Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion
The adminInit function of the admin/includes/class.actions.snippets.php file, registered on the admin_init hook, did not have any CSRF or capability checks for its close action, allowing unauthenticated users to delete arbitrary posts from the blog...
One Click SSL <= 1.4.6 - Multiple Issues
Lack of CSRF and authorisation checks in the settings page, as well as in AJAX methods such as ajaxenablessl, ajaxscan and so on, could allow unauthorised settings changes as well as calls to the AJAX methods by a low privileged user. Additionally, it could also allow arbitrary site options update due ...
Insert or Embed Articulate Content into WordPress <= 4.2999 - Authenticated Arbitrary Folder Deletion and Rename
The lack of CSRF, authorisation and path traversal checks in the wpajaxdeldir and wpajaxrenamedir AJAX methods in functions.php makes it possible for an authenticated user with a role as low as subscriber to delete and rename arbitrary folders. CSRF attacks against such authenticated users are also...
WebP Express <= 0.14.4 - Authenticated Stored XSS
Edit - WPScanTeam: The reported issue has been fixed in 0.14.5. Other sanitisation checks were implemented in newer versions such as 0.14.6 and 0.14.8 while the plugin was closed, so the fixed-in version is set to 0.14.8. Video POC :...
Chained Quiz <= 1.0.8 - Unauthenticated SQL Injection
WordPress plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters. Technical details: Chained Quiz appears to be vulnerable to time-based SQL injection. The issue lies in the "$answer" backend variable...
Multi Step Form <= 1.2.5 - Multiple Unauthenticated Reflected XSS
WordPress plugin Multi Step Form before 1.2.5 allows remote users to execute JavaScript code through reflected XSS attacks. This issue can be exploited by unauthenticated attackers, for example via CSRF. The following parameters are vulnerable in the fw_send_data function: fw_data[id][1] fw_data[id]...
WPHRM <= 1.0 - Authenticated SQL Injection
The vulnerability allows employee users to inject SQL commands. http://localhost/PATH/?hr-dashboard=user&page=message&tab=viewmessage&from=inbox&id=SQL-23+union+select+1,2,3,4,5,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),7,8--%20-...
Easy Modal <= 2.0.17 - Authenticated SQL Injection
This can only be exploited by a user who already has access to the admin area and holds a valid nonce. During the security analysis, ThunderScan discovered SQL injection vulnerabilities in the Easy Modal WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while bei...
Arabic Font - CSRF & Stored XSS
Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user...
Gravitate QA Tracker <= 1.2.1 - Unauthenticated PHP Object Injection
The gravitate-qa-tracker plugin insecurely trusts serialized data submitted in HTTP requests, exposing the site to PHP object injection. The attack is exploitable over HTTP requests to sites with the gravitate-qa-tracker plugin installed. The original researcher...
Ocim MP3 Plugin - Unauthenticated Reflected Cross-Site Scripting (XSS)
Credits to: Soufiane Boussali http://www.example.com/wp-content/plugins/ocim-mp3/source/pages.php?id=XSSPayload...
IMPress Listings <= 2.0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The IMPress Listings WordPress plugin was affected by an unauthenticated reflected cross-site scripting (XSS) vulnerability. IMPress Listings XSS demo: <script>alert(document.cookie);</script>...
WordPress File Upload <= 3.4.0 - Unauthenticated Malicious File Upload
The WordPress plugin wp-file-upload does not adequately check the file type before allowing it to be uploaded. It also stored uploaded files with execute permissions, allowing malicious payloads to be uploaded and run. 1. Install wp-file-upload on a WordPress site and activate it. 2. Create an upload form on a...
Google Adsense & Hotel Booking <= 1.0.5 - Open Proxy
The plugin is still affected and has been closed. The code in ./plugin/google-adsense-and-hotel-booking/proxy.php allows an arbitrary user to proxy POST requests through the host site. This may allow attackers to hide attacks, or to DoS a site if the POST request is pointed back at itself, causing a loop...
simple-image-manipulator <= 1.0 - Remote File Download
The plugin is still affected and has been closed. In ./simple-image-manipulator/controller/download.php no checks are made to authenticate the user or sanitise input when determining the file location. $ curl...
RobotCPA Plugin V5 - Unauthenticated Local File Inclusion
The robotcpa WordPress plugin was affected by an Unauthenticated Local File Inclusion security vulnerability. This issue has been seen exploited in the wild with the following payload: http://www.example.com/wp-content/plugins/robotcpa/f.php?l=..%2F..%2F..%2Fwp-config.php...
Omni Secure Files 0.1.13 - Unauthenticated Arbitrary File Upload
This plugin came with the vulnerable plupload library and has been seen exploited in the wild. The vulnerable file is: http://www.example.com/wp-content/plugins/omni-secure-files/plupload/examples/upload.php...
MM Forms & MM Forms Community 2.2.6 - Unauthenticated Arbitrary File Upload
Attackers have been seen probing for the "/wp-content/plugins/mm-forms/includes/doajaxfileupload.php" file. PostShell.php "@$uploadfile"; curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> Shell Access :...
Real Estate 7 < 3.0.5 - Unauthenticated Reflected XSS
An unauthenticated reflected XSS vulnerability was discovered in the Real Estate 7 theme v3.0.4 for WordPress. Vulnerable parameters: ctsqftfrom, ctsqftto, ctlotsizefrom, ctlotsizeto, ctmls. Edit WPScanTeam: The issue has been hot-fixed in 3.0.4, so the fixed-in version has been set to 3.0.5, the next...
Quiz and Survey Master < 7.0.2 - Unauthenticated Arbitrary File Upload
Because the plugin doesn't validate the name of the uploaded file, an unauthenticated user could upload a PHP script with a double extension, e.g., script.php.jpg, and execute it on HTTP servers running a configuration such as Apache + PHP FastCGI. Edit WPScanTeam: This appears to be due to an...
WooCommerce - NAB Transact < 2.1.2 - Payment Bypass
The plugin does not validate the origin of payment processor status requests, allowing orders to be marked as fully paid by issuing a specially crafted GET request during the ordering workflow. When presented with a payment screen, instead of submitting payment information, issue the following GE...
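The entry above says the handler trusted a status request from anyone, so a shopper could issue it themselves. The following is an added example, not the plugin's or the gateway's code: it models the check that was missing. The field names, the HMAC-SHA256 signature over the status fields and the shared secret are assumptions chosen for illustration; the real gateway's notification format is not on this page.

```python
"""Model of the origin check missing from the payment-status handler described above.

Added example (not the plugin's or the gateway's code): field names, the HMAC-SHA256
signature and the shared secret are assumptions chosen to illustrate the check.
"""
import hashlib
import hmac
from decimal import Decimal

SHARED_SECRET = b"gateway-shared-secret"  # assumed; a real one comes from gateway settings
SIGNED_FIELDS = ("order_id", "amount", "status", "txn_ref")


def fresh_orders() -> dict:
    """Constructed order store: one order awaiting payment."""
    return {"1001": {"amount": Decimal("149.00"), "status": "pending"}}


def canonical(fields: dict) -> bytes:
    # Fixed field order so signer and verifier hash the same bytes.
    return "|".join(f"{k}={fields[k]}" for k in SIGNED_FIELDS).encode()


def sign(fields: dict, secret: bytes = SHARED_SECRET) -> str:
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


def handle_status_callback(params: dict, method: str, orders: dict) -> str:
    """Apply a gateway status notification; return the order's resulting status string.

    Only a POST carrying a valid signature over the order id, amount, status and
    transaction reference, with an amount equal to the stored order total, can move
    the order out of 'pending'. Everything else is rejected or ignored.
    """
    if method != "POST":
        return "rejected: method"          # the bypass above was a browser-issued GET
    if any(k not in params for k in SIGNED_FIELDS + ("sig",)):
        return "rejected: missing field"
    order = orders.get(params["order_id"])
    if order is None:
        return "rejected: unknown order"
    expected = sign({k: params[k] for k in SIGNED_FIELDS})
    if not hmac.compare_digest(expected, params["sig"]):
        return "rejected: bad signature"   # forged or tampered notification
    if Decimal(params["amount"]) != order["amount"]:
        return "rejected: amount mismatch" # paid for a cheaper basket, then replayed
    if order["status"] != "pending":
        return order["status"]             # replay of an already-applied notification
    order["status"] = "paid" if params["status"] == "approved" else "failed"
    return order["status"]
```

The method check alone would not be a fix: the signature is what ties the notification to the processor, the amount comparison catches a basket that was cheapened before the processor saw it, and the status guard makes a replayed notification a no-op.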
Cardoza WordPress Poll <= 36 - Authenticated SQL Injection
The Cardoza WordPress Poll plugin was vulnerable to authenticated SQL injection in the "poll_id" POST parameter when submitting a poll deletion request. action=delete_poll&poll_id=(SELECT 2822 FROM (SELECT(SLEEP(5)))gsJu)...
JobSearch < 1.5.5 - Unauthenticated Reflected Cross-Site Scripting
An Unauthenticated Reflected XSS vulnerability was discovered in the JobSearch plugin v1.5.4 for WordPress. https://eyecix.com/plugins/jobsearch/?jobtype=%3Cimg%20src%3Dx%20onerror%3Dalert%28%60XSS%60%29%3E...
Multi Scheduler <= 1.0.0 - Arbitrary Record Deletion via CSRF
The lack of a CSRF check could allow an attacker to delete arbitrary records from the plugin (for example Professional ones) via a CSRF attack. The issue is not patched, and has been escalated to the WP plugins team on May 29th, 2020. The PoC will be displayed once the issue has been remediated...
Grimag < 1.1.1 - Open Redirection
The Grimag WordPress theme was affected by an open redirection vulnerability. /wp-content/themes/Grimag/go.php?https://example.com...
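In the go.php?https://example.com shape above, the whole query string is the destination. Added example, not the theme's code: a validator for that query string that only redirects to an allowlisted host or a site-relative path. ALLOWED_HOSTS is an assumed list standing in for the site's own hostnames.

```python
"""Validate a redirect target before emitting a Location header.

Added example, not the theme's code. Mirrors the go.php?<target> shape above, where the
whole query string is the destination URL; ALLOWED_HOSTS is an assumed site host list.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}


def safe_redirect_target(query_string: str, fallback: str = "/") -> str:
    """Return the target if it stays on an allowed host or is site-relative, else fallback."""
    target = unquote(query_string).strip()
    # Browsers treat a backslash in the authority like a slash, so "/\evil.example"
    # would otherwise pass as a path-relative URL and land on evil.example.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback                          # javascript:, data:, vbscript:, ...
    if parts.netloc:
        if (parts.hostname or "") not in ALLOWED_HOSTS:
            return fallback                      # covers "user@evil" and "//evil" tricks too
        return target
    # No authority part: accept only a site-relative path, not a protocol-relative URL.
    if not target.startswith("/") or target.startswith("//"):
        return fallback
    return target
```

Compare on the parsed hostname, never on a string prefix: "https://example.com@evil.example/" and "https://example.com.evil.example/" both start with the trusted name and both end up elsewhere.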
Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints
These flaws allowed any authenticated user, regardless of privilege level, to execute various AJAX actions (23) that could reset site data, inject malicious JavaScript into pages, modify theme customizer data, import .xml and .json files, and activate plugins, among many other actions. Al...
Export Users to CSV <= 1.4.2 - CSV Injection
An attacker can register as a subscriber on a WordPress website and place a malicious formula payload in a user account details field. When an authenticated admin uses the Export Users to CSV plugin to export the details of all users into a CSV file and opens it, the payload ge...
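Added example, not the plugin's code: the export step with each cell neutralised before it is written, so a display name such as =cmd|' /C calc'!A0 is stored as text rather than evaluated by the spreadsheet that opens the file. The user rows are constructed sample data.

```python
"""Neutralise spreadsheet-formula payloads before writing user-supplied data to CSV.

Added example, not the plugin's code; models the export step described above.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@")   # cell starts spreadsheets treat as a formula
CONTROL_TRIGGERS = ("\t", "\r")           # also treated as formula starts by some importers


def neutralise_cell(value: str) -> str:
    """Prefix a formula trigger with a single quote so the cell is imported as text.

    Leading spaces are skipped before the check because ' =cmd' is still interpreted
    as a formula once the importer trims it.
    """
    if value and (value[0] in CONTROL_TRIGGERS or value.lstrip()[:1] in FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_users(users) -> str:
    """Write user rows to CSV with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["user_login", "display_name", "user_email"])
    for user in users:
        writer.writerow([neutralise_cell(str(field)) for field in user])
    return buf.getvalue()


# Constructed sample: self-registered subscribers, two carrying DDE-style payloads.
SAMPLE_USERS = [
    ("alice", "Alice Example", "alice@example.com"),
    ("mallory", "=cmd|' /C calc'!A0", "mallory@example.com"),
    ("trent", "-2+3+cmd|' /C calc'!A0", "trent@example.com"),
]

if __name__ == "__main__":
    print(export_users(SAMPLE_USERS))
```

The prefix also lands on legitimate values that begin with a minus or plus sign, such as phone numbers written as +1 555 0100; for an export meant to be re-imported by machines rather than opened in a spreadsheet, quoting alone is enough and the prefix should be skipped.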
Backup and Staging by WP Time Capsule < 1.21.16 - Authentication Bypass
It is possible to log in as an administrator on the site due to logical mistakes in the code. The issue resides in wptc-cron-functions.php line 12, where it parses the request. This parse_request function calls the function decode_server_request_wptc, which checks if the raw POST payload contains a certa...
Ultimate FAQ < 1.8.30 - Unauthenticated Reflected XSS
The HTML code generated by the FAQ shortcode does not sanitise the Display_FAQ GET parameter, leading to an unauthenticated reflected cross-site scripting issue on pages where the shortcode is used. Append the following payload to a page where a FAQ is embedded: ?Display_FAQ=...
Poll, Survey, Form & Quiz Maker by OpinionStage < 19.6.25 - Unauthenticated Cross-Site Scripting (XSS)
This vulnerability has been seen actively exploited in the wild. http://www.example.com/wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email="><script>alert(1)</script>...
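Several entries above (RobotCPA, Omni Secure Files, MM Forms, OpinionStage) name requests that have been seen in the wild. Added example, not WPScan's or any plugin's code: a small rule set run over constructed Apache combined-format log lines, flagging those probe paths, encoded traversal in the query string, script payloads, and POSTs to upload endpoints.

```python
"""Flag access-log requests that match the in-the-wild probes and payload shapes above.

Added example, not from WPScan or any plugin: a small rule set over constructed
Apache combined-format log lines.
"""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Paths the entries above report as probed or exploited in the wild.
KNOWN_PROBES = {
    "/wp-content/plugins/robotcpa/f.php",
    "/wp-content/plugins/omni-secure-files/plupload/examples/upload.php",
    "/wp-content/plugins/mm-forms/includes/doajaxfileupload.php",
}
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
XSS_RE = re.compile(r"<\s*(?:script|img|svg|iframe)\b|\bon\w+\s*=", re.I)


def analyse_line(line: str):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = unquote(parts.path)
    query = unquote(unquote(parts.query))  # decode twice: double-encoding evades single-pass filters
    findings = []
    if path in KNOWN_PROBES:
        findings.append("known-probe-path")
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
        findings.append("path-traversal")
    if XSS_RE.search(query):
        findings.append("xss-payload")
    if m["method"] == "POST" and path.endswith("upload.php"):
        findings.append("upload-endpoint")
    return {
        "ip": m["ip"],
        "path": path,
        "status": int(m["status"]),
        "succeeded": m["status"] == "200",  # a 200 on a probe path deserves triage first
        "findings": findings,
    }


def analyse_log(text: str) -> list:
    """Parsed lines with at least one finding, in log order."""
    out = []
    for line in text.splitlines():
        r = analyse_line(line)
        if r and r["findings"]:
            out.append(r)
    return out


# Constructed sample log; requests mirror the advisories above, IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2020:10:01:02 +0000] "GET /wp-content/plugins/robotcpa/f.php?l=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2020:10:01:09 +0000] "POST /wp-content/plugins/omni-secure-files/plupload/examples/upload.php HTTP/1.1" 200 44 "-" "python-requests/2.23"
198.51.100.7 - - [10/Jun/2020:10:02:11 +0000] "GET /wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2020:10:03:00 +0000] "GET /wp-content/uploads/2020/06/photo.jpg HTTP/1.1" 200 80213 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        print(hit)
```

A probe that returned 200 is the first thing to triage: for the RobotCPA line that means the response size should be checked against the length of wp-config.php, and for the upload line the plugin's upload directory should be listed for new PHP files. The XSS pattern is deliberately loose and will need tuning on a real log.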
ECPay Logistics for WooCommerce <= 1.2.181030 - Unauthenticated Reflected XSS
The CVSStoreName, CVSAddress, CVSTelephone and CVSStoreID parameters of getChangeResponse.php are affected by reflected XSS issues. The PoC will be displayed once the issue has been remediated...
Custom 404 Pro < 3.2.9 - Authenticated Reflected XSS
The Custom 404 Pro WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. Version...
Travel Booking < 2.7.8.4 - Reflected & Stored XSS
Weak security measures, namely no filtering of input and textarea field data, were discovered in the 'Traveler - Travel Booking WordPress Theme'. Special notes: 1 - The 'Change Avatar' upload field behaves strangely; e.g., you can upload any .PHP file with the extension .php.png and break the profile page. Serve...
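The Quiz and Survey Master, WordPress File Upload and Travel Booking entries above all come down to an upload name such as script.php.jpg or shell.php.png reaching a web root where Apache maps any dot-separated segment to a handler. Added example, not any plugin's code: a name check that rejects an executable extension in any position, allowlists the final extension, and then discards the client name altogether. The allowlist and deny list are assumptions to be adjusted per site.

```python
"""Reject multi-extension uploads that Apache-style handlers would still execute.

Added example, not plugin code. Models the check missing from the uploads described
above; the extension lists are assumptions to be tuned per deployment.
"""
import secrets

ALLOWED_FINAL_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}
# Extensions an Apache AddHandler/AddType line may map to a script handler; Apache
# evaluates every dot-separated segment, so they are dangerous anywhere in the name.
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar", "pht",
    "cgi", "pl", "py", "sh", "jsp", "asp", "aspx", "htaccess",
}


class UploadRejected(ValueError):
    pass


def validate_upload_name(filename: str) -> str:
    """Return a server-chosen storage name, or raise UploadRejected.

    Checks, in order: path components stripped, null bytes, every extension
    segment against EXECUTABLE_EXTS, then the final extension against the allowlist.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part
    if base in ("", ".", "..") or "\x00" in base:
        raise UploadRejected("empty or null-byte name")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("missing extension")
    segments = parts[1:]                  # ['php', 'jpg'] for script.php.jpg
    hit = EXECUTABLE_EXTS.intersection(segments)
    if hit:
        raise UploadRejected(f"executable extension segment: {sorted(hit)}")
    if segments[-1] not in ALLOWED_FINAL_EXT:
        raise UploadRejected(f"extension not allowed: {segments[-1]}")
    # Never store under the client-supplied name: random stem, one vetted extension.
    return f"{secrets.token_hex(8)}.{segments[-1]}"


def is_accepted(filename: str) -> bool:
    try:
        validate_upload_name(filename)
        return True
    except UploadRejected:
        return False
```

The name check is one layer; the upload directory should also sit behind a handler-off configuration (php_flag engine off or an equivalent location block) and be written without execute permission, which the WordPress File Upload entry above shows was the other half of that issue.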
Loco Translate < 2.2.2 - Authenticated LFI
The Loco Translate WordPress plugin appears to have an authenticated LFI vulnerability under the 'Edit Template' functionality. It can be exploited by any user with access to the plugin (access can range from Admin to Subscriber). WPScanTeam note: Was not able to reprodu...
Ultimate Membership Pro 7.4.2 <= 7.5 - Arbitrary media include
In addition to cropping/rotating/resizing an image of your choosing, you can abuse the imgUrl feature on versions where it is available (7.4.2+ at least) to make an HTTP request to any site you want. For example, by having it connect to a site you control, you can determine the IP address of the...
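Both the imgUrl fetch above and the Google Adsense & Hotel Booking proxy.php entry let a caller pick the URL the server will contact. Added example, not either plugin's code: a target check that resolves the host and refuses loopback, private, link-local and IPv4-mapped addresses, including a host whose records mix one internal address among public ones. The resolver is injected so the block runs offline against a constructed DNS table; the hostnames and addresses are assumptions.

```python
"""Reject fetch targets that resolve to loopback, private or link-local addresses.

Added example, not the plugin's code. Takes a resolver callable so it runs offline; a
real deployment connects to the vetted IP rather than re-resolving the hostname, so a
DNS answer that changes between check and connect (rebinding) cannot be used.
"""
import ipaddress
from urllib.parse import urlsplit


def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped              # ::ffff:127.0.0.1 is loopback in disguise
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vet_fetch_target(url: str, resolve) -> str:
    """Return the IP to connect to, or raise ValueError. resolve(host) -> list of IP strings."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP, no DNS needed
    except ValueError:
        ips = resolve(host)
    if not ips:
        raise ValueError("unresolvable host")
    # Every record must be public: one internal A record among public ones is enough
    # for an attacker, since the client may pick any of them.
    bad = [ip for ip in ips if not is_public_address(ip)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return ips[0]


# Constructed resolver standing in for DNS (hostnames and addresses are assumptions).
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "rebind.attacker.example": ["93.184.216.35", "10.0.0.5"],
    "localtest.me": ["127.0.0.1"],
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host.lower(), [])


def check(url: str) -> str:
    try:
        return "allow " + vet_fetch_target(url, fake_resolve)
    except ValueError as e:
        return "deny: " + str(e)
```

Redirects need the same treatment: a fetch library that follows 3xx responses will happily hop from an allowed public host to 169.254.169.254, so either disable redirects or vet each hop with the same function.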
Localize My Post 1.0 - Unauthenticated Local File Inclusion (LFI)
The localize-my-post WordPress plugin was affected by an Unauthenticated Local File Inclusion LFI security vulnerability. http://www.example.com/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd...
All In One Favicon <= 4.6 - Multiple Stored Authenticated XSS
Authenticated stored cross-site scripting (XSS) in 8 parameters: backendApple-Text backendGIF-Text backendICO-Text backendPNG-Text frontendApple-Text frontendGIF-Text frontendICO-Text frontendPNG-Text " "...
Email Subscribers & Newsletters < 3.4.8 - Unauthenticated Subscriber Download
The Email Subscribers & Newsletters – Simple and Effective Email Marketing WordPress plugin was affected by an unauthenticated subscriber download vulnerability. POST /?es=export ... option=view_all_subscribers...
Emag Marketplace Connector 1.0 - Unauthenticated Cross-Site Scripting (XSS)
The Emag Marketplace Connector WordPress plugin was affected by an unauthenticated cross-site scripting (XSS) vulnerability. http://www.example.com/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post="/><script>alert("XSS")</script>...
Active Directory Integration <= 1.1.8 - Authenticated SQL Injection
Type of user access: administrator user. The target needs to have LDAP configured and active. Path Request: /wp-content/plugins/active-directory-integration/syncback.php Line 135: $result = $ADI->bulk_sync_back($_GET['user_id']); $_GET['user_id'] is not escaped. Path Method:...
Multiple Plugins - jQueryFileTree - Unauthenticated Path Traversal
Since no authentication or authorisation checks are made for direct access to jqueryFileTree.php, the vulnerability allows browsing the file system of the host from an unauthenticated context. Even though no file content can be exfiltrated this way, "hidden" files, e.g. in the web...
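The jQueryFileTree entry above, together with the Insert or Embed Articulate Content folder deletion, simple-image-manipulator download, RobotCPA and Localize My Post include entries, all hinge on a client-supplied path being used without confining it to a base directory. Added example, not code from any of those plugins: canonicalise both the base and the candidate and require the candidate to remain inside, which also catches a symlink planted inside the base that points outside it. The directory tree is constructed in a temporary directory.

```python
"""Confine a client-supplied file path to a fixed directory; reject anything that escapes.

Added example, not code from any plugin listed above. Models the check missing from the
delete/rename, download, include and file-tree handlers described on this page.
"""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversal(ValueError):
    pass


def resolve_within(base_dir, user_path: str) -> Path:
    """Return the canonical path of base_dir/user_path, or raise PathTraversal.

    Both sides are canonicalised with resolve(), which expands '..' and follows
    symlinks, so the comparison is on real locations, not on the string the client sent.
    """
    if "\x00" in user_path:
        raise PathTraversal("null byte in path")
    rel = Path(user_path)
    if rel.is_absolute() or user_path.startswith(("/", "\\")):
        raise PathTraversal("absolute path not allowed")
    base = Path(base_dir).resolve()
    candidate = (base / rel).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversal(f"{user_path!r} escapes {base}") from None
    return candidate


def demo() -> dict:
    """Constructed tree: uploads/docs/report.txt inside, wp-config.php one level up.

    Returns, for each URL-encoded request parameter, whether it was allowed or blocked.
    """
    requests = [
        "docs/report.txt",               # legitimate
        "..%2F..%2F..%2Fwp-config.php",   # encoded traversal, as in the LFI entries above
        "../wp-config.php",              # plain traversal
        "/etc/passwd",                   # absolute path
        "link",                          # symlink inside the base pointing outside it
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.txt").write_text("report")
        (Path(tmp) / "wp-config.php").write_text("DB_PASSWORD")
        try:
            (root / "link").symlink_to(Path(tmp) / "wp-config.php")
        except OSError:
            requests.remove("link")      # symlinks unavailable on this platform
        for raw in requests:
            try:
                resolve_within(root, unquote(raw))
                results[raw] = "allowed"
            except PathTraversal:
                results[raw] = "blocked"
    return results
```

Decode the parameter exactly once before the check, as the web server already does for the path and as unquote does here for the query value; stripping "../" substrings instead of canonicalising is the pattern that fails on "....//" and on symlinks.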
WP Statistics <= 12.0.9 - Authenticated Cross-Site Scripting (XSS)
The WP Statistics WordPress plugin was affected by an authenticated cross-site scripting (XSS) vulnerability. http://mywordpress.com/wp-admin/admin.php?page=wps_referrers_page&rangeend=123123"><script>alert(1)</script><a a="...
safe-editor <= 1.1 - Unauthenticated CSS/JS-injection
When saving JS/CSS in this plugin, both the private and the public AJAX hooks are registered. Because of this, anyone can post JS/CSS that is saved to the database and printed in the head and footer of the page. In the file "index.php" in the root folder, on lines 188 and 189, you can see that both privat...
WP Fastest Cache <= 0.8.4.8 - Blind SQL Injection
According to the researcher, for this vulnerability to be present the WP-Polls plugin also needs to be installed...
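The Chained Quiz, WPHRM, Easy Modal, Cardoza Poll, Active Directory Integration and WP Fastest Cache entries above are all the same defect: a request value concatenated into SQL text. Added example, not code from any of those plugins: the WPHRM-style UNION payload run against a string-built query and against the same query with a bound parameter. It uses SQLite, so the schema walk reads sqlite_master where the MySQL payload above reads INFORMATION_SCHEMA.TABLES; the table names and rows are constructed.

```python
"""Union-based injection through a string-built query, beside the bound-parameter form.

Added example, not code from any plugin listed above. Uses SQLite, so the schema walk
reads sqlite_master where the WPHRM payload above reads INFORMATION_SCHEMA.TABLES.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema in the spirit of an HR messaging plugin."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE hr_messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT);
        CREATE TABLE hr_users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO hr_messages VALUES (23, 'hr-team', 'Welcome aboard');
        INSERT INTO hr_users VALUES (1, 'admin', '$P$BfakeHash...');
    """)
    return con


def view_message_vulnerable(con, message_id: str) -> list:
    # Vulnerable: the request parameter is interpolated into the SQL text.
    sql = f"SELECT id, sender, body FROM hr_messages WHERE id={message_id}"
    return con.execute(sql).fetchall()


def view_message_safe(con, message_id: str) -> list:
    # Bound parameter: the value can never become SQL. In WordPress the equivalent is
    # $wpdb->get_results($wpdb->prepare("SELECT ... WHERE id = %d", $id)).
    sql = "SELECT id, sender, body FROM hr_messages WHERE id=?"
    return con.execute(sql, (message_id,)).fetchall()


# Constructed payload with the shape of the WPHRM one: a negative id so the legitimate
# row set is empty, then a UNION that lists tables and lifts a credential into column 3.
PAYLOAD = (
    "-23 UNION SELECT 1, group_concat(name, '<br>'), "
    "(SELECT pass_hash FROM hr_users WHERE login='admin') "
    "FROM sqlite_master WHERE type='table'"
)


def demo() -> dict:
    con = make_db()
    return {
        "legit_safe": view_message_safe(con, "23"),
        "payload_vulnerable": view_message_vulnerable(con, PAYLOAD),
        "payload_safe": view_message_safe(con, PAYLOAD),
    }
```

The time-based variants in the Chained Quiz and Cardoza entries need no column alignment at all, which is why a blind injection is still fully exploitable; binding the parameter, not filtering keywords, is the fix in both cases.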
PowerPress Podcasting < 6.0.5 - Authenticated Cross-Site Scripting (XSS)
By exploiting a cross-site scripting vulnerability the attacker can hijack a logged-in user's session by stealing cookies. This means that the malicious hacker can change the logged-in user's password and invalidate the victim's session while the hacker maintains access. 1. Log in to any...
Ninja Forms <= 2.9.21 - Authenticated Reflected Cross-Site Scripting (XSS)
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin was affected by an authenticated reflected cross-site scripting (XSS) vulnerability. http://www.example.com/wp-admin/admin.php?page=nf-processing&title=<script>alert(123);</script>...
JobMonster < 4.6.6.1 - Directory Listing in Upload Folder
The JobMonster theme was vulnerable to directory listing in the /wp-content/uploads/jobmonster/ folder, as it did not include a default PHP file or an .htaccess file. This could expose personal data such as people's resumes. Although directory listing can be prevented by securely configuring the we...
JobSearch < 1.5.6 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the JobSearch plugin v1.5.5 for WordPress. https://example.com/?%22%3E%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E=%3E...
Monalisa < 2.1.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
An unauthenticated reflected XSS vulnerability was discovered in the Monalisa theme through 2.1.2 for WordPress. https://example.com/reservation/?state=1%22--%3E%3Cimg%20src=x%20onerror=alert(XSS);%3E...
JobSearch < 1.5.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
There is a Cross-Site Scripting vulnerability in the JobSearch plugin. https://eyecix.com/plugins/jobsearch/?searchtitle=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E&ajaxfilter=true&posted=all&sort-by=recent...