Responsive Image Slider, Photo Gallery And Carousel < 1.3.2 - Slider Clone/Save/Delete via CSRF
The plugin has a logic flaw in its CSRF checks in the sfcloneslider, sfsaveslider and sfremoveslider AJAX actions, which could allow an attacker to make a logged-in user call them via a CSRF attack. To delete a slider: To create a slider /bod...
MAZ Loader < 1.4.1 - Arbitrary Loader Deletion via CSRF
The plugin does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack. The vendor was notified on August 24th, 2021, and the issue was escalated to the WP plugins team 3 times; no fix was made despite two new versions being released...
WP Hardening < 1.2.2 - Reflected XSS via historyvalue
The plugin did not sanitise or escape the historyvalue GET parameter before outputting it in a JavaScript block, leading to a reflected Cross-Site Scripting issue: https://example.com/wp-admin/admin.php?page=wphwpharden&historyvalue=alertdocument.domain//...
Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update
The plugin does not have CSRF and authorisation checks in the lswsssaveattachmentdata AJAX action, allowing any authenticated user, such as a Subscriber, to change the title, description, alt text, and URL of arbitrary uploaded media: jQuery.postajaxurl, action: "lswsssaveattachmentdata", attachmentid...
Bold Page Builder < 3.1.6 - PHP Object Injection
The btbbgetgrid AJAX action of the plugin passes user input into the unserialize function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog...
Pie Register < 3.7.2.4 - Open Redirect
The plugin passes unvalidated user input to the wpredirect function, leading to an open redirect issue: https://example.com/?piereglogouturl=true&redirectto=https://wpscan.com...
WP Statistic < 13.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape various user inputs before outputting them back in pages, which could lead to Cross-Site Scripting issues: https://example.com/wp-admin/admin.php?page=wpsreferrerspage&referr="alert/XSS/...
WordPress Advanced Ticket System < 1.0.64 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitize or escape form values before saving them to the database or when outputting them, which allows high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Navigate to Tickets, Add New, and add all information on the title, post,...
MainWP Child < 4.1.8 - Admin+ SQL Injection
The plugin does not validate the orderby and order parameters before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed: POST / HTTP/1.1 Accept:...
NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. With the Form Builder "Dev Mode" setting enabled, create a form and a fiel...
WP RSS Aggregator < 4.20 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the id parameter in the wprssfetchitemsrowaction AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. Save the HTML below to a file with the .html extension, then open it in Firefox while being authenticated in...
SEO Redirection < 7.9 - Arbitrary Redirect Deletion via CSRF
The plugin does not have CSRF checks in place, allowing attackers to make a logged-in admin delete arbitrary Custom and Post Redirects via a CSRF attack. v...
WP Shieldon 1.6.3 - Unauthenticated Cross-Site Scripting (XSS)
The WP Shieldon WordPress plugin, versions 1.6.3 and below, was vulnerable to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown. This was due to $_SERVER['REQUEST_URI'] being echoed to a page without any encoding. http://www.example.com/?alert1...
Find My Blocks < 3.4.0 - Private Post Titles Disclosure
The plugin does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. Create a private post with at least one Gutenberg paragraph block and go to https://example.com/wp-json/find-my-blocks/blocks/?name=core/paragraph...
Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections
Multiple authenticated SQL injections exist in the Anti-Spam by CleanTalk plugin 5.148; however, they require a high privilege user (admin+). Vulnerable functions: removeLogs and removeSpam at: lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php Sleep query: POST...
Site Offline < 1.5.3 - Access Bypass
The plugin prevents users from accessing a website, but does not do so if the URL contains certain keywords. Adding those keywords to the URL's query string bypasses the plugin's main feature: https://example.com/?admin...
Export any WordPress data to XML/CSV < 1.3.5 - Admin+ SQL Injection
The plugin does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability. 1. Go to the All Export, New Export screen in the WordPress admin. 2. Click on Specific Post Type, Posts. 3. Click on Migrate Posts an...
WP SVG Images < 3.4 - Authenticated (author+) Stored XSS via SVG
The plugin did not sanitise uploaded SVG files, which could allow low privilege users (author+) to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such uploads to editors and admins, with an option to...
WP Statistics < 13.2.9 - Authenticated SQLi
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manageoptions capability (admin+); however, the plugin has a setting to allow low privilege users to access it as well. Log...
Genie WP Favicon <= 0.5.2 - Arbitrary Favicon Change via CSRF
The plugin does not have CSRF checks in place when updating the favicon, which could allow attackers to make a logged-in admin change it via a CSRF attack. // 32x32 white png const buf =...
Logo Slider and Showcase < 1.3.37 - Editor Plugin's Settings Update
The plugin allows Editor users to update its settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check. - As Editor, go to Logo Showcase - Shortcode Generator - Run...
WP Cookie Choice <= 1.1.0 - CSRF to Stored Cross-Site Scripting
The plugin lacks any CSRF check when saving its options, and does not escape them when outputting them in attributes. As a result, an attacker could make a logged-in admin change them to arbitrary values, including XSS payloads, via a CSRF attack...
miniOrange's Google Authenticator < 5.4.40 - Reflected Cross-Site Scripting
The plugin does not escape the user parameter before outputting it back in an attribute in the dashboard page that confirms the 2FA reset, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-admin/users.php?page=reset&action=resetedit&user="alert/XSS/...
LiteSpeed Cache < 5.7.0.1 - Unauthenticated Stored XSS
The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nameservers' and 'msg' parameters due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user...
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
The plugin does not validate and sanitise the affiliate data, which could allow users registering as affiliates to perform CSV injection attacks against an admin exporting the data. Register as an affiliate and put the following payload in the Firstname, Lastname or Company fields: =10+2+30 As admi...
Restricted Site Access < 7.3.2 - Access Bypass via IP Spoofing
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions in certain situations. Set HTTP_CF_CONNECTING_IP or any of the other headers in getclientipaddress to spoof the IP address...
Multiple Plugins from Avirtum - Reflected Cross-Site Scripting
Most plugins, both free and premium, from the Avirtum author do not escape a page parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. The issues were reported to the vendor on August 4th, 2021. Example in the ipanorama-360-virtual-tour-builder-lite plugin...
Post Views Counter < 1.3.5 - Authenticated Stored XSS
The plugin does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfilteredhtml capability is disallowed. Put the following payload in the Post Views Label settings of the plugin...
Tatsu < 3.3.12 - Unauthenticated RCE
The plugin's addcustomfont action can be used without prior authentication to upload a rogue zip file, which is extracted under the WordPress upload directory. By adding a PHP shell with a filename starting with a dot ".", the extension control implemented in the plugin can be bypassed. Moreover,...
Build App Online < 1.0.19 - Unauthenticated SQL Injection
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. Additional plugins required: https://wordpress.org/plugins/wc-multivendor-marketplace/...
WP Data Access < 5.0.0 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the backupdate parameter before using it in a SQL statement, leading to a SQL injection issue which could allow arbitrary table deletion: POST /wp-admin/admin.php?page=wpdataaccess&tab=repository HTTP/1.1 Accept:...
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS
The plugin does not have any authorisation and CSRF checks in place when creating an event, and also lacks sanitisation and escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in them. As an...
eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload
The plugin suffers from insufficient input validation, which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validatio...
TaxoPress < 3.0.7.2 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript payloads in it even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. Add or edit a Taxonomy...
myCred < 2.3 - Subscriber+ SQL Injection
The plugin does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user...
Favicon by RealFaviconGenerator < 1.3.22 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape one of its parameters before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) issue which is executed in the context of a logged-in administrator. Timeline (WPScanTeam): June 28th, 2021 - Details sent to vendor. July 9th, 2021 - Escalat...
OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass
The plugin does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then be authenticated as admin if they know the correct email address: POST / HTTP/1.1...
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)
The plugin did not escape user input when blocking requests, such as on matching a spam word, outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and leads to a reflected Cross-Site Scripting issue. From an IP not in the Allow List...
Contest Gallery < 13.1.0.7 - Subscriber+ Email Address Disclosure
The plugin does not have any proper access controls when exporting users from a gallery, which could allow any authenticated user, such as a subscriber, to list all users of the blog, disclosing their usernames and email addresses: POST...
Team Members < 5.0.4 - Authenticated Stored Cross-Site Scripting (XSS)
Cross-site scripting vulnerabilities in Team Members version 5.0.3 and lower allow a medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member. https://drive.google.com/file/d/1w5AmyBEOxAmtQ0T3uGKAB3o9w3ihNRAj/view Add a...
User Verification < 1.0.94 - Authentication Bypass
The plugin was affected by an authentication bypass vulnerability. To bypass authentication, only the user's username needs to be known. Depending on whose username is known, which can be easily discovered because it is usually public data, the attacker may even be given an administrative role on the website...
BSK PDF Manager < 3.1.2 - Admin+ SQL Injection
The plugin does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue. With at least one BSK PDF Category: https://example.com/wp-admin/admin.php?page=bsk-pdf-manager&order=and+sleep5...
XO Event Calendar < 2.3.7 - Reflected Cross-Site Scripting
The plugin does not escape the selected-name parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-admin/edit.php?posttype=xoevent&page=xo-event-holiday-settings&selected-name="alert/XSS/...
WP AutoComplete Search <= 1.0.4 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. Extract the nonce from the index page (search for "wpautosearchconfig" and look for the "nonce" field), then invoke the following...
Contact Form 7 < 5.3.2 - Unrestricted File Upload
The popular WordPress plugin Contact Form 7 was found to be vulnerable to Unrestricted File Upload. Append a Unicode control character, from U+0000 (NUL) to U+001F (US), to a filename and upload it via the Contact Form 7 upload feature...
Bitcoin / Altcoin Faucet <= 1.6.0 - Settings Update to Stored XSS via CSRF
The plugin does not have any CSRF check when saving its settings, allowing attackers to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues. Make a logged-in admin open a page...
Zebra_Form Library <= 2.9.8 - Reflected Cross-Site Scripting (XSS)
The ZebraForm PHP library v2.9.8 (latest) and below, used by some WordPress plugins, is affected by reflected Cross-Site Scripting issues in its process.php file. There is currently no patch available and removal of this library is recommended. Via $_GET['form']: &control=upload" method="post"...
Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
The plugin did not properly check the imported file, allowing PHP files to be uploaded by administrators by using the 'text/csv' content-type in the request. The issue could also be exploited via a CSRF attack, as such a check was also missing...
The Plus Addons for Elementor < 4.1.12 - Reflected Cross-Site Scripting (XSS)
The theplusmorepost AJAX action of the plugin did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting issue exploitable against both unauthenticated and authenticated users: POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
Google Analyticator < 6.5.6 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in the plugin: class Evil public function wakeup : void...