4359 matches found
Team Circle Image Slider With Lightbox < 1.0.16 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the orderpos parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=circlethumbnailsliderwithlightboximagemanagement&orderpos=...
Filter Portfolio Gallery <= 1.5 - Arbitrary Gallery Deletion via CSRF
The plugin is lacking Cross-Site Request Forgery CSRF check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery. https://example.com/wp-admin/admin.php?page=phoenfiltergallery&deleteid=1...
Newspaper < 11 - Reflected Cross-Site Scripting (XSS)
Description The theme does not sanitise the tdatts.modulescategory parameter in its tdajaxsearch AJAX action, leading to a Reflected Cross-Site Scripting XSS vulnerability. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type...
WordPress Jitsi Shortcode <= 0.1 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, add a shortcod...
Social Pixel <= 2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to:...
month name translation benaceur < 2.3.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
reCAPTCHA Jetpack <= 0.2.2 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Have an admin open an HTML page containing:...
ENL Newsletter <= 1.0.1 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make an admin open an HTML file containing: Name: alert1' / alert2' /...
AGCA – Custom Dashboard & Login Page < 7.2.2 - Admin+ Stored XSS via Image URL
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Navigate AGCA, and select the "Adm...
Enhanced Text Widget < 1.6.6 - Admin+ Stored XSS
Description The plugin does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...
Travelpayouts < 1.1.14 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below:...
ActivityPub for WordPress < 1.0.1 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape some data from post content, which could allow contributor and above role to perform Stored Cross-Site Scripting attacks As a contributor, create or edit a post with the payload below while in code editor mode xyz The XSS will be triggered when...
ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS
Description The plugin does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks As a contributor, put the following payload in a post the payload will have to be updated accordingly to watch the...
URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer header
Description The plugin does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link. 1. Add a new shortened link in the interface...
Change WP Admin < 1.1.4 - Secret Login Page Disclosure
Description The plugin discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered. - Set custom Login URL under "Settings Permalinks". For example, login - As an unauthenticated visitor, open https://example.com/wp-admin/customize.php in a different...
BookIt < 2.3.8 - Authentication Bypass
The plugin does not perform any authorisation check when a user book an appointment using an email from an existing account, allowing unauthenticated attackers to login as any user from the blog by providing their email address On a page where the bookit is embed, book an appointment using an ema...
Active Directory Integration / LDAP Integration < 4.1.1 - Unauthenticated Data Disclosure
The plugin does not have proper authorization or nonce values for some POST requests, leading to unauthenticated data disclosure. In version 4.1.0 a nonce check was added to the request, but it still lacked authorization. The admininit hook calls MoLdapLocalLogin class loginwidgetsaveoptions meth...
Stream < 3.9.2 - Subscriber+ Alert Creation
The plugin does not prevent users with little privileges on the site like subscribers from using its alert creation functionality, which may enable them to leak sensitive information. Step 1: Log in as a subscriber Step 2: Get a nonce from...
WP-ShowHide < 1.05 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Link Library < 7.4.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Install the plugin and go to:...
Admin Management Xtended < 2.4.5 - Post Visibility/Date/Comment Status Update via CSRF
The plugin does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status draft, published, slug, post date, comment status enabled, disabled and more. The following PoC codes are f...
underConstruction < 1.21 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletredhtml capability is disallowed. In the plugin's settings, active Under Contraction...
WP-chgFontSize <= 1.8 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping ' document.getElementById"test".submit;...
IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed As administrator, put the following payload in any of the plugin's settings and save: "alert/XSS/;...
Realty Workstation < 1.0.15 - Agent SQLi
The plugin does not sanitise and escape the transedit parameter before using it in a SQL statement when an agent edit a transaction, leading to an SQL injection As a logged in agent:...
ScrollReveal.js Effects <= 1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Put the following payload in any of the plugin's settings such as Opacity: "...
SiteSuperCharger < 5.2.0 - Unauthenticated SQLi
The plugin does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions available to both unauthenticated and authenticated users, leading to Unauthenticated SQL Injections curl https://example.com/wp-admin/admin-ajax.php --data...
Advanced Page Visit Counter < 6.1.6 - Subscriber+ Blind SQL injection
The plugin does not escape the artID parameter before using it in a SQL statement in the apvcresetcountart AJAX action, available to any authenticated user, leading to a SQL injection v = 5.0.8 - https://example.com/wp-admin/admin-ajax.php?action=apvcresetcountart&artID=sleep10 v 6.1.6 -...
Popup | Custom Popup Builder < 1.3.1 - Unauthenticated Denial of Service
The plugin autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the blog 1 Create a popup as admin and access the popup page as unauthenticated 2 Send data on the form and intercept t...
Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection
The plugin does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue https://example.ocm/wp-admin/options-general.php?page=acfe-options&orderby=1%20and%20sleep0.02%23...
WP DSGVO Tools (GDPR) < 3.1.24 - Unauthenticated Plugin's Settings Update to Stored Cross-Site Scripting
The plugin is lacking proper authorisation and CSRF checks, makes some functions available to unauthenticated as well as any authenticated users via AJAX hooks. As a result, unauthenticated users could update some of the plugin's settings, and set a Cross-Site Scripting payload in the Matomo Code...
Special Text Boxes <= 5.9.109 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Put the following payload in any of the field in the 'Basic Settings' section of the plugin's setting...
DrawBlog <= 0.90 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue As admin, put the following payload in the "Checkbox reminder" setting of the plugin: "alert/XSS/...
WP YouTube Lyte < 1.7.16 - Authenticated Stored XSS
The plugin did not sanitise or escape its lyteytapikey and lytenotification settings before outputting them back in the page, allowing high privilege users to set XSS payload on them and leading to stored Cross-Site Scripting issues. PoC 1 | Authenticated Persistent XSS | Your YouTube API key: PO...
NPS computy < 2.7.6 - Results Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks Make a logged in admin open the following: The result is that all existing poll responses are deleted...
CM Download and File Manager < 2.9.1 - Download Edit via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins edit downloads via a CSRF attack Make an admin open an HTML file containing the following:...
WooCommerce Pre-Orders < 2.0.2 - Reflected XSS
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin When there is at least one pre-order, make a logged in admin open the URL below...
Feather Login Page < 1.1.2 - Cross-Site Request Forgery to Privilege Escalation
The plugin does not protect its ftlpp-ext-expirable-login-link action against CSRF attacks, allowing an unauthenticated attacker to add users of any role on their behalf by tricking a logged in administrator to submit a crafted request. POST...
Qubotchat < 1.1.6 – Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Add a "button" to the chatbot 2. In the "Text...
Gallery by BestWebSoft < 4.7.0 - Author+ SQL Injection
The plugin does not properly escape values used in SQL queries, leading to an Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor's Slider plugin https://wordpress.org/plugins/slider-bws/ must also be installed for this vulnerability to b...
Buddybadges <= 1.0.0 - Admin+ SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users https://example.com/wp-admin/options-general.php?page=buddybadge&wpedit=b2f9b59706&edit=1+AND+SELECT+7741+FROM+SELECTSLEEP10hlAf...
OAuth Client by DigitialPixies <= 1.1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Put the following payload in any of the plugin'...
Social Slider Feed < 2.0.5 - Subscriber+ Stored XSS via Feeds
The plugin does not have authorisation and CSRF check in place when adding and editing a Feed, and does not sanitise as well as escape user input. As a result, users with a role as low as subscriber could add arbitrary feeds, with Stored Cross-Site Scripting payloads in them. As any authenticated...
WP Simple Adsense Insertion < 2.1 - Inject ads and javascript via CSRF
The plugin does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form. alert'boo!'" document.getElementById"test".submit;...
BannerMan <= 0.2.4 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks when the unfilteredhtml is disallowed such as in multisite As administrator, put the following payloads in the mentioned settings of the plugin...
Tipsacarrier <= 1.4.4.2 - Unauthenticated Orders Disclosure
The plugin does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL Vendor was notified on November 26th, 2021, did not reply nor fix the...
Sermon Browser <= 0.45.22 - Arbitrary File Upload via CSRF
The plugin does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones. function submitRequest var xhr = new XMLHttpRequest; xhr.open"POST",...
Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI
The plugin does not validate the data passed to its load shortcode, which could allow Contributor+ v 4.0.1 or Admin+ v 4.0.2 users to display arbitrary files from the filesystem such as logs, .htaccess etc, as well as perform Local File Inclusion attacks as PHP files will be executed. Please note...
Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending
The plugin does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues...
NewStatPress < 1.3.6 - Reflected Cross-Site Scripting
The plugin does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=nspsearch&what1=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x...