4359 matches found
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin https://example.com/wp-admin/admin.php?page=wsysadminpublishers&action=delete&id=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Superio - Job Board < 1.2.33 - Subscriber+ Stored Cross-Site Scripting
The theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Stored Cross-Site Scripting attacks. As a candidate, add the following payload on the Social Network option: javascript:alert1 As a recruiter, access the candidate page an...
Qe SEO Handyman <= 1.0 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin POST /wp-admin/admin-post.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11; Linux x8664; rv:91.0 Gecko/20100101...
Analytics for WP <= 1.5.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. In the Settings page of this plugin, in the bo...
WP Best Quiz <= 1.0 - Author+ Stored XSS
The plugin does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks. 1. Go to Quiz » Add Categories. 2. Inset a category with the payload as name: alert1. 3. The XSS will be trigged when accessing the Add Categories...
Gallery < 2.0.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...
Donate Extra <= 2.02 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected cross-Site Scripting ' document.form1.submit;...
Coru LFMember <= 1.0.2 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when adding a new game, and is lacking sanitisation as well as escaping in their settings, allowing attacker to make a logged in admin add an arbitrary game with XSS payloads ' / ' / ' / " / ' /...
ThirstyAffiliates < 3.10.5 - Subscriber+ unauthorized image upload + CSRF
The plugin lacks authorization checks in the tainsertexternalimage action, allowing a low-privilege user with a role as low as Subscriber to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the...
IP2Location Country Blocker < 2.26.9 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, enable Frontend Blocking and put the following payload in the Display page when visitor is blocked U...
Error Log Viewer < 1.1.2 - Arbitrary Text File Deletion via CSRF
The plugin does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server. On Web Servers other than Windows, the /wp-content/plugins/error-log-viewer/savedlogs/...
WP Popup Banners <= 1.2.5 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the value parameter before using it in a SQL statement via the getpopupdata AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber Run the below command in the developer console of the web browser while...
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. Visit the following path on the site as an admin user:...
WordPress Amazon S3 Plugin < 1.6 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Simple Giveaways < 2.45.1 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Giveaways options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Login with an editor user and add/edit a...
Cost Calculator <= 1.8 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. ndcostcalculator id='" onmouseover="alert1"...
Materialis Companion < 1.3.40 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Required them...
Giveaways and Contests by RafflePress < 1.11.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. rafflepress id='1' minheight="'; alert1; '"...
Image Hover Effects Css3 <= 4.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Hover Effects » Hover Effects » Add New...
Easy Digital Downloads < 3.0 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack...
Student Result or Employee Database < 1.8.0 - Unauthorised REST Calls
The plugin has a flawed permission callback in its REST endpoints, allowing unauthenticated attackers to call them and add/edit/delete arbitrary student for example POST /wp-json/v2/ssradddata HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
Gravity PDF < 6.3.1 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=gfeditforms&view=settings&subview=pdf&id=1&a'alert/XSS/...
WooCommerce Menu Cart < 2.12.0 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting When there is no shop active yet: https://example.com/wp-admin/index.php?a"alert/XSS/...
External Links in New Window / New Tab < 1.43 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. On any post on the affected site, add the following link to a comment: Click here for XSS Click on the link, you should be getting an alert box...
Videos sync PDF <= 1.7.4 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when editing a video, and does not escape some of its fields, which could allow attackers to make a logged in admin change them and lead to Stored Cross-Site Scripting issues 2, 00:00:10-3, 00:00:15-4, 00:00:20-5" /...
Ad Injection <= 1.2.0.19 - Admin+ Stored Cross-Site Scripting & RCE
The plugin does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user Admin+ to inject arbitrary HTML or javascript even with unfilteredhtml disallowed, leading to a stored cross-site scripting XSS vulnerability. Further it is also possible to inje...
Easy Smooth Scroll Links < 2.23.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any text field settings of the plugin for example Scroll Speed and...
WP User < 7.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters in pages where the wpuser shortcode is used, leading to Reflected Cross-Site Scripting issues PAGEWITHSHORTCODE is a page with the wpuser shortcode embed https://example.com/?pageid=PAGEWITHSHORTCODE&formid="alert/XSS/...
Ad Invalid Click Protector (AICP) < 1.2.6 - Authenticated SQL Injection
The plugin is affected by a SQL Injection in the id parameter of the delete action. http://127.0.0.1:8001/wp-admin/admin.php?page=aicpbanneduserdetails&action=delete&id=0%20OR%201=1%20--%20k...
Amazon Affiliate < 3.17.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the tab parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=aawp-settings&tab=%22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y...
Domain Check < 1.0.17 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=domain-check-profile&domain=alert/XSS/...
Qubely < 1.7.8 - Subscriber+ Arbitrary Post Deletion
The plugin does not have authorisation and CSRF check on the qubelydeletesavedblock AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts Note: v1.7.7 added capability check, CSRF che...
Super Progressive Web Apps < 2.1.12 - Authenticated (Low Privileged) Arbitrary File Upload to RCE
When the Apple Touch Icons & Splash Screen add-on is active, its superpwasplashscreenuploader AJAX action, does not properly check for CSRF, authorisation and the content of the uploaded archive file. This allows attackers to upload an archive with a PHP file, leading to RCE by either using a low...
All 404 Redirect to Homepage < 1.21 - Authenticated Reflected Cross-Site Scripting (XSS)
The tab parameter of the settings page of the plugin was vulnerable to an authenticated reflected Cross-Site Scripting XSS issue as user input was not properly sanitised before being output in an attribute...
WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR
The plugin does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users. 1. Book or cancel booking an event using an authenticated user. 2. Intercept the request using an HTTP Pro...
Resume Builder <= 3.1.1 - Subscriber+ Stored XSS
The plugin does not sanitize and escape some parameters related to Resume, which could allow users with a role as low as subscriber to perform Stored XSS attacks against higher privilege users Run the below command in the developer console of the web browser while being on the blog as subscriber...
User Activity <= 1.0.1 - IP Spoofing
The plugin checks headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing 1. Send login request with x-forwarded-for: REDACTEDIP 2. Show spoofed IP address in the dashboard OWASP A09:2021 – Security Logging and Monitoring Failures...
WOOCS < 1.3.9.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins...
Find and Replace All <= 1.3 - Arbitrary Replacement via CSRF
The plugin does not have CSRF check when replacing string, which could allow attackers to make a logged admin replace arbitrary string in database tables via a CSRF attack Make a logged in admin open a page with the below code...
Login Block IPs <= 1.0.0 - IP Spoofing Bypass
The function checkisloginpage uses headers for the IP check, which can be easily spoofed. Set HTTPCLIENTIP to bypass blocks / use allowed IP addresses...
Amministrazione Aperta < 3.8 - Admin+ LFI
The plugin does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. The original advisory mentions that unauthenticated users can exploit this, however the affected file generates a fatal error when accessed directly and the affected...
Multiple Themes - Reflected Cross-Site Scripting via Customizer Notify
The qualitycustomizernotifydismissaction and ticustomizernotifydismissrecommendedplugins AJAX actions names can differ depending on the theme, available to authenticated users in multiple themes do not validate or escape the id parameter before outputting it back in the response, leading to...
SupportCandy < 2.2.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks supportcandy page="init';alert/XSS///"...
Document Embedder < 1.7.5 - Unauthenticated Arbitrary Private/Draft Post Title Disclosure
The plugin contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts. https://example.com/wp-json/doc/v1/single/509 509 being the ID of a private/draft Post...
real.Kit < 5.1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. modal open='1' class='" onmouseover="alert1...
Companion Sitemap Generator <= 4.5.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. html-sitemap columns='1"...
GS Insever Portfolio < 1.4.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. gsinstagram id='" onmouseover="alert1"...
Annual Archive < 1.6.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. archives tag='ul onmouseover="alert1"'...
ChatBot < 4.2.9 - Unauthenticated Settings Reset
The plugin does not have authorisation and CSRF checks when reseting its settings via an AJAX action available to unauthenticated users, which could allow unauthenticated attackers to reset the plugin's settings https://example.com/wp-admin/admin-ajax.php?action=qcldwbchatbootdeletealloptions...
CPO Companion < 1.1.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...