Responsive Image Slider, Photo Gallery And Carousel < 1.3.6 - Subscriber+ Arbitrary Post Access
The plugin does not have a proper authorisation check in the sfimageid AJAX action, which could allow any authenticated user, such as a subscriber, to view the content and title of arbitrary posts, for example private, draft and password protected ones. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: /...
Far Future Expiry Header < 1.5 - Plugin's Settings Update via CSRF
The plugin does not have a CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. csrf.submit...
Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting
The plugin does not enforce nonce checks when saving its settings, and does not sanitise or escape them either, which could allow attackers to make a logged in admin change them with a Cross-Site Scripting payload, triggered either in the frontend or backend depending on the payload. The CSRF was...
Advanced Menu Manager < 3.0 - Unauthorised Menu Edition via CSRF
The plugin does not properly check for CSRF in its ammsaveexistingmenu function, allowing attackers to make logged in high privilege users edit menus via a CSRF attack...
BuddyPress Customer.io Analytics Integration <= 1.1.6 - Arbitrary Plugin Settings Update via CSRF
The plugin does not properly perform the CSRF check when saving its settings, allowing attackers to make a logged in admin change them to arbitrary values...
Woocommerce Customers Manager < 26.6 - Arbitrary Account Creation/Update via CSRF
The fixes for https://wpscan.com/vulnerability/126143e0-b0cc-4517-862e-3ac557db744f still allowed the issue to be performed via a CSRF attack. The uploadcsv AJAX action, available to authenticated users, did not have a proper CSRF check, allowing attackers to make a logged in user with the...
Post SMTP < 2.1.7 - Admin+ Blind SSRF
The plugin does not have proper authorisation checks in some AJAX actions, which could allow high privilege users such as admins to perform blind SSRF, on multisite installations for example. Navigate to https://example.com/wp-admin/admin.php?page=postman%2Fporttest Inside "Outgoing Mail Server Hostname"...
Image Slider by Ays - Responsive Slider and Carousel < 2.5.0 - Authenticated Blind SQL Injection
The getsliders function in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL...
Coupon Affiliates for WooCommerce < 4.11.3.4 - Arbitrary Referral Visits Deletion via CSRF
The plugin does not have any CSRF check in place when deleting Referral Visits, which could allow attackers to make a logged in admin delete them via a CSRF attack...
Complianz (Free < 6.3.4, Premium < 6.3.6) - Translator SQLi
The plugins allow translators to inject arbitrary SQL through an unsanitised translation. SQL can be injected through a malicious translation file, or by a user with a translator role through translation plugins such as Loco Translate or WPML. 1. Install Complianz and set the following options ...
Helpful < 4.5.26 - Information Disclosure
The plugin puts the exported logs and feedbacks in a publicly accessible location with guessable names, which could allow attackers to download them and retrieve sensitive information such as IP addresses, names and email addresses, depending on the plugin's settings. After an admin exports logs via...
Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection
The plugin contains a 'Social & Donations' module, not activated by default, which adds the REST route '/services/contributor/?P\d+ taking 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi. With the 'Social & Donations' module of the plugin activated. Permali...
WP SMS < 5.4.13 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise the "wpgroupname" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue. WPScan Team: During the verification of the fixes with the vendor, other payloads and injection points were identified, reported an...
GiveWP < 2.24.1 - Unauthenticated SQLi
The plugin does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL Injection attacks. 1. Create a post/page that contains the "Donor Wall" block. 2. Using the default donation form, send a test donation. 3. In a terminal, edit and run th...
WP Survey Plus <= 1.0 - Subscriber+ AJAX Calls
The plugin does not have any authorisation or CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitisation of the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues. To create a survey wi...
Image Source Control < 2.3.1 - Contributor+ Arbitrary Post Meta Value Change
The plugin allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts, even those they should not be able to edit. Run while in the Post/Page editor as a contributor: jQuery.postajaxurl, action: "iscsavemeta", nonce: iscData.nonce, id:781, key:...
SMTP Mail < 1.2.2 - Authenticated SQL Injections
The plugin does not properly validate or escape the order and orderby parameters before using them in SQL statements, leading to SQL Injections in the admin dashboard...
BadgeOS < 3.7.1.3 - Subscriber+ SQLi
The plugin does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated user, leading to SQL Injections. Open the following URL as any authenticated user, such as a subscriber:...
Download Manager < 3.2.53 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute of the modal login page, only available when users are not logged in, which could lead to Reflected Cross-Site Scripting in old web browsers. On the modal login page from the plugin and using an...
OAuth Single Sign On < 6.22.6 - Authentication Bypass
The plugin doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site knowing only a user's email address. POST / HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection
The bulkaction, exportfull and savesliderdb functionalities of the plugin were vulnerable, allowing a high privileged user (Admin), or a medium one such as Contributor+ if "Role Options" is turned on for other users, to perform SQL Injection attacks. Vulnerable param: check Vulnerable function:...
RestroPress < 2.8.3 - Cart Manipulation via CSRF
The plugin does not properly check for CSRF in some of its AJAX calls, allowing attackers to make users perform unwanted actions, such as adding arbitrary products to their cart or emptying it completely. To clear the cart of the current user, authenticated or not:...
ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 - Unauthorised AJAX call
Some AJAX actions did not have proper CSRF and authorisation checks, allowing unauthorised calls either via unauthenticated/low privilege users or CSRF, which could allow attackers to reset or change the settings of the plugin, for example. Reset arbitrary option in the plugin v 1.0.5 POST...
ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings
The ActiveCampaign 8.0.1 plugin is lacking a CSRF check on its Settings form, which could allow an attacker to make a logged-in administrator change the API Credentials to the attacker's account. When a logged-in administrator accesses an HTML page embedding the content below, the plugin's setting will be changed...
Logo Showcase with Slick Slider < 2.0.1 - Arbitrary Media Title/Description/Alt Text/URL Update via CSRF
The plugin does not have a CSRF check in the lswsssaveattachmentdata AJAX action, allowing attackers to make a logged in high privilege user change the title, description, alt text, and URL of arbitrary uploaded media. jQuery.postajaxurl, action: "lswsssaveattachmentdata", attachmentid: 564, formdata:...
404 to 301 < 3.0.9 - Logs Deletion via CSRF
The plugin does not have a CSRF check in place when cleaning the logs, which could allow an attacker to make a logged in admin delete all of them via a CSRF attack. https://example.com/wp-admin/admin.php?page=jj4t3-logs&action=bulkclean...
Wonder Video Embed < 1.8 - Contributor+ Stored XSS
The plugin does not escape parameters of its wonderpluginvideo shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. wonderpluginvideo iframe='youtube.com?v=dQw4w9WgXcQ" onload="alert1' videocss='animation-name:twentytwentyone-close-button-transition"...
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected XSS in custom-facebook-feed, in the cff-top admin page. http://127.0.0.1:8001/wp-admin/admin.php?page=cff-top&cffaccesstoken=xox%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3E&cfffinalresponse=true...
WP Performance Score Booster < 2.1 - Settings Change via CSRF
The plugin does not have a CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. csrf.submit...
Better Notifications for WP < 1.8.7 - Email Address Disclosure
The plugin does not have authorisation or CSRF checks in its bnfwsearchusers AJAX action, allowing any authenticated user to call it and query for user e-mail prefixes, finding the first letter, then the second one, then the third one, etc. import sys import string import urllib.parse import...
Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection
The plugin does not escape the discountcode in one of its REST routes available to unauthenticated users before using it in a SQL statement, leading to a SQL injection. https://example.com/?restroute=/pmpro/v1/checkoutlevel&levelid=3&discountcode=%27%20%20union%20select%20sleep1%20--%20g...
WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise
The plugin does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password to an arbitrary value of any user knowing only their ID, and gain access to their account. User registration must be enabled or you mu...
Redirect 404 Error Page to Homepage or Custom Page with Logs < 1.7.9 - Log Deletion via CSRF
The plugin does not check for CSRF when deleting logs, which could allow an attacker to make a logged in admin delete them via a CSRF attack. csrf.submit...
qTranslate X <= 3.4.6.8 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, allowing high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Affected POST Parameters: - Settings Languages Languages:...
VDZ Google Analytics or Google Tag Manager / GTM < 1.6.0 - Authenticated Stored XSS
The plugin does not escape its Google Analytics ID settings, allowing high privilege users such as admins to perform XSS attacks even when the unfiltered_html capability is disallowed. The issue was introduced in v1.5.0, fixed in 1.5.4, then re-introduced in 1.5.5 and fixed in 1.6.0. Put the followi...
WooCommerce < 6.6.0 - Admin+ Stored HTML Injection
The plugin is vulnerable to stored HTML injection due to the lack of escaping and sanitising of the payment gateway titles. Go to the WooCommerce - Settings - Payments tab, enable BAC Bank Account Transfers and edit the title in the setup dialog. HTML can be injected there, and will be rendered both for...
WCFM - Frontend Manager for WooCommerce < 6.5.12 - Customer/Subscriber+ SQL Injection
The plugin, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawalvendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection...
SEO Redirection < 8.2 - Subscriber+ SQL Injection
The importFromRedirection AJAX action of the plugin, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading to an SQL injection when the Redirection plugin is also installed. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Pie Register < 3.7.1.6 - Unauthenticated SQL Injection
The plugin does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. POST /wp-json/pie/v1/login HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding:...
PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE
The plugin did not verify some of the uploaded feed images, such as the ones from the Podcast Artwork section, allowing high privilege accounts (admin+) to upload arbitrary files, such as PHP, leading to RCE. https://drive.google.com/file/d/1fyf6blzeG3VX22BQX7hc1QJ20rCY5p43/view?usp=sharing -...
QR Redirector < 1.6 - Subscriber+ Arbitrary QR Redirect Response Status Update
The plugin does not have capability and CSRF checks when saving bulk QR Redirector settings via the qrsavebulk AJAX action, which could allow any authenticated user, such as a subscriber, to change the redirect response status code of arbitrary QR Redirects. jQuery.postajaxurl, qrredirectresponse: 30...
Media File Renamer - Auto & Manual Rename < 5.2.7 - Media Title/Filename/Locking State Update via CSRF
The plugin does not have CSRF checks in place, which could allow an attacker to make a logged in admin change an arbitrary uploaded media's title, filename, as well as locking state via a CSRF attack. Notes: - We were unable to reproduce the issue from an attacker's point of view, the endpoints are expecting JSON...
Bulk Datetime Change < 1.12 - Missing Authorisation
The plugin does not enforce capability checks, which allows users with the Contributor role to (1) list private post titles of other users and (2) change the posted date of other users' posts. Run on the "Bulk Datetime Change" page: jQuery.post"https://example.com/wp-admin/admin.php?page=bulkdatetimechange",...
Secure Copy Content Protection and Content Locking < 2.6.7 - Authenticated Blind SQL Injections
The getreports function in the plugin did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results DB calls, leading to SQL injection issues in the admin dashboard. SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL...
JiangQie Official Website Mini Program < 1.1.1 - Authenticated SQL Injection
The plugin does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues. https://example.com/wp-admin/admin.php?page=jiangqieowfreefeedback&action=detail&id=1+AND+%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29a%29 Could also make a logged i...
Logo Showcase with Slick Slider < 1.2.4 - Author+ Stored Cross Site Scripting
The plugin does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via the post metadata of a Grid logo showcase. 1. Create a Logo Showcase 2. Set display type to Logo Grid 3. Set number of grid to 1"...
Clean Login 1.12.6.3 - Reflected Cross-Site Scripting
The plugin does not escape the url parameter in its login form page, leading to a Reflected Cross-Site Scripting issue. Append the following payload on a page where the clean-login shortcode is embedded: ?url="alert/XSS/ Example: https://example.com/clean-login/?url="alert/XSS/...
Multiple Plugins from miniorange - Reflected Cross-Site Scripting via appId
The plugins do not escape the appId parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&appId="alert/XSS/...
CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
The plugin allows high privilege users such as admins to upload arbitrary files by allowing any extension via the plugin's settings, which could be used by admins of a multisite blog to upload PHP files, for example. Activate PHP extension: - Log in and go to "CM Downloads" "Settings" "General". -...
St Daily Tip <= 4.7 - CSRF to Stored Cross-Site Scripting
The plugin does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it in the page. This could allow an attacker to make logged in administrators set a malicious payload in it, leading to ...