4359 matches found
Popup Box Pro < 7.9.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a new popup and add the following payload in the Custom Content: alert1; Save,...
WP Mail Log < 1.1.3 – Contributor+ LFI in wml_logs/send_mail endpoint
Description The plugin does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files. Run the following within any page on the site, ensuring that the id parameter is set to a valid...
10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion
Description The plugin does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service. fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php", "headers": "content-type":...
BackupBuddy < 8.8.3 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in various places, leading to Reflected Cross-Site Scripting Make a logged in admin/SA open one of the URL below: v " "...
iPages Flipbook For WordPress < 1.4.7 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Create a new book item with whatever role, even if it's an Administrator. 2. Connect ...
Menu Item Visibility Control <= 0.5 - Admin+ Arbitrary PHP Code Execution
The plugin doesn't sanitize and validate the "Visibility logic" option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment. 1. As an admin, go to "Appearance - Menus" and create a menu with some items of your choice. 2. ...
Digital Publications by Supsystic < 1.7.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Create new publication, name it whatever 2. Click the "Custom Page" tab to add a new page: - name it...
WP DS Blog Map <= 3.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the settings...
Invitation Based Registrations <= 2.2.84 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "After Register Redire...
Analytify < 4.2.1 - Reflected Cross-Site Scripting
The plugin does not escape the current URL before outputting it back in a 404 page when the 404 tracking feature is enabled, leading to Reflected Cross-Site Scripting When 404 tracking is enabled: https://example.com/aa404bb?aalert/XSS/...
Pagebar < 2.70 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues ' input type="text" name="postaftloop...
Site Offline or Coming Soon <= 1.6.6 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, and it also lacking sanitisation as well as escaping in some of them. As a result, attackers could make a logged in admin change them and put Cross-Site Scripting payloads in them via a CSRF attack "...
Tiny Contact Form <= 0.7 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack '' document.getElementById"test".submit;...
Core Control <= 1.2.1 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; document.getElementById"test".submit;...
WP Subtitle < 3.4.1 - Contributor+ Stored Cross-Site Scripting
The plugin adds a subtitle field and provides a shortcode to display it via wpsubtitle. The subtitle is stored as a custom post meta with the key: "wpssubtitle", which is sanitized upon post save/update, however is not sanitized when updating it directly from the post meta update button via AJAX ...
Responsive Tabs < 4.0.6 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks As author or above, create/edit a new Tab and put the following payload as its content:...
Adrotate < 5.8.23 - Admin+ XSS via Group Name
The plugin does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit a group and put the following payload in the Name field: " style=animation-name:rotation...
iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip
The settings of the plugin can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process,...
WordPress Real Cookie Banner < 2.14.2 - Settings Reset via CSRF
The plugin does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack https://example.com/wp-admin/admin.php?page=real-cookie-banner-component&rcb-reset-all=1...
Title Field Validation <= 1.1 - Unauthorised AJAX Calls
The plugin does not properly check for CSRF in its findposttype, savevalidation, editvalidation, updatevalidation and deletevalidation AJAX actions. Additionally, the actions were also missing any capability checks. As a result, any authenticated user such as subscriber could call them to create,...
RSS for Yandex Turbo < 1.30 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise the user inputs from its Счетчики settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues As admin, Navigate to Setting Яндекс.Турбо Счетчики and enter a payload such as " onmouseover="alert1 into all t...
Vertical News Scroller < 1.17 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin attempted to fix a reflected Cross-Site Scripting in v1.10, however the changes were insufficient, as sanitizetextfield was used, but output in an attribute without being escaped. For versions 1.17:...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Icon Box Widget
In the plugin, the icon box widget includes/widgets/icon-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript in...
Product Lister for Walmart <= 1.0.0 - Unauthenticated RCE via Outdated PHPUnit
The plugin uses an outdated PHPUnit library, which is known to be affected by an unauthenticated RCE issue. February 28th, 2020 - Ticket sent to vendor via https://support.cedcommerce.com/open.php March 6th, 2020 - Update requested to vendor also realised that the ticket was closed w/o reason giv...
SVGator <= 1.2.6 - Stored XSS via SVG Upload
Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. 1. Create a SVG file with the malicious payload within it; Example SVG file:...
Popup Box < 3.7.9 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. 1 Create a new popup via /wp-admin/admin.php?page=ays-pb&action=add 2 Set its "Custom...
WooCommerce Ship to Multiple Addresses < 3.8.4 - Subscriber+ Shipping Address Disclosure via IDOR
The plugin does not ensure that the order to display the shipping address from belong to the user making the request, allowing any authenticated users, such as subscriber to view other shipping addresses via an IDOR https://example.com/checkout/shipping-addresses/?orderid=106...
Sloth Logo Customizer <= 2.0.2 - Stored XSS via CSRF
The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in Admin open a page containing the HTML code below '...
Stagtools < 2.3.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 1. Create a Post and add a Shortcode. 2...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS
The plugin does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user admin+ to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page. Just create a test.pdf...
WH Testimonials <= 3.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the whhomepage, whtextshort and whtextfull parameters of submitted Testimonials, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks curl -X POST 'http://example.com/add/' \ -H 'Content-Type: multipart/form-data;...
Smart Logo Showcase Lite <= 1.1.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. smlsgutenblock heading='XSS' headingtag='h2...
Ibtana – WordPress Website Builder < 1.1.8.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack Exploit shortcode: ive t='2100-01-01' id='" onmouseover="alert1" style="background:red;"'...
Welcart e-Commerce < 2.8.5 - Unauthenticated Arbitrary File Access
The plugin does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server This is a different issue than CVE-2022-41840...
WP Edit Menu <= 1.5.0 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF in an AJAX action, which could allow attackers to make a logged in admin delete arbitrary posts/pages from the blog via a CSRF attack...
Name Directory < 1.25.5 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when adding/editing names, and is also lacking sanitisation as well as escaping in some of the fields, which could allow attackers to make a logged in admin edit arbitrary names and put XSS payloads in them. ' / " / ' /...
miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=mo2fatwofa&a"alert/XSS/...
Clean-Contact <= 1.6 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS due to the lack of sanitisation and escaping as well ' document.getElementById"test".submit;...
Files Download Delay < 1.0.7 - Subscriber+ Settings Reset
The plugin does not have authorisation and CSRF checks when reseting its settings, which could allow any authenticated users, such as subscriber to perform such action. https://example.com/wp-admin/admin-ajax.php?action=ddlayrestoredefaults...
Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting
The plugin does not properly sanitize the $GET'imageurl' variable, which is reflected back to the users when executing the editimagebwg AJAX action. var form1 = document.getElementById'hack'; form1.submit;...
Better WordPress Google XML Sitemaps <= 1.4.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape its logs when outputting them in the admin dashboard, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins With the permalinks settings set to plain, as an unauthenticated user, open...
Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Elementor Template Import
The mepimportajaxtemplate AJAX action of the plugin, available to both unauthenticated and authenticated users, is lacking any authorisation and CSRF checks. As a result, unauthenticated user can import arbitrary Elementor template to the blog Legit template:...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Import
The importdata function of the plugin had no capability or nonce checks making it possible for unauthenticated users to import a set of site redirects. curl -i -s -k -X $'POST' \ -H $'Host: URLHERE' -H $'Content-Length: 379' -H $'Cache-Control: max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H...
SVGMagic <= 1.1 - Stored XSS via SVG Upload
Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. 1. Create a SVG file with the malicious payload within it; Example SVG file:...
Community by PeepSo < 6.3.1.2 - User Post Creation via CSRF
Description The plugin does not have CSRF check when creating a user post visible on their wall in their profile page, which could allow attackers to make logged in users perform such action via a CSRF attack 1. Log in as a normal user. 2. Save the content below as an HTML file...
Scheduled Announcements Widget < 1.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Note: First you need to add an Announcement...
Revive Old Posts – Social Media Auto Post and Scheduling Plugin < 9.0.11 - PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Meks Easy Social Share < 1.2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Intercept the request made when saving the setting...
Gallery for Social Photo < 1.0.0.29 - Arbitrary Post Duplication via CSRF
The plugin does not have CSRF check in place when duplicating a post or page, which could allow attackers to make a logged in a admin duplicate them via a CSRF attack https://example.com/wp-admin/admin-ajax.php?action=gifeedduplicatefeed&post=12...
Loading Page with Loading Screen < 1.0.83 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Go to Settings - Loading Page, in the "Display loading screen in" settings, select either "specific pages" or "specif...