wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via langid Parameter
The plugin did not escape or validate the 'langid' GET parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in admin...
WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)
WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and "squeeze" pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX action core37lpsavepage whi...
Video on Admin Dashboard < 1.1.4 - Authenticated Stored XSS
Video on Admin Dashboard is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options. A user can insert a simple script in the Widget Title text field, e.g. "alert'XSS';. Every specified user role by the plugin will now be targeted...
Ellipsis Human Presence Technology <= 2.0.8 - Unauthenticated Reflected Cross Site Scripting (XSS)
The 'page' GET parameter of the inc/protected-forms-table.php file was affected by a reflected XSS vulnerability. http://www.example.com/wp-content/plugins/ellipsis-human-presence-technology/inc/protected-forms-table.php?&page="%20alert"XSS"...
Ultimate Instagram Feed <= 1.3 - Authenticated Cross-Site Scripting (XSS)
Author: OmarK The vulnerability lies in the "accesstoken" parameter and can cause a reflected XSS vulnerability. The issue is in the file ultimate-instagram-feed/admin/partials/uif-access-token-display.php, line 19; the vulnerable code is the following: echo $_GET['accesstoken']; There is an echo of th...
Student Result or Employee Database <= 1.6.3 - Auth Bypass
The Student Result or Employee Database WordPress plugin was affected by an Auth Bypass security vulnerability. curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/5.0' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer:...
Mail Masta 1.0 - Multiple SQL Injection
Multiple SQL Injection vulnerabilities in Mail Masta Plugin version 1.0 for WordPress. The plugin is still affected and has been closed. Please refer to: https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin...
Dwnldr 1.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
User agent strings are logged when requesting downloads that are processed by dwnldr and displayed back to the admin with no encoding, allowing for scripts to be stored and executed. curl -A "User-Agent: alertdocument.cookie;" -O http:///?attachmentid=...
Yoast SEO <= 2.1.1 - Authenticated Stored DOM XSS
The "snippet preview" functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2. Vulnerable URL: /wp-admin/post-new.php?posttitle= Vulnerable Code wordpress-seo/js/wp-seo-metabox.js: function ystcleanstr if str == '' || str == undefined return...
CM Download Manager <= 2.0.0 - Unauthenticated Code Injection
The plugin does not validate and sanitise the CMDsearch parameter, which is used to create a custom function. This allows an attacker to run arbitrary commands on the remote server GET /cmdownloads/?CMDsearch=".phpinfo." HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Windows NT 6.3; WOW64; rv:33.0...
Media Library Assistant < 2.90 - Authenticated Blind SQL Injection
The Media Library Assistant WordPress plugin was affected by an authenticated (admin+) blind SQL injection vulnerability when there is at least one Custom Field Rule set in the plugin's options. There needs to be at least one Custom Field Rule in the plugin's Custom Fields settings...
Love Travel 2.0-3.8 - Unauthenticated Reflected XSS & XFS
Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the Love Travel theme for WordPress, affected versions: 2.0-3.8. Vulnerable parameters: keyword, datefrom, dateto, pricefromto, nicdarkpricefrom, nicdarkpriceto The PoC will be displayed once the issue has been remediated...
Email Subscribers & Newsletters < 4.5.6 - Unauthenticated email forgery/spoofing
It allows a remote unauthenticated attacker to send forged emails to all recipients from the available lists of contacts or subscribers, with complete control over the content and subject of the email. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com Content-Type:...
RSS Feed Widget < 2.8.1 - Authenticated Cross-Site Scripting (XSS)
The RSS Feed Widget WordPress plugin version 2.8.0 and below was vulnerable to Authenticated Cross-Site Scripting XSS within the "t" GET parameter. http://www.example.com/wp-admin/admin.php?page=rfwoptions&t=1"alert"xss"...
SendPress Newsletter < 1.20.7.13 - Authenticated Stored Cross-Site Scripting (XSS)
Multiple Stored Cross-Site Scripting issues within the SendPress Newsletter Settings due to improper input sanitisation. The vulnerable fields are: - From Name - From Email - Where to send Test Email https://www.dropbox.com/s/slnc6oj1ryssvuz/sendpress-xss.mp4?dl=0 Payloads - v alert1337/// - v 1.20.7.13: "...
WP Lead Plus X < 0.99 - Unauthenticated Stored Cross-Site Scripting (XSS)
One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use "template" pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was...
Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS)
By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify the metadata of an existing chart and inject an XSS payload to be stored and later executed when an admin goes to edit the chart. curl -i -s -k -X $'POST' \ -H...
Newsletter Lite < 4.6.19 - Multiple Issues
- Lack of CSRF, Authorisation and sanitisation checks in the ajaxloadneweditor function, registered as an AJAX method, can lead to an authenticated reflected XSS issue. - Authenticated Directory Traversal leading to RCE XSS: As an authenticated user with a role as low as a Subscriber, open...
CP Contact Form with Paypal <= 1.3.01 - Multiple XSS
The CP Contact Form with PayPal WordPress plugin was affected by multiple XSS security vulnerabilities. Version &r=1 fixed in 1.2.98...
WP Background Takeover <= 4.1.4 - Directory Traversal
Allows an attacker to read arbitrary files via the download.php file http://target.com/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php...
EZ SQL Reports <= 4.11.33 - Authenticated Arbitrary Code Execution
There are several calls to "passthru" in the code; one of them receives the username, password, database name and host from the $_POST arguments, so the ";" character, or others like "&&" or "||", can be injected into any of these parameters to execute other commands alongside "/usr/bin/mysql"...
Real-Time Find and Replace < 4.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email...
Elementor Page Builder < 2.8.5 - Authenticated Reflected XSS
The Elementor Website Builder WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. /wp-admin/admin.php?page=elementor-system-info&lndan%22%3e%3cscript%0csrc%3d//0x7f000001%3e%3c/script%3e=1...
Chained Quiz < 1.1.8.2 - Unauthenticated Reflected XSS
The WordPress plugin Chained Quiz before 1.1.8.2 suffers from a Reflected XSS vulnerability in the 'totalquestions' POST parameter when a user completes a quiz. The code in question accepts the 'totalquestions' parameter without escaping the special characters: models/quiz.php $output =...
Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution
The Ad Inserter – Ad Manager & AdSense Ads WordPress plugin was affected by an Authenticated Remote Code Execution security vulnerability. The nonce aicheck in the final request can be obtained by querying the homepage with the AIWPDEBUGGING cookie set to 2. Then, use an account with a role as lo...
Ultimate Member < 2.0.52 - CSRF and Stored XSS issues
A CSRF vulnerability in adding/editing user roles in Ultimate Member 2.0.49. It also leads to stored XSS. Edit WPScanTeam: July 9th, 2019 - v2.0.50 released and still affected. Escalated to WP Plugins Team July 9th, 2019 - v2.0.51 released, fixing the CSRF but not the XSS July 11th, 2019 - Escalat...
Download Manager <= 2.9.93 - Authenticated Cross-Site Scripting (XSS)
In the pro features of the WordPress Download Manager plugin, there is a Category Short-code feature which can be used to sort categories by a given function, used as ?orderby=title,publishdate . By adding a " to the parameter followed by any XSS payload, the XSS payload will execute. To...
Wechat Broadcast <= 1.2.0 - Local/Remote File Inclusion
This bug was found in the file: /wechat-broadcast/wechat/Image.php echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : ''); The "url" parameter is not sanitised, allowing local or remote files to be included. To exploit the vulnerability, one only needs to use version 1.0 of the HTTP protocol to interact...
wpForo Forum <= 1.4.9 - Unauthenticated SQL Injection
The wpForo Forum WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability. http://www.example.com/index.php/community/?wpfd=0&wpfob=relevancy&wpfo=desc%2cselectfromselectsleep20a&wpfs=fff&wpfin=entire-posts...
WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The WPSOLR - Elasticsearch and Solr search WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability...
Multiple Plugins - jQuery prettyPhoto DOM Cross-Site Scripting (XSS)
The jQuery prettyPhoto library bundled with many plugins was found to be vulnerable to DOM Cross-Site Scripting XSS. http://www.example.com/prettyPhotogallery/1,/...
Abandoned Cart Lite for WooCommerce < 5.8.3 - Unauthenticated SQL Injection
The plugin is affected by an unauthenticated SQL injection via the billingfirstname parameter of the savedata AJAX call. From the original researcher: ./sqlmap.py -u https://example.com/wp-admin/admin-ajax.php --cookie='cookies content here' --method='POST'...
LocalWeb All In One plugin < 1.6.5 - Unauthenticated Stored Cross-Site Scripting (XSS)
An Unauthenticated Stored XSS vulnerability was discovered in the LocalWeb All In One plugin v1.6.3 for WordPress. There is an older version of this plugin called Web Instant Messenger, latest version is v1.1.1. The specificity of this plugin is that it interacts with the remote host...
Coditor <= 1.1 - Arbitrary File Edition, Deletion and Internal Directory Listing in wp-content
The coditorprocessajax AJAX call is missing any CSRF and authorisation checks, allowing low privilege users (subscriber+) to read and edit any files in the wp-content folder, as well as list its content. The PoC will be displayed once the issue has been remediated...
Chamber Dashboard Business Directory < 3.3.1 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise user input when creating or editing a business in the dashboard, allowing high privilege users (Editor+) to set XSS payloads in various fields. Login as an editor or admin, then add/edit a business and set the phone number as " The payload will then be executed in the...
Quiz and Survey Master < 7.0.1 - Unauthenticated Arbitrary File Deletion
This flaw allows users to delete arbitrary files like a site’s wp-config.php file which could effectively take a site offline and allow an attacker to take over the vulnerable site. history.pushState'', '', '/'...
Quiz and Survey Master < 7.0.1 - Arbitrary File Upload
This flaw made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. Set up a quiz that accepts file uploads, then upload a file and change the content-type to one set as approved. history.pushState'', '', '/' function submitRequest var xhr = new...
JobCareer < 3.5 - Multiple Cross-Site Scripting (XSS)
Unauthenticated Reflected and Authenticated Persistent XSS vulnerabilities were discovered in the JobCareer theme through 3.4 for WordPress. Unauthenticated Reflected XSS - Vulnerable parameters: jobtitle, specialisms, location Authenticated Persistent XSS on Employer Profile - «Complete Address...
CarePlus <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
An Unauthenticated Reflected XSS vulnerability was discovered in the CarePlus theme through 1.2 for WordPress. https://example.com/?s=%22%20autofocus%20onfocus=alertXSS;%20%22%3E...
Careerfy < 4.4.0 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Careerfy Job Board theme v4.3.0 for WordPress. https://example.com/jobs-listing/?%22%3E%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E=%3E...
Car Rental System <= 1.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details. The XSS payload is then executed when an authenticated administrator user views the booking on the booking-list and cust-lookup pages. Inject XSS via most fields in the booking form...
Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation
"The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users" providing subscriber-level users and above with the ability to escalate their privileges. POST /wp-admin/admin-ajax.php?importpage=wordpresshfusercsv&step=3...
Code Snippets < 2.14.0 - CSRF to RCE
This "flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site." function submitRequest var xhr = new XMLHttpRequest; xhr.open"POST", "http://waftesting.vhx.cloud:8080/wp-admin/admin.php?page=import-snippets", true;...
Contact Form Clean and Simple < 4.7.1 - Authenticated Stored XSS
The Contact Form Clean and Simple WordPress plugin was vulnerable to Authenticated stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options. This code will then be executed on every page with the contact form on the front-end. By checking the...
Reality < 2.5.3 - Unauthenticated Reflected XSS
Reflected XSS was discovered in the «Reality | Estate Multipurpose WordPress Theme», tested version — v2.5.1 Edit WPScanTeam: January 16th, 2020 - Report Received & Envato Contacted January 17th, 2020 - Envato Investigating February 6th, 2020 - Envato Contacted Again for Updates February 7th, 202...
WP Database Reset < 3.15 - Unauthenticated Database Reset
This flaw "allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state." URL/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code=11111&db-reset-code-confirm=11111 Where you can set db-reset-tables%5B%5D to any database table you wan...
Minimal Coming Soon & Maintenance Mode < 2.17 - Insecure permissions: Export Settings/Theme Change
There was a flaw that would allow any user logged in as a subscriber or above to export the plugin settings as a .txt file or modify the theme of the maintenance page on a vulnerable site. Login with subscriber or above permissions and send the following request to export the plugin settings:...
Quiz And Survey Master < 6.3.5 - Authenticated Reflected XSS
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. https://domain.tld/wp-admin/admin.php?page=mlwquizoptions&quizid=...
Zoner < 4.2 - Persistent XSS & IDOR
----- Persistent XSS: ----- 'Address' input field on the 'Local information' block is vulnerable so you can use your payload to steal admin cookies or do some redirects etc. ----- IDOR: ----- POST request https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=deletepropertyactid=XXX=YYY...
Appointment Booking Calendar < 1.3.19 - Unauthenticated Stored XSS
Lack of an authorisation check in the cpabcappointmentssaveedition function can lead to stored XSS via the editionarea parameter when cfwppedit is set to 'js' or 'css' /wp-admin/admin-ajax.php" method="POST" "/ /wp-admin/admin-ajax.php" method="POST" "/ The payload will be triggered in all pages wit...