4359 matches found
Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload
The plugin allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations. 1. Craft a custom zip file...
Website File Changes Monitor < 1.8.3 - Admin+ SQLi
The plugin does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manageoptions capability by default admins, leading to an SQL injection A user with manageoptions permission can exploit the vulnerability with the following request :...
Google XML Sitemaps < 4.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "Try to...
Very Simple Contact Form < 11.6 - Captcha bypass
The plugin exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots. import requests from requestshtml import HTMLSession...
Pixel Cat Lite < 2.6.2 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow attacker to make a logged in admin change them and perform Cross-Site Scripting attacks alertdocument.domain;" / var form1 = document.getElementById'hack';...
Media-Tags <= 3.2.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtnl capability is disallowed. https://drive.google.com/file/d/1ZXIS-q2fzZhRhTyHpHEzxcZ2Shl4Up2/view?usp=sharing Put the...
Cognitive Content Analyzer < 2.3 - Unauthorised AJAX call via CSRF
The plugin did not properly check for CSRF in its blobinatoranalyze AJAX action, allowing attacker to make a logged in administrator call the blobinatorprocesstext method with arbitrary parameters and update the related post with the results. POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Accep...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Activation
In the plugin, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activateplugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit...
Sailthru Triggermail <= 1.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Base64 Encoder/Decoder <= 0.9.2 - Settings Reset via CSRF
Description The plugin does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack Make a logged in admin open an HTML file containing the following:...
MF Gig Calendar <= 1.2.1 - Arbitrary Event Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack Make a contributor or higher user open a link where is a valid event:...
Event Tickets Plus < 5.9.1 - Contributor+ Attendees Lists Disclosure
Description The plugin does not prevent users with at least the contributor role from leaking the attendees list on any post type regardless of status. e.g. draft, private, pending review, password-protected, and trashed posts. 1. ADMIN: Install Event Tickets 2. ADMIN: Install Event Tickets Plus ...
Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion
Description The plugin does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server To download /etc/passwd: curl...
Staff / Employee Business Directory for Active Directory < 1.2.3 - Improper escaping of LDAP entries
Description The plugin does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin. Add a...
My Account Page Editor < 1.3.2 - Subscriber+ Arbitrary File Upload
Description The plugin does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE Prerequisite: This vulnerability requires the "Upload Profile Picture" option to be enabled, which isn't the...
Lock User Account < 1.0.4- Arbitrary Account Lock/Unlock via CSRF
Description The plugin does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack Make a logged in admin open one of the links below, this will make them lock/unlock the user with ID 5...
Image Protector <= 1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to...
WooCommerce Box Office < 1.1.51 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks tickets columns='111"...
Responsive Tabs For WPBakery Page Builder <= 1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: The plugin requires WPBakery Page...
BizLibrary <= 1.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Login as Admin. 2. Go to...
Clock In Portal <= 2.1 - Holidays Deletion via CSRF
The plugin does not have CSRF check when deleting Holidays, which could allow attackers to make logged in admins delete arbitrary holidays via a CSRF attack Make a logged in admin open a page with the code below, this will make them delete the Holiday with ID 1...
Mega Addons For WPBakery Page Builder < 4.3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. vctestimonial link='target:"...
WP Image Carousel <= 1.0.2 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. 1. Go to the plugin settings and insert all the settings, then save. 2. Insert the following shortcode in a post/page: wpic speed='""; alert1...
Smart Slider 3 < 3.5.1.14 - Contributor+ Stored XSS
The plugin does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks smartslider3 slider="'-alert/XSS/-'...
iPanorama 360 WordPress Virtual Tour Builder < 1.6.30 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Create a new panorama item with whatever role, even if it's an Administrator. 2...
ImageInject <= 1.17 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. POST...
Duplicator < 1.4.7 - Unauthenticated Backup Download
The plugin discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating. Find the URL of the actual installer scrip...
Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded", , "method": "POST", "body":...
Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection...
Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them ok' document.getElementById"test".submit;...
Ninja Forms < 3.6.8 - Unauthenticated Email Address Disclosure
The plugin does not delete the temporary files created when exporting submissions, which could allow unauthenticated attackers to download them and get sensitive information such as the email address of users who submitted a form given that the file is publicly accessible, and with a guessable na...
CommonsBooking < 2.6.8 - Unauthenticated SQL Injection
The plugin does not sanitise and escape the location parameter of the calendardata AJAX action available to unauthenticated users before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection Create an "item" and a "location" via the newly added...
Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting
The plugin does not escape custom fields before outputting them, which could allow Contributor+ v Preferences Panels and enable the Custom Fields, such as testxss with a value of alert/XSS/ Then add the following shortcode to the post field testxss and view/preview it to trigger the XSS...
Moova for WooCommerce < 3.8 - Reflected Cross-Site Scripting
The plugin does not escape the lat parameter of the moovacustomfields AJAA action available to both unauthenticated and authenticated users before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue alert/XSS/" /...
WPQA < 6.1.1 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some of its Slider settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks The PoC will be displayed on June 26, 2024, to give users the time to update...
Himer - Social Questions and Answers < 2.1.1 - Subscriber+ Private Group Joining via IDOR
Description The plugin allows any authenticated user to join a private group due to a missing authorization check on a function The PoC will be displayed on June 26, 2024, to give users the time to update...
Logo Manager For Enamad <= 0.7.0 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert/XSS: enamad-code/" alert/XSS:...
SEOPress < 7.8 - Contributor+ Open Redirect
Description The plugin does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious post As a contributor, create a new Post, at the bottom of the page put the following payload in the...
LetterPress <= 1.2.2 - Subscriber Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as delete arbitrary subscribers Make a logged in admin open an HTML file containing:...
Popup Box < 2.2.7 - Popup Deletion via CSRF
Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks Make a logged in admin open an HTML file where ID is a valid ID: action...
ENL Newsletter <= 1.0.1 - Campaign Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary Campaigns via a CSRF attack Make an admin open a URL like where is a valid ID: http://example.com/wp-admin/admin.php?page=enl-campaigns&action=campaign-delete&id=...
coreActivity < 1.8.1 - Unauthenticated Stored XSS
Description The plugin does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored XSS attack against high privilege users such as admin As unauthenticated: curl 'https://example.com/alertXSS' The XSS will be triggered when an...
Locatoraid Store Locator < 3.9.24 - Reflected XSS
Description The plugin does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Setup as admin: - Locatoraid Configuration Google Maps Enter "none" at...
Tablesome < 1.0.9 - Reflected XSS
The plugin does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting Make a logged in admin open one of the URL below when the feature/tracking notice has not been dismissed yet...
WP Dark Mode < 4.0.8 - Subscriber+ Local File Inclusion
The plugin does not properly sanitize the style parameter in shortcodes before using it to load a PHP template. This leads to Local File Inclusion on servers where non-existent directories may be traversed, or when chained with another vulnerability allowing arbitrary directory creation. As a...
Real Estate 7 < 3.3.5 - Reflected XSS
The theme does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Metform Elementor Contact Form Builder < 3.2.0 - Unauthenticated Stored XSS
The plugin does not sanitize and escape some of its submitted entry data when outputting them back in the admin dashboard, which could allow unauthenticated attackers to perform Stored XSS attacks against an admin viewing the malicious entry Setup as admin: Create a new form using MetForm Element...
Inspiro Premium < 7.2.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description. Steps to reproduce: 1 As a Contributor, go to portfolio on the dashboard and add new item. 2 on the editing page that comes up, scroll dow...
Yellow Yard Searchbar <= 2.7.27 - Reflected Cross-Site Scripting
The plugin does not escape some URL parameters before outputting them back to the user, leading to Reflected Cross-Site Scripting /?searchjob="...
Log WP_Mail <= 0.1 - Email Logs Publicly Accessible
The plugin saves sent email in a publicly accessible directory using predictable filenames, allowing any unauthenticated visitor to obtain potentially sensitive information like generated passwords. curl https://example.com/wp-content/plugins/logwpmail/log/LWPMAIL-20220330-success.log...