4359 matches found
404 to Start <= 1.6.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. In the settings of the plugin, ent...
WP CSV <= 1.8.0.0 - Reflected XSS via CSV Import
The plugin does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, and doe snot have CSRF checks in place as well, leading to a Reflected Cross-Site Scripting. Create a .txt file and the below line there: $ echo "alert/XSS/" Make a logged in admin impo...
Qe SEO Handyman <= 1.0 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11; Linux x8664; rv:91.0 Gecko/20100101...
Panda Pods Repeater Field < 1.5.4 - Reflected XSS
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a user having at least Contributor permission. 1. Install Pods plugin dependency - https://wordpress.org/plugins/pods 2. Install the...
Salat Times < 3.2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in any text field of Settings Salat Times: " Save, and the XSS will be...
My wpdb < 2.5 - Arbitrary SQL Query via CSRF
The plugin is missing CSRF check when running SQL queries, which could allow attacker to make a logged in admin run arbitrary SQL query via a CSRF attack document.getElementById"test".submit;...
eCommerce Product Catalog Plugin for WordPress < 3.0.72 - Reflected XSS
The plugin does not sanitise and escape some parameter before outputting them back in attributes and JS code in admin dashboards, leading to Reflected Cross-Site Scripting Make a logged in admin open one of the URLs below...
Rock Convert < 2.11.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Go to the plugin's settings Popup tab, click on "C...
Books & Papers <= 0.20210223 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Custom DB Prefix settings of the plugin: BooksnPapers" style=animation-name:rotati...
Text Hover < 4.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, put the following in the plugin's settings: test = "alert/XSS/ Tick the "Enable text hover in...
Loco Translate < 2.6.1 - Authenticated Stored Cross-Site Scripting
The plugin does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin Translator and Administrator by default to add arbitrary javascript payloads to the source...
hub2word <= 1.1.0 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF checks in its Hub2Wordsavesettings AJAX action, and does not validate the option key to be updated. As a result, any authenticated user, such as subscriber could update arbitrary WordPress options POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Embed Swagger <= 1.0.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the /swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0...
RSVP and Event Management < 2.7.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in admin pages, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=rsvp-top-level&s="alert/XSS-s/&pagesize="alert/XSS-pagesize/...
XootiX Plugins - Various Versions CSRF to Arbitrary Options Update
The plugins Login/Signup Popup, Side Cart Woocommerce, and Waitlist Woocommerce are all vulnerable to cross-site request forgery due to a missing nonce check that would make it possible for attackers to update arbitrary options on a vulnerable WordPress site...
Contact Form & Lead Form Elementor Builder < 1.7.0 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/Edit a form and put the following payload in a Filed Name or Default...
Related Posts for WordPress < 2.0.5 - Authenticated Stored XSS & XFS
The plugin does not sanitise its headingtext and css settings, allowing high privilege users admin to set XSS payloads in them, leading to Stored Cross-Site Scripting issues. Payloads: $ m0ze"div x PoC 1 | Authenticated Persistent XSS & XFS | Heading text: ! POST /wp-admin/options.php HTTP/2 Host...
WP24 Domain Check < 1.6.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin version 1.6.2 and possibly below, was vulnerable to Stored Cross-Site Scripting XSS in the plugin's fieldnameDomain settings parameter. The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability. In the plugin's advanced settings...
Chopslider <= 3.4 - Unauthenticated Blind SQL Injection
The id parameter of the getscript/index.php page is not sanitised when used in a SQL statement, leading to an unauthenticated blind SQL Injection issue. Vendor was contacted by researcher, on March 3rd, 2020 but no reply was received. The PoC will be displayed once the issue has been remediated...
User Role by BestWebSoft < 1.6.7 - Privilege Escalation via CSRF
The plugin does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role. Make a logged in admin open a page with the code below. Then, log in as a subscriber and see that you have full admin access...
WordPrezi < 0.9 - Contributor+ Strored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks prezi url="https://prezi.com/'...
Jeeng Push Notifications < 2.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "Account ID"...
Video Thumbnails <= 2.12.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Put the following payload in the "Custom Field...
WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS
The plugin does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well. Run the below command in...
JReviews <= 4.1.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting https://example.com/top-user-rated-listings?listview=2&q%22%3e%3cscript%3ealert1%3c%2fscript%3e=1...
ULeak Security & Monitoring <= 1.2.3 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings ...
Advanced Booking Calendar < 1.7.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue...
Link Library < 7.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the settingscopy parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...
WP Post Page Clone < 1.2 - Unauthorised Post Access
The plugin allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally. Go to All Posts, find the post to clone, click "Click to Clone" then edit the cloned post to see its content...
Backup and Staging by WP Time Capsule < 1.22.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting Once the "Server Requirements" are passed in the initial setup process you can bypass the check for localhosts by editing the islocalhost function in...
Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)
The includes/mc-getlists.php file used the 'apiKey' POST parameter to create an https URL from it without sanitisation and called it with cURL, leading to a SSRF issue. The issue is exploitable via direct access to the affected file, and ucmmmcapi AJAX call available to both authenticated and...
WP Paginate < 2.1.4 - Authenticated Stored Cross-Site Scripting (XSS)
The WP Paginate WordPress plugin, version 2.1.3 and possibly below, was vulnerable to Stored Cross-Site Scripting XSS in the plugin's preset settings parameter. The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability. POST...
Themify Shortcodes < 2.0.8 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Exploit shortcode: themifybutton color='red" onmouseover="alert1"'XSS/themifybutton...
Post Status Notifier Lite < 1.10.1 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high privilege users such as admin. Make a logged in high privilege user such as admin open the URL below...
Contest Gallery < 19.1.5.1 - Author+ SQL Injection
The plugins do not escape the cgid POST parameter before concatenating it to an SQL query in 0change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php?page=/index.php&editgallery=1&wpmad...
Grid Kit Premium <= 1.8.53 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputting them back in attributes, leading to a Reflected Cross-Site Scripting. PS: The original advisory mentions the issue being in photo-gallery, however it is not the case. On a page where there is a gallery embed, append a'-alert/XSS///=1 e.g...
Role Based Pricing for WooCommerce < 1.6.2 - Subscriber+ Arbitrary File Upload
The plugin does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP As a subscriber, open the HTML code below while being logged in as a subscriber, then choose a file to...
Birthdays Widget <= 1.7.18 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed As admin, create/edit a Birthday and add the following payload in the Name field:...
SupportCandy < 2.2.7 - Arbitrary Ticket Deletion via CSRF
The plugin does not have CRSF check in its wpsctickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction...
WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint
The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which failed to include a permissioncallbac...
Product GTIN (EAN, UPC, ISBN) for WooCommerce <= 1.1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. wpmproductgtin id='1' wrapper='div...
Clean Login < 1.13.7 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Note: 1. Firs...
Fancier Author Box by ThematoSoup <= 1.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Open the setting page of this plugin. 2. There...
Find and Replace All < 1.3 - Reflected Cross Site Scripting
The plugin does not sanitize and escape some parameters from its setting page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue...
eCommerce Product Catalog Plugin for WordPress < 3.0.72 - Reflected XSS via AJAX
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to any authenticated users, such as subscriber, leading to a Reflected Cross-Site Scripting Make a logged in user open a page containing the HTML code below alert/XSS/"...
404 to 301 < 3.1.2 - Reflected Cross-Site Scripting
Description The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=jj4t3-logs&a"alert/XSS/...
Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
The plugin does not have authorisation and CSRF checks in the wptadminupdatenoticeoption AJAX action available to both unauthenticated and authenticated users, as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or o...
Noptin < 1.6.5 - Open Redirect
The plugin does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue https://example.com/?noptinns=emailclick&to=https://wpscan.com...
Link Library < 7.2.8 - Library Settings Reset via CSRF
The plugin does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack https://example.com/wp-admin/admin.php?page=link-library-settingssets&settings=1&reset=1...
Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE
The plugin does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE. POST /addalisting/ HTTP/1.1...