4359 matches found
Event Monster < 1.2.1 - Admin+ SQLi
The plugin does not validate and escape some parameters before using them in SQL statements, which could lead to SQL Injection exploitable by high privilege users...
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
The plugin does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog As a...
StaffList < 3.1.6 - Reflected Cross-Site Scripting
The plugin does to sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected cross-Site Scripting https://example.com/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E...
FormBuilder <= 1.08 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in...
Simple Quotation <= 1.3.2 - Subscriber+ SQL injection
The plugin does not have authorisation and CSRF checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: /...
Cost Calculator < 1.6 - Contributor+ Stored Cross-Site Scripting
The plugin allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator Price Settings which gets injected on the edit page as well as any page that embeds the calculator using the shortcode, as well as the Text...
Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update
The plugin doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings PoC POST Request ON/OFF Captcha: POST /wp-admin/admin-ajax.php HTTP/2 Cookie: any authenticated user User-Agent: Mozilla/5.0 Content-Type:...
Orders Tracking for WooCommerce < 1.1.10 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the fileurl before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=woo-orders-tracking-import-csv&fileurl=%3Cimg+src+onerror%3Dalert%281%29%3E&viwoterror=2...
WP Cookie User Info < 1.0.9 - Admin+ SQL Injection
The plugin does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection...
WooCommerce Dynamic Pricing & Discounts < 2.4.2 - Unauthenticated Settings Export
The plugin does not have authorisation check on its export feature, allowing unauthenticated users to export them. https://example.com/?rpwcdpdexportsettings=1...
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. Visit the following path on the site as an admin user:...
Shopping Cart & eCommerce Store < 5.4.3 - Admin+ LFI
The plugin does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks. 1. Login as Admin. 2. Go to wp-admin/admin.php?page=wp-easycart-products&subpage=products 3. Click on Import Products. Browse any file and click on import file. Intercept the...
Schedulicity - Easy Online Scheduling <= 2.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. schedulenowbutton bizkey='"...
WP Table Reloaded <= 1.9.4 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. Exploit...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the optionid POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
WP Opt-in <= 1.4.1 - Arbitrary Settings Update via CSRF
The plugin is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails. Bad e-mail address." Failed sending to e-mail address." " " " document.getElementById"test".submit;...
Dokan < 3.6.4 - Vendor Stored Cross-Site Scripting
The plugin allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators. As a vendor, add a review in any products with following payload: https://youtu.be/gGUNSG5s5JU...
Private Files <= 0.40 - Protection Disabling via CSRF
The plugin is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public document.getElementById"test".submit; That will also delete the .htaccess...
MailerLite < 1.5.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting The first digit of the ID must be an existing form ID...
WP-Invoice <= 4.3.1 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attacker to make a logged in admin update them and change the minimum role allowed to access the plugin's features to subscriber for example, which would make invoices available to any authenticated users...
Multisite Content Copier/Updater < 2.1.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wmcccontenttype, wmccsourceblog and wmccrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-contenttype/' / alert/XSS-source/' / alert/XSS-record/' /...
AnyComment <= 0.3.1 - Open Redirect
The plugin has an API endpoint which passes user input via the redirect parameter to the wpredirect function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature...
Magic Post Thumbnail < 3.3.7 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its ids GET parameter before outputting it back in the bulk generation page, leading to a reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=magicpostthumbnail%2Finc%2Fadmin%2Fbulkgeneration.php&ids=alert/XSS/...
Smooth Scroll Page Up/Down Buttons <= 1.4 - Authenticated Stored XSS via psb_positioning
The plugin does not properly sanitise and validate its psbpositioning settings, allowing high privilege users such as admin to set an XSS payload in it, which will be executed in all pages of the blog -- Payloads: $ m0ze"...
SEO Redirection < 6.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the Redirect From and Redirect To fields when creating a new redirect in the dashboard, allowing high privilege users even with the unfilteredhtml disabled to set XSS payloads Create a new Custom redirect /wp-admin/options-general.php?page=seo-redirection.php and set a...
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks < 1.1.6 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
Real Estate 7 < 3.3.5 - Multiple CSRF
The theme does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, for example create/delete arbitrary lead alerts, manipulate properties add/remove from favourite etc To be disclosed on March 6th...
WP News <= 1.1.9 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
OAuth Single Sign On - SSO (OAuth Client) Standard < 28.4.9 - IdP Deletion via CSRF
The plugin does not have CSRF checks when deleting Identity Providers IdP, which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&action=delete&app=wordpress...
Ocean Extra < 2.1.2 - Contributor+ Stored XSS
The plugin does not escape the class attribute of its oceanwpbreadcrumb shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks oceanwpbreadcrumb class='"...
Click to Chat < 3.18.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
OAuth Client by DigitialPixies <= 1.1.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions. Make a logged in user visit a page with the following code fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Contact Form Entries < 1.3.0 - CSV Injection
The plugin does not validate data when its output in a CSV file, which could lead to CSV injection. - Submit a form using Contact Form 7, Ninja Forms, Elementor Forms or WP Forms using =5+5 as the value - Export the data as CSV /wp-admin/admin.php?page=vxcfleads - Open the CSV with a spreadsheet...
reSmush.it Image Optimizer < 0.4.4 - Subscriber+ AJAX Calls
The plugin lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them. Examples of actions where low-privileged users can directly ask - https://example.com/wp-admin/admin-ajax.php?action=resmushitbulkgetimages -...
Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection
The plugin does not properly escape data when exporting it via CSV files. 1 Edit your subscriber account's nickname to: ;=1+3 2 As an administrator, export your users data via http://vulnerable-site.tld/wp-admin/tools.php?page=acui&tab=export, and open the resulting CSV file in Excel or equivalen...
Tutor LMS < 2.0.10 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Create/Edit a Course, add a new Topic and put the following...
Import all XML, CSV & TXT into WordPress < 6.5.8 - Admin+ SQLi
The plugin does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin With the additional https://wordpress.org/plugins/polylang/ plugin installed, import a CSV with the following payload in...
Clearfy Cache < 2.0.5 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting When Disable assets manager on back-end" is off: https://example.com/wp-admin/admin.php?page=gonzales-wbcrclearfy&action=index&wbcrassetsmanager=1&a"alert/XSS/...
Favicon by RealFaviconGenerator < 1.3.23 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape the jsonresulturl parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue...
Login with phone number < 1.3.7 - Unauthenticated remote plugin deletion
The plugin includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation...
CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Put the following payloads in the "License ID" setting of the plugin and save: "alert/XSS/...
MapPress Maps for WordPress < 2.73.4 - Reflected Cross-Site scripting
The plugin does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting https://example.com/?mappiframe=1&mapid=--%3E%3Cimg%20src%20onerror=alert/XSS/%3E...
Remove Footer Credit < 1.0.11 - Admin+ Stored Cross-Site Scripting
The plugin does properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. In the plugin's settings, put the following values: - In "Step 1: Enter text/HTML to remove one per line" field: powered - In "Step 2:...
Orange Form <= 1.0 - SQL Injection via CSRF
In the plugin, the processbulkaction function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter $id. Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers...
WP Booking System – Booking Calendar < 2.0.15 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page. http://127.0.0.1:8001/wp-admin/admin.php?page=wpbs-calendars&s=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%281%29+x%3D or...
Community Event < 1.4.8 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator...
External Media < 1.0.34 - Authenticated Arbitrary File Upload
The wpajaxupload-remote-file AJAX action of the plugin was vulnerable to arbitrary file uploads via any authenticated users. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // Upload File $ch = curlinit; curlsetopt$ch, CURLOPTURL,...
Business Directory Plugin < 5.11.2 - Arbitrary Listing Export
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc The state is base64 encoded and will need to be adapted to the...
Easy Form Builder <= 1.0 - Unauthorised AJAX calls
While confirming https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484, we noticed that all AJAX actions of the plugin, available to authenticated users, do not have any CSRF and authorisation checks in place, allowing low privilege users to call them and delete/edit arbitrary for...
Gallery Blocks with Lightbox < 3.0.8 - Subscriber+ Arbitrary Options Update
The plugin has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user...