4359 matches found
History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it. 1 Navigate to Instagram Feed Settings Manage Sources, then click o...
Limit Login Attempts < 1.7.2 - Unauthenticated Stored XSS
The plugin does not sanitize and escape the IP address retrieved from headers such as X-Forwarded-For when the "Site Connection" settings is set to "From behind a reversy proxy", which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks Setup: As admin, set the...
Video Central for WordPress <= 1.3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks video-central-subtitle src="'...
Easy Forms for MailChimp < 6.8.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its from parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Edit a form and put the following payload i...
Print Invoice & Delivery Notes for WooCommerce < 4.7.2 - Reflected XSS
The plugin is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orders page. This means that this vulnerability can be exploited for users with the editothersshoporders capability. WooCommerce must be installed and active. This vulnerability is caused by a...
Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload
The plugin does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE 1. Install and activate woocommerce dependency, no setup required 2. Install and activate the vulnerable...
reSmush.it Image Optimizer < 0.4.6 - Admin+ Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfilteredhtml is disallowed. POST /wp-admin/options.php HTTP/1.1 Accept:...
TaskBuilder < 1.0.8 - Subscriber+ Stored XSS via SVG file upload
The plugin does not validate and sanitise task's attachments, which could allow any authenticated user such as subscriber creating a task to perform Stored Cross-Site Scripting by attaching a malicious SVG file Create a SVG with the following content: alertdocument.cookie; As any authenticated...
WordPress Popular Posts < 6.0.0 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting When the plugin displays a performance notice: https://example.com/wp-admin/plugins.php?"alert/XSS/...
Genki Pre-Publish Reminder <= 1.4.1 - Stored XSS & RCE via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings. document.getElementById"test".submit;...
Master Elements <= 8.0 - Unauthenticated SQLi
The plugin does not validate and escape the metaids parameter of its removepostmetacondition AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL Injection As unauthenticated:...
Countdown & Clock < 2.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the post parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/post-new.php?posttype=ycdcountdown&post="...
WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Go to "Field Editor" page. Put the following XSS payload into the "Placeholder / Options"...
Ultimate FAQ < 2.1.2 - Subscriber+ Arbitrary FAQ Creation
The plugin does not have capability and CSRF checks in the ewdufaqwelcomeaddfaq and ewdufaqwelcomeaddfaqpage AJAX actions, available to any authenticated users. As a result, any users, with a role as low as Subscriber could create FAQ and FAQ questions...
WOWRestro < 1.1 - CSRF Bypass
The plugin does not properly check for CSRF in numerous of its AJAX actions, allowing attacker to make logged in users call them and perform unwanted actions, such as add/remove an item from their basket and empty it as well. To empty a user basket:...
Strong Testimonials < 2.51.3 - Unauthorised AJAX Call
The plugin did not propely check for CSRF and authorisation in all the wpmtstaddfieldfunction functions, allowing unauthorised call of the associated AJAX actions either via low privilege users or CSRF attack https://example.com/wp-admin/admin-ajax.php?action=wpmtstgetcatcount...
Migrate Users <= 1.0.1 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack. Add the following paylo...
Async JavaScript < 2.21.06.29 - Authenticated (admin+) Stored XSS
The plugin does not validate or escape its Username and API Key from the Wizard tab of its settings, allowing high privilege users such as admin to set JavaScript payload in them, even when the unfilteredhtml capability is disallowed, leading to Stored Cross-Site Scripting issues Set the payload...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Installation
A lack of capability checks and insufficient nonce check on the AJAX action in the plugin, made it possible for authenticated users to install arbitrary plugins on vulnerable sites. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch;...
Cookie Law Bar <= 1.2.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise its Bar Message setting, allowing high privilege users to set an XSS payload in it, which will be triggered in all frontend page of the blog. As admin, go the plugin settings /wp-admin/options-general.php?page=clb and set a payload such as alert/XSS/ in the B...
Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_answers_by_question
The tutorquizbuildergetanswersbyquestion AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. python3 sqlmap.py -r /tutorunion.txt --dbms=mysql --technique=U -p questionid --dump Where tutorunion.txt is POST /wp-admin/admin-ajax.php HTTP/1.1...
Elementor Contact Form DB < 1.6 - Unauthenticated & Unauthorised Form Submissions Export
The sbelemcfddownloadcsv function, registered as an admininit hook does not have capability and CSRF checks, allowing unauthenticated attackers to download arbitrary form submissions as a CSV. The data will include PII such as email addresses. A CSRF check was added, but no capability one, so the...
Contact Form Submissions <= 1.6.4 - Authenticated Double Query SQL injection
The plugin is affected by a double query SQL injection, which could allow high privileged users to access data from the DBMS. Edit WPScanTeam October 26th, 2020 - Confirmed & Escalated to WP October 27th, 2020 - WP Investigating January 3rd, 2021 - No updates, disclosing The PoC will be displayed...
Elegant Themes (Divi 3.0 - 4.5.2, Extra 2.0 - 4.5.2, Divi Builder 2.0 - 4.5.2) - Authenticated Arbitrary File Upload
Description This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. Usage: php poc.php url username password filetoupload Once the file is...
Active Directory Integration < 4.1.10 - Unauthenticated Log Disclosure
Description The plugin stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so. This requires the plugin's Log Authentication Requests setting to be set...
WP Inventory Manager < 2.1.0.14 - Inventory Items Deletion via CSRF
The plugin does not have CSRF checks, which could allow attackers to make logged-in admins delete Inventory Items via a CSRF attack Send a payload to logged-in admins with a request to http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpimmanageinventoryitems&action=delete&deleteid=2...
Japanized For WooCommerce < 2.5.5 - Reflected XSS
The plugin does not sanitise and escape the tab parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin https://example.com/wp-admin/admin.php?page=wc4jp-options&tab=a...
Video Background < 2.7.5 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks v 2.7.5 vidbg loop="1;alert/XSS-loop/;...
WP Tabs < 2.1.17 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. trtabs id='"; alert1; "' trtabs id='"...
News & Blog Designer Pack < 3.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Exploit shortcode: bdpmasonry grid='1" onmouseover="alert1" style="background:red;"'...
Request a Quote <= 2.3.7 - CSV Injection
The plugin does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it On a page with a Quote Request form, upload the following CSV as an attachment: "First Name","Last...
WP Post Styling < 1.3.1 - Multiple CSRF
The plugin does not have CSRF checks in various actions, which could allow attackers to make a logged in admin delete plugin's data, update the settings, add new entries and more via CSRF attacks HTMLFormElement.prototype.submit.call document.getElementById"test" ;...
Enqueue Anything <= 1.0.1 - Subscriber+ Arbitrary Asset/Post Deletion
The plugin does not have authorisation and CSRF checks in the removeasset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash. v1.0.1 added...
FormCraft Basic < 1.2.6 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape Field Labels, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload into a Field Label and save: The XSS will be triggered when accessing the form...
Anti-Malware Security and Brute-Force Firewall < 4.20.96 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the QUERYSTRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters GET /wp-admin/admin.php?page=GOTMLSViewQuarantine&a=" HTTP/1.1 Cache-Control: max-age=0...
WP Google Map < 1.8.4 - Arbitrary Post Deletion and Plugin's Settings Update via CSRF
The plugin does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack Removing post: fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
WordPress GDPR & CCPA < 1.9.27 - Unauthenticated Reflected Cross-Site Scripting
The checkprivacysettings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript...
Database Backup for WordPress < 2.5.1 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue https://example.com/wp-admin/?fragment=select%20updatexml1,concat0x7e,select%20user,0::2.txt&wpnonce=7347278aca The nonce can be...
FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
The plugin is affected by a Reflected Cross-Site Scripting XSS within the "visibility" parameter. https://example.com/wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D2+onerror%3Dalert%28origin%29%3E...
GTranslate < 2.9.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the body parameter in the urladdon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCESALT and NONCEKEY alert/XSS/" / var form1 =...
WP Cloudy < 4.4.9 - Admin+ SQL Injection
The plugin does not escape the postid parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue The first digits of the post parameter must be a valid Post ID Weather post or not...
Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection
In the plugin, any authenticated user, such as a subscriber, could use the importfromdebug AJAX action to inject PHP objects. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // OBJI $ch = curlinit; curlsetopt$ch, CURLOPTURL, $wpur...
Biometric Login for WooCommerce < 1.0.4 - Unauthenticated Privilege Escalation
Description The plugin does not validate that a user's WebAuthn authentication request succeeded before sending them authentication cookies, making it possible for unauthenticated attackers to take over any accounts having WebAuthn credentials set up on affected sites. While on the site not logge...
POEditor < 0.9.8 - Settings Reset via CSRF
Description The plugin does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks. document.forms0.submit;...
Ocean Extra < 2.1.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: This requires the OceanWP theme to be...
VK All in One Expansion Unit < 9.86.0.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Setup: The CTA Expansion...
WP Private Message < 1.0.6 - Private Message Disclosure via IDOR
The plugin bundled with the Superio theme as a required plugin does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID. - Install the Superio theme an...
Flexible Captcha <= 4.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks FCcaptchafields width='" onmouseover="alert1...
WCK < 2.3.3 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. 1. Create/edit a Post Type via the plugin...
Web Invoice <= 2.1.3 - Authenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well When...