4359 matches found
CDI < 5.1.9 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting...
MailPress <= 7.2.1 - Arbitrary Settings Update & Log Files Purge via CSRF
The plugin does not have CSRF checks in various places, which could allow attackers to make a logged in admin change the settings, purge log files and more via CSRF attacks document.getElementById"test".submit; input type="text" name="connectionsmtppasswo...
Minimal Coming Soon – Coming Soon Page < 2.35 - Multiple Authenticated Stored XSS
The plugin does not sanitize or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them, which will be triggered in the backend. A As admin, put the following in the Custom CSS setting...
Database Backup for WordPress < 2.5.2 - Arbitrary Schedule Settings Update via CSRF
The plugin does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. This could lead to cases where attackers can send backup notification emails to themselves, which contain more details. O...
StaffList < 3.1.6 - Arbitrary Staff Deletion via CSRF
The plugin does not have CSRF check in place when deleting staff members, which could allow attacker to make a logged in admin perform such action and delete arbitrary staff via a CSRF attack https://example.com/wp-admin/admin.php?page=stafflist&s=last&remove=1&p=1...
LearnPress < 4.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the lp-dismiss-notice before outputting it back via the lpbackgroundsingleemail AJAX action, leading to a Reflected Cross-Site Scripting...
Advanced Cron Manager - Subscriber+ Arbitrary Events/Schedules Creation/Deletion
The plugins do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example Execute the below command in the web developer console of the web browser when being logged in as...
Contact Form 7 Skins < 2.5.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=cf7skins&tab=%27%3E%3Cimg+src+onerror%3Dalert%281%29%3E requires the Contact Form 7 plugin to be installed...
Backup and Restore <= 1.0.3 - Admin+ Arbitrary File Deletion
The plugin does not sanitise and validate the foldername parameter when deleting a report, which could allow high privilege users to delete arbitrary files on the web server, including those outside of the WordPress folder POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language:...
Fontsampler < 0.4.13 - CSRF to Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not properly check for CSRF and authorisation in its ajaxgetmockfontsampler AJAX action, which could lead to an authenticated reflected XSS issue as user input was then output without being sanitised first. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language:...
Handsome Testimonials & Reviews < 2.1.1 - Authenticated (Subscriber+) SQL Injection
The hndtstactioninstancecallback AJAX call of the plugin, available to any authenticated users, does not sanitise, validate or escape the hndtstpreviewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue. curl -i -s -k -X $'POST' \ -H...
Woocommerce Stock Manager < 2.6.0 - CSRF to Arbitrary File Upload
The plugin is vulnerable to CSRF leading to Arbitrary File Upload due to missing nonce and file validation in the /admin/views/import-export.php file. File will upload to: /wp-content/plugins/woocommerce-stock-manager/admin/views/upload/PoC.php history.pushState'', '', '/' function submitRequest...
AcyMailing < 7.5.0 - Open Redirect
When subscribing using AcyMailing, the "redirect" parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim. When using acymailing to subscribe to a newsletter, you make a POST...
Goto < 2.1 - Unauthenticated Blind SQL Injection
The theme did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue sqlmap --url="https://example.com/tour-list/?keywords=13&startdate=13" --random-agent -dbs --level=3 --threads=4...
Event Banner <= 1.3 - Arbitrary File Upload to RCE
The plugin does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation chec...
WordPress 4.7 - User Information Disclosure via REST API
http://www.example.com/wp-json/wp/v2/users...
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor. Run the following within a block editor page. Notice that the request is delayed by the SLEEP call in the...
WP Hotel Booking < 2.0.9 - Contributor+ Arbitrary Post Deletion
Description The plugin does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them Run the below command in the developer console of the web browser while being on the blog as a Contributor user. This will put the post...
WP Discord Invite < 2.5.2 - Admin+ Stored Cross Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to the WP Discord Invite plugin...
Ditty < 3.1.25 - Reflected XSS
Description The plugin does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WP Statistics < 14.0 - Authenticated SQLi
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manageoptions capability admin+, however the plugin has a settings to allow low privilege users to access it as well. Log...
WC Sales Notification < 1.2.3 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
WP Film Studio < 1.3.5 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
Download Manager < 3.2.62 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. 1. “Enable modal login form” option in the...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgcopystart POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. document.getElementById"test".submit;...
Simple Membership < 4.1.3 - Membership Privilege Escalation
The plugin does not properly validate the membershiplevel parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request. Note: This only affects membership from the plugin, not the WordPress role To increase the level, the attacker nee...
W-DALIL <= 2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Add/edit a Dali Item and put the following payload in one...
Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL
The plugin does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks As a contributor or above, create a post using Brizy editor, add an Icon or Button element and put the following payload in the "Link...
Easy Pricing Tables < 3.2.1 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape parameter before outputting it back in a page available to any user both authenticated and unauthenticated when a specific setting is enabled, leading to a Reflected Cross-Site Scripting With the "Compatibility Mode"...
Google Places Review < 2.0.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their...
LiveSync for WordPress <= 1.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; document.getElementById"test".submit; input...
Documentor <= 1.5.3 - Unauthenticated SQLi
The plugin fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users. curl https://example.com/wp-admin/admin-ajax.php --data 'action=docsearchresults&term=&docid=1 AND SELECT 628...
Popup Builder < 4.1.1 - SQL Injection to Reflected Cross-Site Scripting
The plugin does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a...
Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. 1. Create a booking with user01 2. Create...
WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Malicious SVG
The plugin allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks 1. As a contributor or above add the following shortcode to a post: wordpressfileupload...
NewsPlugin < 1.1.0 - CSRF to Stored Cross-Site Scripting
The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handlesavestyle function found in the /news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18. Note: v1.1.0 Added CSRF to the affected function, but see...
Goto < 2.1 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the formvalue JSON POST parameter in its tlfilter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting XSS vulnerability. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate...
Ivory Search < 4.6.1 - Reflected Cross Site Scripting (XSS)
The Search Forms page of the plugin did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack...
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting
Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfilteredhtml capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be maliciou...
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation
Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. As part of the registration form, administrators can choose which role to set as the default for users upon registration. This field is hidden from view for...
CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF
Description The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks Codes:...
WP Stacker <= 1.8.5 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make an admin open an HTML document containing: alert888' / alert2' /...
Checkout Field Editor < 1.7.5 - Checkout Fields Update via CSRF
Description The plugin does not have CSRF check in place when updating checkout fields, which could allow attackers to make logged in users update them via a CSRF attack input type="hidden" name="fieldvalidation1" value="req...
Ajax Search Lite Pro < 4.26.2 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.0 - Path Traversal
The plugin does not properly check the value of the input "uploaddir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver. 1. Create a contact form and add a "multiple file upload" field. 2. Add the...
WoodMart < 7.1.2 - License Update/Deactivation via CSRF
The theme does not have CSRF checks when updating and deactivating the license, which could allow attackers to make logged in admins perform such actions via CSRF attacks To deactivate the license...
Broken Link Checker < 1.11.20 - Admin+ Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the Youtube API Key...
Better Tag Cloud <= 0.99.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any text field settings of...
WooCommerce - Product Importer <= 1.5.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting POST /wp-admin/admin.php?page=woopi&tab=import HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...