4359 matches found
EventPrime < 3.3.6 - Booking Pricing Bypass
Description The plugin specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment. Create an Event, noting its ID. Add a ticket type to the Event, ensuring that the price is not zero. As a logged-in user, go through the process of paying for ...
ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Title Disclosure
Description The plugin does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post such as draft and private via an IDOR vector Run the below command in the developer console of t...
Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE On a page where there is a form with a Signature field, run the following code in the web developer console while...
WooCommerce Subscriptions < 4.6.0 - Subscription Suspension/Activation via CSRF
Description The plugin does not have CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged in admin suspend or activate arbitrary subscription via a CSRF attack Deactivate subscription with ID 53:...
User Activity Log < 1.6.6 - Subscriber+ Log Export
Description The plugin lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses. As a subscriber, open the following URL...
Custom Field For WP Job Manager < 1.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup To test, you also need to have WP Job...
Google Map Shortcode <= 3.1.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin Note: The plugi...
Icegram Engage < 3.1.12 - Reflected XSS
The plugin does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
Stop Spammers Security < 2023 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the payload below in any of the "Challenge &...
MonsterInsights < 8.9.1 - Stored Cross-Site Scripting via Google Analytics
The plugin does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics. 1. Open a WP page with the plugin and Google analytics installed and search for somethi...
WP ALL Export Pro < 1.7.9 - Authenticated Code Injection
The plugin does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user which has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be...
Better Find and Replace < 1.3.6 - Admin+ SQLi
The plugin does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection...
WP Subscribe < 1.2.13 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its widgets settings, which could allow high privilege users such as admin to perform Cross-Site Scripting even when unfilteredhtml is disallowed Add the widget of the plugin to a page, and put the following payload in settings such as "Title",...
Gwolle Guestbook < 4.2.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the gwollegbuseremail parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in an admin page alert/XSS/;' / var form1 = document.getElementById'hack'; form1.submit;...
Logo Carousel < 3.4.2 - Unauthorised Private Post Access
The plugin allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature 1 Go to Logo Carousel - Shortcode Generator. 2 If there is no carousel, create one. 3 Copy URL of the "Duplicate" link under the carouse...
Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the currentmonthdivider parameter of its meclistloadmore AJAX call available to both unauthenticated and authenticated users before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue...
Duplicate Post < 1.2.0 - Authenticated SQL Injection
The plugin does not properly sanitise and escape the id parameter passed to the cdpactionhandling AJAX action, which could allow user having access to the plugin by default admins to perform SQL Injection attacks POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 229 Accept: / X-Requested-Wit...
Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection
Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wpajaxheateorsssimportconfig AJAX action due to a missing capability check in the importconfig function found in the /admin/class-sassy-social-share-admin.php file along with the implementation...
Support Board < 3.3.5 - Agent+ Stored Cross-Site Scripting
The plugin allows Authenticated Agent+ users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any authenticated user go to the chat the XSS will be automatically executed. POST /supportboard/include/ajax.php HTTP/1.1 Cookie: Agent+ Accept: ...
Ninja Forms < 3.5.8 - Unprotected REST-API to Sensitive Information Disclosure
The plugin is vulnerable to sensitive information disclosure via the bulkexportsubmissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the...
WP Map Block < 1.2.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some attributes of the WP Map Block, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks - As a contributor, add a WP Map Block to a post/page - Click "Show more settings" - Scroll the sidebar and click "Map Marker" -...
Create WooCommerce Product Feeds For 40+ Merchants < 3.3.1.0 - Authenticated SQL Injection
The fetchproductajax functionality in the plugin uses a productid POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 162 Accept: / X-Requested-With: XMLHttpReque...
Post Index <= 0.7.5 - CSRF to Stored XSS
The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the /php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5. CSRF PoC alert1;" / iframe src="x" width="1" height="1"...
Himer - Social Questions and Answers < 2.1.1 - Multiple CSRF on the Group Section
Description The theme does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group The PoC will be displayed on June 26, 2024, to give users the...
Himer - Social Questions and Answers < 2.1.1 - Arbitrary Group Joining via CSRF
Description The theme does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack The PoC will be displayed on June 26, 2024, to give users the time to update...
Shortcodes Ultimate < 7.1.2 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Add the following shortcode to a post: sulightbox src='123"onmouseover="alert1"'Click...
Float menu < 6.0.1 - Menu Deletion via CSRF
Description The plugin does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack. Make a logged in admin open one a page with the code below, this will make them delete the menu with ID 1:...
Theme My Login 2FA < 1.2 - Lack of Rate Limiting
Description The plugin does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits. https://packetstormsecurity.com/2309-exploits/wpmylogin-bruteforce.txt...
Bookly < 22.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. As an admin user, visit the Bookly...
Appointment booking addon for Gravity Forms <= 1.9.5.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup The "Translations" settings of the...
Track The Click < 0.3.12 - Author+ Time-Based Blind SQL Injection
Description The plugin does not properly sanitize query parameters to the stats REST endpoint before using them in a database query, allowing a logged in user with an author role or higher to perform time based blind SQLi attacks on the database. Version 0.3.11 changes the API endpoint to only be...
Simple Posts Ticker < 1.1.6 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Add a post with the shortcode:...
Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending
Description The plugin allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubelysendformdata AJAX action. Execute the below command in the web developer console, on the blog homepage as an unauthenticated user, replacing domain by the domain of the blog: Current...
Easy Forms for Mailchimp < 6.8.9 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. When the debug settings is enabled ie...
File Away <= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. fileup class='" onmouseover="alert1"'...
Quiz Maker < 6.4.2.7 - Reflected XSS
The plugin does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below other URL are also affected...
Slimstat Analytics < 4.9.4 - Subscriber+ SQL Injection
The plugin does not prevent subscribers from rendering certain shortcodes that concatenate attributes directly into an SQL query...
BackupBuddy < 8.7.5 - Unauthenticated Arbitrary File Access
The plugin is affected by a Directory Traversal attack, allowing unauthenticated attackers to access arbitrary files on the web server, starting in version 8.5.8.0. Install BackupBuddy v8.5.8.0 through v8.7.4.1. curl...
WP Comments Fields < 4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a Comment Fields Comments Comment Fields and put the following payload in the Error Message setting: "autofocus...
Co-Authors-Plus 3.5/3.5.1 - Guest Authors Email Address Disclosure
The plugin introduced an information disclosure vulnerability specifically, the e-mails of guest authors via a public REST endpoint accessible without any authentication https://example.com/wp-json/wp/v2/coauthors...
Five Minute Webshop <= 1.3.2 - Admin+ SQLi via orderby
The plugin does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection https://example.com/wp-admin/admin.php?page=fmwesproducts&orderby=id+AND+SELECT+7394+FROM+SELECTSLEEP5UrUZ...
Check & Log email < 1.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=check-email-settings&tab="...
Easy Social Icons < 3.1.4 - Admin+ SQL Injection
The plugin does not sanitize the selectedicons attribute to the cnsswidget before using it in an SQL statement, leading to a SQL injection vulnerability. Author : Qerogram import requests from bs4 import BeautifulSoup BASEURL = "http://localhost:8000" id = "wordpress" pw = "wordpress" def loginid...
Folders Disclosure via Outdated jQueryFileTree Library
The plugins are using the admin-page-framework framework which is shipped with the outdated and no longer maintained library jQueryFileTree known to be affected by a path traversal issue, allowing unauthenticated attackers to disclose the folder structure of the web server curl...
Multisite User Sync/Unsync < 2.1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wmussourceblog and wmusrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-sourceblog/' / alert/XSS-record/' /...
Post Grid < 2.1.8 - Reflected Cross-Site Scripting (XSS)
The slider import search feature and tab parameter of the plugin settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/edit.php?posttype=postgrid&page=post-grid-settings&tab="alert1...
Save as PDF < 3.2.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. On the "Settings Save as PDF Basic...
coreActivity < 2.1 - Unauthenticated IP Spoofing
Description The plugin retrieved IP addresses of requests via headers such X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value As unauthenticated: curl 'https://example.com/attacker' -H 'X-FORWARDED: 127.0.0.1' Then view the logs and note that the plugin display...
Smart Forms < 2.6.94 - Edit Entries via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as editing entries, and we consider it a medium risk. CSRF PoC CSRF PoC input type="hidden" name="elementOptions"...
Inline Related Posts < 3.6.0 - Subscriber+ Password Protected Post Read
Description The plugin does not ensure that post content displayed via an AJAX action are accessible to the user, allowing any authenticated user, such as subscriber to retrieve the content of password protected posts When logged in as a subscriber, open the following URL and note that the conten...