4359 matches found
Bookly < 20.3.1 - Staff Member Stored Cross-Site Scripting
The plugin does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue As a Staff Member, put the following payload in your Full Name Booklyn -- Profile -- Edit -- Full Name: alert/XSS/ The XSS will be triggered when an...
LiteSpeed Cache < 3.6.1 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise invalid IPs given in its Toolbox page before displaying them in an error message. Submit a payload such as in the Admin IPs section of the Toolbox /wp-admin/admin.php?page=litespeed-toolbox...
WooHoo Newspaper Magazine Theme <= 2.5.3 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make an admin open an HTML page with the following HTML: document.forms0.submit; See that the plugin's "Header Options Toolbar...
GetResponse for WordPress <= 5.5.31 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. grwebform center='on'...
PDF Generator for WordPress < 1.1.2 - Reflected XSS
The plugin includes a vendored dompdf example file which is susceptible to Reflected Cross-Site Scripting and could be used against high privilege users such as admin Make a logged in admin open the following URL:...
Tutor LMS < 2.0.10 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the resetkey and userid parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Cloak Front End Email < 1.9.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks email name='" onmouseover="alert1"...
Quizlord <= 2.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Quizlord » Add a quiz 2. In the input...
Zoho CRM Lead Magnet < 1.7.6.2 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF in some AJAX actions, and does not ensure that the option to be updated belong to the plugin. As a result, any authenticated users, such as subscriber could update arbitrary blog options such as defaultrole and userscanregister. v response.text...
WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
The plugin is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files 1 Create 'poc.zip' with 2 files like below 1-1 'exploit.php.txt' is as follows...
Envira Gallery Lite < 1.8.4.7 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers https://example.com/wp-admin/edit.php?posttype=envira&page=envira-gallery-lite-addons&"alert1...
Multiple Plugins from Puvox.software - Reflected Cross-Site Scripting
The plugins do not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wp-phpmyadmin-extension&tab=errors-logreset&a"alert/XSS/...
Slide Anything < 2.3.47 - Author+ Cross Site Scripting in slide title
The plugin does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged in user with roles as low as Author to inject a javascript payload into the slide title even when the unfilteredhtml capability is disabled. An incomplete fix was introduced ...
Rename wp-login.php <= 2.6.0 - Secret URL Update via CSRF
The plugin does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit;...
Browser and Operating System Finder <= 1.2 - Unauthenticated Settings Reset
The plugin does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them https://example.com/?type=reset-all...
Static Page eXtended <= 2.1 - Arbitrary Settings Update via CSRF to Stored XSS
Due to missing checks the plugin is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific features. This could also lead to Stored Cross-Site Scripting due to the lack of escaping in some of the settings...
Newsletter < 7.4.5 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the $SERVER'REQUESTURI' before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below...
WordPress Forms by Pie Forms < 1.4.9.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Create/edit a form, go to the Form Settings - General Settings and put the following payload in the "Form...
amtyThumb <= 4.2.0 - Subscriber+ SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection and is exploitable by any authenticated user and not just Author+ like the original advisory mention due to the fact that they can execute shortcodes via an AJAX...
Amazon Link <= 3.2.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. Put the following payload in settings such as the "AWS Public Key": "...
BMI BMR Calculator <= 1.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape arbitrary POST data before outputting it back in the response, leading to a Reflected Cross-Site Scripting " document.form1.submit;...
Personal Dictionary < 1.3.4 - Unauthenticated SQLi
The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability. 1. Create a new page with the plugin's shortcode shortcode can be copied from...
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via post_types
The plugin does not sanitise and escape the posttypes parameter before outputting it back in the response of the postgridupdatetaxonomiestermsbyposttypes AJAX action, available to any authenticated users, leading to a Reflected Cross-Site Scripting " name="posttypes"...
Mark Posts < 2.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the 'Add new markers' settings of the plugin: "autofocus onfocus=alert/XSS/ b=...
MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution
The plugin allows a high privileged user to bypass the DISALLOWFILEEDIT and DISALLOWFILEMODS settings and upload arbitrary files to the site through the "ajaxsave" function. The file is written relative to the current theme's stylesheet directory, and a .php file extension is added. No validation...
BulletProof Security < 5.8 - Admin+ Stored Cross-Site Scripting (XSS)
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, put the following payloads: - in the htaccess File Options htaccess File Editor...
WP Cerber Security, Anti-spam & Malware Scan < 8.9.6 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability. POST /"/onmouseover=alert1;// HTTP/1.1 Host: 127.0.0.1 Content-Type:...
WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue https://example.com/?wahi=JzthbGVydCgxKTsvLw==...
Float Menu < 4.3.1 - Arbitrary Menu Deletion via CSRF
The plugin does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack https://example.com/wp-admin/admin.php?page=float-menu&info=delete&did=1...
Popular Brand SVG Icons - Simple Icons < 2.7.8 - Contributor+ Stored XSS
The plugin does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in...
myStickymenu < 2.5.2 - Authenticated Stored XSS
The plugin does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog when the Welcome bar is active Put...
Goto - Tour & Travel < 2.0 - Unauthenticated Reflected XSS
The theme does not sanitise the keywords and startdate GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue. Payload:...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Heading Widget
In the plugin, the heading widget includes/widgets/heading.php accepts a ‘headersize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request with this parameter set t...
User Profile Picture < 2.5.0 - Sensitive Information Disclosure
The REST API endpoint getusers in the plugin returned more information than was required for its functionality to users with the uploadfiles capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information. Usage: php poc.php author...
Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending
Description The plugin does not have authorisation and CSRF checks in its testerror AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF As a subscriber, open...
Watu Quiz < 3.3.9.1 - Reflected XSS
The plugin does not sanitise and escape some parameters such as email, dn, date and points before outputting then back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
i2 Pros & Cons <= 1.3.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. i2prosandcons showbutton='true'...
MashShare < 3.8.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit:...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin https://example.com/wp-admin/admin.php?page=wsysadminrules&action=delete&id=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Plugin Logic < 1.0.8 - Admin+ SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin POST /wp-admin/network/plugins.php?page=plugin-logic&tabid=options%20union%20SELECT%20SLEEP16%3b%23 HTTP/1.1 Content-Type:...
WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector. 1 Download 'poc.zip' via...
OAuth 2.0 client for SSO < 1.11.4 - Authenticated Bypass
The plugin allows attackers to login as any user by just knowing their email address POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded option=mooauth&[email protected]...
WP Event Manager < 3.1.28 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting Against any authenticated user: https://example.com/event-dashboard/?searchkeywords=aaaa"...
Easy Testimonials < 3.9 - Reflected Cross-Site Scripting
The plugin, when used along the Pro version, does not escape an URL before outputting it back in an attribute, leading to Reflected Cross-Site Scripting With the pro version installed and when consent hasn't been given yet:...
Print, PDF, Email by PrintFriendly < 5.2.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Custom Button Text settings, which could allow high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed In the plugin's settings, tick 'Custom Button' and put the following payload ...
postTabs <= 2.10.6 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping ' document.getElementById"test".submit;...
GD Mylist <= 1.1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any of the text field settings of the plugin such as Add to Mylist...
The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection
The "WP Search Filters" widget of the plugin does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection The request requires a nonce created with wpcreatenonce"theplus-searchfilter” which can be retrieved from a page where the widget is...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Export
The exportdata function of the plugin had no capability or nonce checks making it possible for unauthenticated users to export a site's redirects. curl -X POST --url "URL/wp-admin/admin-post.php?page=301options&export=true"...
Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to Reflected Cross-Site Scripting XSS issues via the galleryid, tag, albumid and themeid GET parameters passed to the bwgfrontenddata AJAX action available to both unauthenticated and authenticated users...