4359 matches found
SEO 301 Meta <= 1.9.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Request and Destination settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Request or Destination settings of the plugin: "...
Patreon WordPress < 1.8.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the "Custom Patreon Page name" setting of the plugin and...
Advanced Product Labels for WooCommerce < 1.2.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the taxcolorsettype parameter before outputting it back in the berocketaplcolorlistener AJAX action's response, leading to a Reflected Cross-Site Scripting As any authenticated user: ' name="taxcolorsettype"...
Easy PayPal Buy Now Button < 1.7.3 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check in place when saving its settings, and does not sanitise as well as escape them when output in the page. As a result, an attacker could make a logged in admin change them via. CSRF attack and perform Cross-Site Scripting attacks. The plugin also fixed a Reflect...
Woocommerce Tabs Plugin, Add Custom Product Tabs <= 1.0.1 - Arbitrary Tab Deletion/Edition via CSRF
The plugin does not properly check for CSRF in its tabsession, tabsessiondel, tabsessionedit and ptabsubmit AJAX actions, allowing attacker to make logged in user call them via a CSRF attack To delete a tab:...
Store Locator Plus <= 5.5.14 - Authenticated Privilege Escalation
There is functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. Partially unpatched because they added CSRF protection that technically blocks low-level users from using the endpoint, howeve...
WP Super Cache < 1.7.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise its wpcachelocation parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. -- Payloads: $ ";' onmouseover=alertdocument.cookie; style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; $ ";'...
Tutor LMS < 1.8.3 - SQL Injection via tutor_answering_quiz_question/get_answer_by_id
The tutoransweringquizquestion/getanswerbyid function pair from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. POST /courses/first-class/tutorquiz/test/ HTTP/1.1 Host: URL Content-Length: 413 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin...
Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download
The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before...
User Activity Log Pro < 2.3.4 - Unauthenticated Stored Cross-Site Scripting via User Agent
Description The plugin does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks. 1 Make sure the plugin's Enable User Agent For Log setting is set at /wp-admin/admin.php?page=ualpsettings 2 If you're...
Post Shortcode <= 2.0.9 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks pcs template='" onmouseover="alert1"...
Free WooCommerce Theme 99fy Extension < 1.2.8 - Arbitrary Plugin Activation via CSRF
Description The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST',...
OAuth Single Sign On - SSO (OAuth Client) Premium < 38.4.9 - IdP Deletion via CSRF
The plugin does not have CSRF checks when deleting Identity Providers IdP, which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&action=delete&app=wordpress...
Strong Testimonials < 3.0.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit:...
Easy Accordion < 2.2.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Welcart e-Commerce < 2.8.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack. 1. Add a product item to the plugin. The item name, for example, "first". You will also use this in the shortcode...
Font Awesome < 4.3.2 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. Exploit shortcode: icon name='circle-exclamation'...
Metricool < 1.18 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. In the settings page of the plugin, add the...
Mautic Integration For WooCommerce < 1.0.3 - Arbitrary Options Update via CSRF
The plugin does not have proper CSRF check when updating settings, and does not ensure that the options to be updated belong to the plugin, allowing attackers to make a logged in admin change arbitrary blog options via a CSRF attack. The attack could also be performed via a LFI if one is present ...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgorder POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgmultiplefilesforpost POST parameter before concatenating it to an SQL query in 0change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...
Chat Bubble < 2.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin view the related contact message Setup: - In the General Settings of the plugin, check the "Show Chat...
Shortcut Macros <= 1.3 - Subscriber+ Arbitrary Settings Update
The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated users, such as subscriber, to update them. Open the following HTML code while being logged in as a subscriber, or make any logged in user open it via a CSRF attack...
WP-Email < 2.69.0 - Anti-Spam Protection Bypass via IP Spoofing
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based anti-spamming restrictions. Set HTTPCLIENTIP, HTTPXFORWARDEDFOR or any of the other headers used in getipaddress. curl...
Note Press <= 0.1.10 - Admin+ SQLi via Bulk Actions
The plugin does not sanitise and escape the ids from the bulk actions before using them in a SQL statement in an admin page, leading to an SQL injection...
Popup by Supsystic < 1.10.9 - Unauthenticated Subscriber Email Addresses Disclosure
The plugin does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 104 Accept: application/json, text/javascript, /; q=0.01...
Coupon Affiliates < 4.16.4.5 - Unauthenticated Stored XSS
The plugin does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin. curl https://example.com/wp-admin/admin-ajax.php --data...
Cost Calculator <= 1.8 - Authenticated Local File Inclusion
The plugin allows authenticated users Contributor+ in versions 1.5, and Admin+ in versions = 1.8 to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout As a contributor, create a Cost Calculator post, set the Layout to...
AnyComment < 0.2.18 - Comment Rating Increase/Decrease via Race Condition
The plugin is affected by a race condition when liking/disliking a comment/reply, which could allow any authenticated user to quickly raise their rating or lower the rating of other users https://www.youtube.com/watch?v=0IqZL-slt00 1. Make a new comment 2. Like your comment and intercept it using...
Five Star Restaurant Reservations < 2.4.8 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have capability and CSRF checks in the rtbwelcomesetschedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in admins As a...
ACF Photo Gallery Field < 1.7.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the post parameter in the includes/acfphotogallerymetaboxedit.php file before outputing back in an attribute, leading to a Reflected Cross-Site Scripting issue...
Multiple Plugins from AYS Pro - Reflected Cross-Site Scripting (XSS)
The plugins did not properly sanitise and escape some GET parameters before outputting them back in attributes, leading to reflected Cross-Site Scripting issues which will be executed in the context of a logged in administrator...
Download Manager < 3.1.23 - Unauthorised Asset Manager Usage
The majority of the AJAX actions related to the Asset Manager use the same nonce action ie the NONCEKEY constant, and are lacking any authorisation checks. Given that the nonce is available in other pages, accessible by low priviledge users such as author, or even subscribers depending on the...
Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS
The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. Note WPScanTeam: The CSRF has ben fixed and proper capability checks have also been adde...
Loginizer < 1.6.4 - Unauthenticated SQL Injection
The Loginizer WordPress plugin was found to be affected by an Unauthenticated SQL Injection vulnerability found by the security researcher mslavco. The vulnerability was triggered within the brute force protection functionality, which was enabled by default when the plugin was first installed. Wh...
Stop Spammers Security < 2023 - Reflected XSS
The plugin does not sanitise and escape various parameters before outputting them back in admin dashboard pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page containing the code below...
Multiple e-plugins - Subscriber+ Privilege Escalation
The plugins, sold by the same developer e-plugins, do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function ivdirectoriesupdateprofilesetting uses updateusermeta with any data provided by the ajax call, which can be used to give the logged in...
WP Social Widget < 2.2.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wpsw facebook='" onmouseover="alert1"'...
WP Extended Search < 2.1.2 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Exploit shortcode: wpessearchform searchformcssclass='" onmouseover="alert1"'...
JetWidgets For Elementor < 1.0.14 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks jw-posts showimage='yes'...
Bg Bible References <= 3.8.14 - Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Steps to reproduce: 1. Install the vulnerable plugin bg-biblie-references 3.18.4 2. As an unauthenticated or authenticated user, visit the following URL which...
Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection
The plugins do not escape the userid POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...
Contest Gallery < 19.1.5 - Unauthenticated SQL Injection
The plugins do not escape the cgFields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080...
reCAPTCHA <= 1.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. On the setting page of this plugin, enter the...
Scripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload
The plugin does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file POST /wp-admin/admin-ajax.php...
WP Hide & Security Enhancer < 1.8 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of a backend page, leading to a Reflected Cross-Site Scripting http://example.com/wp-admin/admin.php?page=wp-hide-cdn&component=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x...
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS
The plugin does not have authorisation and CSRF check in place when saving the YouTube API Key, and does not sanitise as well as escape it. As a result, users with a role as low as subscriber could change it, including setting it with Stored Cross-Site Scripting payloads in it As any authenticate...
Name Directory < 1.25.4 - Arbitrary Directory/Name Deletion via CSRF
The plugin does not have CSRF checks in place when deleting Directories and Names, which could allow attackers to make a logged in admin delete them via a CSRF attack https://example.com/wp-admin/admin.php?page=name-directory&deletedir=2...
NextScripts: Social Networks Auto-Poster < 4.3.26 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=nxssnap&a"alert/XSS/...
Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element Content
The plugin does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks As a contributor or above, create a post using Brizy editor and: - Add a Text Element then put the following payload:...