4359 matches found
Images Optimize and Upload CF7 <= 2.1.4 - Unauthenticated Arbitrary File Deletion
The plugin does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack. 1. Install contact-form-7 dependency 2. Install the vulnerable plugin images-optimize-and-upload-cf7...
Jetpack CRM < 5.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins As a...
Donations <= 1.8 - Unauthenticated SQLi
The plugin does not sanitise and escape the nddonationsid parameter before using it in a SQL statement via the nddonationssinglecauseformvalidatefieldsphpfunction AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection Create a new "Cause" and fill out the form...
Ad Inserter < 2.7.10 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the htmlelementselection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting "...
IP2Location Country Blocker < 2.26.6 - Arbitrary Country Ban via CSRF
The plugin does not have CSRF check in the ip2locationcountryblockersaverules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend. Make an admin open a page with the following code in it, whi...
Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion
The plugin does not have any authorisation and CSRF checks in all of its AJAX calls, for example the ordeletefiled one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure...
Target First Plugin 2.0 - Unauthenticated Stored XSS via Licence Key
The Target First WordPress Plugin, also previously known as Watcheezy, suffered from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the "weeWzKey" parameter that will be save as the "weeID" option. The input value...
Contact Form 7 Database Addon < 1.2.5.4 - Authenticated SQL Injections
The plugin did not properly sanitise the formids from the contactform POST array parameter before using them in a SQL statement in the processbulkaction function. This could allow high privilege users, such as admin to perform SQL Injection against the DBMS via the bulk actions: delete, read and...
Events Made Easy <= 2.3.14 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the searchname parameter before using it in a SQL statement via the emerecurrenceslist AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber Open the URL below while being on the blog as subscriber user...
Coupon Zen < 1.0.6 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
ActiveCampaign for WooCommerce < 1.9.8 - Subscriber+ Error Log Cleanup
The plugin does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs. Run the below command in the developer console of the web browser while being on the blog as a subscribe...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the optionid POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
Event Monster < 1.2.0 - Visitors Deletion via CSRF
The plugin does not have CSRF check when deleting visitors, which could allow attackers to make logged in admin delete arbitrary visitors via a CSRF attack To delete the attendee/visitor with ID 1, make a logged in admin open a page with the HTML code below The statement deleting attendee is also...
WP Attachments < 5.0.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Inject an XSS payload in the title by going to...
PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection
The plugin unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site. To simulate a gadge...
SupportCandy < 2.2.5 - Unauthenticated Arbitrary Ticket Deletion
The plugin does not have authorisation and CRSF checks in its wpsctickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction. Other actions may be affected as well. POST /wp-admin/admin-ajax.php HTTP/1....
WPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS
The plugin does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting Run the below command in...
Quiz And Survey Master < 7.1.14 - Authenticated SQL injection via Rest API
While confirming https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab, another SQLi issue was identified and reported. The qsmrestgetbankquestions function in the php/rest-api.php file did not property sanitise and escape the category parameter before using it in SQL statements...
eVision Responsive Column Layout Shortcodes <= 2.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. bscolumns class='" onmouseover="alert1"...
Restaurant Menu < 2.3.6 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks The exploit requires at least a contributor...
EAN for WooCommerce < 4.4.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. algwceanproductimage productid='1'...
Simple Membership < 4.2.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. 1. Exploit...
Logo Slider < 3.6.0 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: First, you need to add a Logo Slider...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin https://example.com/wp-admin/admin.php?page=wsysadminfeeds&action=delete&id=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the cgoptionid POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. POST...
WooCommerce Shipping - DPD baltic < 1.2.11 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Put the following payload in the Name field of...
Bricks Builder < 1.5.4 - Subscriber+ Arbitrary Post/Page Edition
The theme does not have authorisation in an AJAX action, which could allow any authenticated users such as subscriber to call it and edit any page, post, or template on the blog 1. Start with a clean Wordpress install 2. Install Bricks builder v1.5.3 3. Enable registrations on the website 4...
Top Bar < 3.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting them in frontend pages, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the...
Asset CleanUp < 1.3.8.5 - Reflected Cross-Site Scripting
The plugin does not escape the wpacuselectedsubtabarea parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue...
LabTools <= 1.0 - Subscriber+ Arbitrary Publication Deletion
The plugin does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication The PoC will be displayed once the issue has been remediated...
Product Feed PRO for WooCommerce < 11.0.7 - Subscriber+ Settings Update to Stored XSS
The plugin does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue which will be triggered in the admin dashboard due to the lack of escaping. v10.9.1 added a CSRF check, however...
Event Calendar < 1.1.51 - Reflected Cross-Site Scripting
The plugin does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issues And move the mouse over the 'Untitled' text Firefox only:...
Event Calendar < 1.1.51 - Subscriber+ Event Creation
The plugin does not have proper authorisation and CSRF checks in the addcalendarevent AJAX actions, allowing users with a role as low as subscriber to create events Adding calendar events: fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
MZ Mindbody API < 2.8.3 - Unauthorised AJAX Calls
The plugin did not properly check for CSRF and authorisation in various AJAX actions, allowing attacker to make users call them and perform unwanted actions, as well as allow low privilege users to call them As a low privilege user such as subscriber...
Recently < 3.0.5 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise or escape its default Thumbnail setting before outputting back in the page, leading to a stored Cross-Site Scripting issue POST /wp-admin/options-general.php?page=recently&tab=tools HTTP/1.1 Accept:...
LifterLMS < 4.21.1 - Authenticated Stored XSS in Edit Profile
The 'State' field of the Edit profile page of the plugin is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users such as students to elevate their privilege via an XSS attack when an admin...
Simple Membership < 4.0.4 - Authenticated SQL Injections
The plugin did not properly sanitise user input before using it in SQL queries in the admin backend, leading to authenticated admin+ SQL injections GET /wp/wp-admin/admin.php?status=&membershiplevel=&s=hhhh%27%20OR%20SLEEP%281%29%20OR%20firstname%20LIKE%20%27%25i%0A&page=simplewpmembership HTTP/1...
Easy Contact Form Pro < 1.1.1.9 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise the text fields such as Email Subject, Email Recipient, etc when creating or editing a form, leading to an authenticated author+ stored cross-site scripting issue. This could allow medium privilege accounts such as author and editor to perform XSS attacks...
Simple Social Buttons < 3.2.1 - Unauthenticated Reflected Cross-Site Scripting
The version 3.2.0 attempted to fix a reflected Cross-Site Scripting issue, by adding a CSRF check, which does not fully remediate it as unauthenticated users will all have the same nonce generated and valid for 12h to 24h, or 2 WP ticks. Only unauthenticated users can be attacked with this issue...
Canto <= 1.7.0 - Unauthenticated Blind SSRF
The plugin is affected by Blind SSRF issues via the domain parameter in three files: /includes/lib/tree.php, /includes/lib/detail.php and /includes/lib/get.php. All requests to the arbitrary domain/IP will be made with the HTTPS protocol The PoC will be displayed once the issue has been remediate...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal
The plugin does not limit what log files to display in it's settings pages, allowing an authorized user admin+ to view the contents of arbitrary files and list directories anywhere on the server to which the web server has access. The plugin only displays the last 50 lines of the file. POST...
Web Invoice <= 2.1.3 - Authenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well When...
Highlight FocusĀ <= 1.1 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the plugins...
Gallery < 2.0.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...
Tipsacarrier <= 1.4.4.2 - Unauthenticated SQLi
The plugin does not sanitise and escape various parameters before using them in SQL statements, and is lacking authorisation checks in some calls as well, leading to SQL Injection issues Vendor was notified on November 26th, 2021, did not reply nor fix the issue Affected files:...
Videos sync PDF <= 1.7.4 - Unauthenticated LFI
The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues https://example.com/wp-content/plugins/video-synchro-pdf/reglages/MenuPlugins/tout.php?p=LFI...
Users Ultra <= 3.1.0 - Unauthenticated SQL Injection
The plugin fails to properly sanitize and escape the datatarget parameter before it is being interpolated in an SQL statement and then executed via the ratingvote AJAX action available to both unauthenticated and authenticated users, leading to an SQL Injection. curl...
WP Dependency Installer < 4.3.1 - Arbitrary Plugin Installation from Dependency via CSRF
The wp-dependency-installer library, used in the plugins, does not have CSRF check in its dependencyinstaller AJAX action with the install method, which could allow attackers to make a logged in admin install plugins defined in the wp-dependencies.json via a CSRF attack. The slug has to be presen...
SpiderCalendar <= 1.5.65 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue. Note: Vendor decided to close the plugin and it won't be...
LiteSpeed Cache < 4.4.4 - Admin+ Reflected Cross-Site Scripting
The plugin does not escape the qcres parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting As admin, enter the following payload in the Domain Key setting of the plugin: Then open...