4359 matches found
Checkout Fields Manager for WooCommerce < 5.5.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wc-settings&tab=wooccm§ion=advanced&"--alert/XSS/...
Ultimate WooCommerce CSV Importer <= 2.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting POST /wp-admin/admin.php?page=simple-woocommerce-csv-loader%2Fadmin%2FCSVLoader.php HTTP/1.1 Accept:...
WP Born Babies <= 1.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks As a contributor, create a new Baby item and put the following payload in any of the settings such as Birth Date, Time of Birth etc:...
Easy FAQ with Expanding Text <= 3.2.8.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Put the following payload in any of the plugin's settings such as Font size, Font Color and save: "...
SearchIQ < 3.9 - Unauthenticated Stored XSS
The plugin contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siqajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter Once the plugin is configur...
Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
The plugin does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack...
Ibtana < 1.1.4.9 - Subscriber+ Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks in the ivesavegeneralsettings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue. Note: v1.1.4.7 added CSRF check, authorisation...
WPFront User Role Editor < 3.2.1.11184 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting...
Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure
The plugin does not have any authorisation and CSRF checks in the likebtnexportvotes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog. fetch"http://example.com/wp-admin/admin-ajax.php",...
Edit Comments <= 0.3 - Reflected Cross-Site Scripting
The plugin does not sanitise, validate or escape the jaleditcomments GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue Post a comment on a page, then open https://example.com//?jaleditcomments=?jaleditcomments="alert/XSS/...
ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation
The user registration functionality of the plugin allowed arbitrary user meta to be supplied, including wpcapabilities, during registration which made it possible for users to register as an administrator. 'Hax0r', 'regemail' = '[email protected]', 'regpassword' = 'password', 'regpasswordpresent' =...
Any Hostname <= 1.0.6 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS payloads in it As admin, put the following payload in the "Allowed host" setting of the plugin /wp-admin/options-general.phpany-hostname:...
ProfilePress < 3.1.8 - Authenticated Stored XSS
The plugin did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site...
Steam Group Viewer <= 2.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Steam Group Address" settings before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue Enter the following payload in the "Steam Group Adrdess" setting of the plugin: "alert/XSS/...
Advanced AJAX Product Filters < 1.5.4.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The braapfgetchild AJAX action of the plugin, available to both unauthenticated and authenticated users does not sanitise the 'termid' POST parameter before outputting it in the page, leading to reflected Cross-Site Scripting issue. "' / POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
WP Prayer < 1.6.7 - Arbitrary Plugin Settings Update via CSRF
The plugin did not properly check for CSRF in some of its module functions, allowing attacker to make logged in admin change all plugin's settings including the email settings for example. v1.6.6 fixed most of CSRF checks, but the one in model.emailsettings.php was improperly fixed bypass still...
Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation
Several AJAX endpoints in the plugin were unprotected, allowing students to modify course information and elevate their privileges among many other actions. Only one PoC provided for privilege escalation. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output =...
Widget4Call <= 1.0.7 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make an admin open the URL:...
Pet Manager <= 1.4 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some of its Pet settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks. 1. Go to "Pets Add Pet" 2. In the "Address" field add the payload " style=animation-name:rotation...
Button Generator < 3.0 - Button Deletion via CSRF
Description The plugin does not have CSRF check in place when bulk deleting, which could allow attackers to make a logged in admin delete buttons via a CSRF attack Make a logged in admin open an HTML file containing: action...
Fancy Product Designer < 6.1.8 - Reflected Cross Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against unauthenticated and admin-level users Note: This requires WooCommerce to be installed. 1. Go to "Fancy Product Designer...
Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure
Description The plugin contains a vulnerability that allows you to read and download PHP logs without authorization 1 Admin should click on "Save as TXT file" in http://yoursite/wordpress/wp-admin/admin.php?page=rrrlgvwr-monitor.php 2 Then someone else can go to...
Contact Form 7 Connector < 1.2.3 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators. http://vulnerable-site.tld/wp-admin/admin.php?page=ari-cf7connector-log&format=html&log=...
Keap Official Opt-in Forms <= 1.0.11 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. 1. Store the script in non-sanitized...
WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE. Make sure to have both WooCommerce and NinjaForms 3.4.34.2 NF's latest version on the 3.4 branch installed, then follow those instructions:...
MultiParcels Shipping For WooCommerce 1.15.2-1.15.3 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
REST API TO MiniProgram <= 4.6.1 - Subscriber+ Attachment Deletion
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Random Text <= 0.3.0 - Subscriber+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers. fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Weaver Xtreme Theme Support < 6.2.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Required theme:...
Photo Gallery by 10Web < 1.8.15 - Admin+ Path Traversal
- The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector. - Path Traversal Vulnerabillity also allows listing the entire folder & image file in the system. - The below...
HT Portfolio < 1.1.6 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
Gallery Factory Lite <= 2.0.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Note: First, you need to add an Album...
Multimedial Images <= 1.0b - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. https://example.com/wp-admin/options-general.php?page=mmi&a=delbg&id=33+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
reSmush.it Image Optimizer < 0.4.7 - Multiple CSRF
The plugin does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site. input type="hidden" name="action" value="resmushit&...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Title
The plugin does not sanitise and escape post/page Title, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks Create a post using the plugin editor and add the following payload in the Title: " The XSS will be triggered when editing the post again...
Stop Spam Comments <= 0.2.1.2 - Access Token Bypass
The plugin does not properly generate the Javascript access token for preventing abuse of comment section, allowing threat authors to easily collect the value and add it to the request. Collect the name and value of ssckey for the target post and use it on the request. curl...
HTML2WP <= 1.0.0 - Unauthenticated Arbitrary File Upload
The plugin does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files such as PHP on the remote server await fetch"https://example.com/wp-admin/admin.php?page=html2wp-settings", "headers":...
Social Share Buttons by Supsystic < 2.2.4 - Multiple CSRF
The plugin does not perform CSRF checks in it's ajax endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks. document.getElementById"test".submit;...
User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
The plugin does not validate the filepath parameter of its umshowuploadedfile AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads As a subscriber, submit a dummy image on a page/post with a File Upload...
Logo Slider <= 1.4.8 - Admin+ SQLi
The plugin does not sanitise and escape the lspsliderid parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL Injection https://example.com/wp-admin/admin.php?page=manageimages&lspsliderid=1+AND+SELECT+7741+FROM+SELECTSLEEP5hlAf...
Fast Flow < 1.2.11 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting ' document.form1.submit;...
Delete Old Orders <= 0.2 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the date parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=woo-delete-old-orders&step=3&date="...
Database Peek <= 1.2 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=ab-database-peek&table=wpusers&match="...
WP Statistics < 13.1.5 - Unauthenticated Blind SQL Injection
The plugin is vulnerable to unauthenticated SQL Injection via the exclusionreason parameter due to missing parameterization and escaping in the SQL query found on line 88 of the /includes/class-wp-statistics-exclusion.php file when the Record Exclusions feature is enabled. Step 1: Insert "aaaa"...
AP Custom Testimonial < 1.4.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the id parameter before outputting it back in an attribute, leading to a Reflected cross-Site Scripting https://example.com/wp-admin/admin.php?page=apcttestimonialedit&id=1"alert/XSS/...
uListing < 2.0.6 - Authenticated IDOR
An Authenticated User IDOR vulnerability was discovered in the plugin. Important: userid and listingid values are dependent on each other, that is, if the author ID == 4, the data can only be modified for those ADs and pages that relate to this particular ID. You can find out the author of the...
Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection
The daacdeletebookingcallback function, hooked to the daacdeletebooking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and...
Marmoset Viewer < 1.9.3 - Reflected Cross Site Scripting
The plugin does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue. https://example.com/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://%3C/script%3E%3Csvg/onload=alert1%3E WPScanTeam Reporter...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Accordion Widget
In the plugin, the accordion widget includes/widgets/accordion.php accepts a ‘titlehtmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScri...
Popup Builder < 3.74 - Authenticated Reflected Cross-Site Scripting (XSS)
The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. http://example.com/wp-admin/edit.php?posttype=popupbuilder&page=sgpbSubscribers&sgpb-subscribers-date=%22%3E%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E Video:...