4359 matches found
FoxyShop < 4.8.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/edit.php?posttype=foxyshopproduct&page=foxyshoptools&updatetemplate=error&error=...
Webriti SMTP Mail <= 1.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; document.getElementById"test".submit;...
Hot Linked Image Cacher <= 1.16 - Image upload/cache abuse via CSRF
The plugin is vulnerable to CSRF. This can be used to store / cache images from external domains on the server, which could lead to legal risks due to copyright violations or licensing rules. document.getElementById"test".submit;...
Five Minute Webshop <= 1.3.2 - Admin+ SQLi via id
The plugin does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection https://example/wp-admin/admin.php?page=fmweseditproduct&id=1+AND+SELECT+6037+FROM+SELECTSLEEP5Uiuu...
WP-Invoice <= 4.3.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them ' /...
Themify - Post Type Builder Search Addon < 1.4.0 - Reflected Cross-Site Scripting
The plugin does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting vulnerability. On a page or post with a search form, add the following url query parameter: ?%22%3E%3Cscript%3Ealert1%3C/script%3E...
Material Design for Contact Form 7 <= 2.6.4 - Subscriber+ Arbitrary Settings Update leading to DoS
The plugin does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7mddismissnotice action, allowing any logged in user with roles as low as Subscriber to set arbitrary options to true, potentially leading to Denial of...
Cookie Information < 2.0.8 - Reflected Cross-Site Scripting
The plugin does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=wp-gdpr-compliance&x=%27+onanimationstart%3Dalert%28/XSS/%29+style%3Danimation-name%3Arotation+x...
Master Addons for Elementor < 1.8.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the errormessage parameter before outputting it back in the response of the jltmarestrictcontent AJAX action, available to unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting " name="errormessage"...
WP Ticket < 5.10.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Navigate to WP Ticket Forms edit layout of "Open a Ticket" or "Search Tickets"...
Quiz And Survey Master < 7.1.14 - Reflected Cross-Site Scripting
The plugin does not sanitise or escape the 's' and paged GET parameter before outputting them in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=mlwquizlist&s="alert/XSS-s/&paged="alert/XSS-paged/...
Email Subscriber <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The kentoemailsubscriberajax AJAX action of the plugin, does not properly sanitise, validate and escape the submitted subscribeemail and subscribename POST parameters, inserting them in the DB and then outputting them back in the Subscriber list...
Multivendor Marketplace Solution for WooCommerce < 3.7.4 - Unauthenticated Arbitrary Product Comment
The plugin did not properly check for CSRF when saving a product comment, and took the user ID to link the comment to from user input. As a result, attackers can post arbitrary comment, as another user as well by manipulating the currentuserid parameter. POST / HTTP/1.1 Accept: application/json,...
DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
The dsgvoaiowritelog AJAX action of the plugin did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard wp-admin/admin.php?page=dsgvoaiofree-show-log. This could allow unauthenticated attackers to gain unauthorised access by...
Simple Giveaways < 2.45.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup As admin, add/edit a sharing method "Giveaways"...
WP OAuth Server < 4.3.0 - Subscriber+ Arbitrary Client Deletion
The plugin has a flawed CSRF and authorisation check when deleting a client, which could allow any authenticated users, such as subscriber to delete arbitrary client. Run the below command in the developer console of the web browser while being on the blog as any authenticated users, such as...
Spacer < 3.0.7 - Admin+ Stored XSS
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Add new Spacers and add payload "Gem to Setting...
AWP Classifieds Plugin < 4.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection To read the userlogin and userpass columns from the wpusers table:...
Bricks Builder < 1.5.4 - Subscriber+ Remote Code Execution
The theme allows website editors to include executable code blocks in their website, which can contain arbitrary PHP code. By default, code execution is intended to be disabled, with website administrators having to explicitly allow code execution for specific user roles. However, due to improper...
Download Monitor < 4.5.98 - Admin+ Arbitrary File Download
The plugin does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup. Create a new download on:...
HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion
The plugin does not have authorisation and CSRF checks in an AJAX action, available to any authenticated users such as subscriber, which could allow them to delete arbitrary file To delete the license.txt at the root of the blog: await...
CURCY < 2.1.18 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wc-reports&a"alert/XSS/...
Advanced Uploader <= 4.2 - Subscriber+ Arbitrary File Upload
The plugin allows any authenticated users like subscriber to upload arbitrary files, such as PHP, which could lead to RCE As any authenticated user, upload a PHP file via /wp-admin/upload.php?page=adv-file-upload The file will be at https://example.com/wp-content/uploads/2022/03/.php...
WP Social Buttons <= 2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Delay Time General Settings or Top Margin Advanced Settings of the...
Clipr <= 1.2.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed Put the following payload in the API Key settings of the plugin: 'alert/XSS/ The XSS will be...
Link Library < 7.2.8 - Unauthenticated Arbitrary Links Deletion
The plugin does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request https://example.com/?posttype=linklibrarylinks&ll60reupdate=1...
Simple Events Calendar <= 1.4.0 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the eventid POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue POST /wp-admin/admin.php?page=simple-events&tab=existingevents HTTP/1.1 Content-Length: 33 Cache-Control: max-age=0...
Virtual Robots.txt < 1.10 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the content of the robots.txt, allowing high privilege users admin+ to use XSS payloads, which will be output back in the settings page of the plugin. Put the following directive in the plugin settings "User Agents and Directives for this site" Disallow:...
WP-Curricul Vitea Free <= 6.3 - Unauthenticated Arbitrary File Upload to RCE
The plugin suffers from an arbitrary file upload issue in page where the formCadastro is embed. The form allows unauthenticated user to register and submit files for their profile picture as well as resume, without any file extension restriction, leading to RCE. The PoC will be displayed once the...
Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_question_form
The tutorquizbuildergetquestionform AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. python3 sqlmap.py -r /tutorunion4.txt --dbms=mysql --technique=U -p questionid --dump Where tutorunion4.txt is POST /wp-admin/admin-ajax.php HTTP/1.1...
Tutor LMS < 1.7.7 - SQL Injection via tutor_mark_answer_as_correct
The tutormarkanswerascorrect AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students. python3 sqlmap.py -r /tutortime.txt --dbms=mysql --technique=T -p answerid --dump Where tutortime.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...
ChatBot < 4.4.9 - Unauthenticated Stored XSS
The plugin does not have authorisation and CSRF in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard curl -X POST --data 'qcbotstrweight=" style=animation-name:rotation...
Woo Bulk Price Update < 2.2.2 - Reflected XSS
The plugin does not sanitize and escape escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
QuickSwish < 1.1.0 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers...
GamiPress – Vimeo integration < 1.0.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. gamipressvimeo url='https://vimeo.com/"...
Posts List Designer by Category < 3.2 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgcopyid POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR
The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. POST /testt/wp-admin/admin-ajax.php HTTP/2...
FluentForm < 4.3.13 - CSV Injection
The plugin does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection - As unauthenticated, submit a form using =5+5 as value in any field - As admin, export the data as CSV /wp-admin/admin.php?page=fluentforms&formid=1&route=entries - open the CSV with a...
WP Contact Slider < 2.4.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a Contact slider and put the payload below in the "Text to display" option:...
Official Integration for Billingo < 3.4.0 - ShopManager+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks. Put the following payload in the WooCommerce Settings Billingo E-mail Beállítások Gomb szöveg field in the table:...
Note Press <= 0.1.10 - Admin+ SQLi via Update
The plugin does not sanitise and escape the Update parameter before using it in a SQL statement when updating a note via the admin dashboard, leading to an SQL injection POST /wp-admin/admin.php?page=NotePress-Main-Menu&action=edit&id=17 HTTP/1.1 Accept:...
Dropdown Menu Widget <= 1.9.7 - Subscriber+ Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks when saving its settings, allowing low privilege users such as subscriber to update them. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues Open the following URL as a subscriber:...
Simple Membership < 4.0.9 - Arbitrary Member Deletion via CSRF
The plugin does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack https://example.com/wp-admin/admin.php?page=simplewpmembership&action=bulkdelete&members%5B0%5D=1&members%5B1%5D=2...
RVM - Responsive Vector Maps < 6.4.2 - Subscriber+ Arbitrary File Read
The plugin does not have proper authorisation, CSRF checks and validation of the rvmuploadregionsfilepath parameter in the rvmimportregions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server As a subscriber, open...
Skaut bazar < 1.3.3 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /skaut-bazar.php file which allows attackers to inject arbitrary web scripts https://example.com/wp-admin/options-general.php/"alert/XSS//?page=skatubazaroption...
WP Login Security and History <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as well -- Payloads: $ " $ " -- PoC 1 | Authenticated...
Profile Builder & Profile Builder Pro < 3.3.3 - Authenticated Blind SQL Injection
The orderby parameter of the wp-admin/users.php?page=unconfirmedemails=email=asc page, which is available when the "Email confirmation" setting of the plugin is activated default is off, is not properly sanitised and validated before being concatenated in a SQL statement, leading to an SQL...
MS-Reviews <= 1.5 - Subscriber+ Stored XSS
The plugin does not sanitise and escape reviews, which could allow users any authenticated users, such as Subscribers to perform Stored Cross-Site Scripting attacks As a subscriber, submit a review a page/post with msreviews embed with the following payload: alert/XSS/ The XSS will be triggered...
WP Insurance < 2.1.4 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...