4359 matches found
GigPress <= 2.3.28 - Subscriber+ SQLi
The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscriber to perform SQL Injection attacks Run the below commands in the developer console of the web browser while being on the blog ...
Happyforms < 1.22.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit Additional CSS classes for "Forms" Gutenberg...
Vimeo Video Autoplay Automute <= 1.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. vimeo clipid="1" color="'...
Welcart e-Commerce < 2.8.6 - Subscriber+ PHAR Deserialisation
The plugin does not validate user input before using it in fileexist functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present...
Simple File List < 4.4.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup First Stored XSS - HTTP Request POST...
WP Athletics <= 1.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting...
Blackhole for Bad Bots < 3.3.2 - Arbitrary IP Address Blocking via IP Spoofing
The plugin uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abuse...
StatCounter < 2.0.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Project ID or Secure Code settings...
Rearrange Woocommerce Products < 3.0.8 - Subscriber+ SQL Injection
The plugin does not have proper access controls in the saveallorder AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, and allowing any authenticated user, such as subscriber, to modify arbitrary post content for example with an XSS...
Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation
The plugin does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request v 3.6 - https:/example.com/wp-content/plugins/protect-wp-admin/lib/pwa-deactivate.php?disablepwa...
WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection
The options.php file of the plugin accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it take...
Bello < 1.6.0 - Unauthenticated Reflected XSS & XFS
The theme did not properly sanitise and escape its listinglistview, btbblistingfieldmylat, btbblistingfieldmylng, btbblistingfielddistancevalue, btbblistingfieldmylatdefault, btbblistingfieldkeyword, btbblistingfieldlocationautocomplete, btbblistingfieldpricerangefrom and...
Software License Manager < 4.4.6 - CSRF to Stored XSS
The plugin did not have CSRF check on its settings page, nor sanitisation when outputting user input back. Attackers could make a logged in administrator change the plugin's settings, and put XSS payload in them. alert/XSS-1/' / alert/XSS-2/' / alert/XSS-3/' / alert/XSS-4/' /...
WP Spell Check < 9.13 - Ignored Word Deletion via CSRF
The plugin does not have CSRF check in place when deleting ignored words, allowing attacker to make a logged in admin delete them via a CSRF attack Make a logged in admin open https://example.com/wp-admin/admin.php?page=wp-spellcheck-ignore.php&delete=4...
Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation
The plugin does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins curl -X POST --data "wmtvuninstall=1&wmtvuninstallconfirm=1&plugin=akismet/akismet.php" https://example.com...
Social Slider Feed < 2.0.6 - Admin+ Stored XSS via API Key
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the YT API Key settin...
Photo Gallery by Supsystic < 1.15.6 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
OnePress Social Locker <= 5.6.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; form id="test"...
Content Mask < 1.8.4.1 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options POST /wp-admin/admin-ajax.php...
Sliderby10Web < 1.2.52 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a slider, put the following payload in the CSS settings and save: The XSS will be...
Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection curl 'http://example.com/?restroute=/olistener/new' --data '"id":" SELECT SLEEP3"' -H 'content-type: application/json'...
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit a form and put the following payload in the 'E-mail To' field: " The XSS will be...
WP Time Slots Booking Form < 1.1.63 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create a new calendar with the following Name: alert'XSS' The XSS will be triggered when editing or publishing the...
WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting
The checkprivacysettings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript...
Email Tracker < 5.2.6 - Reflected Cross-Site Scripting
The plugin does not escape user input before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Options Reset
The plugin has two AJAX actions, mepwlajaxlicenseactivate and mepwlajaxlicensedeactivate, which are available to both unauthenticated and authenticated users, and are lacking any authorisation, CSRF as well as checks to ensure that the options to be updated belong to the plugin. As a result,...
Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload
The EFBPverifyuploadfile AJAX action of the plugin, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE. The PoC will be displayed once the issue has been remediated...
Formidable PRO2PDF < 3.11 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the fieldmap parameter before using it in a SQL statement via the fpropdfexportfile AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber Run the below command in the developer console of the web browser...
WP Meta SEO < 4.5.3 - Subscriber+ Improper Authorization causing Arbitrary Redirect
The plugin does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability. Visit, for example, the page ?p=99999. This should create the first auto redirect entry in the wpwpmslinks table with ID 1. Now log ...
Workreap - Freelance Marketplace and Directory < 2.6.3 - Subscriber+ Private Message Disclosure via IDOR
The theme has a vulnerability with the notifications feature as it's possible to read any user's notification employer or freelancer as the notification ID is brute-forceable. POST /testt/wp-admin/admin-ajax.php HTTP/2 Host: host Cookie: Content-Type: application/x-www-form-urlencoded;...
DSGVO All in one for WP < 4.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Go the DSGVO AIO Settings Cookie Notice settings a...
Download Manager < 3.2.44 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute of the login page made by the plugin, leading to Reflected Cross-Site Scripting, which is only exploitable against unauthenticated users On the login page from the plugin ie where the wpdmloginform is embed, appe...
Domain Replace <= 1.3.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=dr-convert&msg=%3Csvg%2Fonload%3Dalert%28%2Fxss%2F%29%3E...
Event List < 0.8.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfilteredhtml is disallowed Put the following payload in the "iCal link text" Feed Settings of the plugin...
Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read
The plugin does not validate the path parameter given to readfile, which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique...
Easy Social Icons < 3.2.1 - Admin+ Stored Cross-Site Scripting in add icon
The plugin does not properly escape the imagefile field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfilteredhtml capability is disallowed. Version 3.2.0 adressed some of the issues, but was still vulnerable when clicking to edit the...
YOP Poll < 6.3.5 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the settings available to users with a role as low as author before outputting them, leading to a Stored Cross-Site Scripting issue As author, put the following payload in the Settings Integration Use Google reCaptcha Yes Site Key: v v 6.3.5 - "...
SEUR Oficial < 1.7.2 - Admin+ Arbitrary File Download
The plugin creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page. Navigate to...
SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in one of the plugin's settings: "alert'XSS'; Affected files:...
10Web Map Builder for Google Maps < 1.0.70 - Authenticated Stored XSS
The plugin does not validate or escape its MAP API Key, Center Address, Center Lat, Center Lng and Zoom Level settings in the admin dashboard, allowing high privilege users such as admin to use JavaScript payload in them, leading to Stored Cross-Site Scripting issues even when the unfilteredhtml...
404 SEO Redirection <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
Description The plugin is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues The PoC will be displayed once the iss...
Modal Survey < 2.0.1.8.2 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise the msuid parameter from the survey participants page in the admin Dashboard, leading to a reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=modalsurveyparticipants&msuid=%27%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E...
Preview Link Generator < 1.0.4 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Simple File List < 6.0.10 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to...
WP Meta SEO < 4.5.3 - Subscriber+ SQLi
The plugin does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users. Run the following js code in your web console on the dashboard as a subscriber: fetch 'admin-ajax.php', method: 'POST', headers:...
Download Attachments <= 1.2.24 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. download-attachments containerclass='"...
Advanced Recent Posts <= 0.6.14 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. lptwrecentposts colorscheme='"...
WP Spell Check < 9.13 - Admin+ Stored Cross-Site Scripting
The plugin does not escape ignored words, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Add a word to ignore via...
WordPress Events Calendar Plugin < 1.4.5 - Multiple Reflected XSS
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users such as high-privilege ones like admin. 1. Create a new calendar in the plugin's setting...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the optionid GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...