4359 matches found
WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbotsgravafingerprint AJAX action, available to unauthenticated users, leading to a SQL injection curl -i 'https://example.com/wp-admin/admin-ajax.php' --data...
Bulk Creator <= 1.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the posttype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=bulk-creator&posttype="...
Image Photo Gallery Final Tiles Grid < 3.5.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks against other users having access to the gallery dashboard As a contributor, create/edit a gallery and add the following...
Simple Download Monitor < 3.9.9 - Multiple CSRF
The plugin does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1 make admins export logs to exploit a separate log disclosure vulnerability fixed in 3.9.6, 2 delete logs fixed in 3.9.9, 3 remove thumbnail image from downloads To export logs which could then be...
WP iCommerce <= 1.1.1 - Authenticated (contributor+) SQL Injection
The Orders functionality in the plugin has an orderid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors GET...
WP Domain Redirect <= 1.0 - Authenticated SQL Injection
The Edit domain functionality in the plugin has an editid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. POST /wp-admin/admin.php?page=add&action=edit&id=1 HTTP/1.1 Content-Length: 102 Cache-Control: max-age=0...
Welcart e-Commerce < 2.2.8 - Authenticated System Information Disclosure
The uscesdownloadsysteminformation AJAX action of the plugin did not have capability check in place, allowing any authenticated user such as subscriber to can export data including WordPress settings, theme and plugins active/inactive along with their version, Welcart general settings and payment...
Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities
The theme did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector. -- PoC 1 | Authenticated IDOR | Permanent post/page deletion: !...
GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS)
The plugin was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page...
Splashscreen <= 0.20 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.forms0.submit;...
WP Inventory Manager < 2.1.0.13 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. 1. Go to WP Inventory Inventory Items and create a new Inventory Item. 2. Create a page and add the wpinventory shortcode. 3. View the new page on the frontend,...
Clock In Portal <= 2.1 - Designation Deletion via CSRF
The plugin does not have CSRF check when deleting designations, which could allow attackers to make logged in admins delete arbitrary designations via a CSRF attack Make a logged in admin open a page with the code below, this will make them delete the Designation with ID 2...
Easy Forms for MailChimp < 6.8.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below shortcodes i...
Juicer < 1.11 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks juicer name='" onmouseover=alert/XSS/...
Advanced Import < 1.3.8 - Arbitrary Plugin Installation & Activation via CSRF
The plugin does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog via CSRF attacks Make a logged in admin open a page containing the HTML code be...
Social Rocket < 1.3.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Logged in the backend of Wordpress as Administrato...
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, put the following payload in a field label: The XSS will be triggered when editing the form, as well as in...
Age Gate < 2.20.4 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting With the "Age Gate User Registration" addon installed: https://example.com/wp-admin/admin.php?page=age-gate&a"alert/XSS/ With any addon installed:...
WP-Email < 2.69.0 - Log Deletion via CSRF
The plugin does not protect its log deletion functionality with nonce checks, allowing attacker to make a logged in admin delete logs via a CSRF attack document.getElementById"test".submit;...
RB Internal Links <= 2.0.16 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, as well as perform Stored Cross-Site Scripting attacks due to the lack of sanitisation and escaping ' document.getElementById"test".submit;...
Throws SPAM Away < 3.3.1 - Comment Deletion via CSRF
The plugin does not have CSRF checks in place when deleting comments either all, spam, or pending, allowing attackers to make a logged in admin delete comments via a CSRF attack To delete all comments document.getElementById"test".submit; document.getElementById"test".submit;...
Enable SVG < 1.4.0 - Author+ Stored Cross Site Scripting via SVG
The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads As an author or above, upload the below SVG file via the Media library: alert/XSS/; The XSS will be triggered when accessing the file directly, e...
Country Selector < 1.6.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the country and lang parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting " / " /...
GridKit Portfolio < 2.1.0 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages...
Akismet Privacy Policies <= 2.0.1- Reflected Cross-Site Scripting
The plugin does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...
Zero Spam < 5.2.11 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection With at least one IP in the “Blocked IPs” list:...
E2Pdf < 1.16.45 - Admin+ Stored Cross-Site Scripting (XSS)
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Refer to https://mikadmin.fr/tech/XSS-Stored-E2Pdf-798ef69b0e13c36acf5446358d57c965Dx90666bNvCw98.pdf...
WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting http://example.com/wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert1%3E...
Advanced Database Cleaner < 3.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape $GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=advanceddbcleaner&aDBctab=options&aDBccat=all&'alert/XSS-key/=alert/XSS-value/...
AF Companion 1.1.0 - 1.1.2 - Arbitrary Plugin Installation & Activation via CSRF
The plugin has a flawed CSRF check, allowing attackers to make logged in admin installs and activate arbitrary plugins from the WP repository...
Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes
The plugin could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1 "color" or "cssclass" argument of sdmdownload shortcode, 2 "class" or "placeholder" argument of sdmsearchform shortcode. // all spaces must be replaced with a slash sdmdownload...
LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the rulloginurl and rullogouturl parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit;...
Embed Youtube Video <= 1.0 - Authenticated SQL Injection
The editid GET parameter of the plugin is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=embed-youtube-video-add&editid=-6425+UNION+ALL+SELECT+NULL%2Cuser%28%29%2CNULL%2CNULL%2CNULL-- HTTP/1.1 Cache-Control: max-age=...
Custom Global Variables <= 1.0.5 - Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the 'name' field of the variable added in its settings, leading to a Stored Cross-Site Scripting issue. Attackers could also used the lack of CSRF nonce and check to make a logged in administrator add the payload and make them perform further unwanted actions. The PoC...
WP Postratings < 1.86.1 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise the postratingsimage parameter from its options page wp-admin/admin.php?page=wp-postratings/postratings-options.php. Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfilteredhtml...
Simple Social Buttons < 3.2.0 - Reflected Cross-Site Scripting
Simple Social Buttons version 3.1.1 has a reflected Cross-Site Scripting vulnerability in the POST parameter "sharecounts". Both unauthenticated and authenticated attacks are possible Edit WPScanTeam The original report stated the issue as being fixed in 3.2.0, however a CSRF nonce has been added...
Bonus for Woo < 5.8.3 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open one of the URL below...
Media from FTP < 11.17 - Author+ Arbitrary File Access
Description The plugin does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases. In 11.16, the manageoptions capability was used, however is still insufficient in case of MultiSite...
3D FlipBook < 1.13.3 - Contributor+ Stored XSS
The plugin does not validate or escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high privilege users like administrators. 1. As an administrator, creat...
Multi Step Form < 1.7.8 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Create/edit a Form via the plugin. 2. Put t...
Showing URL in QR Code <= 0.0.1 - Stored XSS via CSRF
The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin or editor add Stored XSS payloads via a CSRF attack Make a logged in editor or admin open a page with the below payload...
Best Payments Plugin for WP < 4.2.1 - Reflected Cross-Site Scripting
The plugin does not escape an URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting Append the following payload on a page where the is a form from the plugin: a"alert/XSS/ e.g: https://example.com/contact-form/?a"alert/XSS/...
Slideshow CK < 1.4.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Create/edit a Slideshow, add a Slide and put the following payload in the Description The XSS will be...
Discy < 5.2 - Settings Update via CSRF
The theme lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary plugin's settings including payment methods via a CSRF attack...
Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed In a form settings, put the following payload in the Actions after submission Action Type Custom Tex...
Ad Invalid Click Protector (AICP) < 1.2.7 - Arbitrary Ban Deletion via CSRF
The plugin does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans https://example.com/wp-admin/admin.php?page=aicpbanneduserdetails&action=delete&id=1...
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. 1. Make a booking to become customer ...
dTabs <= 1.4 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/options-general.php?page=dtabs.php&action=edit&tab="...
Mapping Multiple URLs Redirect Same Page <= 5.8 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the mmurspid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=mmursp-list&view=edit&mmurspid="...
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue Note: the ticket-creation page is the one with the wpsccreateticket shortcode embed...