4359 matches found
Simple Membership < 4.1.1 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin-ajax.php?action=swpmvalidateemail&fieldId=%22%3Cscript%3Ealert%22XSS%22;%3C/script%3E...
Tabs Responsive < 2.2.8 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Tab descriptions, which could allow high privileged users with a role as low as editor to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit a Tab via the plugin, and put the following payload in a Tab...
Import and export users and customers < 1.19.2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues As admin, import the below CSV file via Tools Import and export users and customers /wp-admin/tools.php?page=acui...
Wbcom Designs Plugins - Subscriber+ Arbitrary Plugin Installation, Activation and Deactivation
Multiple Plugins from Wbcom Designs have an AJAX action without authorisation and CSRF checks, allowing any logged in user to install, activate or deactivate a plugin on the site. fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded", , "body":...
Modern Events Calendar Lite < 6.4.7 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting On a page where the Total Booking widget is displayed, append the following payload: &a"alert/XSS/...
Safe SVG < 1.9.10 - SVG Sanitisation Bypass
The sanitisation step of the plugin can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent mainly XSS, but depending on further use of uploaded SVG...
Interactive Medical Drawing of Human Body < 2.6 - Admin+ Stored XSS
The plugin does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Link settings of a body party and save the change: "alert/XSS-link/...
Title Experiments Free < 9.0.1 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the wpextitles AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=wpextitles&id=1 AND SELECT 3...
Conference Scheduler < 2.4.3 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the tab parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/edit.php?posttype=confworkshop&page=confscheduleroptions&tab="...
WP Home Page Menu < 3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any of text field settings of the plugin such as 'Home Page Menu Label': "...
Form Store to DB < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin POST /wp-json/contact-form-7/v1/contact-forms/1337/feedback HTTP/2 Content-Type: multipart/form-data;...
Dynamic Widgets <= 1.5.16 - Reflected Cross-Site Scripting
The plugin does not escape the prefix parameter before outputting it back in an attribute when using the termtree AJAX action available to any authenticated users, leading to a Reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit;...
SEO Wizard <= 4.0.2 - Unauthorised AJAX Calls
The plugin does not properly check for CSRF in its ajaxsaveglobalsettings and ajaxsavepostsettings AJAX actions, as well as other AJAX actions. Furthermore, capability checks were also missing, resulting in any authenticated users as low as subscriber being able to call those actions and modify t...
Super Progressive Web Apps < 2.1.13 - Authenticated (High Privileged) Arbitrary File Upload to RCE
When the Apple Touch Icons & Splash Screen add-on is active, its superpwasplashscreenuploader AJAX action, did not properly check for authorisation and the content of the uploaded archive file. This allows high privilege users admin+ to upload an archive with a PHP file, leading to RCE. v2.1.12...
Mapplic and Mapplic Lite - SSRF to Stored Cross-Site Scripting (XSS)
The Mapplic Lite alert/XSS/...
Digital Climate Strike WP <= 1.0.0 - Redirect to Malicious Website due to Compromised JS Asset
The plugin loads a JavaScript asset from a remote website which seems to have been compromised. The widget.js file, loaded from https://assets.digitalclimatestrike.net/widget.js, redirects users to gladdiatordotio and is being flagged as malicious. I've reported this to the plugin authors but hav...
Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending
Description The plugin does not have authorisation and CSRF checks in its testerror AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF As a subscriber, open...
Wp-Adv-Quiz <= 1.0.4 - Admin+ Stored XSS in Quiz Overview
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Under "WP Adv Quiz - WP Adv Quiz"...
Wp-D3 <= 2.4.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. d3-source canvas='" onmouseover="alert1"...
ChatBot < 4.5.1 - Admin+ Stored XSS
The plugin does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the Your Company ...
WP Recipe Maker < 8.6.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Exploit...
Easy WP SMTP < 1.5.0 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issue when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin class Evil public...
Anti-Malware Security and Brute-Force Firewall < 4.21.83 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=GOTMLS-settings&GOTMLSdebug=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E Also possible with th...
Core Plugin for Kitestudio Themes < 2.3.1 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape some parameters before outputting them back in a response of an AJAX action, available to both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to a Reflected Cross-Site Scripting. Install and active the...
WooCommerce PDF Invoices & Packing Slips < 2.15.0 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wpowcpdfoptionspage&tab=documents§ion=invoice&"alert/XSS/...
Ubigeo de Peru < 3.6.4 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections curl https://example.com/wp-admin/admin-ajax.php \ --data...
IgniteUp <= 3.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some fields when high privilege users don't have the unfilteredhtml capability, which could lead to Stored Cross-Site Scripting issues Customise a template from the plugin /wp-admin/admin.php?page=cscstemplates and put the following payload in the Paragraph...
Import WP < 2.4.6 - Admin+ Arbitrary File Upload to RCE
The plugin does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files such as PHP, leading to RCE Import a PHP file via an URL Tools Import WP Add Importer put any name, and post template Create Importer Remote File select any file typ...
LifterLMS PayPal < 1.4.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue https://example.com/purchase/confirm-payment/?order=order-xxxxxxx&PayerID=aa"...
Wow Countdowns <= 3.1.2 - Admin+ SQLi
The plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection. https://example.com/wp-admin/admin.php?page=mwp-countdown&info=del&did=1+AND+SELECT+5382+FROM+SELECTSLEEP5PpNt...
UpdraftPlus Free < 1.22.3 & Premium < 2.22.3 - Subscriber+ Backup Download
The plugins do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site such as subscriber to download the most recent site & database backup. from io import StringIO import requests import gzip import js...
Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access
The field shortcode included with the plugin, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved With the...
Coming soon and Maintenance mode < 3.6.7 - Subscriber+ Arbitrary Email Sending to Subscribed Users
The plugin does not have authorisation and CSRF checks in its comingsoonsendmail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
Document Embedder < 1.7.9 - Subscriber+ Arbitrary Private/Draft Post Title Disclosure
The plugin contains a AJAX action endpoint, which could allow any authenticated user, such as subscriber to enumerate the title of arbitrary private and draft posts. As any authenticated user 1764 being the ID of a private/draft post...
Smart SEO Tool < 3.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting With the "TDK optimization" setting enabled 7th page, first one: https://example.com/?s=123456"alert/XSS...
Bookshelf <= 2.0.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue Add the following payload in the "Paypal email address" setting of the plugin /wp-admin/admin.php?page=bookshelf-settings:...
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
In the plugin, any authenticated user, such as a subscriber, could use the deleteactionpost AJAX action to delete any post on a target site. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // Set redirect url $ch = curlinit;...
Stockdio Historical Chart < 2.8.1 - Reflected Cross-Site Scripting (XSS)
The plugin was affected by a Reflected Cross-Site Scripting issue via the postMessage event. Use the following code on another website var popup = window.open'https://VULNERABLE.PAGE/'; var msg = ; msg.method = "alertdocument.domain"; function postpopup.postMessagemsg,'' setIntervalpost,1000;...
Frontend Post WordPress Plugin <= 2.8.4 - Contributor+ Arbitrary Redirect
The plugin does not validate an attribute of one of its shortcode, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post, which will redirect users to an arbitrary domain. ap-form-message redirect="https://wpscan.com"...
WP FEvents Book <= 0.46 - Subscriber+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Cross-Site Scripting attacks 1. Create an event page using the plugin. 2. Access the page using an account with Subscriber role. 3. In the 'User notes' section, inject...
Cookie Notice & Compliance for GDPR / CCPA < 2.4.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below shortcode in...
Pie Register < 3.8.2.3 - Open Redirect
The plugin does not properly validate the redirection URL when logging in and login out, leading to an Open Redirect vulnerability Log In: 1. Visit /login?redirectto=//example.com 2. Log in as a user with lower privileges than Administrator. 3. See that the browser is redirected to example.com Lo...
eCommerce Product Catalog Plugin for WordPress < 3.0.71 - Reflected XSS
The plugin does not sanitise and escape an URL before outputting it back in an attribute of product category pages, leading to a Reflected Cross-Site Scripting https://example.com/products-category/cat/?productcategory=1&a%2522%253e%253cscript%253ealert%2528/XSS/%2529%253c%252fscript%253e=1...
Qubely < 1.8.1 - Authenticated Arbitrary Settings Update
The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber in versions 1.7.9 or contributor in v 1.8.1 to update them As a subscriber Nonce can be taken from the qubelylocalscript-js-extra script on the homepage...
Like Button Rating < 2.6.45 - Arbitrary e-mail Sending
The plugin allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body As a subscriber, run the below command in the web developer console of the browser fetch"/wp-admin/admin-ajax.php?action=likebtntestvotenotification", "headers":...
HC Custom WP-Admin URL <= 1.4 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, allowing them to change the login URL document.getElementById"test".submit;...
WP 2FA < 2.2.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wp-2fa-settings&settingserror=...
Poll Maker < 4.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting attack even when unfilteredhtml is disallowed Put the following payload in any of the Mailchimp integration settings...
Nimble Page Builder < 3.2.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting v ' v...
Good & Bad Comments <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any of the plugin's settings: "...