4359 matches found
ProfilePress < 3.2.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ppressccdata parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue alert/XSS/' / var form1 = document.getElementById'hack'; form1.submit;...
Ninja Forms < 3.5.8 - Unprotected REST-API to Email Injection
The plugin is vulnerable to arbitrary email sending via the triggeremailaction function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...
SP Project & Document Manager < 4.26 - Reflected Cross-Site Scripting
The plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the /functions.php file which allows attackers to inject arbitrary web scripts https://example.com/wp-admin/admin.php?page=sp-client-document-manager&from=" style=animation-name:rotation...
CRM: Contact Management Simplified – UkuuPeople <= 1.6.3 - Unauthorised Favourite Addition/Deletion
The plugin does not properly check for CSRF in its ukuuaddtofav AJAX action, allowing attacker to make logged in users call them them and add or delete arbitrary favourite post. To delete a favourite To Add a favourite...
FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS)
The plugin, used in the theme did not properly sanitize the foodbakeryradius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting XSS vulnerability...
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via CSRF
The "cppluginsdobuttonjoblatercallback" AJAX action, from multiple plugins of the WP-Buy vendor, was lacking CSRF check, allowing attackers to make a logged in administrator install and active arbitrary plugins including specific version from the WordPress repository which could lead to more...
Spotify Play Button <= 1.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. spotify-play...
Gianism <= 5.1.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Carousel Slider < 2.2.11 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks 1. Create a new slider and inset: 1212"onmouseover='alert1' to "URL View" field...
Modal Window < 5.3.10 - Modal Deletion via CSRF
Description The plugin does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack Have a logged in admin open an HTML file containing where ID is an existing modal: action...
Gutenberg Blocks by Kadence Blocks < 3.2.26 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor or above, edit a post in...
WassUp Real Time Analytics <= 1.9.4.5 - Unauthenticated Stored XSS
Description The plugin does not escape IP address provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged in admins wget --header="X-Forwarded-For: " https://example.com -q -O- The XSS will be triggered wh...
WooCommerce Payments < 4.9.0 - Subscription Suspension/Activation via CSRF
Description The plugin does not have CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged in admin suspend or activate arbitrary subscription via a CSRF attack Deactivate subscription with ID 53:...
Ninja Forms < 3.6.26 - Admin+ Stored HTML Injection
Description The plugin does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored HTML injection. Only users with the unfilteredhtml capability can perform this, and such users are already allowed to use JS in posts/comments etc however t...
Loginizer 1.7.8 - Reflected XSS
The plugin does not escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
URL Params < 2.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. urlparam htmltag='h1' attr='a'...
Help Desk WP <= 1.2.0 - Editor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks. 1. Using a user with Editor Role privileges, go to the support page assigned for the Help Desk WP Plugin. 2. Click on "Add New Ticket", and fill t...
WP Login Box <= 2.0.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Set “Greeting Text” option to: alert1 Set “Enable...
WP SMTP Mailing Queue < 2.0.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate to "Settings SMTP Mailing Queue Tools"...
WooCommerce Multiple Customer Addresses & Shipping < 21.7 - Arbitrary Address Creation/Deletion/Access/Update via IDOR
The plugin does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to add/update/duplicate/delete as well as retrieve addresses of other users. Run t...
React Webcam <= 1.2.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. reactwebcam dir='" onmouseover="alert1"...
PPWP – WordPress Password Protect Page < 1.8.6 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Memberpress Downloads < 1.2.6 - Subscriber+ Arbitrary File Upload
The plugin does not properly check user capabilities in its file uploading AJAX endpoint, relying on WordPress nonces to do so. Unfortunately, the nonce can be leaked by any logged-in users, like subscribers. Since the Uploader library they use does not check file extensions at all, this may lead...
Insights from Google PageSpeed < 4.0.7 - Multiple CSRF
The plugin does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks...
Very Simple Breadcrumb <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Breadcrumb css class name" settings of the plugin: "alert/XSS/...
LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Client ID" settings: "/...
Email Users <= 4.8.8 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...
CP Image Store with Slideshow < 1.0.68 - Unauthenticated SQLi
The plugin does not sanitise and escape the orderingby query parameter before using it in a SQL statement in pages where the codepeople-image-store is embed, allowing unauthenticated users to perform an SQL injection attack On a page where the codepeople-image-store is embed, append the following...
WPC Smart Wishlist for WooCommerce < 2.9.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue. Against any authenticated user: ' /...
Content Egg < 5.3.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading to a Reflected Cross-Site Scripting alert/XSS/;'...
WP-Matomo Integration (WP-Piwik) < 1.0.27 - Plugin Settings Reset via CSRF
The plugin does not have CSRF when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack https://example.com/wp-admin/options-general.php?page=wp-piwik%2Fclasses%2FWPPiwik.php&clear=2...
LoginPress < 1.5.12 - Reflected Cross-Site Scripting
The plugin does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting...
Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
The plugin does not escape the sccpid parameter of the ayssccpresultsexportfile AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an SQL injection...
Haxcan <= 1.0.0 - CSRF Bypass
The plugin does not properly check for CSRF in its getajaxresponse AJAX action, allowing attacker to make logged in admin call them it via CSRF attack and add arbitrary files in quarantine for example. Add an arbitrary file to quarantine...
Bello < 1.6.0 - Unauthenticated Blind SQL Injection
The theme did not sanitise the btbblistingfieldpricerangeto, btbblistingfieldnowopen, btbblistingfieldmylng, listinglistview and btbblistingfieldmylat parameters before using them in a SQL statement, leading to SQL Injection issues -- Payload: $ -4034 OR 4877=4877 AND 2369=2369 -- PoC 1 |...
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
In the plugin, low level users, such as subscribers, could use the importfromdebug AJAX action to install any plugin from the WordPress repository. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // Install some plugins $ch =...
wpDataTables < 3.4.1 - Unauthenticated SQL Injection
In the default configuration, a simple table can be published in a page that does not require authentication. The table can be searched, and is vulnerable to SQL Injection via the order parameter. An unauthenticated user visiting the page where the table is published can perform a SQL injection...
Notification Bar for WordPress <= 1.1.8 – Unauthenticated Subscriber Data Disclosure
Description The plugin exposes an unauthenticated CSV export script that discloses all stored subscriber emails. https://example.com/wp-content/plugins/8-degree-notification-bar/inc/backend/blocks/export-csv.php...
WP Prayer II <= 2.4.7 - Email Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack Have an admin open an HTML file containing:...
Smart Forms < 2.6.96 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add a new form or edit an existing...
Jobs for WordPress < 2.7.4 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks 1. As a Contributor, navigate to "Add new position" 2. On the page to create a post, in the "Working Hours" add: 3. When a...
Meris <= 1.1.2 - Reflected XSS
Description The theme does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin alert/XSS-areaname/" / alert/XSS-num/' /...
Swift Performance Lite <= 2.3.6.14 - Unauthenticated Configuration Export
Description The plugin does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens. curl --url 'http://vulnerable-site.tld/wp-admin/admin-post.php?luv-action=export'...
Add to Feedly <= 1.2.11 - Admin+ Stored XSS
The plugin does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Install the plugin and insert the following payload in the field "Feed URL http://...": 1"alert1 Save th...
ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS
The plugin does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS Run the below command in...
Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated Stored XSS
The plugin does not sanitise and escape a parameter before outputting it back in the Shoutbox, leading to Stored Cross-Site Scripting which could be used against high privilege users such as admins. On a clean Wordpress on localhost: 1. Modify the Shoutboxalias cookie with a value such as 2. Send...
OoohBoi Steroids for Elementor < 2.1.5 - Subscriber+ Attachment Deletion
The plugin has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment. Exploit 1 attachment id delete: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded', , body:...
Client Logo Carousel <= 3.0.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Note: 1. First, you need to add a Carousel...
Page Scroll To ID < 1.7.6 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Put the...
Import CSV Files <= 1.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting history.pushState'', '', '/' function submitRequest var xhr = new XMLHttpRequest;...