUserGroupAccess to use an IP from the allowlist...
Companion Sitemap Generator < 4.5.3 - Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged-in admin open: https://example.com/wp-admin/tools.php?page=csg-sitemap&tabbed=...
Feather Login Page < 1.1.2 - Missing Authorization to Non-Arbitrary User Deletion
The plugin does not check authorization when processing the ftlpp-ext-expirable-delete-user ajax action, which could allow users with roles as low as subscriber to delete temporary users generated by the plugin, furthermore it does not protect the action against CSRF attacks, allowing an...