4359 matches found
wpDataTables < 2.1.66 - Admin+ PHP Object Injection
Description The plugin does not validate the "Serialized PHP array" input data before deserializing the data. This allows admins to deserialize arbitrary data which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in environments where admin...
Ever Compare < 1.2.4 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) < 3.12.7 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. mapsmarker lot='1' lat='1' mapwidth='" onmouseover="alert1"'...
Easy Testimonials < 3.9.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1. Insert the...
ImageLinks Interactive Image Builder for WordPress < 1.5.4 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Create a new vision item with whatever role, even if it's an Administrator. 2. Connec...
Donations via PayPal < 1.9.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Click the 'Settings' button of this plugin. 2...
Social Slider Feed < 2.0.7 - Admin+ Stored XSS via Feeds
The plugin does not sanitise as well as escape user input in feeds, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in a Instagram Fee...
Simply Schedule Appointments < 1.5.7.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Navigate to style settings:...
WordPress Team Members Showcase < 4.1.2 - Subscriber+ Arbitrary File Read and Deletion
The plugin contains a file which could allow any authenticated users to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the user...
Easy Student Results <= 2.2.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=rpsresultbatch&edit=%3Cscript%3Ealert/XSS/%3C/script%3E...
OpenBook Book Data <= 3.5.2 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well " " " " " input type="text" name="action"...
Carousel CK <= 1.1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Create/edit a Carousel, add a Slide and put the following payload in the Description The XSS will be...
Ultimate Product Catalog < 5.0.26 - Subscriber+ Arbitrary Product Creation & Settings Update
The plugin does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example To add a product: fetch"https://example.com/wp-admin/admin-ajax.php",...
Get Custom Field Values < 4.0.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks As a contributor, create a custom field in a post, with the following payload: alert1 Then add the following shortcode to...
PDF.js Viewer < 2.0.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks pdfjs-viewer searchterm='" onload="alert/XSS/' pdfjs-viewer viewerwidth=0 viewerheight=800 url=undefined...
WooCommerce Custom Registration Form <= 1.0.4 - Arbitrary Field Deletion and Form Modification via CSRF
The plugin does not properly check for CSRF in its delfield and savealldata AJAX actions, allowing attacker to make logged in user call them via a CSRF attack To delete a field from the Registration Form: To change the whole Registration Form: input type=...
Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection
The plugin did not sanitise, escape or validate the dateanswers POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks v 1.5.3 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: /...
ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)
The ReDi Restaurant Reservations plugin provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to ma...
Super Forms < 4.9.703 - Unauthenticated PHP File Upload to RCE
The plugin uses the jQuery File Upload library, but does not properly ensure that PHP files are forbidden. Note: Exploitation of the issue is not as easy as the original advisory in the references states. If a form from the plugin with an upload field is present on the blog, and is used to upload...
Five Star Restaurant Menu and Food Ordering < 2.4.11 - Unauthenticated PHP Object Injection
Description The plugin unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog. Run the below command in the developer console of the web browser while being on the blog...
Herd Effects < 5.2.4 - Effect Deletion via CSRF
Description The plugin does not have CSRF when deleting its items, which could allow attackers to make logged in admins delete arbitrary effects via a CSRF attack Make a logged in admin open https://example.com/wp-admin/admin.php?page=mwp-herd-effect&info=delete&did=1, this will make them delete...
FormCraft < 1.2.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. There are two XSS issues: Example A: ...
Tiempo.com <= 0.1.2 - Shortcode Deletion via CSRF
The plugin does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack Make a logged in admin open the URL below, this will make them delete the shortcode with ID 1...
Pickup | Delivery | Dine-in date time <= 1.0.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Go to this page:...
Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSS
The plugin does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks import requests import sys import re if lensys.argv != 4: print'USAGE: python %s ' %...
Send PDF for Contact Form 7 < 0.9.9.2 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
GetYourGuide Ticketing < 1.0.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate toward the GYG Ticketing and GYG Ticketing...
Sabai Discuss < 1.4.14 - Reflected Cross Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in the page when number filters are enabled, leading to Reflected Cross-Site Scripting https://example.com/questions?category=77&filter=1&fieldnumbermin="...
Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS
The plugin does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks...
Craw Data <= 1.0.0 - Server Side Request Forgery
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF. When configuring the CrawData addon, the request is as follows GET...
Better Search and Replace < 1.4.1 - Admin+ SQLi
The plugin does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks POST /wp-admin/tools.php?page=better-search-replace&bsr-ajax=processsearchreplace HTTP/1.1 Accept: application/json,...
HTML2WP <= 1.0.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them input type=...
Amazon Einzeltitellinks <= 1.3.3 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping ' document.getElementById"test".submit;...
Multi-page Toolkit <= 2.6 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well ' input typ...
Discy < 5.2 - Restore Default Settings via CSRF
The theme does not check for CSRF tokens in the AJAX action discyresetoptions, allowing an attacker to trick an admin into resetting the site settings back to defaults...
Slideshow <= 2.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its default slideshow settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed As admin, put the following payload in the "Number of seconds the sli...
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks Single entry trash: https://example.com/wp-admin/admin.php?page=vfb-entries&action=trash&entry=2 Since entry permanent deletion:...
AP Pricing Tables Lite < 1.1.5 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the postid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=ap-pricing-tables-lite-add-new&postid=1'...
Product Feed PRO for WooCommerce < 11.2.3 - Reflected Cross-Site Scripting
The plugin does not escape the rowCount parameter before outputting it back in an attribute via the wooseacategoriesdropdown AJAX action available to any authenticated user, leading to a Reflected Cross-Site Scripting...
Mortgage Calculators WP < 1.56 - Admin+ Stored Cross-Site Scripting
The plugin does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Go to settings page available under the "Calculato...
SportsPress < 2.7.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape its matchday parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/edit.php?posttype=spevent&matchday=%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22...
Woffice < 4.0.2 - Unauthenticated Disclosure of Notification Titles
The theme lacks authentication checks before returning the titles of notifications between the site's users. Any request to the wofficeNotificationGet ajax endpoint will return titles of notifications sent between users. Example:...
Easy Testimonial Manager <= 1.2.0 - Authenticated SQL Injection
An id GET parameter of the plugin is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection GET /wp-admin/admin.php?page=easytestimonialupdate&id=page=easytestimonialupdate&id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,user,NULL,NULL-- HTTP/1.1...
Event Espresso Core < 4.10.7.p - Reflected Cross-Site Scripting (XSS)
The adminpages/messages/templates/eemsgadminoverview.template.php file of the plugin did not escape user input before outputting back in an attribute in the page, leading to a reflected Cross-Site Scripting issue...
e-signature < 1.5.6.8 - Unauthenticated Arbitrary File Upload leading to RCE
The AJAX sifuploadfile allowed the authorised extensions to be provided in the request, which result in unauthenticated arbitrary file upload and lead to RCE /wp-admin/admin-ajax.php?action=sifuploadfile...
WP Logs Book <= 1.0.1 - Log Clearing via CSRF
Description The plugin does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack Make an admin open an HTML file containing: Note: The 404 Error Logs can also be cleared by modifying the PoC...
WP Prayer II <= 2.4.7 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Have an admin open an HTML file containing:...
Pray For Me <= 1.0.4 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make a logged in admin open an HTML file containing:...
Playlist for Youtube <= 1.32 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks otwshortcodetabslayout tabs="2"...