4359 matches found
Futurio Extra < 1.6.3 - Authenticated SQL Injection
The plugin is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting XSS against logged in admins by making send open a malicious link Using SQLi to extract database variables:...
Inline Related Posts < 3.0.5 - Admin+ Cross-Site Scripting
Multiple parameters are vulnerable to stored Cross-site Scripting. The vulnerabilities require admin privileges to exploit. In each case the script will execute for every user viewing a post that contains one of the inline references. POST /wp-admin/options-general.php?page=intelly-related-posts...
G Auto-Hyperlink <= 1.0.1 - Admin+ SQL Injection
The plugin does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection https://plugins.trac.wordpress.org/browser/g-auto-hyperlink/trunk/g-auto-hyperlink.phpL271 Open the...
GSEOR <= 1.3 - Authenticated SQL Injection
A pageid GET parameter of the plugin is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=gseor.php&search=1&pageid=1%20AND%20SELECT%206449%20FROM%20SELECTSLEEP5wwdQ HTTP/1.1 Cache-Control: max-age=0...
WP Chat App < 3.6.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. 1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=ntawhatsappfloatingwidg...
AZAN Plugin <= 0.6 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert999,2,2,3' / If the widget is...
Persian Fonts <= 1.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Navigate to:...
Newsletter Popup <= 1.2 - Record Deletion via CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks as the wpnewslettershowlocalrecord page is not protected with a nonce...
Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS
The plugin does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below ' /...
Pricing Tables For WPBakery Page Builder < 3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: The plugin requires WPBakery Page...
WP Education < 1.2.7 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
Beautiful Cookie Consent Banner < 2.9.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. The PoC will be displayed once the issue has been...
Cache Images < 3.2.1 - Image Upload / Import via CSRF
The plugin does not implement nonce checks, which could allow attackers to make any logged user upload images via a CSRF attack. Allows import of any images with any user level. document.getElementById"test".submit; document.getElementById"test".submit; document.getElementById"test".submit;...
Note Press <= 0.1.10 - Admin+ SQLi via id
The plugin does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections https://example.com/wp-admin/admin.php?page=NotePress-Main-Menu&action=view&id=17+AND+SELECT+3630+FROM+SELECTSLEEP5KdTt...
Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection
The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection 1. Install the vulnerable plugin...
Petfinder Listings < 1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any of the text field settings of the plugin such as 'Your Petfinder API Key v1.0': "...
Gallery Blocks with Lightbox < 2.2.1- Authenticated Stored Cross-Site Scripting
A stored cross-site scripting vulnerability has been discovered in : Simply Gallery Blocks with Lightbox Version – 2.2.0 & below . The vulnerability exists in the Lightbox functionality where a user with low privileges is allowed to execute arbitrary script code within the context of the...
MC4WP: Mailchimp for WordPress < 4.8.5 - Authenticated Arbitrary Redirect
The plugin did not properly check for CSRF in some of its actions handled by the listenforactions method hooked as admininit, allowing attackers to make logged in users with the manageoptions capability do unwanted actions and redirect them to an arbitrary website after...
SuperStoreFinder & SuperInteractiveMaps - Unauthenticated SQL Injections
The ssf-social-action.php and sim-wp-data.php files from the respective superstorefinder-wp = 5.0.12 AND time-based blind query SLEEP Payload: action=select&ssfwpid=1 AND SELECT 7900 FROM SELECTSLEEP5gxXh Type: UNION query Title: Generic UNION query NULL - 7 columns Payload: action=select&ssfwpid...
Simple AL Slider <= 1.2.10 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin 1. Add a new project 2. As an admin, access the URL:...
Widget Bundle <= 2.0.0 - Widget Disable/Enable via CSRF
Description The plugin does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack This PoC disables the User Registration widget. To do so, make a logged in admin open an HTML file containing:...
CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Pray For Me <= 1.0.4 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP Admin 1. Configure the plugin to add the first name and last name fields to the form:...
HL Twitter <= 2014.1.18 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Have a logged in admin open an HTML page containing:...
Ultimate Blocks < 3.1.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below code in a...
Fancy Product Designer < 6.1.5 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by adminstrators. - Log in as an administrator, and visit /wp-admin/. - Add a Catalog Product in /wp-admin/admin.php?page=fancyproductdesigner - Sear...
Community by PeepSo < 6.3.1.2 - Reflected XSS
Description The plugin does not sanitise and escape various parameters and generated URLs before outputting them back attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open When the register your copy noti...
Restrict Usernames Emails Characters Plugin < 3.1.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1. Access the "Restrict Usernames Emails Characters" settings 2. For the field "The name of...
WP Discord Invite < 2.5.1 - Arbitrary Settings Update via CSRF
Description The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in administrator to submit a crafted request. alert1;'/...
Serial Codes Generator and Validator with WooCommerce Support < 2.4.15 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup There are two fields affected by a...
Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection
The plugin does not validate data when output it back in a CSV file, which could lead to CSV injection Use a Contact Form 7 form and submit an Excel formula in the message field, such as "=5+5" without quotes. Export the entry as CSV using the plugin and import it into Excel...
WP Edit Menu < 1.5.0 - Unauthenticated Arbitrary Post Deletion
The plugin does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog https://example.com/wp-admin/admin-ajax.php?action=filtermenu&val=post-id...
underConstruction < 1.20 - Construction Mode Deactivation via CSRF
The plugin does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack...
Slideshow <= 2.3.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Slideshow settings, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks As author and above, create/edit a slideshow and put the following payload in the "Number of seconds the slide takes to slide in",...
Easy Pricing Tables < 3.1.3 - Arbitrary Post Removal via CSRF
The plugin does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash https://example.com/wp-admin/edit.php?posttype=easy-pricing-table&page=ept3-list&action=trash&post=1...
ProfilePress < 3.2.3 - Reflected Cross-Site Scripting
The plugin does not escape the data parameter of the ppgetformsbybuildertype AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit;...
TheCartPress eCommerce Shopping Cart <= 1.5.3.6 - Unauthenticated Arbitrary Admin Account Creation
The tcpregisterandloginajax AJAX action of the plugin allows unauthenticated users to create accounts with an arbitrary role such as admin POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5...
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in Image Uploader Component
The cover photo and profile photo upload functionalities of the plugin were vulnerable to arbitrary file uploads due to the use of exifimagetype for filetype checking. 'Hax0r2', 'regemail' = '[email protected]', 'regpassword' = 'password', 'regpasswordpresent' = 'true', 'regfirstname' = 'Hax0r2',...
Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue https://example.com/wp-admin/options-general.php?page=moove-redirect-settings&tab=" onMouseOver="alert1;...
WorkScout Core < 1.3.4 - Authenticated Stored XSS & XFS
The plugin, used by the WorkScout Theme did not sanitise the chat messages sent via the workscoutsendmessagechat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues Payloads: " " POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencode...
WP GDPR Compliance < 1.5.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
The GDPR Compliance action=wpgdprcprocessaction&security=cccf5a60ec&data="type":"accessrequest","email":"[email protected]","consent":true...
Himer - Social Questions and Answers < 2.1.1 - Bypass Poll Voting Restrictions via CSRF
Description The theme does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don't have access to via a CSRF attack The PoC will be displayed on June 26, 2024, to give users the time to update...
WP Logs Book <= 1.0.1 - Disable Logging via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make an admin open an HTML file containing:...
Amen <= 3.3.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
PostX < 4.0.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Create a new Post and add "Ultimate post...
Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset
Description The plugin does not have authorisation when resetting its database, allowing any authenticated users, such as subscriber to perform such action Log in as a subscriber, access the Diagnostic tab of the plugin /wp-admin/admin.php?page=enjoyinstagrampluginoptions&tab=diagnostic and click...
illi Link Party! <= 1.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks. 1. Go to "Settings Link Party!". 2. Under "Add a New Party", enter the payload for either the "Party Name" or "Party Description":...
Ultimate Noindex Nofollow Tool <= 1.1.2 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Have an admin open an HTML file containing the following: document.forms0.submit;...
illi Link Party! <= 1.0 - Unauthenticated Arbitrary Link Deletion
Description The plugin lacks proper access controls, allowing unauthenticated visitors to delete links. http://example.com/?page=illi3/includes/functions.php&action=deletesubmission&id=INSERTID Replace "INSERTID" with an ID of a link and hit enter. The link will be deleted...
WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS
Description The plugin does not authorisation and CSRF in a function hooked to admininit, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. v3.8.15 partially fixed the issue as the wrong capability chec...