Woocommerce Customers Manager < 26.5 - Arbitrary Account Creation/Update by Low Privilege Users
The uploadcsv AJAX action, available to authenticated users, did not have proper capability checks, allowing any authenticated user, such as a subscriber, to call it and import arbitrary users. They could either update their own account to make themselves an administrator, or create new...
NextScripts: Social Networks Auto-Poster < 4.3.25 - Arbitrary Post Deletion via CSRF
The plugin does not have a CSRF check in place when deleting items, allowing attackers to make a logged-in admin delete arbitrary posts via a CSRF attack: https://example.com/wp-admin/admin.php?page=nxssnap-reposter&item=1&action=delete...
AddToAny Share Buttons < 1.7.48 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Image URL button setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Add the following payload in the Universal Button Image URL setting: " onerror=alert(/XSS/) " The XSS...
uListing < 2.0.6 - Unauthenticated Privilege Escalation
An Unauthenticated Privilege Escalation vulnerability was discovered in the uListing plugin through v2.0.5 for WordPress. User registration must be allowed on the target website. PoC request: POST /wp-admin/admin-ajax.php?action=stmlistingregister HTTP/2...
Maintenance < 4.03 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed; the payloads are triggered on the frontend. POST /wp-admin/admin.php?page=maintenance HTTP/1.1...
Ivory Search < 4.5.11 - Authenticated Reflected Cross-Site Scripting (XSS)
The settings page of Ivory Search 4.5.10 is vulnerable to reflected XSS when a logged-in administrator visits a malicious link or page, as it does not sanitise or escape the post GET parameter before outputting it in a tag attribute. As an admin user, open:...
Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi
The plugin does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injection. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure
The plugin does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated attackers to perform SQL injection attacks, as well as obtain the list of all users...
WPFront Scroll Top < 2.0.6.07225 - Authenticated Stored XSS
The plugin does not sanitise or escape its Image ALT setting before outputting it in attributes, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. Put one of the payloads below in the Image ALT setting of the plugin: The XSS will...
Dflip Lite < 1.7.10 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks: dflip class='"...
Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
The plugin allows SVG files to be uploaded by default via the dndcodedropzupload AJAX action, which could lead to a Stored Cross-Site Scripting issue. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip,...
Accordion < 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue. v2.2.29: https://example.com/wp-admin/edit.php?post_type=accordions&page=settings&tab=a%22%3E%3Csvg%2Fonload%3Dalert%28123%29%3B%2F%2F%3E%3C%22 v...
Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Make a logged-in admin open a page containing the HTML code below: <input type="text" name="ip11" value="...
Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
The plugin does not sanitise and escape the month parameter before using it in a SQL statement via the getmonthlytimetable AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Cooked Pro < 1.7.5.6 - Unauthenticated Reflected Cross Site Scripting (XSS)
The plugin was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute. https://cooked.pro/demo/trial/5snjx6louabhdpg/profile/?t8osi%22%3e%3cscript%3ealert1%3c%2fscript%3edr7ag=1...
Sign-up Sheets < 1.0.14 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in the admin dashboard. As admin, add a new...
AdminPad < 2.2 - Note Update via CSRF
The plugin does not have a CSRF check when updating an admin's note, allowing attackers to make a logged-in admin update their notes via a CSRF attack. Notes are displayed in the Dashboard (/wp-admin/index.php)...
MAZ Loader < 1.3.3 - Contributor+ SQL Injection
The plugin does not validate or escape the loaderid parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection. As a user with a role as low as Contributor, put the following shortcode in a page/post and view/preview it to get the login...
Shared Files < 1.6.57 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. Put the following payload in the "Folder for new files" and "Maximum size of uploaded file" settings of the plugin: "alert(/XSS/)...
Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS
The plugin allows users with the Contributor role to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design, like the su_button shortcode's onclick attribute...
WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access
The plugin does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones. Open the below URL as an...
GetPaid < 2.3.4 - Authenticated Stored XSS
In the plugin, users with the Contributor role and above can create a new Payment Form; however, the Label and Help Text input fields were not sanitized properly, so it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is...
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
The plugin contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42 and not deletin...
Simple Bitcoin Faucets <= 1.7.0 - Unauthorised AJAX Call to Stored XSS
The plugin does not have any authorisation or CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues. Open a page...
WP Ultimate CSV Importer < 6.4.2 - Subscriber+ Arbitrary Option Deletion
The plugin does not have authorisation and CSRF checks when deleting options via the disablemainmode AJAX action, and does not ensure that the option to be deleted belongs to the plugin. As a result, any authenticated user, such as a subscriber, could delete arbitrary options from the blog. POST...
Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting
The plugin lacks any capability and CSRF check when saving its settings, allowing any authenticated user, such as a subscriber, to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in al...
Comic Book Management System < 2.2.0 - Admin+ SQLi
The plugin does not sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. https://example.com/wp-admin/admin.php?page=cbmsweeklypicksadmin&action=updatepicks&id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(3)))hlAf) POST...
Generate PDF using Contact Form 7 < 3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 1 - Install and activate "Generate PDF using Contact Form 7 Version 3.5" 2 - Click on "Contact - Add new...
LBStopAttack < 1.1.3 - Arbitrary Settings Update via CSRF
The plugin does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections. document.getElementById("test").submit();...
CF Geo Plugin < 7.13.12 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in admin pages, leading to a Reflected Cross-Site Scripting issue. POST /wp-admin/admin.php?page=cf-geoplugin-activate HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language...
miniOrange Discord Integration < 2.1.6 - Subscriber+ App Disabling
The plugin does not have authorisation or CSRF checks in some of its AJAX actions, allowing any logged-in user, such as a subscriber, to call them and, for example, disable the app. Run the command below in the developer console of the web browser while on the blog as any user, such as a subscriber...
MX Time Zone Clocks < 3.4.1 - Contributor+ Cross-Site Scripting
The plugin does not escape the timezone attribute of the mxmtzctimezoneclocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks: mxmtzctimezoneclocks timezone='"+alertXSS-timezone+"'...
Cookie Notice & Consent Banner for GDPR & CCPA Compliance < 1.7.2 - Authenticated Stored XSS
The plugin does not properly sanitize inputs to prevent injection of arbitrary HTML within the plugin's design customization options. Go to the plugin's Customize Design page and open the "Wizard menu". Now scroll down and you will find an "Info Text" field where you can inject an XSS payload lik...
WP SMS < 5.4.9.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape some of its parameters before outputting them back in the pages, leading to reflected Cross-Site Scripting issues which will be executed in the context of a logged-in admin. alert(/XSS/)' / alert(/XSS/)' / alert(/XSS/)' /...
Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the "Default Skin" field. Step 1: Install and activate the plugin. Step 2: Go to the plugin settings. Step 3: Enter the following payload in the "Default Skin" field: xss"alert1input type='text'...
OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error
The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration...
Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputting it in an <a> tag, leading to a reflected XSS issue. Payloads: - Original reporter:...
Coupon Affiliates for WooCommerce < 4.11.0.2 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter in its Referral Visits dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. alert(/XSS/)' /...
FluentSMTP < 2.0.1 - Authenticated Stored XSS
The plugin does not sanitize parameters before storing the settings in the database, nor does it escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored Cross-Site Scripting (XSS) vulnerability. Only users with roles capable of managin...
HD Quiz < 1.8.4 - Authenticated Stored XSS
The plugin does not escape some of its Answers before outputting them in an attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues. Create or edit a Quiz, and put the following payload as an Answer of a "Multiple Choice: Text" Question: " autofocus...
UsersWP < 1.2.3.1 - Subscriber+ User Avatar Override
The plugin is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged-in user to overwrite another user's avatar. - Right-click the thumbnail of another user and copy the image URL. It will be something like:...
Recipe Card Blocks < 2.8.1 - Reflected Cross-Site Scripting
The plugin does not escape the message parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/index.php?slactivation=false&message=%3Cscript%3Ealertorigin%3C%2Fscript%3E...
tagDiv Composer < 3.5 - Unauthenticated Account Takeover
The plugin, required by the themes, does not properly implement the Facebook login feature, allowing unauthenticated attackers to log in as any user just by knowing their email address. Run the command below in the developer console of the web browser while on the blog as an...
Restaurant Menu by MotoPress < 2.4.2 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Click on "Add New" under Restaurant Menu Plugin. Give any random title like...
Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
The plugin did not sanitise the mecpostid POST parameter in the mecfesform AJAX action when logged in as an Author+, leading to an authenticated SQL Injection issue. If the Frontend Event Submission form is embedded in a public page, then it could allow any authenticated user, such as a subscriber, to...
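The Zephyr Project Manager, Contest Gallery, Daily Prayer Time, MAZ Loader, Comic Book Management System and Modern Events Calendar Lite entries above all describe one defect: a request or shortcode parameter concatenated into a SQL string. The block below is an added example, not code from any of those plugins or from WPScan, showing that shape next to the parameterised one built on $wpdb->prepare(). The table names, the shortcode tag, the AJAX action name and the "ex_" prefix are hypothetical.

```php
<?php
// Added example, not code from any plugin on this page. Table names, the
// shortcode tag, the AJAX action and the "ex_" prefix are hypothetical.

// Vulnerable shape: the shortcode attribute is interpolated into the query,
// so [ex_loader loaderid="0 UNION SELECT user_pass FROM wp_users"] runs as
// written. Contributors can place shortcodes in their own drafts and preview
// them, which is why these are "Contributor+" issues.
function ex_loader_vulnerable( $atts ) {
    global $wpdb;
    $a   = shortcode_atts( array( 'loaderid' => '' ), $atts, 'ex_loader' );
    $row = $wpdb->get_row( "SELECT name FROM {$wpdb->prefix}ex_loaders WHERE id = {$a['loaderid']}" );
    return $row ? $row->name : '';
}

// Hardened: coerce what must be numeric, bind what must be a string, and
// escape on output as well, since the result is written into HTML.
function ex_loader_hardened( $atts ) {
    global $wpdb;
    $a  = shortcode_atts( array( 'loaderid' => 0 ), $atts, 'ex_loader' );
    $id = absint( $a['loaderid'] );   // "1 UNION ..." becomes 1, "abc" becomes 0
    if ( 0 === $id ) {
        return '';
    }
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT name FROM {$wpdb->prefix}ex_loaders WHERE id = %d",
        $id
    ) );
    return $row ? esc_html( $row->name ) : '';
}
add_shortcode( 'ex_loader', 'ex_loader_hardened' );

// AJAX variant for the unauthenticated "month"-style parameters. %d binds an
// integer, %s a quoted string; a LIKE pattern additionally needs esc_like(),
// otherwise a user-supplied % or _ acts as a wildcard.
add_action( 'wp_ajax_nopriv_ex_timetable', 'ex_timetable' );
add_action( 'wp_ajax_ex_timetable', 'ex_timetable' );
function ex_timetable() {
    global $wpdb;

    $month = absint( $_POST['month'] ?? 0 );
    if ( $month < 1 || $month > 12 ) {
        wp_send_json_error( 'month must be 1-12', 400 );
    }
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );

    // Identifiers cannot be bound as values: ORDER BY '%s' sorts by a constant.
    // Allowlist them instead (WordPress 6.2+ also offers the %i placeholder).
    $orderby = $_POST['orderby'] ?? 'day';
    if ( ! in_array( $orderby, array( 'day', 'fajr', 'dhuhr' ), true ) ) {
        $orderby = 'day';
    }

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT day, fajr, dhuhr FROM {$wpdb->prefix}ex_timetable
          WHERE month = %d AND name LIKE %s
          ORDER BY $orderby",
        $month,
        '%' . $wpdb->esc_like( $name ) . '%'
    ) );
    wp_send_json_success( $rows );
}
```

The point of the time-based payload in the Comic Book Management System entry is that the query still returns the same rows: with no output difference to observe, an interpolated parameter is found by timing. prepare() removes the class of bug rather than the one payload, which is why the example binds every value rather than filtering for SLEEP.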
3DPrint < 3.5.6.9 - Arbitrary File and Directory Deletion via CSRF
The plugin does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will delete any number of files or directories on the target server by tricking a logged-in admin into...
Donate With QRCode < 1.4.5 - Stored Cross-Site Scripting
The plugin does not sanitise or escape its QRCode Image setting, which results in a Stored Cross-Site Scripting (XSS) issue. Furthermore, the plugin also does not have any CSRF or capability checks in place when saving this setting, allowing any authenticated user as low as a subscriber, or unauthenticat...
ShareThis Dashboard for Google Analytics < 2.5.2 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the 'gaaction' parameter in the stats view before outputting it back in an attribute when the plugin is connected to a Google Analytics account, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in...
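Most of the XSS entries above (AddToAny, WPFront Scroll Top, Dflip Lite, Accordion, Ivory Search, Shortcodes Ultimate, MX Time Zone Clocks, HD Quiz, Coupon Affiliates, Recipe Card Blocks, ShareThis, among others) share a root cause: a shortcode attribute, a saved setting or a GET parameter is written into an HTML attribute without context-specific escaping. The block below is an added example, not code from any of those plugins or from WPScan, showing the vulnerable shortcode shape and the escaping chosen per output context, plus why an onclick-style attribute cannot be fixed by escaping at all. The shortcode tags, option names and "ex_" prefix are hypothetical.

```php
<?php
// Added example, not code from any plugin on this page. Shortcode tags,
// option names and the "ex_" prefix are hypothetical.

// Vulnerable shape: a shortcode attribute lands unescaped inside an HTML
// attribute, so [ex_clock class='"><svg onload=alert(1)>'] closes the class
// attribute and the tag. Shortcodes are available to Contributors.
function ex_clock_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'class' => '', 'timezone' => 'UTC' ), $atts, 'ex_clock' );
    return '<div class="' . $a['class'] . '" data-tz="' . $a['timezone'] . '">' . $a['timezone'] . '</div>';
}

// Hardened: one escaping function per context. esc_attr() encodes " ' < > &,
// so the value can no longer terminate the attribute it sits in.
function ex_clock_hardened( $atts ) {
    $a = shortcode_atts( array( 'class' => '', 'timezone' => 'UTC' ), $atts, 'ex_clock' );
    return sprintf(
        '<div class="%s" data-tz="%s">%s</div>',
        esc_attr( $a['class'] ),
        esc_attr( $a['timezone'] ),
        esc_html( $a['timezone'] )   // text node, not attribute: esc_html()
    );
}
add_shortcode( 'ex_clock', 'ex_clock_hardened' );

// Reflected case: a GET parameter ("tab", "page", "message") echoed into an
// admin page. Validate it against the values that make sense, then escape.
function ex_render_tabs() {
    $tab = sanitize_key( wp_unslash( $_GET['tab'] ?? 'general' ) );   // [a-z0-9_-] only
    if ( ! in_array( $tab, array( 'general', 'advanced' ), true ) ) {
        $tab = 'general';
    }
    printf(
        '<a class="nav-tab" href="%s">%s</a>',
        esc_url( add_query_arg( 'tab', $tab ) ),
        esc_html( ucfirst( $tab ) )
    );
}

// Stored case: sanitise on save AND escape on output. The sanitize_callback
// runs for every writer, so an admin without unfiltered_html (multisite, or
// DISALLOW_UNFILTERED_HTML set) cannot store markup through the setting.
add_action( 'admin_init', function () {
    register_setting( 'ex_settings', 'ex_image_url', array(
        'type'              => 'string',
        'sanitize_callback' => 'esc_url_raw',           // keeps only a valid URL
    ) );
    register_setting( 'ex_settings', 'ex_image_alt', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',   // strips tags and control chars
    ) );
} );
function ex_render_image_button() {
    printf(
        '<img src="%s" alt="%s">',
        esc_url( get_option( 'ex_image_url', '' ) ),    // URL context; drops javascript: URLs
        esc_attr( get_option( 'ex_image_alt', '' ) )    // attribute context
    );
}

// Some attributes are unsafe by design: a user-controlled onclick is script
// whatever escaping is applied to it. Drop it instead of escaping it.
function ex_button( $atts ) {
    $a = shortcode_atts( array( 'label' => 'Go', 'onclick' => '' ), $atts, 'ex_button' );
    return '<button type="button">' . esc_html( $a['label'] ) . '</button>';   // onclick ignored
}
add_shortcode( 'ex_button', 'ex_button' );
```

The "even when the unfiltered_html capability is disallowed" wording in several entries is the reason the stored case sanitises on save rather than trusting the writer's role: once that capability is removed, an administrator is no longer supposed to be able to store script, so a setting that accepts raw markup is a bypass of a site-level policy, not merely a self-XSS.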
3dady Real Time Web Stats <= 1.0 - Stored Cross-Site Scripting via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of escaping, it could also lead to a Stored Cross-Site Scripting issue. Make a logged-in admin open a...
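The missing-authorisation entries (Woocommerce Customers Manager, Simple Bitcoin Faucets, WP Ultimate CSV Importer, Easy Cookie Policy, miniOrange Discord Integration), the CSRF entries (NextScripts, Login Block IPs, AdminPad, LBStopAttack, 3DPrint, 3dady) and the WP FullCalendar arbitrary post access entry are three different checks that a WordPress handler needs. The block below is an added example, not code from any of those plugins or from WPScan, showing a vulnerable admin-ajax handler next to one with a capability check, a nonce and an object-scope allowlist, an object-level visibility check for post retrieval, and the nonce round trip for a settings form. The action names, option names, script handle, meta key and "ex_" prefix are hypothetical; is_post_publicly_viewable() assumes WordPress 5.7 or later.

```php
<?php
// Added example, not code from any plugin on this page. Action names, option
// names, the script handle and the "ex_" prefix are hypothetical.

// Vulnerable shape, as in the option-deletion and "disable the app" entries:
// registered for logged-in users only, but with no capability check, no nonce,
// and no check that the option belongs to the plugin. Any subscriber can call
// it, and a CSRF page can make an admin call it.
add_action( 'wp_ajax_ex_delete_option', 'ex_delete_option_vulnerable' );
function ex_delete_option_vulnerable() {
    delete_option( $_POST['option'] );
    wp_send_json_success();
}

// Hardened. The capability answers "may this user do this at all", the nonce
// answers "did this request originate from a page we rendered for this user",
// and the allowlist answers "is this object within the plugin's scope".
add_action( 'wp_ajax_ex_delete_option_v2', 'ex_delete_option_hardened' );
function ex_delete_option_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'ex_delete_option', 'nonce' );     // dies with -1 on failure

    $allowed = array( 'ex_main_mode', 'ex_import_cache' );
    $option  = sanitize_key( wp_unslash( $_POST['option'] ?? '' ) );
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'not a plugin option', 400 );
    }
    delete_option( $option );
    wp_send_json_success();
}

// The nonce is created server-side and handed to the admin page's script,
// which sends it back as the "nonce" field. 'ex-admin' is assumed registered.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'ex-admin', 'exAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ex_delete_option' ),
    ) );
} );

// Object-level check for the "arbitrary post access" entry: a post ID chosen
// by the caller is not enough, the post must be visible to this caller.
add_action( 'wp_ajax_nopriv_ex_get_post', 'ex_get_post' );
add_action( 'wp_ajax_ex_get_post', 'ex_get_post' );
function ex_get_post() {
    $post = get_post( absint( $_GET['id'] ?? 0 ) );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Drafts and private posts need public visibility or an explicit read_post cap.
    if ( ! is_post_publicly_viewable( $post ) && ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( post_password_required( $post ) ) {               // password-protected posts
        wp_send_json_error( 'password required', 403 );
    }
    wp_send_json_success( array( 'content' => apply_filters( 'the_content', $post->post_content ) ) );
}

// Settings form: wp_nonce_field() on the way out, check_admin_referer() on the
// way back. A form without the hidden nonce field is the CSRF condition in the
// settings-update entries above.
function ex_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'ex_save_settings', 'ex_nonce' );
    echo '<input type="hidden" name="action" value="ex_save_settings">';
    echo '<input type="text" name="ex_banner" value="' . esc_attr( get_option( 'ex_banner', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
add_action( 'admin_post_ex_save_settings', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ex_save_settings', 'ex_nonce' );   // dies on failure
    update_option( 'ex_banner', sanitize_text_field( wp_unslash( $_POST['ex_banner'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ex-settings&updated=1' ) );
    exit;
} );
```

A nonce is not authorisation: a subscriber who can load any page that embeds the nonce passes check_ajax_referer(), so the capability check is what stops the Subscriber+ cases, while the nonce is what stops a CSRF page from driving an admin's browser. The Easy Cookie Policy entry makes the same point from the other side: when registration is closed, the missing nonce still leaves the handler reachable through the admin.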
Membership For WooCommerce < 2.1.7 - Unauthenticated Arbitrary File Upload
The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE. 1. Install and activate the WooCommerce dependency (no setup required) 2. Create a local file containing the payload at /tmp/payload.php 3. Execu...
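The Drag and Drop Multiple File Upload (SVG accepted by default), UsersWP (avatar file name chosen by the client, not unique) and Membership For WooCommerce (no validation at all, unauthenticated) entries are three failures of the same upload handler. The block below is an added example, not code from any of those plugins or from WPScan, showing an upload handler that rejects unauthenticated callers, allowlists raster image types only, checks the file's bytes against its extension, and names the stored file from the requester rather than the request. The action name, meta key and "ex_" prefix are hypothetical; the content check relies on WordPress having the fileinfo extension available.

```php
<?php
// Added example, not code from any plugin on this page. The action name, the
// meta key and the "ex_" prefix are hypothetical.

// Registered for logged-in users only (no wp_ajax_nopriv_ hook), so the
// unauthenticated upload path in the last entry never reaches this code.
add_action( 'wp_ajax_ex_upload_avatar', 'ex_upload_avatar' );
function ex_upload_avatar() {
    check_ajax_referer( 'ex_upload_avatar', 'nonce' );

    if ( empty( $_FILES['avatar'] ) || UPLOAD_ERR_OK !== $_FILES['avatar']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['avatar'];

    // Allowlist of raster images only. SVG is deliberately absent: it is an
    // XML document that may carry <script>, so a site that serves it inline
    // has a stored XSS (the Drag and Drop Multiple File Upload entry).
    $mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Checks the extension against the allowlist AND sniffs the bytes, so
    // payload.php renamed to payload.jpg is rejected when content and
    // extension disagree; the client-supplied Content-Type is never consulted.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( $file['size'] > 2 * MB_IN_BYTES ) {
        wp_send_json_error( 'file too large', 413 );
    }

    // The stored name is derived from the requester and randomised, never taken
    // from the request, so one user cannot target another user's file (the
    // UsersWP entry); wp_handle_upload() still de-duplicates via wp_unique_filename().
    $user_id      = get_current_user_id();
    $file['name'] = sprintf( 'avatar-%d-%s.%s', $user_id, wp_generate_password( 12, false ), $check['ext'] );

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    // test_form is false because the request is not a classic form post with
    // action=wp_handle_upload; the 'mimes' override re-applies the allowlist.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // Bind the result to the requester; no user_id parameter is accepted.
    update_user_meta( $user_id, 'ex_avatar_url', esc_url_raw( $result['url'] ) );
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The order matters for the avatar-overwrite case: the new name is computed after the type check, from the extension WordPress verified rather than the one the client sent, and the user ID comes from the session rather than a request field, which is the access control the UsersWP entry says was missing.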