4359 matches found
WP Custom Cursors < 3.2 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. 1. Add a new "WP Custom Cursor". 2. Return to the "WP Custom Cursors" page and click edit Cursor. 3.The WP Custom Cursors...
ConvertKit < 2.2.1 - Reflected XSS
The plugin does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
Shortcodes Ultimate < 5.12.8 - Subscriber+ User Meta Disclosure
The plugin does not validate the user meta to be retrieved via the user shortcode, allowing any authenticated users such as subscriber to retrieve arbitrary user meta except the userpass, such as the user email and activation key by default. Run one of the below commands in the developer console ...
Namaste! LMS < 2.6 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. One XSS issue was fixed in version 2.5.9.9. The...
Post Category Image With Grid and Slider < 1.4.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Fontsy <= 1.8.6 - Multiple Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. curl -i 'http://example.com/wp-admin/admin-ajax.php?action=getfonts' \ --data 'id=1 AND SELECT 1 FROM SELECTSLEEP5hewu...
Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
The plugin does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and studen...
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary Feed Deletion
The plugin does not have authorisation and CSRF check in place when deleting feeds, allowing ay authenticated users, such as subscriber to delete arbitrary feeds As any authenticated user, such as subscriber. Or via CSRF against them...
Translatepress Multilinugal < 2.3.3 - Admin+ SQLi
The plugin is vulnerable to an authenticated SQL injection. By adding a new language via the settings page containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected. To exploit the vulnerability, someone must send a...
Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation
The plugin allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter. Note: This only affects membership from the plugin, not the WordPress role The request contains the levelidentifier parameter with the md52 value, where 2 is the...
Request a Quote <= 2.3.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Misc No Access Message setting of the plugin: alert/XSS/; The X...
Simple Page Transition <= 1.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "Ignored Download Link...
WP OAuth Server ( Login with WordPress ) < 4.0.1 - Authentication Bypass
The plugin is affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the client’s...
miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks v ' / v...
Admin Menu Editor <= 1.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/options-general.php?page=admin-menu-restriction&role="...
Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure
The plugin does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to...
WordPress Membership SwiftCloud.io <= 1.0 - Authenticated SQL Injection
An id GET parameter of the plugin is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=swiftbookaddemailtemplate&id=0%20UNION%20ALL%20SELECT%20NULL,NULL,user,NULL,NULL-- HTTP/1.1 Cache-Control: max-age=0...
Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation
An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. Even with the maximu...
WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection
The includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement, leading to an unauthenticated SQL injection issue. curl -k --silent "http://example.com/index.php?restroute=3D/wpgmza/v1/markers/&filter=3D%7B%7D&=fields=3D+from+wpusers+--+-"...
Simple Photoswipe <= 0.1 - Subscriber+ Arbitrary Settings Update
Description The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them history.pushState'', '', '/'; document.forms0.submit; the response of the request above is 403, but the settings update still happens...
ENL Newsletter <= 1.0.1 - Admin+ SQL Injection
Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admin+ to perform SQL injection attacks As an admin open a link like:...
Save as PDF by Pdfcrowd < 3.2.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Settings Save as Image" 2...
Simple Buttons Creator <= 1.04 - Aribtrary Button Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks Make a logged in admin open a page with the code below where is an existing button:...
Simply Excerpts <= 1.4 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup. Put the following payload...
Awesome Support < 6.1.5 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Visit the following URL as an admin user, with any valid ticket ID. Press the access k...
Drag and Drop Multiple File Upload < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts. Using malicious SVG files: Go to a product page that features the file upload form, and paste the following in your browser...
WooCommerce Pre-Orders < 2.0.3 - Arbitrary Pre-Order Canceling via CSRF
The plugin has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged in admins cancel arbitrary pre-orders via a CSRF attack Make a logged in admin open the URL below 42 being a pre-order to be canceled...
Hostel < 1.1.5.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Manage Rooms and click on "Click here to...
UserPlus <= 2.0 - Stored XSS via CSRF
The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. Open the .html file where the admin user is logged in history.pushState'', '', '/' input type="hi...
Gift Voucher < 4.3.3 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the template parameter before using it in a SQL statement via the wpgvdoajaxvoucherpdfsavefunc AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber curl "http://$TARGETHOST/wp-admin/admin-ajax.php" --da...
UpQode Google Maps <= 1.0.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit: vcugmmap mapheight='100px;...
Google Apps Login < 3.4.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to the setting page of this plugin. 2. In...
Peter’s Collaboration E-mails <= 2.2.0 - Arbitrary Settings Update via CSRF
The plugin is vulnerable to CSRF due to missing nonce checks. This allows the change of its settings, which can be used to lower the required user level, change texts, the used email address and more. input type="text" name="pceemailstosend...
Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
The plugin does not validate and escape the postid parameter before using it in a SQL statement via the qcldupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection curl https://example.com/wp-admin/admin-ajax.php --data...
Simple Theme Options < 1.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any of textarea field settings of the plugin such as 'Google Analytics': " T...
WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode
The plugin does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks wordpressfileupload widths='title:1;animation-nametwentytwentyone-close-button-transition" onanimationend="alert/XSS-widths/'...
WP Google Fonts < 3.1.5 - Reflected Cross-Site Scripting
The plugin does not escape the googlefontajaxname and googlefontajaxfamily parameter of the googlefontaction AJAx action available to any authenticated user before outputing them in attributes, leading Reflected Cross-Site Scripting issues var form1 = document.getElementById'hack'; //form1.submit...
Photo Gallery < 1.5.75 - File Upload Path Traversal
The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector The below requests will put the xss.svg file into the /wp-content/uploads/ folder rather than...
Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE
The plugin did not validate its cachingexcludeurls and cachingincludequerystrings settings before outputting them in a PHP file, which could lead to RCE PoC | Authenticated RCE | Caching Exclude URLs / Cached query strings: POST /wp-admin/admin.php?page=sbp-settings HTTP/2 Host: example.com Cooki...
Video Widget <= 1.2.3 - Admin+ Stored XSS via Widget
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a "Video Widget" to a widget ar...
WP Backpack <= 2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Sticky Buttons < 3.2.4 - Button Deletion via CSRF
Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks Make a logged in admin open an HTML file where ID is a valid ID: action...
Herd Effects < 5.2.7 - Effect Deletion via CSRF
Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks Make a logged in admin open an HTML file where ID is a valid ID: action...
MapPress < 2.88.17 - Contributor+ Stored XSS via Map Settings
Description The plugin is vulnerable to Stored Cross-Site Scripting via the width and height parameters, allowing with contributor access and above to perform Stored XSS attacks - Go to Plugin’s page /wp-admin/admin.php?page=mappressmaps - Add New Map and search any location you want. - Add XSS...
Advanced Schedule Posts <= 2.1.8 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins...
Colibri Page Builder < 1.0.240 - Contributor+ Stored XSS
Description The plugin does not validate and escape some its extendbuilderrenderjs shortcode content before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WP Crowdfunding < 2.1.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a campaign and for the reward...
Mmm Simple File List <= 2.3 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below...
WPB Show Core <= 2.2 - Unauthenticated Server Side Request Forgery
Description This plugin is vulnerable to server-side request forgery SSRF via the path parameter. Send a GET request to wpb-show-core/download-file.php with the path parameter set to an arbitrary URL http://example.com/latest/meta-data/iam/security-credentials/wpb-apps-prod-role the website will...
EventPrime < 3.3.6 - Booking Pricing Bypass
Description The plugin specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment. Create an Event, noting its ID. Add a ticket type to the Event, ensuring that the price is not zero. As a logged-in user, go through the process of paying for ...