4359 matches found
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the addCountS POST parameter before concatenating it to an SQL query in 4activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080...
WooSwipe WooCommerce Gallery <= 2.0.1 - Subscriber+ Settings Update
The plugin does not have any authorisation when updating its settings, which could allow any authenticated users, such as subscriber to update them POST /wp-admin/admin.php?page=wooswipe-options HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...
Easy Digital Downloads < 3.1.0.2 - Unauthenticated CSV Injection
The plugin does not validate data when its output in a CSV file, which could lead to CSV injection. - Submit an order using =5+5 as "first name" and empty "last name" the plugin allows that. - Export the data as CSV from Reports Export. - Open the CSV with a spreadsheet application Excel, Libre...
Simple Banner < 2.12.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payloads in the "Simple Banner Text" settings of the plugin: Firefox...
User Meta < 2.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed An an admin - Create/edit ...
Post Snippets < 3.1.4 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues function submitRequest var xhr = new XMLHttpRequest...
Duplicate Page or Post < 1.5.1 - Arbitrary Settings Update to Stored XSS
The plugin does not have any authorisation and has a flawed CSRF check in the wpdevartduplicatepostparametrssaveindb AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of...
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.25 - Reflected XSS
The plugin does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit;...
Translate WordPress - Google Language Translator < 6.0.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting it in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Floating Widget Settings Custom text fo...
Display users <= 2.0.0 - Authenticated SQL Injection
The Edit Role functionality in the plugin had an id parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=display-users&tab=manage-role&action=edit&id=-4476+UNION+ALL+SELECT+NULL%2Cuser%28%29%2CNULL--+-...
Forms < 1.12.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting XSS vulnerability within the Forms "Add new" field. Step 1: Install and activate the plugin. Step 2: Go to the Forms-- Add New. St...
Yada Wiki < 3.4.1 - Contributor+ Stored XSS
The plugin did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue - Create a wiki page. If there is already a page, you can skip. The page can be a draft. - Add this shortcode to a post/page, view it and move the mouse over the...
404 SEO Redirection <= 1.3 - Reflected Cross-Site Scripting (XSS)
Description The tab parameter of the settings page of the plugin is vulnerable to a reflected Cross-Site Scripting XSS issue as user input is not properly sanitised or escaped before being output in an attribute. The PoC will be displayed once the issue has been remediated...
Store Locator Plus <= 5.5.15 - Unauthenticated Stored Cross-Site Scripting (XSS)
There are several endpoints in the plugin that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages. The PoC will be displayed once the issue has been remediated...
Business Directory Plugin < 5.11.2 - Arbitrary Payment History Update
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status from pending to completed to example Add a listing, don't complete payment status will be pending paymentcreatedatdate...
Larsens Calender <= 1.2 - Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or encode the Title of the calendar entries when outputting them in the admin dashboard, leading to Stored XSS issue. Due to the lack of CSRF check, this can be exploited by a CSRF attack, making logged in administrators create malicious entries The PoC will be...
XCloner Backup and Restore 4.2.1 - 4.2.12 - Unprotected AJAX Action
"This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on a vulnerable site’s server. Alternatively, an attacker could create an exploit cha...
Real Estate 7 < 2.9.5 - Multiple Vulnerabilities
Multiple vulnerabilities was discovered in the 'Real Estate 7 WordPress', tested version — v2.9.4: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - Authenticated Persistent Self-XSS - IDOR - Information Exposure Edit WPScanTeam: January 12th - Report Received & Envato Contacted...
WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
Description The function wptargetedlinkrel can be used in a particular way to result in a Stored Cross-Site Scripting XSS vulnerability. This is a PoC for a Stored XSS...
Socialdriver <= 2021 - Prototype Pollution to XSS
Description The theme has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting XSS attack. Access the URL:...
TF Random Numbers < 2.0.1 - Subscriber+ Arbitrary Option Update
The plugin does not have authorisation and CSRF check in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated users, such as subscriber, to update arbitrary blog options, such as enabling registration and set the...
Naver Map <= 1.1.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. naver-map y='" onmouseover="alert1"...
Contest Gallery Pro < 19.1.5 - Admin+ SQL Injection
The plugin does not escape the wpuserid GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. POST...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgrow POST parameter before concatenating it to an SQL query in 3row-order.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080 User-Agen...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgdeactivate and cgactivate POST parameters before concatenating it to an SQL query in 2deactivate.php and 4activate.php, respectively. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. Exploit...
Donation Button <= 4.0.0 - Contributor+ Stored XSS
The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. Put the following shortcode in a blog post: paypaldonationbutton align='center" onmouseover="alert1'...
Donation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam
The plugin does not properly check for privileges and nonce tokens in its "donationbuttontwiliosendtestsms" AJAX action, which may allow any users with an account on the affected site, like subscribers, to use the plugin's Twilio integration to send SMSes to arbitrary phone numbers. While logged...
Change Uploaded File Permissions <= 4.0.0 - File Permission Update via CSRF
Due to missing checks the plugin is vulnerable to CSRF attacks. This can be used to change the file and folder permissions of any folder. This could be problematic when specific files like ini files are made readable for everyone due to this. document.getElementById"test".submit;...
5 Stars Rating Funnel < 1.2.53 - Unauthenticated SQLi
Description The plugin does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtnggdeleteleads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using...
One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files such as PHP even when FILEMODS and FILEEDIT are disallowed Access Tools Import One Click Demo Import Run Importer and import dummy XML file can be empty Intercept the request made...
Store Toolkit for WooCommerce < 2.3.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=woost&tab=%3Cimg+src+onerror%3Dalert%281%29%3E...
Cluevo < 1.8.1 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed On the Learning Management page /wp-admin/admin.php?page=cluevo-lms, click Add Course, then put the followi...
Asset CleanUp < 1.3.8.5 - Reflected Cross-Site Scripting via AJAX Action
The plugin does not sanitise and escape POSted parameters sent to the wpassetcleanupfetchactivepluginsicons AJAX action available to admin users, leading to a Reflected Cross-Site Scripting issue alert/XSS/" / var form1 = document.getElementById'hack'; form1.submit;...
TrustMate.io integration for WooCommerce < 1.7.1 - Subscriber+ Arbitrary Blog Option Update
The plugin does not have any CSRF and authorisation checks in the savecheckbox AJAX action, available to any authenticated users, and do not validate the option key to ensure the option to update belongs to the plugin. As a result, any authenticated user, such as subscriber can update arbitrary...
Insight Core <= 1.0 - Subscriber+ PHP Object Injection & Stored XSS
The plugin does not have any authorisation and CSRF checks in the insightcustomizeroptionsimport available to any authenticated user, does not validate user input before passing it to unserialize, nor sanitise and escape it before outputting it in the response. As a result, it could allow users...
Profile Extra Fields < 1.2.4 - Reflected Cross-Site Scripting
The plugin does not escape the role parameter when outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=profile-extra-fields.php&tab-action=userdata&role="alert/XSS/...
Stock in & out <= 1.0.4 - Reflected Cross-Site Scripting (XSS)
The plugin has a search functionality, the lowest accessible level to it being contributor. The srch POST parameter is not validated, sanitised or escaped before using it in the echo statement, leading to a reflected XSS issue POST /wp-admin/admin.php?page=stockin HTTP/1.1 Content-Length: 66...
Ultimate Member < 2.1.20 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the...
Easy Digital Downloads < 2.10.3 - Unauthorised Stripe Disconnect via CSRF
The plugin did not property check for CSRF when disconnecting Stripe, allowing attackers to make logged in users with the manageoptions capability disconnect the Stripe gateway via a CSRF attack. https://example.com/wp-admin/admin-post.php?page=edd-settings&edds-stripe-disconnect=1...
Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Reflected Cross-Site Scripting (XSS)
The includes/mc-getlists.php file decoded JSON data fetched from the URL provided and then displayed the HTML from the response without any HTML escaping, leading to a reflected cross-site scripting issue where the payload is on a different server controlled by the attacker for example. The issue...
menu shortcode <= 1.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit shortcode: redirect duration="1"...
HT Event < 1.4.6 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
WP Show Posts < 1.1.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1. Add a new...
AAWP < 3.12.3 - Unsafe URL Handling
The plugin can be used to abuse trusted domains to load malware or other files through it Reflected File Download to bypass firewall rules in companies. wp-content/aawp/public/image.php?url=base64-url will load and download the file from the base64-decoded URL...
Qubely < 1.8.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Add the following Additional CSS classes to the "Post...
WooCommerce Dropshipping < 4.4 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection curl -isk -X 'POST' -H "Content-Type: application/json" --data '"sku":"a" AND SELECT 42 FROM SELECTSLEEP5wlHd-- pOeU"'...
Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
The plugin does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. curl -X POST -F "sizelimit=10485760" -F...
Comment License < 1.4.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit;...
Simple Real Estate Pack <= 1.4.8 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed Put the following payload in the plugin's settings such as "Consumer Key": "...
Easy Social Icons < 3.2.1 - Unauthenticated Arbitrary Icon Deletion
The plugin does not have authorisation and CSRF checks when deleting icons, allowing unauthenticated user to delete arbitrary icons https://example.com/?cnss-delete=&id=1...