BruteBank - WP Security & Firewall < 1.9 - Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. POST /wp-admin/admin.php?page=brutebank-settings HTTP/1.1 publickey=site.a%22%2522aaaa%3Daaa&secretkey=aaa&update=Update...
Splash Header < 1.20.8 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. Put the following payload in the "Note title" and "Note message" settings of the plugin: "alert/XSS-Title/ and alert/XSS-Msg/ Th...
YARPP - Yet Another Related Posts Plugin < 5.30.3 - Subscriber+ SQLi
The plugin does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks. Run the command below in the developer console of the web browser while being on the blog...
Image Hover Effects Ultimate < 9.7.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation in its REST API endpoints, one of which could allow unauthenticated attackers to update arbitrary blog options. The original report mentioned the issue being fixed in 9.6.2, however it was still possible for attackers to exploit it and proper remediation h...
Podcast Importer SecondLine < 1.3.8 - Admin+ SQLi
The plugin does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by importing a malicious podcast file. Put the XML below on a web server, replacing the PAYLOAD with the correct one, then import a podcast...
GeoDirectory Location Manager < 2.1.0.10 - Multiple Unauthenticated SQL Injections
In the plugin, the AJAX action gdpopularlocationlist did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues. The prerequisite to exploiting this vulnerability is finding a page on the vulnerable si...
FooGallery < 2.0.35 - Authenticated Stored Cross-Site Scripting
In the plugin, the Custom CSS field of each gallery is not properly sanitised or validated before being output in the page where the gallery is embedded, leading to a stored Cross-Site Scripting issue. Create or edit a gallery and add the following payload in the Custom CSS field: Then, view t...
Ultimate Maps by Supsystic < 1.2.5 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue. /wp-admin/admin.php?page=ultimate-maps-supsystic&tab="onmouseover=alert1//...
Passster < 3.5.5.9 - Protection Bypass & Arbitrary Post Access
The plugin does not properly check the password, nor that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by the plugin and access arbitrary posts, such as private content, by sending a specifically crafted request. The nonce can be retrieve...
Advanced Access Manager < 6.8.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in any of the plugin's settings with a text input: - v alert/XSS/ - v...
Quiz And Survey Master < 7.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the Quiz Url Slug setting: "alert/XSS/ Create ...
Appointment Hour Booking < 1.3.16 - Authenticated Stored Cross-Site Scripting
The plugin does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create a new Calendar (Appointment Hour Booking > Add new) and put the following payload in the Form Settings...
WP Google Maps < 8.1.12 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise, validate or escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. Note: The vendor attributed the issue in the changelog to the wrong reporter (us, WPScan), as we reported it on behalf of th...
WP Cerber < 9.3.3 - User Enumeration Bypass via Rest API
The plugin does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users when the "Block access to users' data via REST API" setting is enabled...
Block and Stop Bad Bots < 6.62 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue. POST /wp-admin/admin.php?page=sbbmy-custom-submenu-page HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8...
Vik Rent Car < 1.1.10 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admins to place an XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue. Add or Edit a Characteristic...
Gallery From Files <= 1.6.0 - Unauthenticated RCE
The upload feature of the plugin does not properly check the allowed extensions: it lets them be set in the request and attempts to remove dangerous ones such as .php and .js, but forgets about .php4, .html, etc. As a result, unauthenticated users could upload arbitrary .php4 file...
WP Customer Reviews < 3.4.3 - Multiple Unauthenticated and Low Priv Authenticated Stored XSS
Multiple stored cross-site scripting vulnerabilities in WP Customer Reviews 3.4.2 and lower allow remote attackers to inject arbitrary JavaScript code or HTML. If WP Customer Reviews is enabled on a page, an unauthenticated attacker can exploit XSS via the review form's parameters: - Reviewer Name -...
SMTP Mail < 1.2 - Reflected Cross-Site Scripting (XSS)
The plugin does not escape its page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. alert/XSS/' /...
OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API
The plugin does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS files with Google Fonts CSS, or download fonts uploaded on the Google Fonts website. Access the URL below as an unauthenticated...
CBX Petition for WordPress <= 1.0.3 - Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. 1. Create and publish a new petition. 2. Invoke the following curl command, with the nonce in place, to induce a...
Ocean Extra < 2.0.5 - Admin+ PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP Object Injection issues when a high privilege user imports, intentionally or not, a malicious Customizer Styling file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following co...
Meteor Slides < 1.5.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. meteorslidesh...
Formidable Forms < 6.1 - IP Spoofing
The plugin uses several potentially untrusted headers to determine the IP address of the client, leading to IP address spoofing and bypass of anti-spam protections. 1. In WordPress's Settings > Discussion page, add your IP address to the Disallowed Comment Keys field. This will block form submissio...
My Site Audit <= 1.2.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. Create an audit with the...
Wholesale Market for WooCommerce < 2.0.0 - Admin+ Arbitrary Log Download
The plugin does not validate user input against path traversal attacks, allowing high privilege users such as admins to download arbitrary logs from the server even when they should not be able to (for example in a multisite setup). First call...
Photo Gallery < 1.5.79 - Stored XSS via Uploaded SVG in Zip
The plugin did not ensure that uploaded SVG files inside a Zip archive added to a gallery do not contain malicious content. As a result, users allowed to add images to a gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly, i.e. in the...
WBW Currency Switcher for WooCommerce < 1.6.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). In the plugin's settings, WooCommerce > Settings...
Limit Login Attempts < 4.0.50 - Unauthenticated Stored Cross-Site Scripting
The plugin does not escape the IP addresses of attempted logins, which can be controlled by an attacker via headers such as X-Forwarded-For, before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue. POST /wp-login.php HTTP/1.1 Accept:...
Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure
The plugin does not have authorisation in its vczapigetwpusers AJAX action, allowing any authenticated user, such as a subscriber, to download the list of email addresses registered on the blog. Open the following URL as a subscriber: https://example.com/wp-admin/admin-ajax.php?action=vczapigetwpuse...
Game Server Status <= 1.0 - Admin+ SQL Injection
The plugin does not validate or escape the serverid parameter before using it in a SQL statement, leading to an Authenticated SQL Injection in an admin page. sqlmap -u "https://example.com/wp-admin/admin.php?page=grohsfabian-add-game-servers&serverid=1" -p serverid --dbms mysql --cookie your cookie...
Afterpay Gateway for WooCommerce < 3.2.1 - Reflected Cross-Site Scripting
The plugin has sample files from the https://github.com/afterpay/sdk-php library, which do not escape some parameters before outputting them in attributes, leading to Reflected Cross-Site Scripting issues...
Realteo < 1.2.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The plugin, used by the Findeo Theme, did not properly sanitise the keywordsearch, searchradius, bedrooms and bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue...
Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the miccomment field (Notes on time) when adding/editing an event, allowing users with privileges as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. Edit WPScanTeam January 22nd, 2021...
Frontend File Manager < 21.4 - File Upload via CSRF
The plugin does not have a CSRF check when uploading files, which could allow attackers to make logged-in users upload files on their behalf. The file won't show up via the frontend/backend, but will be uploaded to the user folder, i.e. in wp-content/uploads/useruploads//payload.pdf...
Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection
The plugin does not validate and escape the bwgtagidbwgthumbnails0 parameter before using it in a SQL statement via the bwgfrontenddata AJAX action, available to unauthenticated and authenticated users, leading to an unauthenticated SQL injection...
Simple Download Monitor < 3.9.6 - Unauthenticated Log Access
The plugin saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users from downloading and reading the logs, which contain sensitive information such as IP addresses and usernames...
WP Sitemap Page < 1.7.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payloads in the mentioned settings of the plugin: - How to display the pos...
Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure
The plugin is affected by timing attacks in the validation function for all API requests, due to the use of plain comparison operators to verify API keys against the ones stored in the site options. - Install the plugin and set the API credentials to: - Key:...
Frontend File Manager < 21.4 - Arbitrary Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. As the plugin does not validate the allowed file types, this could lead to attackers making admins allow PHP files to be uploaded by any...
Classima < 2.1.11 - Reflected Cross-Site Scripting
The theme and some of its required plugins do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting. https://example.com/all-ads/?q="+onmouseover%3Dalert%281%29+id%3Dx+tabindex%3D0+style%3Ddisplay%3Ablock The XSS will be triggered when the user...
Cool Tag Cloud < 2.26 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the style attribute of the cooltagcloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. cooltagcloud style='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert/XSS/'...
Bitcoin / AltCoin Payment Gateway for WooCommerce < 1.6.1 - Reflected Cross-Site Scripting
The plugin does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=cs-woo-altcoin-all-coins&s="alert/XSS/...
Cooked < 1.7.9.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to Unauthenticated Reflected Cross-Site Scripting (XSS). For clarification, this vulnerability is separate from the similar vulnerability CVE-2021-24233. The PoC will be displayed once the issue has been remediated...
WP Ultimate CSV Importer < 6.4.1 - Subscriber+ Arbitrary File Upload
The plugin does not have authorisation and CSRF checks when uploading zip files via the zipupload AJAX call, and does not perform any check on the files to be extracted. As a result, any authenticated user, such as a subscriber, could upload an archive with PHP files in it, leading to RCE. As any...
WPBakery Page Builder Clipboard < 4.5.6 - Subscriber+ Stored Cross-Site Scripting (XSS)
An AJAX action registered by the plugin did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages. Version 4.5.6 fixed the XSS issue with sanitization of the parameters, but did not fix t...
WP Ultimate CSV Importer < 6.5.3 - Admin+ Blind SSRF
The plugin does not fully validate the file to be imported via a URL before making an HTTP request to it, which could allow high privilege users such as admins to perform Blind SSRF attacks. Put an internal/LAN URL, such as the one below, in the "file upload by URL" function: https://127.0.0.1:8080...
BadgeOS <= 3.7.0 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to a SQL Injection exploitable by unauthenticated users. curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get-achievements&totalonly=true&userid=11 AND SELECT 9628...
Tabs < 3.6.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation in its REST API endpoints, one of which could allow unauthenticated attackers to update arbitrary blog options...
Recipe Card Blocks < 2.8.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not properly sanitise or escape some of the properties of the Recipe Card Block such as ingredientsLayout, iconSet, steps, ingredients, recipeTitle, or settings, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. As a...