4359 matches found
Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover
The plugin injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flocustomtableprefix cookie to an arbitrary value. On any website where flo-launch is active create cookie "flocustomtableprefix" with any string value to...
Favicon by RealFaviconGenerator < 1.3.23 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape the jsonresulturl parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue...
Ad Inserter < 2.7.12 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the REQUESTURI before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters In a browser which does not encode characters:...
WP Block and Stop Bad Bots < 6.88 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue GET / HTTP/1.1 User-Agent: '+SLEEP5-- g Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language:...
MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation
The plugin does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin The nonce value of the stmlmsregister request must be retrieved from the ajax page. for this you should check the home page POST...
Wicked Folders < 2.18.10 - Subscriber+ SQL Injection
The plugin does not sanitise and escape the folderid parameter before using it in a SQL statement in the wickedfolderssavesortorder AJAX action, available to any authenticated user. leading to an SQL injection As a subscriber:...
Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title
The plugin did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will view the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117 Creat...
Content Copy Protection & Prevent Image Save <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them. -- PoC 1 | Authenticated Persistent XSS & XFS | Image saving disabled message text: ! POST...
Business Directory Plugin < 5.11.2 - Authenticated Stored Cross-Site Scripting
The plugin suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin. Log on as an admin, create or edit a Form Field wp-admin/admin.php?page=wpbdpadminformfields and set the Field Label input...
Doneren met Mollie < 2.8.5 - Unauthorised CSV Export leading to Sensitive Data Disclosure
The plugin did not check for user capability in the dmmexportdonations function, allowing any authenticated user to export a CSV file containing all donors personal information. GET /wp-admin/admin-post.php?action=dmmexport...
InPost Gallery <= 2.1.4.1 - Reflected XSS
The plugin does not sanitise and escape the imgurl parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
HT Politic < 2.3.8 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
Post Grid, Post Carousel, & List Category Posts < 2.4.19 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit Additional CSS classes for "Smart Post Show"...
Custom User Profile Fields for User Registration & Member Frontend Profiles with Paid Memberships Pro < 1.8.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Booster for WooCommerce - Subscriber+ Order Status Update
The plugins allow users to update their own order status via a settings defined by admins when the My Account module is enabled, however does not ensure that the status set is allowed. As a result, users could set arbitrary status to their own orders, making them paid without actually paying for...
No Future Posts <= 1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Put the following payload in any of the plugin's settings such as Exclude posts IDs and save: " autofocus onfocus=alert/XSS///...
WP Downgrade < 1.2.3 - Admin+ Stored Cross-Site Scripting
The plugin only perform client side validation of its "WordPress Target Version" settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfilteredhtml capability is disallowed Access the settings of the...
SpeakOut! Email Petitions < 2.14.15.1 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the dkspeakoutsendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users Create a new email petition /wp-admin/admin.php?page=dkspeakoutaddnew, check x Do not send email onl...
Advanced iFrame < 2022 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the aiconfigid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue alert/XSS/;" / var form1 = document.getElementById'hack'; form1.submit;...
Add Subtitle <= 1.1.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or escape the sub-title field available only with classic editor when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks The classic editor plugin is needed to see the sub-title field - Create a post a...
The Buffer Button <= 1.0 - Authenticated Stored Cross Site Scripting (XSS)
The plugin was vulnerable to Authenticated Stored Cross Site Scripting XSS within the Twitter username to mention text field. 1. Insert below payload in the Twitter username to mention text field "alert44 2. Click on Save Changes...
Easy Forms for Mailchimp < 6.8.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the fieldname and fieldtype parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-fieldname/' / alert/XSS-fieldtype/' / var form1 = document.getElementById'hack'; form1.submit;...
Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS https://example.com/giveaway/mygiveaways/?share=%3Cscript%3Ealertdocument.domain%3C/script%3E...
Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues Adds the following payloads in the API Key settings /wp-admin/options-general.php?page=aocritcss "alert/XSS/ --...
User Rights Access Manager < 1.0.4 - Improper Access Controls
The plugin did not properly restrict access to some paths, still allowing a restricted user to access them, and edit the Blog Options, create/edit posts and so on for example To reproduce it, install the plugin, create a new admin user and take all his privileges using the mentioned plugin block...
Article Directory <= 1.3 - Admin+ Stored XSS
The plugin does not properly sanitize the publishtermstext setting before displaying it in the administration panel, which may enable administrators to conduct Stored XSS attacks in multisite contexts. POST /wordpress/wp-admin/options.php HTTP/1.1 Host: 172.28.128.6 User-Agent: Mozilla/5.0 Window...
Page View Count < 2.6.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit Additional CSS classes for "Page Views"...
Blog Designer – Post and Widget < 2.4.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Exploit shortcode: wpspwrecentpostslider design='" onmouseover="alert1" style="background:red;"'...
Real Cookie Banner < 3.4.10 - Contributor+ Stored XSS
The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. Exploit shortcode: rcb-consent class='"...
WP Admin UI Customize < 1.5.13 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to "WP Admin UI Customize" » "Login Form". ...
Sharebar <= 1.4.1 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and also lead to Stored Cross-Site Scripting issue due to the lack of sanitisation and escaping in some of them test1" test2"...
ShortPixel Image Optimizer < 4.22.10 - Reflected Cross-Site Scripting
The plugin does not escape a generated URLs before outputting them back in an attribute, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/options-general.php?page=wp-shortpixel-settings&"alert/XSS/...
HPB Dashboard <= 1.3.1 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. Put the following payload in the plugin's settings: "...
Turn off all comments <= 1.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the rows parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/tools.php?page=toac&status=success&rows=%3Csvg%2Fonload%3Dalert%28%2Fxss%2F%29%3E...
Social comments by WpDevArt < 2.5.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when unfilteredhtml is disallowed Put the following payload in any of the plugin's text field settings such as Title , Title font-size etc: "svg...
Page Restriction WordPress < 1.2.7 - Admin+ Stored Cross-Site Scripting
The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users. In Page/Post Access tab, Use XSS Payload as "alert'XSS' in any of the pages available. XSS wi...
NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality
An unprivileged user could use the functionality of the plugin to load images that hide malware for example from passing malicious domains to hide their trace, by making them pass through the vulnerable domain. Search for a vulnerable domain with the dork:...
Profile Builder < 3.6.2 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape the siteurl parameter before outputting it back in an href attribute, leading to a Reflected Cross-Site Scripting issue...
TrustMate.io integration for WooCommerce < 1.8.12 - Subscriber+ Arbitrary Plugin's Settings Update
The plugin does not have any CSRF and authorisation checks in the savecheckbox AJAX action, available to any authenticated users, allowing any authenticated user, such as subscriber to update arbitrary settings from the plugin. Due to the lack of escaping, it could lead to Stored Cross-Site...
Contact Form & Lead Form Elementor Builder < 1.6.8 - Subscriber+ Arbitrary Lead Deletion
The plugin does not have capability and CSRF checks in the deleteleadsbackend AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber could delete arbitrary Leads. Attackers could also make any logged in users delete leads via a CSRF attack POST...
Vik Rent Car < 1.1.7 - CSRF to Stored XSS
In the plugin, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also ...
WP LMS < 1.1.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user including unauthenticated v1.1.3 fixed the XSS by escapin...
Advanced Custom Field Pro < 5.9.1 - Reflected Cross-Site Scripting (XSS)
The plugin did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page. The PoC will be displayed on April 16, 2021, to give users the time to update...
Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 - Unauthenticated File Upload Bypass
Due to the plugin not properly checking the file being uploaded via the dndcodedropzupload AJAX action, an attacker could bypass the checks in place and upload a PHP file. There was a working exploit provided along with this vulnerability. It also requires the Contact Form 7 plugin to be installe...
HT Slider For Elementor < 1.4.0 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
WP OAuth Server < 4.2.5 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a CSRF attack. fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: n...
WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Note: First,...
CC Child Pages < 1.43 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit:...
WooCommerce Chained Products < 2.12.0 - Unauthenticated Arbitrary Options Update to 'no'
The plugin does not have authorisation and CSRF checks, as well as does not ensure that the option to be updated belong to the plugin, allowing unauthenticated attackers to set arbitrary options to 'no' As unauthenticated, open the following URL to set the Blog Name to 'no':...
Seriously Simple Podcasting < 2.19.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1. Create a...