4359 matches found
WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
The following payload placed in a page or post does not work in comments: TEST!!!caption width="1" caption='Click me...
Recall Products <= 0.8 - Authenticated SQL Injection
The Manufacturer POST parameter is vulnerable to SQL injection when submitting a deletion request. The PoC will be displayed once the issue has been remediated...
WP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting
There is a Stored Cross-Site Scripting (XSS) in WP-Live Chat by 3CX v8.1.9 within the Quick Response function. Due to the nature of this vulnerability, a malicious attacker with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload...
InJob < 3.4.1 - Authenticated Reflected Cross-Site Scripting (XSS)
An Authenticated subscriber+ Reflected XSS vulnerability was discovered in the InJob theme through 3.4.0 for WordPress. https://example.com/dashboard/?iwjtab=%22%3E%3Cimg%20src=x%20onerror=alertXSS;%3E...
Participants Database < 1.9.5.6 - Authenticated Time Based SQL Injection
Authenticated time-based SQL injection via the ascdesc, listfiltercount, and sortBy parameters. From the original advisory (see references): POST /wp-admin/admin.php?page=participants-database HTTP/1.1 Host: redacted....cause User-Agent: Mozilla/5.0 X11; Linux x8664; rv:68.0 Gecko/20100101...
Travel Booking < 2.7.8.6 - Reflected & Persistent XSS Issues
Reflected & Persistent XSS vulnerability was discovered in the 'Travel Booking WordPress Theme', tested version — v2.7.8.5 Edit WPScanTeam: January 11th, 2020 - Report received & Envato contacted January 12th, 2020 - Report updated with Reflected XSS, Envato notified again. January 12th, 2020 -...
Quiz And Survey Master < 6.2.2 - Authenticated Cross-Site Scripting (XSS)
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability. http://example.com/wp-admin/admin.php?page=mlwquizresults&quizid=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E...
Open Graph for Facebook, Google+ and Twitter Card Tags <= 2.2.4.1 - Unauthenticated Cross-Site Scripting (XSS)
The Open Graph and Twitter Card Tags WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability...
Erident Custom Login & Dashboard 3.4-3.4.1 - Stored Cross-Site Scripting (XSS)
The Erident Custom Login and Dashboard plugin exposes a call to the updateoption method when a specific POST field is posted to the plugin's settings screen. No CSRF token is used, and as such, if an administrative user can be tricked into visiting a site with a malicious form, it is possible to...
Photo Gallery <= 1.2.8 - Multiple Authenticated Reflected XSS
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by a Multiple Authenticated Reflected XSS security vulnerability. /wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=jpg,jpeg,png,gif&callback=bwgaddpreviewimage&sortby=name";alert1...
Import Legacy Media <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The last time it was checked the plugin was still affected and had been closed. http://www.example.com/wp-content/plugins/import–legacy–media/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E...
WP Floating Menu < 1.4.1 - Authenticated Reflected Cross-Site Scripting
The id GET parameter used by WP Floating Menu does not correctly sanitise user input before reflecting the parameter back to the user, resulting in a reflected XSS vulnerability. Other sanitisation has been added to prevent other XSS issues as well as potential SQL injections...
Geo Magazine <= 2.0 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Geo Magazine theme through 2.0 for WordPress. Edit WPScanTeam: July 27th, 2020 - Confirmed & Escalated to Envato July 28th, 2020 - Envato Investigating August 17th, 2020 - No updates, disclosing The PoC will be displayed once th...
WP-Pro-Quiz <= 0.37 - CSRF Leading to Arbitrary Quiz Deletion
Abusing this Cross-Site Request Forgery (CSRF) issue, an unauthenticated attacker could make a logged-in admin delete any quiz on a vulnerable website. The PoC will be displayed once the issue has been remediated...
wpForo < 1.7.0 - New Users Set as Admin via CSRF
The plugin did not have CSRF protection in place on a page, allowing an attacker to make a logged-in admin set all new users as admins directly: https://example.com/wp-admin/admin.php?page=wpforo-usergroups&default=1...
Houzez < 1.8.4 - Unauthenticated Cross-Site Scripting (XSS)
Two Reflected XSS vulnerabilities were discovered in the «Houzez - Real Estate WordPress Theme», tested version — v1.8.3.1 Edit WPScanTeam: January 11th, 2020 - Report received & Envato Contacted January 12th, 2020 - Envato Investigating January 27th, 2020 - v1.8.4 released, fixing the issue. -Demo...
Qards - Server Side Request Forgery (SSRF)
Google Dork: inurl:"plugins/qards" Qards provides an easy option to drag and edit every part and element of your site in the front-end; you will never have to write any code to change the layout or any part of the site the traditional WordPress way. The vulnerable script...
WP e-Commerce Shop Styling <= 2.5 - Local File Inclusion
The code in ./wp-ecommerce-shop-styling/includes/download.php does not sanitise user input to prevent sensitive system files from being downloaded. You'll have to rename the download file via mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd as the filename is set to the download filename with pat...
Activity Log < 2.7.0 - Authenticated SQL Injection
The plugin was vulnerable to SQL Injection in the order column of the past events table. time curl 'http://www.example.com/wp-admin/admin.php?page=activitylogpage&orderby=histtime%20AND%20SLEEP%280%29' -H 'Cookie: ...'...
CM Download Manager < 2.8.0 - Authenticated Cross-Site Scripting
The plugin does not properly validate and sanitise the uploaded filename, which could result in a Cross-Site Scripting issue. Vulnerable page - 'cmdownload/add/' Vulnerable parameter - 'filename' in 'Content-Disposition' Header POST /cmdownload/add/ HTTP/1.1 Host: localhost:8081 User-Agent:...
Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation
This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution RCE on a vulnerable site’s server. The following will create hello.php in the...
Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.5.5 - Unauthenticated Remote Code Execution
The Drag and Drop Multiple File Upload – Contact Form 7 WordPress plugin was vulnerable to Remote Code Execution via file upload. The plugin used a blacklist of dangerous file extensions that it did not allow to be uploaded, however, the extensions .phar and .phpt were not within the blacklist,...
All in One Support Button < 1.8.8 - Authenticated Stored Cross-Site Scripting
The lack of CSRF and Capability checks on AJAX calls, such as arcontactussavemenuitem, could allow low-privilege users to perform stored XSS attacks. The payloads will then be triggered in frontend pages. The Vendor attempted a fix with v1.8.1, by adding capability and some sanitisation checks...
ListingPro < 2.0.14.5 - Reflected & Persistent Cross-Site Scripting
Reflected & Persistent XSS was discovered in the 'ListingPro - WordPress Directory Theme'. Current version is 2.0.14.2 August 9th 2019. Edit WPScanTeam: November 29th, 2019 - Envato Informed November 29th, 2019 - Envato Investigating December 4th, 2019 - v2.0.14.3 Released, fixing the reflected X...
Tidio Live Chat <= 4.1.0 - CSRF to Stored XSS
A CSRF vulnerability in the Tidio Live Chat WordPress Plugin: var xhr = new XMLHttpRequest(); xhr.open("POST", "https://wordpress.local/wp-admin/admin-ajax.php?action=tidiochatsavekeys", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");...
SiteBuilder Dynamic Components <= 1.0 - Unauthenticated PHP Object Injection
The plugin sitebuilder-dynamic-components insecurely trusts serialized data submitted over AJAX requests. This opens the site up to a PHP object injection vulnerability as a potential exploit vector. The attack is exploitable over AJAX calls on sites with the sitebuilder-dynamic-components plugin...
WooCommerce Anti-Fraud <= 3.2 - Unauthenticated Order Status Manipulation
The WooCommerce Anti-Fraud WordPress plugin was affected by an issue where an unauthenticated user could change the order status of any order, as there were no checks when changing the order status. The orderid was also predictable. On an individual level, if you have already received your order,...
Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitise the search query, leading to an unauthenticated reflected Cross-Site Scripting issue: /?s=%3Cimg%20src%20onerror=alert/XSS/%3E...
LearnPress < 3.2.6.9 - Privilege Escalation to "LP Instructor"
The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The "LP Instructor" role grants the "unfilteredhtml" capability, allowing an escalated user to insert posts containing...
Online Hotel Booking System Pro <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details. The XSS payload is then executed when an authenticated administrator user views the booking on the Customer-booking page. Inject XSS via most fields in the booking form, which will...
Minimal Coming Soon & Maintenance Mode < 2.15 - Insecure Permissions: Enable and Disable Maintenance Mode
There was a flaw that allowed any authenticated user with subscriber permissions or above the ability to enable and disable maintenance mode on a vulnerable site by sending a simple request. Login as a user with subscriber or above permissions and send the following request to enable maintenance...
Participants Database <= 1.7.5.9 - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in the WordPress Participants Database plugin 1.7.59 allows attackers to inject arbitrary JavaScript via the Name parameter. curl -k -F action=signup -F subsource=participants-database -F shortcodepage=/?pageid=1 -F thankspage=/?pageid=1 -F instanceindex=2 -...
Thumbnail Carousel Slider < 1.0.1 - Authenticated Shell Upload & CSRF
The original advisory states that this vulnerability is exploitable with editor and author roles but this is incorrect. Only the administrator role by default can trigger this vulnerability. However, CSRF on the image upload form makes this exploitable by a malicious actor. Create a file named...
Advanced Booking Calendar < 1.6.2 - Unauthenticated SQL Injection
The AJAX action abcbookinggetBookingResult, available to both authenticated and unauthenticated users, did not sanitise the calendarId parameter, which was then concatenated into a SQL statement, leading to an unauthenticated SQL injection issue. This could be used to retrieve information from the...
Dynamic Content for Elementor < 1.9.6 - Authenticated RCE
The PHP Raw Widget https://www.dynamic.ooo/widget/php-raw/ of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as editor to perform RCE attacks. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com...
Elegant Testimonial <= 1.1.6 - Multiple Authenticated Stored Cross-Site Scripting
The name, company and text fields used while adding a testimonial to a page were found to be vulnerable to stored XSS, as they did not sanitise user-supplied input properly before publishing the post. It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites...
Travel Booking < 2.8.4 - Unauthenticated SQL Injection
Unauthenticated SQL Injection via the locationid parameter sqlmap --url="https://example.com/search-rental-full-map/?locationid=1" -dbs --random-agent --time-sec=8 03:13:37 INFO resuming back-end DBMS 'mysql' sqlmap resumed the following injection points from stored session: --- Parameter:...
Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS
=== DESCRIPTION - REFLECTED XSS ======================================== The Catch Breadcrumb 1.5.4 plugin for WordPress allows Reflected XSS via a search query when used with one of the themes from the same author: Alchemist & Alchemist PRO, Izabel & Izabel PRO, Chique & Chique PRO, Clean Enterprise &...
Pricing Table by Supsystic < 1.8.2 - Insecure Permissions on AJAX Actions
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or...
Htaccess by BestWebSoft < 1.8.2 - CSRF to edit .htaccess
The Htaccess by BestWebSoft WordPress plugin was affected by a CSRF to edit .htaccess security vulnerability...
All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Page Exposure
The All In One WP Security & Firewall plugin suffers from open redirect and exposure of the actual URL of the "hidden login page" feature. Edit WPScanTeam October 3rd, 2019 - Email sent to dev via https://wpsolutions-hq.com/contact/ October 8th - Dev ACK & investigating it October 8th - v4.4.2...
Reality < 2.4.0 - Multiple Persistent XSS
----- Persistent XSS on any property page: ----- Vulnerable input fields: 1 - Description & Price - 'PRICE POSTFIX TEXT' and 'SECOND PRICE POSTFIX TEXT'; 2 - Additional Information - 'TITLE' and 'VALUE'; 3 - Location & Map - 'ADDRESS '. Payload Sample: ----- Persistent XSS on user profile page:...
WP-Members <= 3.2.7 - Cross-Site Request Forgery (CSRF)
No CSRF protection on "Add New Fields". Fields can also be edited and deleted the same way. 1. Download csrfwp-members.html 2. Change the URL in the HTML file (FORM ACTION). 3. Submit the request. Video PoC: https://drive.google.com/file/d/1TuJK0NjxznjTDmoJF5wbGu2vMAXXikw/view?usp=sharing HTML file:...
Contact Form Email <= 1.2.65 - Multiple Cross-Site Scripting (XSS) & CSRF
The Contact Form Email WordPress plugin was affected by a Multiple Cross-Site Scripting XSS & CSRF security vulnerability. http://www.example.com/wp-admin/admin.php?page=cpcontactformtoemail&edit=1&cal=1&item='"...
Content Timeline <= 4.4.2 - Multiple Blind SQL Injection
Multiple Blind SQL injections in the premium 'Content Timeline' Plugin. One unauthenticated and two authenticated injections. Contacted the author twice without any response. History: 09-16-2017 Contacted the author 09-16-2017 Requested CVE-ID 09-18-2017 CVE-ID Received 09-18-2017 Contacted the...
WooCommerce Email Test 1.5 - Order Information Disclosure
When this plugin is installed, any anonymous user can open this URL https://www.domainname.de/?woocommerceemailtest=WCEmailCustomerCompletedOrder which shows the most recent order along with all customer details, email address and cart content. This is a severe security/data privacy breach...
IBS Mappro <= 0.6 - Directory Traversal
The ibs-mappro WordPress plugin was affected by a Directory Traversal security vulnerability. http://www.example.com/wp-content/plugins/ibs-mappro/lib/download.php?file=/etc/passwd...
Greenmart < 2.5.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Due to an incomplete fix of CVE-2020-16140 see https://wpscan.com/vulnerability/10444, the reflected XSS attack is still possible on unauthenticated users, by extracting the searchnonce from the source of the homepage and adding it to the original payload. This is possible because WP nonces are...
Greenmart < 2.4.3 - Reflected Cross-Site Scripting (XSS)
The greenmartautocompletesearch AJAX action, available to both authenticated and unauthenticated users does not properly sanitise the callback parameter passed to it, resulting in a reflected Cross-Site Scripting issue. Edit WPScanTeam: The vendor 'fixed' the issue for authenticated users by addi...
RSVPMaker < 7.8.2 - Unauthenticated SQL Injection
The plugin does not sanitise user input before using it in a SQL statement in the signedupajax AJAX action. Note: Even though the reported SQL Injection was fixed in v7.8.2, other additional sanitisation was implemented in v7.8.3 to 7.8.6. sqlmap -u "https://localhost/?action=signedup&eventcount=...