WPBakery Page Builder < 6.4.1 - Authenticated Stored Cross-Site Scripting (XSS)
Wordfence discovered an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the WPBakery Page Builder WordPress plugin. The vulnerability could allow a low-privileged user, such as a contributor, to inject malicious JavaScript into posts. "Exploit Post", "content" =...
Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
The Cherry Plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in an attacker uploading backdoor shell scripts or downloading the wp-config.php file. Upload: The following file...
WooCommerce PDF Invoices & Packing Slips < 2.10.5 - Reflected Cross-Site Scripting
The plugin does not escape the tab and section parameters before outputting them back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard...
Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
All AJAX actions of the plugin are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs. v1.3.0 added CSRF checks, however authorisation was still missing and has been added in...
Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS
The plugin allowed any logged-in user, even a subscriber, to add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS. 1. Run the following JavaScript in the browser's web console as a subscriber user. 2. Authenticate in a separate browser as an admin...
Cost Calculator <= 1.4 - Contributor+ Local File Inclusion
The plugin allows users with a role as low as Contributor to perform path traversal and local PHP file inclusion on Windows web servers via the Cost Calculator post's Layout. As a contributor, create a Cost Calculator post, set the Layout to /../../../../../../../../../../file assuming the file to...
WPJobBoard < 5.7.0 - Unauthenticated SQL Injection
An Unauthenticated SQL Injection vulnerability was discovered in the WPJobBoard plugin v5.6.4 for WordPress. Vulnerable parameters: type, category. $ :: Payloads Boolean-based blind: /advanced-search/?query=4325&location=4325&type=7 AND 2392=SELECT CASE WHEN 2392=2392 THEN 2392 ELSE SELECT 8365...
Elementor Pro < 2.9.4 - Authenticated Arbitrary File Upload
According to Jerome Bruandet, from NintechNet, the vulnerability, currently exploited by attackers, allows any logged-in user to upload and execute PHP scripts on the blog. Chloe Chamberland from Wordfence also confirmed the issue and added that "This vulnerability is being used in conjunction wi...
Multivendor Marketplace Solution for WooCommerce < 3.8.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape user input before outputting it back in HTML attributes, leading to Reflected Cross-Site Scripting issues. https://example.com/wp-admin/admin.php?page=wcmp-setting-admin&tab=vendor'alert/XSS/...
BA Book Everything < 1.3.25 - Unauthenticated Reflected XSS & XFS
Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the BA Book Everything plugin v1.3.24 for WordPress. Vulnerable parameters: datefrom, dateto. $ :: Payloads: " " ! :: PoC:...
Nexos - Real Estate < 1.8 - Unauthenticated Reflected XSS & SQL Injection
Unauthenticated Reflected XSS and SQL Injection vulnerabilities were discovered in the «Nexos - Real Estate WordPress Theme», tested version — v1.7. June 17th, 2020 - Confirmed & Escalated to Envato. June 19th, 2020 - v1.8 released. Fixing the issues. PoC Unauthenticated Reflected XSS:...
Accordion < 2.2.9 - Unprotected AJAX Action to Stored/Reflected XSS
This flaw allowed any authenticated user with subscriber-level and above permissions to import a new accordion and inject malicious JavaScript as part of the accordion. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL Accept: / X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0...
The Official WordPress Facebook Chat Plugin < 1.6 - Authenticated Options Change to Chat Takeover
This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. Obtain PageID from a test Facebook Page found under page - about - pageID. Use this...
Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)
Genericons...
EasyJobs < 1.4.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the job-id parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-content/plugins/easyjobs/admin/partials/easyjobs-candidates-display.php?job-id=%22%3E%3Cimg/src/onerror=alert/XSS/%3E...
Extra Charges To Payment Gateway For WooCommerce <= 2.0.2.1 - Unauthorised Arbitrary Plugin Settings Change to Stored XSS
The addformfields method, hooked to the adminhead action, lacks any CSRF and capability checks, allowing low-privilege users to arbitrarily update those settings and to set XSS payloads in them as well, which could lead to privilege escalation. Unauthenticated users could also make a logged in us...
Autoptimize < 2.7.8 - Race Condition leading to RCE
The plugin attempts to remove potentially malicious files from the extracted archive uploaded via the 'Import Settings' feature; however, this is not sufficient to protect against RCE, as a race condition can be achieved between the moment the file is extracted on disk and the moment it is removed. It ...
Tajer - Unauthenticated Arbitrary File Upload
The tajer WordPress plugin was affected by an Unauthenticated Arbitrary File Upload security vulnerability. curl -F "[email protected]" http://www.example.com/wp-content/plugins/tajer/lib/jQuery-File-Upload-master/server/php/index.php Shell is uploaded to:...
Events Made Easy < 2.2.36 - Subscriber+ SQL Injection
The plugin does not sanitise and escape the searchtext parameter before using it in a SQL statement via the emesearchmail AJAX action, available to any authenticated user. As a result, users with a role as low as subscriber can call it and perform SQL injection attacks...
WP Travel Engine < 5.3.1 - Editor+ Stored Cross-Site Scripting
The plugin does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfilteredhtml capability is disallowed. As an editor or admin, add or...
WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option
The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available to unauthenticated users, they too are able to do this. See references for discussion of the issue. The problem is in the fil...
Helios Solutions Brand Logo Slider <= 2.1 - Authenticated Arbitrary File Upload
An authenticated user (admin+) can bypass the security check of the plugin and upload arbitrary files via the Brand Logo. The PoC will be displayed once the issue has been remediated...
W3 Total Cache <= 0.9.7.3 - Cross-Site Scripting (XSS)
The W3 Total Cache WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability. alert1"...
WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update
The plugin does not have proper authorisation and CSRF checks in most of its AJAX actions, which could allow any authenticated user, such as a subscriber, to delete arbitrary posts and update the plugin's settings. v1.8.1 added authorisation checks, however CSRF was still missing and a separate advisory h...
Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters, such as formid, status, enddate, order, orderby and search before outputting them back in the admin page...
Total Upkeep by BoldGrid < 1.14.10 - Sensitive Data Disclosure (Server IP Address, UID etc)
The plugin does not restrict access to a file containing sensitive information, such as the real server IP address, UID and so on, which may help attackers in further attacks. GET /wp-content/plugins/boldgrid-backup/cli/env-info.php ..., "phpuname":"Linux wordpress-server X.X.X-XX-generic XX-Ubun...
Comment Press < 2.7.2 - Unauthenticated Cross-Frame Scripting
An Unauthenticated Cross-Frame Scripting vulnerability was discovered in the Comment Press plugin v2.7.0 for WordPress. ! :: PoC Burp Suite: POST /wp-comments-post.php HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest...
Ninja Forms < 3.4.27.1 - CSRF leading to Arbitrary Plugin Installation
The plugin is affected by a Cross-Site Request Forgery (CSRF) which could allow attackers to make a logged-in administrator install an arbitrary plugin from the WordPress repository. http://example.com/wp-admin/admin-ajax.php?action=nfservicesinstall&plugin=wpscan&installpath=wpscan/wpscan.php...
File Manager < 6.5 - Backup File Directory Listing
The File Manager WordPress plugin could expose backup files if the web server had Directory Listing enabled. The File Manager WordPress plugin, version 6.4 and lower, failed to restrict external access to the fmbackups directory with a .htaccess file. This resulted in the ability for...
Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - Unprotected AJAX's leading to XSS
Nearly all of the AJAX action endpoints in this plugin failed to include permission checks, allowing these actions to be executed by anyone authenticated on the site. The greatest impact was the pagelayersavecontent function, which allowed pages to be modified and XSS to occur. $wpuser, 'pwd' =...
Multiple plugins - Unauthenticated Dompdf Local File Inclusion (LFI)
Multiple plugins were found to be vulnerable to the Dompdf unauthenticated Local File Inclusion LFI vulnerability CVE-2014-2383...
myGallery <= 1.4b4 - Unauthenticated File Inclusion
The MySliderGallery WordPress plugin was affected by an Unauthenticated File Inclusion security vulnerability. This vulnerability has been seen exploited in the wild with the following payload:...
Mitsol Social Post Feed <= 1.10 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them back in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Access Token User access...
PowerPack Addons for Elementor < 2.6.2 - Reflected Cross-Site Scripting
The plugin does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue...
CAOS < 4.1.9 - Admin+ Arbitrary Folder Deletion via Path Traversal
The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin. As admin, put the following payload in the "Cache directory for analytics.js" setting of the plugin: ../wp-includes, tic...
OMGF < 4.5.12 - Admin+ Arbitrary Folder Deletion via Path Traversal
The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin. As admin, put the following payload in the "Fonts Cache Directory" setting of the plugin: ../wp-includes, tick the "Remo...
Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation
The plugin registers one AJAX action intended for installing addon plugins from WordPress.org. The callback method to this action does not have a capability nor nonce check. This enables any logged in user to post a request to the endpoint and install, activate or deactivate any plugin. Since the...
InfiniteWP Client < 1.9.4.5 - Authentication Bypass
As per agreement between the researcher and developer, details will be released on January 14th. It is possible to login as any administrator on the site due to logical mistakes in the code. The issue resides in the function iwpmmbsetrequest which is located in the init.php file. This checks if t...
[0day] AIT CSV Import / Export <= 3.0.3 - Unauthenticated Arbitrary File Upload
The WPScan research team discovered, in our honeypot logs, an active exploitation attempt against a 0day vulnerability within the premium AIT CSV Import / Export WordPress plugin. The honeypot log showed a GET request to the following file:...
WP Maintenance <= 5.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
No nonce protection on form submissions leading to CSRF and no input/output sanitization allowing for XSS when CSRF is exploited. input type="hidden" name="wpmaintenancesocialop...
Security Audit <= 1.0.0 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Data ID setting of the plugin...
Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload
The plugin does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html...
JobSearch < 1.5.3 - Multiple Cross-Site Scripting Issues
An Unauthenticated Reflected and multiple Authenticated Persistent XSS vulnerabilities were discovered in the JobSearch plugin through 1.5.1 and 1.5.2 for WordPress. Authenticated Persistent XSS on the Candidate and Employer Profile pages. An Authenticated Persistent XSS @ Job Page will trigger on t...
Child Theme Generator <= 2.2.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the parade parameter before outputting it back, leading to a Reflected Cross-Site Scripting in the admin dashboard alert/XSS/;" / var form1 = document.getElementById'hack'; form1.submit;...
Meks Easy Photo Feed Widget < 1.2.4 - Subscriber+ Settings Update to Stored XSS
The plugin does not have capability and CSRF checks in the mekssavebusinessselectedaccount AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and put Cross-Site...
WooRockets Nitro <= 1.7.9 - Unauthenticated Arbitrary Plugin Installation
The theme does not have authorisation in some of its AJAX actions, and relied on CSRF checks for it. As one of the actions allowed nonces to be disclosed under a specific circumstance, unauthenticated users could then use them to install and activate arbitrary plugins via a zip file, as well as...
Custom Post Type UI < 1.7.4 - CSRF to Stored XSS
The Custom Post Type UI WordPress plugin was vulnerable to Cross-Site Request Forgery CSRF and Stored Cross-Site Scripting XSS within the "Import Post Types" functionality in the "Tools" tab. This functionality allows users to import "Post Types" from other websites, or from backup, as JSON. This...
Support Board - Chat And Help Desk | Support & Chat <= 1.2.8 Stored XSS
Info: Weak security measures, such as poor textarea data filtering, have been discovered in the «Support Board - Chat And Help Desk | Support & Chat». Demo Website: https://codecanyon.net/item/support-board-chat-and-help-desk/20752085 Backend: https://board.support/desk-demo/?login=true Login / Password...
CityBook < 2.3.4 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'CityBook - Directory & Listing WordPress Theme', tested version — v2.3.3: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - IDOR Edit WPScanTeam: December 27th, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January...
WP Statistic < 13.1.6 - Reflected Cross-Site Scripting
The plugin does not escape various generated links before outputting them back in attributes, leading to Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=wpsvisitorspage&"alert/XSS/ https://example.com/wp-admin/admin.php?page=wpsreferrerspage&"alert/XSS/...