4359 matches found
Starbox < 3.5.0 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks http://132" onmouseover='alert1'...
WP-Reply Notify <= 1.1 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Make an admin open an HTML page containing the following: document.forms0.submit;...
WordPress Toolbar <= 2.2.6 - Open Redirect
Description The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action...
Backup Migration Staging < 1.3.6 - Sensitive Data Exposure
Description The plugin stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site's backups. 1 Run a backup of the site 2 Notice the following files are all publicly available while the...
Assistant < 1.4.4 - Editor+ SSRF
Description The plugin does not validate a parameter before making a request to it via wpremoteget, which could allow users with a role as low as Editor to perform SSRF attacks As an Editor or above, open http://example.com/index.php?flasstimageproxy&url=https://127.0.0.1...
Memberlite Shortcodes < 1.3.9 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Simple Posts Ticker < 1.1.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Settings Simple Posts Ticker...
Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access
Description The plugin does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary files and folders on the server. On a multisite installation, log in as a site admin. Notice that you are able to manage files on the server using this...
Waitlist Woocommerce < 2.5.3 - Settings Reset via CSRF
The plugin does not have CSRF check when reseting its Settings, which could allow attackers to make logged in admins perform such action via a CSRF attack Make a logged in admin open https://example.com/wp-admin/admin.php?page=waitlist-woocommerce-settings&reset=yes...
Contact Form Builder by vcita <= 4.10.2 - Settings Update Via CSRF
The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions alert1;...
Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. Submit a message in the chatbox, intercept the request using Burp Suite for example. Edit the request to reflect this request:...
WP Attachments < 5.0.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Put the following payload in the "List Head" or...
WooCommerce PDF Invoices & Packing Slips < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an attributes of an admin page, leading to Reflected Cross-Site Scripting. This is a re-introduction of CVE-2021-24991 in 2.14.0...
Simple Post Notes < 1.7.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Notes placeholder" settings of the plugin: alert/XSS/...
WP Contact Slider < 2.4.7 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the Text to Display settings of sliders, which could allow high privileged users such as editor and above to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Create/edit a Slider, select the "text or HTML" for the " What would...
Form - Contact Form <= 1.2.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a form, add a Custom Text field, put the following payload in it: alert/XSS/, save the field...
PDF24 Articles To PDF <= 4.2.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack input t...
CaPa Protect <= 0.5.8.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable the applied protection. HTMLFormElement.prototype.submit.call document.getElementById"test" ;...
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via keyword
The plugin does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form Append the following payload on a page containing a Post Grid with a search form:...
Event Manager for WooCommerce < 3.5.8 - Contributor+ SQL Injection
The plugin does not validate and escape the postauthorgutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks Create or edit an event as a contributor, intercept the request and...
Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
The getquery function of the plugin, used by the niwoocosajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber POST...
Ultimate NoFollow <= 1.4.8 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks Affected shortcodes: nf, nofo, nofol, nofollow, relnofollow As a contributor, put the below shortcode in a post/page nf...
Display Post Metadata < 1.5.0 - Contributor+ Stored Cross-Site Scripting
The plugin adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks - Login as contributor+ - Create a custom field containing XSS payload eg. alert1 - Add this...
MicroCopy <= 1.1.0 - Authenticated SQL Injection
The edit functionality in the plugin makes a get request to fetch the related option. The id parameter used is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET...
KN Fix Your Title <= 1.0.1 - Authenticated Stored XSS
The plugin was vulnerable to Authenticated Stored XSS in the separator field. 1. Install WordPress 5.7.2 2. Install and activate KN Fix Your Title 3. Navigate to Fix Title under Settings Tab Click on I have done this and enter the XSS payload into the Separator input field. 4. Click Save Changes...
Contact Form by Supsystic < 1.7.11 - Authenticated SQL Injections
The GET parameters sidx and sord were used in a SQL statement without being sanitised when searching for Forms in the dashboard, leading to an authenticated SQL Injection issues...
Animated AL List <= 1.0.6 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 1. Add a new project 2. Access the URL...
Easy Table of Contents < 2.0.66 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed You should create new post with two more heading. Go to the settings of the plugin and...
Sailthru Triggermail <= 1.1 - Reflected XSS
Description The plugin does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The PoC will be displayed on May 14, 2024, to give users the time ...
Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add New Survey 2. Choose any...
Nextgen Gallery < 3.59.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1. Add the "NextGEN Media RSS" Widget to the blog Appearance Widgets 2. Change the "Tooltip...
HL Twitter <= 2014.1.18 - Admin+ Stored XSS via Widget
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the widget area, add the widget...
Bannerlid <= 1.1.0 - Reflected XSS
Description The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators Have an admin open URLs: -...
WooCommerce Customers Manager < 29.8 - Reflected XSS
Description The plugin does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the HTML page/URLs below...
Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure
Description The plugin does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts. 1. ADMIN: Install Meta Box 2. ADMIN: Add Meta Box fields through code or the premium add-on...
NPS computy < 2.7.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Settings NPS Monitoring" 2...
Schema Pro < 2.7.16 - Contributor+ Custom Field Access
Description The plugin does not validate post access allowing a contributor user to access custom fields on any post regardless of post type or status via a shortcode As a contributor, add/edit a post and embed aiosrsprocustomfield postid="ANYPOSTID" fieldkey="ANYMETAKEY" and specify/guess any po...
Cookie Information < 2.0.23 - Subscriber+ Arbitrary Options Update
Description The plugin is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler, allowing any authenticated users, such as subscriber to update arbitrary site options Run the below command in the developer console of the web browser while being on th...
NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization
Description The plugin is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the galleryedit function, allowing an attacker to access arbitrary resources on the server. 1. Ensure your WordPress installation is using PHP version 7.4 or earlier. 2. Create a Gallery an...
InventoryPress <= 1.7 - Author+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks. 1. Create a "New Inventory Item" 2. In the "Description" field, add the value "alert"xss" 3. Edit the created item and see the XS...
Contact Form and Calls To Action by vcita <= 2.7.1 - Settings Update Via CSRF
The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions alert1;&uid=a”alert2;...
SlideOnline <= 1.2.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks The PoC will be displayed once the issue has...
Amr Ical Events Lists <= 6.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Login as Admin. 2. Go to...
Saan World Clock <= 1.8 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wclock tz='" onmouseover="alert1"...
HTML Forms < 1.3.25 - Admin+ SQLi
The plugin does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users Access the submission page on https://example.com/wp-admin/admin.php?page=html-forms&view=edit&formid=formID&tab=submissions Capture the...
Simple File List < 4.4.13 - Page Creation via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack...
Sideblog <= 6.0 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping " document.getElementById"test".submit; The XSS will be...
Gmedia Photo Gallery < 1.20.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed https://youtu.be/kTMg65teTvU Create ...
Popup Builder < 4.0.7 - LFI to RCE
The plugin does not validate and sanitise the sgpbtype parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR Create a zip archiv...
AnyComment < 0.2.18 - Arbitrary HyperComments Import/Revert via CSRF
The plugin does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack Go to https://example.com/wordpress/wp-admin/admin.php?r=import%2Fhypercomments&url=http://, and you will see a get request in yo...