4359 matches found
Five Star Business Profile and Schema < 2.1.7 - Subscriber+ Page Creation & Settings Update to Stored XSS
The plugin does not have any authorisation and CSRF in its bpfwpwelcomeaddcontactpage and bpfwpwelcomesetcontactinformation AJAX action, allowing any authenticated users, such as subscribers, to call them. Furthermore, due to the lack of sanitisation, it also lead to Stored Cross-Site Scripting...
Coming Soon & Maintenance Plugin by NiteoThemes < 4.0.19 - Unauthenticated Arbitrary CSS Update
The plugin allows any user, even not logged in, to arbitrarily change the coming soon page layout. wget 127.0.0.1:8001...
Futurio Extra < 1.6.3 - Subscriber+ User Email Address Disclosure
The plugin allows any logged in user, such as subscriber, to extract any other user's email address. fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded" , "body": new URLSearchParams"action": "dilazmbqueryselect", "q": "@gma",...
WP Guppy < 1.3 - Sensitive Information Disclosure
The plugin does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user !/bin/bash Exploit Title: Wordpress...
WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks...
Inspirational Quote Rotator <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfilteredhtml capability is disallowed Add/edit a quote...
Schreikasten <= 0.14.18 - Author+ SQL Injections
The plugin does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author...
Paytm - Donation Plugin <= 1.3.2 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue GET /wp-admin/admin.php?page=wppaytmdonation&action=delete&id=1%20AND%20SELECT%205581%20FROM%20SELECTSLEEP5Pjwy HTTP/1....
Xllentech English Islamic Calendar < 2.6.8 - Authenticated SQL Injection
When deleting a date in the plugin, the yearnumber and monthnumber POST parameters are not sanitised, escaped or validated before being used in a SQL statement, leading to SQL injection. POST /wp-admin/options-general.php?page=xllentechoptionstab4 HTTP/1.1 Content-Length: 220 Cache-Control:...
Frontend Checklist <= 2.3.2 - Admin+ Stored XSS via Items
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a checklist and for an item,...
Mime Types Extended <= 0.11 - Author+ Stored XSS via SVG Upload
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. 1. As an admin, enable SVG uploads at https://example.com/wp-admin/options-general.php?page=mime-types-extended 2. As an author,...
LiveJournal Shortcode <= 1.1.1 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Add this shortcode to a page: lj...
Better Comments < 1.5.6 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks. 1. From the menu on the left, go into "Users" and edit Subscriber user. 2. Upload a new avatar image and click "Updat...
illi Link Party! <= 1.0 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated vistors to perform Cross-Site Scripting attacks. 1. Add a new link party and add its shortcode to a new post. 2. In a new private window, navigate to the post where you added the shortcode. 3...
Easy Newsletter Signups <= 1.0.4 - Admin+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 1. From the "Easy Newsletter Signups", select an email address and then click "Export to CSV" 2. Intercept the...
Frontend File Manager < 22.7 - Editor+ Arbitrary File Download
Description The plugin has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as wp-config.php 1 Create new post with this shortcode - ffmwp 2 Go to new post and upload any file 3 After that go to main page of plugin for users...
Martins Free & Easy SEO Link buildings < 1.2.30 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in amin open...
Front End PM < 11.4.3 - Sensitive Data Exposure via Directory Listing
Description The plugin does not block listing the contents of the directories where it stores attachments to private messages, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled...
User Activity Tracking and Log < 4.0.9 - License Update/Deactivation via CSRF
Description The plugin does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks Make a logged in admin open a page with the code below To make them deactivate the license To make th...
MultiParcels Shipping For WooCommerce < 1.15.2 - Arbitrary Shipment Deletion via CSRF
Description The plugin does not have CRSF check when deleting a shipment, allowing attackers to make any logged in user, delete arbitrary shipment via a CSRF attack Make any logged in user open https://example.com/wp-admin/admin-post.php?action=multiparcelsdeleteshipping&id=1 to make them delete...
AI ChatBot < 4.5.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Go to plugin settings under "WPBot Lite Simple Text Responses" 2. Enter the payload Test Query"...
Thumbnail carousel slider < 1.1.10 - Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting vulnerability which could be used against high privilege users such as admin. Make a logged in admin open: GET...
Video List Manager <= 1.7 - Admin+ SQL Injection
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin SELECT query: 1. Log in as admin. 2. Visit the following path on the site:...
Easy Forms for MailChimp < 6.8.8 - Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the following code this requires the attacker to...
OAuth Single Sign On - SSO (OAuth Client) Enterprise < 48.4.9 - IdP Deletion via CSRF
The plugin does not have CSRF checks when deleting Identity Providers IdP, which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&action=delete&app=wordpress...
VK All in One Expansion Unit < 9.87.1.0 - Reflected XSS
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers Make a logged in admin open the below URL using web browser which does not encode characters...
Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls
The plugin does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options To set the default role for new users to administrator, run the below command in t...
Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Put the following payload in the Account Name settings and click on the 'Change App name' button: " autofocus onfocus=alert/XSS//...
Nested Pages < 3.1.21 - Admin+ Stored Cross Site Scripting
The plugin does not escape and sanitize the some of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed Put the following payload on the "Menu Name" settings of the plugin: "onmouseover=alert"XSS"//...
Image Gallery - Grid Gallery < 1.1.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create a gallery with the "Gallery Theme" set to "Gallery Image 2", add an image and put the...
Icegram < 2.1.8 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks Create/edit a campaign such as a Black Friday one, check the "Use Opt-in / Subscription / Lead capture form" settings and put...
Plausible Analytics < 1.2.4 - Subscriber+ Arbitrary Settings Update
The plugin has a flawed logic when checking for authorisation and CSRF before updating its settings, allowing any authenticated users, such as subscriber, to update the plugin's settings. The attack is also possible via CSRF against any authenticated user. POST /wp-admin/admin-ajax.php HTTP/1.1...
WooCommerce Green Wallet Gateway < 1.0.2 - Reflected Cross Site Scripting in checkout page
The plugin does not escape the errorenvision query parameter before outputting it to the page, leading to a Reflected Cross-Site Scripting vulnerability. 1. Enable greenwallet-gateway as a woocommerce payment gateway 2. add something in your cart and visit the checkout page 3. visit...
WP Email Users <= 1.7.6 - Subscriber+ SQL Injection
The plugin does not escape the dataraw parameter in the weuselectedusers1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks. As any authenticated user such as subscriber, the request below will display all users email addresses...
SEO Booster < 3.8 - Admin+ SQL Injection
The plugin allows for authenticated SQL injection via the "fnmyajaxifieddataloaderajax" AJAX request as the $REQUEST'order'0'dir' parameter is not properly escaped leading to blind and error-based SQL injections. Install SEO Booster, then click on the "Incoming Keywords" link in the Wordpress...
WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header
The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. curl --referer "something" -sIXGET https://example.com/wp-admin/options.php HTTP/2 302 ... location:...
WP Fusion Lite < 3.37.31 - Reflected Cross-Site Scripting (XSS)
The plugin does not escape the startdate and enddate parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting issue. This is due to an incorrect fix of CVE-2021-34660 https://wpscan.com/vulnerability/4a4934d6-282d-4e8c-922a-6b1f12884191...
WPQA < 6.1.1 - Arbitrary Category and Tag Follow/Unfollow via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks The PoC will be displayed on June 26, 2024, to give users the time to update...
Newsletter Popup <= 1.2 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins 1. Make sure there is a newsletter configured with the setting "Email Service Save to local database" 2. When not logged in, use a...
SP Project & Document Manager <= 4.71 - Data Update via IDOR
Description The plugin is missing validation in its upload function, allowing a user to manipulate the userid to make it appear that a file was uploaded by another user 1. Select to upload a file through the plugin 2. Intercept the request: Example: ------WebKitFormBoundaryX4YnPgSA4oPHlNjv...
WP Customer Reviews < 3.7.1 - Malicious Redirect via HTTP-EQUIV Injection
Description The plugin does not validate a parameter allowing contributor and above users to redirect a page to a malicious URL 1 Create a new post 2 In the "Bussness Name" field enter the payload: 0;http://smth.me/" HTTP-EQUIV="refresh" a="a 3 Save the post and view it. You will see that you are...
Combo Blocks < 2.2.76 - Unauthenticated Password Protected Posts Access
Description The plugin does not prevent password protected posts from being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts Open one of the below URL as an unauthenticated user and note that password protected posts are disclosed in ...
Paid Memberships Pro < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure
Description The plugin does not prevent user with at least the contributor role from leaking other users' sensitive metadata. As a contributor, - Add shortcode to any post and specify/guess any user ID and meta key and save - Preview the post and see custom field value outputs from any user Examp...
Popup Box Pro < 20.9.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a new popup and add the following payload in the Custom Content: alert1; Save,...
E2Pdf < 1.20.20 - Admin+ Stored Cross-Site Scriping
Description The plugin does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed 1 Create a new template on...
Upload Media By URL < 1.0.8 - Stored XSS via CSRF
Description The plugin does not have CSRF check when uploading files, which could allow attackers to make logged in admins upload files including HTML containing JS code for users with the unfilteredhtml capability on their behalf. Have a logged in user with the unfilteredhtml capability open an...
Pretty Url <= 1.5.4 - Admin+ Stored XSS in plugin settings
Plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. In the "Enter the URL: field, add the XSS payloa...
SiteGround Security < 1.3.1 - Admin+ SQLi
The plugin does not properly sanitize user input before using it in an SQL query, leading to an authenticated SQL injection issue. 1: POST /wordpress/index.php/wp-json/sg-security/v1/activity-registered HTTP/1.1 Host: YOUR HOST X-WP-Nonce: YOUR NONCE Cookie: Admin+ Content-Length: 155...
Essential Real Estate < 3.9.6 - Reflected Cross-Site-Scripting
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks. https://example.com/wp-admin/admin-ajax.php?action=erepropertygalleryfillterajax&columnsgap=%22%3E%3Cscript%3Ealert%22xss%22;%3C/script%3E%3C!--...
Grid Kit Premium <= 1.8.53 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in various pages, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=grid-kit&action=edit&id=...