4359 matches found
Popup-Maker < 1.8.12 - Multiple Vulnerabilities
An attacker can partially control the arguments of the doaction, during the initialization of the PUMSite . Because of this, an attacker can call any method which contains an action starting from popmake or pum . This will lead to successful execution of functions which do not require arguments...
Multiple Plugins - Unauthenticated RCE via PHPUnit
There was an Unauthenticated Remote Code Execution RCE vulnerability in PHPUnit, a widely used testing framework for PHP. This vulnerability has been seen exploited in the wild. curl -X POST --data ""...
MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "MF Gig Calendar Settings" 2...
Salon booking system < 9.6.6 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Salon Services Add New...
Booking Calendar < 1.3.83 - CSRF appointment scheduling
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying. input type="s...
Profile Box Shortcode And Widget < 1.2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup When creating a new widget, insert the...
Ultimate Posts Widget < 2.3.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...
wp-dashboard-notes < 1.0.11 - Contributor+ Arbitrary Private Notes Update via IDOR
Description The plugin does not validate that the user has access to the postid parameter in its wpdnupdatenote AJAX action. This allows users with a role of contributor and above to update notes created by other users. 1. Create a note as an admin. View the source of the page to get the Note ID...
Popup box < 3.7.2 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup. 1. Create a new PopUp Box within the plugi...
Login screen manager <= 3.5.2 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Put the following payload in the "Hov...
Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS
Description The plugin does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators As an unauthenticated user, submit a booking form such form can be added via the Booking Calendar Block on a...
qubotchat < 1.1.6 - Unauthenticated Stored XSS
The plugin doesn't filter user input on chat, leading to bad code inserted on it be reflected on the user dashboard. 1. Enter " as the malicious payload into the chatbot input. 2. See XSS vulnerability...
WP EasyPay < 4.1 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin When there is no account connected, make a logged in admin open...
Image Over Image For WPBakery Page Builder < 3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. imageoverimagevc...
WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. 1. Navigate to Settings -Duplicate Page - Duplicate Page Settings and enter the XSS payload into the...
Cimy Header Image Rotator <= 6.1.1 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; input ty...
WP Admin Style <= 0.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed Put the following payload in the CSS settings of the plugin:...
WP Athletics <= 1.1.7 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability. - Log on to the site using a subscriber account. - On the page the shortcode is...
Photo Gallery < 1.6.3 - Unauthenticated SQL Injection
The plugin does not properly escape the $POST'filtertag' parameter, which is appended to an SQL query, making SQL Injection attacks possible. POST /wp-admin/admin-ajax.php?imageid=123 HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: zh,en;q=0.5 Accept-Encoding: gzip,...
Booking Package < 1.5.29 - Unauthenticated Sensitive Data Disclosure
The plugin requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability. When a guest make a booking via sending "action:...
Multilist Subscribe for Sendy <= 1.6.1 - Subscriber+ Arbitrary Options Update
The plugin is using an outdated version of the Freemius library 1.2.2.9, which is known to be affected by a security issue allowing any authenticated users, such as subscriber to set arbitrary blog options As any authenticated user: Enable new user registrations:...
Conversios.io < 4.6.2 - Subscriber+ SQL Injection
The plugin does not sanitise, validate and escape the syncprogressivedata parameter for the tvcajaxproductsyncbantchwise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks. Note: The vendor was notified multiple times since November 6t...
Buttonizer - Smart Floating Action Button < 2.5.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameter before outputting them in attributes and page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Add/edit a new button, set its Button action to "Website URL"...
Mediamatic < 2.8.1 - Subscriber+ SQL Injection
The mediamaticAjaxRenameCategory AJAX action of the plugin, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access
The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes As a contributor, put the following shortcod...
Flex Local Fonts <= 1.0.0 - Admin+ Stored Cross-Site-Scripting
The plugin does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Add a new font Tools -- Local Fonts -- Add Font, need to have at least one font for the 'Add...
Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access
The plugin allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata. customfield field="fieldname" postid="ID" e.g customfield field="ctctverifykey" postid="23"...
Contact Form by Supsystic < 1.7.20 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape fields label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Create/edit a field in a form, and put the following payload in the label:...
Wappointment < 2.2.5 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise the name parameter when booking an appointment, leading to a Stored Cross-Site Scripting issue which is triggered when an admin view the Calendar. POST /wp-json/wappointment/v1/services/booking HTTP/1.1 Content-Length: 205 Accept: application/json, text/plain, /...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Update and Retrieve Wildcard Value
In the plugin, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/getwildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects. $wpuser, 'pwd' = $wppass,...
Sitetweet <= 0.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack The PoC will be displayed on June 25, 2024, to give users the time to update...
Arforms < 6.4.1 - Reflected XSS
Description The plugin does not properly escape user-controlled input when it is reflected in some of its AJAX actions. https://www.example.com/wp-admin/admin-ajax.php?action=currentmodal&positionmodal=alertdocument.domain...
Side Menu Lite < 4.2.1 - Menu Deletion via CSRF
Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks Make a logged in admin open an HTML file where ID is a valid ID: action...
MM-email2image <= 0.2.5 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open a file containing the HTML: alert2' /...
404 Solution < 2.35.8 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins. 1. navigate to logs "https://example.com/wp-admin/options-general.php?page=abj404solution&subpage=abj404logs"...
Popup box < 3.8.6 - Admin+ Stored XSS in Categories
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Popup Box Categories" 2. Add...
EventON < 2.2 - Admin + Stored HTML Injection
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored HTML Injection attacks even when the unfilteredhtml capability is disallowed. 1. Go to the Virtual Event - This is a virtual online event. 2. Configure...
WordPress Backup & Migration < 1.4.4 - Subscriber+ Plugin Settings Update
Description The plugin does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded; charset=UTF-8", , "body":...
User Activity Log Pro < 2.3.4 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. 1. In User Activity Log Settings, enable the setting "Allow Ip Address of users to log." and save...
AN_GradeBook <= 5.0.1 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber Access the following URL to demonstrate SQLi:...
Product Slider For WooCommerce Lite <= 1.1.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks psfwlgutenblock headingtag='h2"...
Responsive WordPress Slideshows 3.29.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below '/...
WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization
The plugin does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution. 1. Use a WordPress instance...
Contest Gallery < 19.1.5.1 - Author+ SQL Injection
The plugins do not escape the upload POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
Student Result or Employee Database < 1.7.5 - Stored Cross Site Scripting via CSRF
The plugin does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting alert/XSS/'...
WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure
The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL. The vulnerability exists due to the plugin only preventing users from leaking coupons using the "coupons" aggregate field, and not the regular "coupon" field. Given a valid coupon...
Advanced Database Cleaner < 3.1.1 - Reflected Cross-Site Scripting
The plugin does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=advanceddbcleaner&aDBctab=cron&aDBccat=all&"alert/XSS/ Other pages are affected...
Popup Builder < 4.1.11 - Admin+ Stored Cross-Site Scripting
The plugin does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltredhtml is disallowed Create/edit a subscription, enabled the GDPR options in it and add the following payload in the "confirmation text"...
The School Management < 9.9.7 - Unauthenticated RCE via REST api
The plugin contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site. curl -d 'blowfish=1' -d "blowf=system'id';" 'https://examples.com/wp-json/am-member/license'...
Change wp-admin Login < 1.1.0 - Unauthenticated Arbitrary Settings Update
The plugin does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector curl --url...