Gallery by BestWebSoft < 4.7.0 - Author+ Stored Cross-Site Scripting
The plugin does not perform proper sanitization of gallery information, leading to a Stored Cross-Site Scripting vulnerability. The attacker must have at least the privileges of the Author role. 1. Go to Galleries Add New. 2. Click "Add Media" and choose or upload an image. 3. When publishing or...
iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin
The plugin does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated user, such as a subscriber, can grant themselves any privileges, such as editplugins, etc. Run the...
Evaluate <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed (for example, in a multisite setup). 1. Go to Settings » Evaluate » Add New. 2. Add...
Rock Convert < 2.6.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting issue. On a page where the "Capture box | Rock Convert" widget is present, append ?"alert/XSS/, e.g:...
Translation Exchange <= 1.0.14 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the Project Key text field found in the plugin's settings. 1. Click on Use on translation exchange connector. 2. In Basic Settings, insert the following payload in the Project Key text field: "alert55 3. Click Save Changes...
IP2Location Country Blocker < 2.26.5 - Ban Bypass
The plugin's bans can be bypassed by using a specific parameter in the URL: https://example.com/?admin-ajax=hehe...
Learning Courses < 5.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Email PDT identity token setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Visit the Paypal Setting under the Learning plugin and enter the XSS payload " in Email PDT...
Business Directory <= 1.2.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
This theme does not sanitise its search input, leading to a Reflected XSS issue when it is output back in the search result page. Note WPScanTeam: The theme has been removed from the WordPress marketplace listing on March 22nd, 2021. The PoC will be displayed once the issue has been remediated...
Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)
The Underconstruction plugin admin configuration is vulnerable to stored XSS issues which will be triggered in the main page of the site, even when unfilteredhtml is disabled. Edit WPScanTeam: A fix was attempted in v3.80, but was insufficient. In the meantime, more fields were found to be...
Good LMS < 2.1.5 - Unauthenticated SQL Injection
The Good LMS WordPress plugin was vulnerable to Unauthenticated SQL Injection in the 'id' parameter of its gdlrlmscancelbooking action. POST /wp-admin/admin-ajax.php HTTP/1.1 action=gdlrlmscancelbooking&id=SELECT 1337 FROM SELECTSLEEP10MrMV...
GoToWP <= 5.1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. registermeeting type='" onmouseover="alert1...
Appointment Hour Booking < 1.3.73 - Unauthenticated iFrame Injection
The plugin does not sanitise and escape the email and general field parameters, which could allow unauthenticated users to perform an iFrame injection attack. As an unauthenticated user, submit a booking and put an iFrame payload in the email/general field parameter. The iFrame will be executed when a...
WP Hide <= 0.0.2 - Unauthenticated Settings Update
The plugin does not have authorisation and CSRF checks in place when updating the customwpadminslug setting, allowing unauthenticated attackers to update it with a crafted request: curl -X POST --data "customwpadminslug=attacker-value" https://example.com/wp-admin/admin-post.php Settings is...
Modula Image Gallery < 2.6.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting: https://example.com/wp-admin/edit.php?posttype=modula-gallery&page=modula-addons&a"alert/XSS/ Other URLs are affected...
WordPress Real Cookie Banner < 2.18.2 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting. When there is the notice about the updated template: https://example.com/wp-admin/index.php?a"alert/XSS/...
Tracked Tweets <= 0.2.9 - Stored Cross-Site Scripting via CSRF
The plugin does not have a CSRF check when updating its settings, and does not sanitise and escape them when outputting them back. This could allow attackers to make a logged-in admin update them to arbitrary values, including XSS payloads, via a CSRF attack ' /...
Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin, to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Go to Hummingbird's Settings Configs, edit the "Name and Description" and put the following...
WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect
The plugin contains a file, passthru.php, which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue: https://example.com/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://wpscan.com...
Mobile Events Manager < 1.4.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape various settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Payload used: alert/XSS/ - Put the payload in the TMEM Events Settings Events Event prefix field, then Creat...
Event Tickets < 5.2.2 - Open Redirect
The plugin does not validate the tribeticketsredirectto parameter before redirecting the user to the given value, leading to an arbitrary redirect issue: https://exampel.com/wp-admin/admin.php?page=wpajaxrsvp-form&tribeticketsredirectto=https://wpscan.com...
Download Manager < 3.1.22 - Plugin Settings Change via CSRF
The wpdmsettings AJAX action used the section POST parameter to call the associated settings handler methods dynamically. However, the pluginUpdate (section=plugin-update) and Privacy (section=privacy) handlers were missing CSRF checks. Furthermore, the Privacy function did not ensure that the options to be...
Time Sheets < 1.29.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed (for example in a multisite setup). 1. Login as Admin. 2. Go to...
Structured Content < 1.5.1 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Carousel, Slider, Gallery by WP Carousel < 2.5.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Visual CSS Style Editor < 7.5.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wyppagetype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue...
Code Snippets < 2.14.3 - Reflected Cross-Site Scripting
The plugin does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue...
Spreadsheet Integration < 3.6.0 - Reflected Cross-Site Scripting
The plugin does not sanitise or escape some parameters before outputting them back in the admin dashboard, leading to reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=wpgsi&action=edit&id=1%22%3E%3Cimg+src+onerror%3Dalert%28%2FXSS%2F%29%3E POST...
Total Upkeep by BoldGrid < 1.14.10 - Unauthenticated Backup Download
The plugin does not restrict access to a file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them. The filepath in /wp-content/plugins/boldgrid-backup/cron/restore-info.json reveals the internal path of the backup...
MDTF < 1.3.1 - Reflected XSS
The plugin does not sanitise and escape the taxname parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admin. Make a logged-in admin open...
New User Approve < 2.4.1 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting. With the Membership settings (/wp-admin/options-general.php) disabled: https://example.com/wp-admin/index.php?a"alert/XSS/...
Coru LFMember <= 1.0.2 - Arbitrary Game Deletion/Activation via CSRF
The plugin does not have CSRF checks in place when deleting and activating games, which could allow attackers to make a logged-in admin perform such actions...
WooCommerce – Store Exporter < 2.7.1 - Reflected Cross-Site Scripting (XSS)
The plugin was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the wooce admin page: http://127.0.0.1:8001/wp-admin/admin.php?page=wooce&failed=1&message=%3Cscript%3Ealert1;%3C/script%3E...
WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting
The plugin does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting...
MapifyLite < 4.0.0 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the Image URL either in the settings or in a location, allowing editor+ users to use a malicious payload, leading to Stored Cross-Site Scripting issues. Notes WPScanTeam: - The vendor has been notified on March 24th, 2021 - The pro version is very likely to be...
Limit Login Attempts Reloaded < 2.16.0 - Authenticated Reflected Cross-Site Scripting
The plugin does not properly sanitise user input in its options page, which could allow attackers to perform XSS attacks against logged-in administrators by making them open a malicious URL. The issue was partially fixed in 2.15.1, and fully remediated in 2.16.0...
Pricing Tables For WPBakery Page Builder < 3.0 - Subscriber+ LFI
The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated user, such as a subscriber, to perform LFI attacks. Run the below command in the developer console of the web browser while being on the blog as a...
StaffList < 3.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in various places in an admin page, leading to a Reflected Cross-Site Scripting issue. v 3.1.7 - https://example.com/wp-admin/admin.php?page=stafflist&search=aa' style=animation-name:rotation onanimationstart=alert/XSS///...
Tracked Tweets <= 0.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting issue. All parameters from the settings page are affected ' /...
Menubar < 5.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action, which is available to any authenticated user, leading to a Reflected Cross-Site Scripting issue " /...
Page Security & Membership <= 1.5.15 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Force Public Pages" setting of the plugin...
Custom Dashboard & Login Page < 7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Note: v6.9.5 made the settings only available to admins with the unfilteredhtml capability, however existing payloads were...
Controlled Admin Access < 1.5.6 - Improper Access Control to Privilege Escalation
The plugin did not properly restrict access when checking users with limited access, allowing them to query pages they should not be able to, which could lead to privilege escalation by creating a new administrator with full, unrestricted access to the blog. Created a temporary admin account via t...
GS Products Slider for WooCommerce < 1.5.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks: gswps theme='" onmouseover="alert1"...
Visualizer < 3.7.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting: https://example.com/wp-admin/admin-ajax.php?action=visualizer-edit-chart&library=yes&chart=6190&tab=visualizer&a"alert/XSS/...
WP Voting Contest <= 2.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the postid parameter before outputting it back in the response via the wpvcsocialshareicons AJAX action, which is available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue: alert/XSS/' /...
Download Monitor < 4.4.5 - Admin+ SQL Injection
The plugin does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue. There needs to be at least one log entry for the payload to trigger...
Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the Background Image field of its Stripe Checkout settings and the Logo field in its Email settings, leading to authenticated admin+ Stored XSS issues. Notes WPScanTeam: - The original reporter mentioned the issue being fixed in 2.10.2, but we could still trigger i...
SuperStoreFinder Plugins - Unauthenticated Arbitrary File Upload
The SuperStoreFinder premium WordPress plugins did not properly check file uploads: depending on the plugin, they only checked the mime type and/or the first extension of the file name. An attacker could set the Content-Type header to "Content-Type: text/csv", as well as use a double extension to...
Simple Giveaways < 2.45.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed (for example in a multisite setup). Login with an admin user and navigate to "Giveaways...
Real Testimonials < 2.6.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...