4359 matches found
Live Chat Unlimited <= 2.8.3 - Stored Cross-Site Scripting (XSS)
Weak input filtering has been discovered in the 'Live Chat Unlimited' plugin. Go to the demo website https://screets.com/try/lcx/night-bird/, open the chat window by clicking the «Open/close» link, then click «Online mode» to go online. Use your payload inside inpu...
iLive <= 1.0.4 - Stored Cross-Site Scripting (XSS)
Info: Weak textarea input filtering has been discovered in the 'iLive - Intelligent WordPress Live Chat Support Plugin'. The current version of this premium WordPress plugin is 1.0.4. Demo Website: https://codecanyon.net/item/ilive-wordpress-live-chat-support-plugin/20496563...
Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
Unauthenticated remote code execution has been discovered in the functionality that handles settings import. 1. Create a payload file and host it at a location reachable by the targeted website. Payload content : "system'cat /etc/passwd'" 2. Visit...
Swape Theme - Authentication Bypass and Stored XSS
Similar to https://wpvulndb.com/vulnerabilities/8061, but with no authentication required. The theme suffers from a privilege escalation vulnerability; any user can trigger it due to weak permission checking. An attacker can update options, such as changing the default user role, registratio...
S3 Video Plugin <= 0.983 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The s3-video WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/s3-video/views/video-management/previewvideo.php?media="alert1;"...
Cerber Limit Login Attempts <= 2.0.1.6 - Unauthenticated Stored XSS
If the option "I'm behind a proxy" is enabled, the visitor IP is read from the X-Forwarded-For header, then stored and printed in the admin panel without any sanitization or validation. Set the X-Forwarded-For header to alert1, and perform an incorrect login...
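The Cerber entry describes the general "trusted proxy header" mistake: once X-Forwarded-For is believed, the "IP address" that reaches storage and the admin page is arbitrary attacker text. The following is an added illustration, not the plugin's code. It assumes a single reverse proxy whose address is known (the constructed `$trusted_proxies` list) and uses `htmlspecialchars()` for output encoding, which is what `esc_html()` does inside WordPress.

```php
<?php
// Added example: unsafe vs. hardened handling of X-Forwarded-For.
// Not the plugin's code. $trusted_proxies and the request array are constructed.

// Unsafe pattern: believe the header from anyone, store the string, echo it raw later.
function client_ip_unsafe(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Hardened pattern: honour the header only when the direct peer is a known proxy,
// take the hop that proxy appended (the last one), and accept only a real IP literal.
function client_ip_safe(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trusted_proxies, true)) {
        $hops      = array_map('trim', explode(',', $xff));
        $candidate = end($hops);                      // appended by our own proxy
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Fall back to the socket peer; validate it too so no free text ever reaches storage.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Output encoding for the admin table cell (esc_html() in WordPress).
function render_ip_cell(string $ip): string {
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request from an attacker who is not behind the site's proxy.
$attack = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>',
];
// Constructed request relayed by the real proxy at 10.0.0.2.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>, 198.51.100.9',
];

echo client_ip_unsafe($attack), "\n";                 // the payload itself, stored as an "IP"
echo client_ip_safe($attack, ['10.0.0.2']), "\n";     // 203.0.113.7 (header ignored: peer is not a proxy)
echo client_ip_safe($proxied, ['10.0.0.2']), "\n";    // 198.51.100.9 (last hop, validated)
echo render_ip_cell(client_ip_unsafe($attack)), "\n"; // encoded: output escaping is the second line of defence
```

Both fixes matter independently: validation keeps junk out of the database, and output encoding protects any other page that already stored junk before the fix.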
WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
The WordPress plugin wp-symposium version 15.5.1, and probably all previous versions, suffers from an unauthenticated SQL Injection in getalbumitem.php, parameter 'size'. The issue is exploitable even if the plugin is deactivated. PoC URL :...
Photocrati Theme 4.x.x - SQL Injection
http://www.example.com/wp-content/themes/photocrati-theme-path/ecomm-sizes.php?prodid=SQL...
10Web Social Post Feed < 1.1.27 - Authenticated SQL Injection
Authenticated SQL injection in the 10Web Social Post Feed WordPress Plugin 1.1.26 via the /wordpress/wp-admin/admin.php?page=infoffwd searchvalue parameter. https://drive.google.com/file/d/1Hndhdy3leYTzutx-DJvu1B-tW5Y5teBB/view...
Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload
The aoccssimport AJAX call does not ensure that the provided file is a legitimate Zip file, allowing high-privilege users to upload arbitrary files, such as PHP, leading to RCE. https://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing POST /wp-admin/admin-ajax.php HTTP/1...
Sell Media < 2.4.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
A Cross-site scripting XSS vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter aka $searchterm or the Search field. https://example.com/sell-media-search/?keyword="alert/XSS/...
Ultimate Member < 2.1.7 - Unauthenticated Open Redirect
The Ultimate Member WordPress plugin was vulnerable to an Unauthenticated Open Redirect vulnerability, affecting the registration and login pages where the "redirectto" GET parameter was used. https://www.example.com/register/?redirectto=https://www.evil.com/...
TownHub < 1.3.0 - Unauthenticated Reflected XSS
Unauthenticated Reflected XSS vulnerability was discovered in the «TownHub - Directory & Listing WordPress Theme», tested version — v1.2.9. Edit WPScanTeam June 17th, 2020 - Confirmed & Escalated to Envato June 18th, 2020 - v1.3.0 released, fixing the issue...
Add-on SweetAlert Contact Form 7 < 1.0.8 - Authenticated Stored Cross-Site Scripting (XSS)
Post-authentication stored XSS in the "tittle" field of the "Error Alert" and "Success Alert" sections of the plugin's settings page due to poor sanitization of entered characters. When you enter the payload and save the changes, it is permanently embedded in the HTML of the settings page, so all users...
Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access
This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin. Steps to reproduce: 1. Log in as a subscriber on target WordPress site. 2. View the page source of /wp-admin and command+f to search for...
Profile Builder and Profile Builder Pro < 3.1.1 - User Registration With Administrator Role
The plugin is affected by a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain the Administrator role using the plugin's forms. The vulnerability only exists in the Plugin's own generated Registration Form or Profile Edit Form. This mean...
Batch-Move Posts <= 1.5 - Broken Authentication leading to Unauthenticated Stored XSS
An attacker can add a Cross-Site Scripting XSS payload remotely without any authentication. The Payload gets triggered when an Admin visits the settings page of the plugin. Edit WPScanTeam: The plugin is still affected and has been closed. Vulnerable code is from lines 68 to 84. The code gets the...
bbPress Login Register Links On Forum Topic Pages <= 2.7.5 - CSRF to Stored XSS
Lack of CSRF checks in the plugin's settings allow arbitrary change of the settings, which can also lead to stored XSS issues. The payload below will result in a stored XSS in the 'Style Customize' page. " /...
JobCareer < 2.5.1 - Authenticated Stored Cross-Site Scripting
Weak input field filtering has been discovered in the 'JobCareer | Job Board Responsive WordPress Theme'. http://jobcareer.chimpgroup.com/candidate/asdasdasdasdasd/ Register a new account on the demo website: http://jobcareer.chimpgroup.com/ , then go to the «Resume» profile tab:...
Pie Register <= 3.0.17 - Unauthenticated Cross-Site Scripting (XSS)
The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability. http://www.website.com/wordpress/index.php/forgot-password/?"alert1...
Duplicator <= 1.2.40 - Unauthenticated Arbitrary Code Execution
If the installer files, installer.php and installer-backup.php, are not removed by the administrator, a code injection in the database setup step allows arbitrary code execution on the server. actionajax=3&actionstep=3&dbhost=nowhere&dbuser=test&dbpass=test&dbname=test';...
Open Graph for Facebook, Google+ and Twitter Card Tags <= 2.2.4 - Authenticated Reflected XSS
There is a reflected XSS vulnerability caused by "Open Graph for Facebook, Google+ and Twitter Card Tags" in the wdfbogerror parameter on a GET request when editing a post. This can be exploited by tricking an authenticated Wordpress administrator into clicking a malicious link. This vulnerabilit...
Super Socializer <= 7.10.6 - Authentication Bypass
You can log in to the site as any user if you know that user's email address. // Steps: // Fill in these 3 variables var url = 'http://my-site.com/wordpress/', //website url. Closing slash required email = '[email protected]', //The admin email address to exploit nonce = 'e86377d05a'; // View the...
RegistrationMagic - Custom Registration Forms <= 3.8.0.4 - Authenticated SQL Injection
The RegistrationMagic – Custom Registration Forms and User Login WordPress plugin was affected by an Authenticated SQL Injection security vulnerability. GET...
Referrer Detector <= 4.2.1.0 - Unauthenticated PHP Object Injection
The plugin referrer-detector insecurely trusts serialized data submitted in HTTP requests, which exposes the site to a PHP object injection vulnerability. The original researcher notified the WordPress Plugins team. The attack is exploitable over HTTP requests to sites with...
Kama Click Counter <= 3.4.9 - Authenticated Blind SQL Injection
The Kama Click Counter WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability. http://www.example.com/wp-admin/admin.php?page=kama-clic-counter&orderby=linkname&order=ASC%2cselectfromselectsleep30a&paged=1...
e-search <= 1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The e-search WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/e-search/tmpl/dateselect.php?date-from="alert1;alert1;"...
Wordpress Video Gallery <= 2.7 - SQL Injection
The contus-video-gallery WordPress plugin was affected by a SQL Injection security vulnerability. http://example.com/wp-admin/admin-ajax.php?action=rss&type=video&vid=SQLi...
Ruven Toolkit <= 1.1 - tinymce/popup.php popup Parameter Reflected XSS
The ruven-toolkit WordPress plugin was affected by a tinymce/popup.php popup Parameter Reflected XSS security vulnerability. http://localhost/wp-content/plugins/ruven-toolkit/tinymce/popup.php?popup=popup'alertdocument.cookie&...
YITH Request a Quote for WooCommerce < 1.6.4 - Unauthorised AJAX call via CSRF
The ajax method did not properly check for CSRF, allowing attackers to make users call the ajaxadditem, ajaxremoveitem or ajaxvariationexist actions, which will tamper with their session quote. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
Add From Server <= 3.3.3 - Authenticated Path Traversal to Arbitrary File Access
An authenticated attacker with low permissions can read arbitrary files on the server using Path Traversal. The plugin author states that this is by design and that the plugin should not be used. Please refer to the references. http://example.com/wp-admin/upload.php?page=add-from-server&adirectory=/...
FoodBakery < 2.0 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the FoodBakery theme through 1.9 for WordPress. Note: The issue was hot patched in 1.9. As a result, there are two 1.9 versions out there, one vulnerable and one with the patch...
MapPress Maps Pro < 2.53.9 - Remote Code Execution (RCE) due to Incorrect Access Control in AJAX Actions
The pro version of this plugin registers several AJAX actions that call functions which lack capability checks and nonce checks, specifically the ‘ajaxget’, ‘ajaxsave’, and ‘ajaxdelete’ functions in mappresstemplate.php. As such, it is possible for a logged-in attacker with minimal permissions,...
Ultimate Membership Pro < 8.6.2 - Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy
Version 8.6.1 attempted to fix multiple critical issues, mainly a lack of authorisation checks that allowed low-privilege users to call the plugin's admin functions, leading to PII disclosure and login bypasses. However, the fixes were not sufficient: - An indeedIsAdmin check was added to all AJA...
Media File Manager <= 1.4.2 - Authenticated Multiple Vulnerabilities
Following the PoC, you can combine the vulnerabilities to obtain PHP code execution and read sensitive files. By default the File Manager can only be used by Administrator users; however, any user role can be configured to use it. Directory Traversal: POST /wordpress/wp-admin/admin-ajax.php HTTP/1....
WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution
WP Support Plus Responsive Ticket System Choose a file ending with .phtml: After doing this, an uploaded file can be accessed at, say: http://example.com/wp-content/uploads/wpsp/1510248571filename.phtml...
UserPro <= 4.9.17 - Authentication Bypass
The userpro plugin has the ability to bypass login authentication for the user 'admin'. If the site does not use the standard username 'admin' it is not affected. 1 - Google Dork inurl:/plugins/userpro 2 - Browse to a site that has the userpro plugin installed. 3 - Append ?upautolog=true to the...
Shortcodes Ultimate <= 5.0.0 - Authenticated Contributor Code Execution
The Shortcodes Ultimate plugin does not sanitize the "filter" argument to the "sumeta", "suuser", and "supost" shortcodes, allowing the filter to be set to the "system" function, which runs arbitrary code. This is being exploited in the wild; I discovered this through analysis of modsecurity audit...
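The underlying bug class is a user-controlled callable: a shortcode attribute handed straight to `call_user_func()` lets anyone who can author posts (a Contributor) name any PHP function. The block below is an added illustration, not the plugin's code; the function names, the `$meta` array and the shortcode attributes are constructed. It contrasts the unsafe pattern with an explicit allowlist of filters.

```php
<?php
// Added example: a shortcode "filter" attribute used as a callable, unsafe vs. allowlisted.
// Not the plugin's code; $meta and $atts are constructed inputs.

// Unsafe: is_callable() is not an authorisation check. 'system', 'exec',
// 'file_get_contents' and friends are all callable, so the author of the
// shortcode picks the function that runs on the server.
function shortcode_meta_unsafe(array $atts, array $meta): string {
    $value = $meta[$atts['key']] ?? '';
    if (!empty($atts['filter']) && is_callable($atts['filter'])) {
        $value = call_user_func($atts['filter'], $value);
    }
    return (string) $value;
}

// Hardened: the attribute selects from a fixed map of safe transformations and
// is never itself used as a function name.
const META_FILTERS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'trim'  => 'trim',
];

function shortcode_meta_safe(array $atts, array $meta): string {
    $value  = $meta[$atts['key']] ?? '';
    $filter = $atts['filter'] ?? '';
    if ($filter !== '') {
        if (!array_key_exists($filter, META_FILTERS)) {
            return '';                        // unknown filter: refuse, do not fall through
        }
        $fn    = META_FILTERS[$filter];
        $value = $fn($value);
    }
    return (string) $value;
}

$meta = ['greeting' => ' hello ', 'cmd' => 'id'];

// What a Contributor could write: [shortcode key="cmd" filter="system"]
$malicious = ['key' => 'cmd', 'filter' => 'system'];
var_dump(is_callable($malicious['filter']));            // bool(true): the unsafe path would run `id`
// shortcode_meta_unsafe($malicious, $meta) is deliberately not executed here.

echo '[' . shortcode_meta_safe($malicious, $meta) . "]\n";                              // []  rejected
echo '[' . shortcode_meta_safe(['key' => 'greeting', 'filter' => 'upper'], $meta) . "]\n"; // [ HELLO ]
echo '[' . shortcode_meta_safe(['key' => 'greeting', 'filter' => 'trim'],  $meta) . "]\n"; // [hello]
```

When reviewing plugin code, grep for `call_user_func`, `call_user_func_array`, `array_map`, `usort` and `$fn(` whose callable originates in `$atts`, `$_GET`, `$_POST` or post meta; every such site needs an allowlist like the one above, not a `function_exists()` or `is_callable()` check.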
Adminer <= 1.4.5 - Security Bypass
The plugin is still affected and has been closed. https://example.com/wp-content/plugins/adminer/inc/editor/index.php...
WP Front End Profile <= 0.2.1 - Privilege Escalation & Stored Cross-Site Scripting (XSS)
It is possible to modify a POST request to overwrite user meta including 'wpcapabilities' and 'wpuserlevel' which results in a privilege escalation vulnerability. User input is not sanitised or escaped on output resulting in a stored XSS vulnerability. Timeline: 2016-09-12: Vulnerability found...
Admin Font Editor <= 1.8 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The admin-font-editor WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/admin-font-editor/css.php?size="alert1;"...
wptf-image-gallery 1.0.3 - Remote File Download
Plugin is still affected and has been closed. The ./wptf-image-gallery/lib-mbox/ajaxload.php code doesn't sanitize user input or check that a user is authorized to download files. This allows an unauthenticated user to download sensitive system files: 1 $ curl...
Smart Website Tools by AddThis 4.0.6-5.0.2 - Stored XSS
The Smart Website Tools by AddThis plugin exposes an AJAX function called 'atasyncloading' in 'addthis/addthis-for-wordpress.php'. Access to this function is restricted to Registered users, however is not restricted to Administrative users, meaning that anyone with an account on the target site c...
Easy2Map Photos <= 1.0.9 - SQL Injection
The code in Functions.php is vulnerable to SQL Injection because it neither parameterises nor sanitises user input. sqlmap -u 'http://www.example.com/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2mimgsavemapname" --cookie=COOKIEHERE --level=5 --risk=3...
Subscribe Sidebar <= 1.3.1 - Authenticated Reflected Cross-Site Scripting
The 'status' GET parameter in subscribesidebar.php, which is displayed in the plugin's option page, is vulnerable to reflected XSS attacks. /wp-admin/options-general.php?page=subscribesidebar.php&status=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E...
Woocommerce Subscriptions < 3.0.3 - CSRF to Cancel/Re-Activate Subscription
During a blog assessment, we identified a CSRF issue in the Woocommerce Subscriptions plugin which could allow attackers to cancel and re-activate a logged-in user's subscription. Even though the wpnonce parameter was required in the request, its value was not verified, allowing an empty value to ...
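The Subscriptions entry above, together with the YITH Request a Quote, bbPress Login Register Links, Pricing Table by Supsystic and WP Simple Spreadsheet Fetcher entries, all come down to one check: a state-changing request must carry a nonce that the server actually recomputes and compares, not merely a parameter that is present. The block below is an added illustration, not any plugin's code. It implements a WordPress-style nonce (HMAC over action, user and a time tick, two ticks accepted) in plain PHP so it runs stand-alone; in a real plugin `wp_create_nonce()`, `wp_verify_nonce()` and `check_ajax_referer()` fill these roles. `NONCE_SECRET`, the user id and the request arrays are constructed.

```php
<?php
// Added example: "nonce present" vs. "nonce verified". Not any plugin's code.
// Mirrors how WordPress nonces work; the secret and requests are constructed.

const NONCE_SECRET   = 'constructed-site-secret';  // WordPress derives this from wp_salt()
const NONCE_LIFETIME = 12 * 3600;                  // one tick; current and previous tick accepted

function nonce_tick(int $now): int {
    return intdiv($now, NONCE_LIFETIME);
}

function create_nonce(string $action, int $user_id, int $now): string {
    $tick = nonce_tick($now);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), -10);
}

// Broken check (the pattern in the entry above): the parameter only has to exist.
// A forged form with _wpnonce="" sails through.
function verify_nonce_broken(?string $nonce): bool {
    return $nonce !== null;
}

// Correct check: recompute for the current and previous tick, compare in constant time.
function verify_nonce(?string $nonce, string $action, int $user_id, int $now): bool {
    if ($nonce === null || $nonce === '') {
        return false;
    }
    foreach ([$now, $now - NONCE_LIFETIME] as $t) {
        if (hash_equals(create_nonce($action, $user_id, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// The action is bound to the object being acted on, so a nonce for one
// subscription cannot be replayed against another.
function cancel_subscription(array $request, int $current_user, int $now): string {
    $action = 'cancel_subscription_' . ($request['id'] ?? '');
    if (!verify_nonce($request['_wpnonce'] ?? null, $action, $current_user, $now)) {
        return 'rejected';
    }
    return 'cancelled';
}

$now  = time();
$user = 42;

// Cross-site forged request: the attacker cannot know the victim's nonce, so sends none.
$forged = ['id' => '17', '_wpnonce' => ''];
echo 'broken check: ', verify_nonce_broken($forged['_wpnonce']) ? 'accepted' : 'rejected', "\n"; // accepted
echo 'real check:   ', cancel_subscription($forged, $user, $now), "\n";                         // rejected

// Legitimate request from the plugin's own form, same user, same subscription.
$legit = ['id' => '17', '_wpnonce' => create_nonce('cancel_subscription_17', $user, $now)];
echo 'real check:   ', cancel_subscription($legit, $user, $now), "\n";                          // cancelled

// Replay against a different subscription id fails because the action string differs.
$replay = ['id' => '18', '_wpnonce' => $legit['_wpnonce']];
echo 'real check:   ', cancel_subscription($replay, $user, $now), "\n";                         // rejected
```

Note that a nonce is not an authorisation check: the handler still has to confirm that `$current_user` owns subscription 17 (in WordPress, a `current_user_can()` or ownership lookup) before acting, which is the second half of the missing controls in the MapPress, AddThis and WP Database Reset entries on this page.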
Pricing Table by Supsystic < 1.8.1 - Cross-Site Request Forgery to XSS and Setting Changes
CSRF can be exploited against any of the functionalities in the Pricing Table by Supsystic WordPress plugin in vulnerable versions. One example:...
Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities
Multiple Critical Vulnerabilities found in Ultimate Membership Pro could lead to Remote Code Execution on a default installation by an authenticated user with a low-privilege account, such as subscriber, as well as PII disclosure such as emails, IP addresses, hashed passwords, usernames, User-Agent and so o...
WP Database Reset < 3.15 - Privilege Escalation
This flaw "allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request." Login as a subscriber then send the following request:...
WP Simple Spreadsheet Fetcher For Google < 0.3.7 - Arbitrary API Key update via CSRF
The lack of Cross-Site Request Forgery CSRF checks on the plugin's settings page could allow CSRF attacks to set an arbitrary API key...