MiniMax <= 2.0.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The page-layout-builder WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/page-layout-builder/includes/layout-settings.php?layoutsettingsid="alert1;"...
EZ SQL Reports <= 4.11.33 - Authenticated Arbitrary File Download
The plugin allows a WordPress site administrator or collaborator to download arbitrary files from the host file system through the plugin's functionality for downloading .sql, .sql.zip or .sql.gz files created by the WordPress administrator. The file name to download is not sanitized and path travers...
Hide My WP <= 4.53 - Stored Cross-Site Scripting (XSS)
An attacker can make a fake attack attempt which will be logged, and can inject JavaScript. curl --referer 'you are using bad filtering for input ript alert"XSS here" ript; :; ;' http://example.com...
Candidate Application Form <= 1.3 - Unauthenticated Arbitrary File Download
Plugin is still affected and has been closed. The code in downloadpdffile.php does not do any sanity checks, allowing a remote attacker to download sensitive system files. $ curl...
Swim Team <= v1.44.10777 - Local File Inclusion
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files. $ curl...
WP Mobile Detector <= 3.2 - Stored Cross-Site Scripting (XSS)
The WP Mobile Detector plugin exposes the AJAX action ‘websitezoptions’ to all registered users on line 78 of wp-mobile-detector/websitez-wp-mobile-detector.php. Providing specially crafted form values results in a persistent XSS attack on mobile visitors. import requests s = requests.session...
Simple Share Buttons Adder <= 6.0.0 - Reflected Cross-Site Scripting (XSS)
A reflected XSS in "Simple Share Buttons Adder" before version 6.0.1 led to a reflected cross-site scripting vulnerability on all pages where the "Simple Share Buttons Adder" was added (usually all blog posts). Exploitation required that the browser did not encode the parameters sent to the server...
NextScripts: Social Networks Auto-Poster < 3.4.18 - CSRF to Stored XSS
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to a persistent XSS attack on the settings screen, due to a lack of sanitization of user input and the lack of a Cross-Site Request Forgery nonce token. If a page containing the following form is visited by an administrative...
Auberge Theme <= 1.4.4 - DOM Cross-Site Scripting (XSS)
The Auberge WordPress theme was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/themes/auberge/genericons/example.html...
Exquisite Ultimate Newspaper Theme <= 1.3.3 - DOM Cross-Site Scripting (XSS)
The exquisite-wp WordPress theme was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/...
Mashshare <= 2.3.0 - Information Disclosure
The Mashshare plugin exposes a few AJAX commands via its own custom hook, which can be found in the file ‘includes/admin/admin-actions.php’, and the function ‘mashsbprocessactions’. This function is called upon the ‘admin_init’ action being fired, which can be triggered by anyone when visiting the...
Tune Library <= 1.5.4 - SQL Injection
The Tune Library WordPress plugin was affected by a SQL Injection security vulnerability. http://www.example.com/?pageid=2&artistletter=G' UNION ALL SELECT CONCATWSCHAR59,version,currentuser,database,2--%20...
WP Mobile Edition <= 2.2.7 - Remote File Disclosure
The plugin is not filtering data in GET parameter 'files' in file 'themes/mTheme-Unus/css/css.php' http://www.example.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php...
MiwoFTP - File & Folder Manager <= 1.0.4 - Arbitrary File Disclosure
A hook is added to ‘init’ in the file ‘miwoftp/miwoftp.php’. This hook is triggered whenever a user visits the front end of the site. The function specified in this hook will proceed to allow the user to download a file within the scope of the home directory of the site. Various values from the G...
Specialist by Templatic - CSRF File Upload
The specialist WordPress theme was affected by a Templatic Theme CSRF File Upload security vulnerability. File Access: https://example.com/wp-content/themes/specialist/images/tmp/yourshell.php...
BSK PDF Manager < 1.5 - Multiple Authenticated SQL Injections
The plugin did not use prepared statements with the categoryid and pdfid parameters when viewing the /wp-admin/admin.php?page=bsk-pdf-manager and /wp-admin/admin.php?page=bsk-pdf-manager-pdfs pages, leading to authenticated SQL injection issues...
WP eBay Product Feeds < 1.2 - Cross-Site Scripting via rss_url Parameter
The WP eBay Product Feeds WordPress plugin was affected by a Cross-Site Scripting via rss_url Parameter security vulnerability. http://localhost/wordpress/wp-content/plugins/ebay-feeds-for-wordpress/magpie/scripts/magpie_slashbox.php?rss_url=%3Cscript%3Ealert%281%29%3C/script%3E...
Affiliate Manager < 2.7.8 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly validate and sanitise data passed to the affiliate-register form, allowing unauthenticated users to set XSS payloads in some of its fields. The payloads are then triggered when privileged users, such as admins, view the created affiliate in the backend. As an...
Click to Top < 1.2.8 - Authenticated Stored Cross-Site Scripting
The Type scroll text field in the plugin settings page was found to be vulnerable to stored XSS, as the plugin did not sanitize user-supplied input properly before publishing the changes. It is triggered when a user loads any page on the website. All WordPress websites using the Click to Top WordPress plugin...
Real Estate 7 < 2.9.1 - Stored XSS & IDOR
The 'Real Estate 7' premium WordPress theme is vulnerable to persistent XSS injection that allows an attacker to inject JavaScript or HTML code into the website front-end. There is also an Insecure Direct Object Reference issue, allowing unauthorized users to edit listings they should not have...
Service Finder Booking < 3.2 - Unauthenticated Local File Disclosure
The premium Service Finder Booking WordPress plugin was vulnerable to a Local File Disclosure vulnerability that could allow unauthenticated users to include arbitrary files on the server. http://victim.com/wp-content/plugins/sf-booking/lib/downloads.php?file=/index.php...
WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)
Choose a file ending with .phtml. After doing this, the uploaded file can be accessed at, say: http://example.com/wp-content/uploads/wpsp/1510248571filename.phtml...
Events <= 2.3.4 - Authenticated SQL Injection
Type of user access: administrator user. $_GET['edit_event'] is not escaped. File / Code: Path Request: /wp-content/plugins/wp-events/wp-events.php Line : 450 – 468 if ( isset( $_GET['edit_event'] ) ) $event_edit_id = esc_attr( $_GET['edit_event'] ); ... $edit_event = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}events WHERE id =...
MailChimp for WordPress <= 4.1.6 - Authenticated Cross-Site Scripting (XSS)
Use of the output of add_query_arg() without escaping in various places in the WordPress backend leads to a reflected XSS vulnerability. URL/wp-admin/admin.php?page=mailchimp-for-wp-integrations&"alert1...
BP Profile Search <= 4.5.3 - PHP Object Injection
The plugin bp-profile-search insecurely trusts serialized data submitted over HTTP requests. This opens the site up to a potential PHP object injection exploit vector. This vulnerability was patched in version 4.6; the information is being released now as the disclosure period has expired...
WordPress Zero Spam <= 2.1.1 - Unauthenticated Blind SQL Injection
The WordPress Zero Spam plugin was affected by an Unauthenticated Blind SQL Injection security vulnerability. HTTP request header: Client-IP: '+select0fromselectsleep10v+'...
Contus Video Comments - Unauthenticated Remote JPG File Upload
The contus-video-comments WordPress plugin was affected by an Unauthenticated Remote JPG File Upload security vulnerability. curl --data @image.jpg "http://www.example.com/wp-content/plugins/contus-video-comments/save.php?id=../image"...
Easy Contact Form Builder <= 1.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The tidio-form WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/tidio-form/popup-insert-help.php?formId="alert1;"...
YAWPP <= 1.2.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
The yawpp WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting XSS security vulnerability. POST /wordpress-4.3/?p=4 HTTP/1.1 Host: wp.lab User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.10; rv:42.0 Gecko/20100101 Firefox/42.0 Accept:...
Auto ThickBox Plus <= 1.9 - Reflected Cross-Site Scripting (XSS)
The auto-thickbox-plus WordPress plugin was affected by a Reflected Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/auto-thickbox-plus/download.min.php?file=%3Cscript%3Ealert%281%29%3C/script%3E...
Floating Social Bar <= 1.1.5 - Cross-Site Scripting (XSS)
The Floating Social Bar WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-admin/admin-ajax.php?action=fsbsaveorder&items1="alert"XSS";...
Anti-Malware & Brute-Force Security by ELI <= 4.15.22 - Stored XSS
The Anti-Malware and Brute-Force Security by ELI plugin has two issues, which we will cover in this report. The first is that no CSRF nonce token is used on the settings screen. This could potentially result in resource exhaustion by performing a large number of scans simultaneously, should an...
My Calendar <= 2.3.29 - Arbitrary File Override & Reflected XSS
The file override vulnerability allows an admin to override any file on the web server, ignoring settings such as DISALLOW_FILE_EDIT. Arbitrary File Override ----------------------- POST http://localhost/wordpress/wp-admin/admin.php?page=my-calendar-styles Post Data: wpnonceavalidnonce...
Indieweb Post Kinds <= 1.3.1 - DOM Cross-Site Scripting (XSS)
The Post Kinds WordPress plugin was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/indieweb-post-kinds/genericons/example.html...
Media File Manager Advanced <= 1.1.5 - Multiple Vulnerabilities
Media File Manager Advanced allows any authenticated user to execute administrator actions due to weak permission checks. An attacker is able to delete/update posts, create/remove/list directories, move/rename/delete files, and perform blind SQL injection and cross-site scripting. Pos...
WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)
WordPress 4.1.5 and 4.2.2 remove the Genericons example file, which came bundled with the twentyfifteen theme and is vulnerable to DOM-based Cross-Site Scripting XSS. http://www.example.com/wp-content/themes/twentyfifteen/genericons/example.html1...
Facebook Page Photo Gallery <= 2.0.9 - DOM Cross-Site Scripting (XSS)
The facebook-page-photo-gallery WordPress plugin was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/prettyPhotormsg0d/2,/...
Pie Register 2.0.14-2.0.15 - Privilege Escalation
User input is not validated correctly when accepting a login request via the Pie Register plugin. It is possible to manipulate posted variables in order to log in using an arbitrary user ID, such as 1 for the default administrative account. import requests target="http://localhost" payload =...
Ptengine <= 1.0.1 - Reflected Cross-Site Scripting (XSS)
The ptengine-real-time-web-analytics-and-heatmap WordPress plugin was affected by a Reflected Cross-Site Scripting XSS security vulnerability...
WordPress Uninstall <= 1.1 - WordPress Deletion via CSRF
Any registered user can delete all WordPress database tables and files. This request makes it possible: http://wp.dev/wp-admin/admin-ajax.php?action=uninstall...
Tinymce Thumbnail Gallery <= 1.0.7 - download-image.php Local File Inclusion
The Tinymce Thumbnail Gallery WordPress plugin was affected by a download-image.php Local File Inclusion security vulnerability. As seen in access logs: http://www.example.com/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?href=../../../../wp-config.php...
WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected XSS
The last time it was checked the plugin was still affected and had been closed. http://www.example.com/wp-content/plugins/swipehq-payment-gateway-woocommerce/test-plugin.php?apiurl=apiurl%27%3E%3Cscript%3Ealert%284%29%3C/script%3E...
Ultimate Weather Plugin <= 1.0 - Unauthenticated Reflected XSS
The last time it was checked the plugin was still affected and had been closed. http://www.example.com/wp-content/plugins/ultimate-weather-plugin/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E...
Contextual Related Posts < 2.9.4 - CSRF Nonce Validation Bypass
The plugin does not properly check the CSRF nonce in the export and import features, which could allow attackers to make logged-in administrators perform those actions via a CSRF attack. To bypass the nonce validation, just don't send the crpexportsettingsnonce or...
Sell Photo <= 1.0.5 - Authenticated Stored Cross-Site Scripting
The Button Text/Image field in the Settings page of the Sell Photos plugin was found to be vulnerable to stored XSS, as the plugin did not sanitize user-supplied input properly. It is triggered when a user loads a page where the plugin is used, and when an admin opens the settings page of the plugin. The PoC will be...
Colorbox Lightbox <= 1.1.2 - Authenticated Stored Cross-Site Scripting
The ‘hyperlink’ field used while linking an image from a URL was found to be vulnerable to stored XSS, as the plugin did not sanitize user-supplied input properly before publishing the post. It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using...
Prolisting - Directory Listing < 1.27 - Unauthenticated Reflected XSS
An unauthenticated reflected XSS vulnerability was discovered in the Prolisting - Directory Listing WordPress theme (tested version: v1.2). https://demoapus.com/prolisting/listings/?searchdistance=%22%3E%3Cimg%20src=x%20onerror=alertXSS%3E...
Fruitful Theme < 3.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The Fruitful WordPress theme, version 3.8 and possibly below, was affected by an unauthenticated Reflected Cross-Site Scripting XSS vulnerability. The vulnerability was patched in version 3.8.1 of the theme, although the changelog only mentions: "Bug fix: Fixed issues on comment form". Add a...
Sassy Social Share <= 3.3.3 - Cross-Site Scripting (XSS)
AJAX endpoints which return JSON data have no Content-Type header set and use the default text/html, so any JSON that contains HTML will be rendered as such. The PoC URL uses the unauthenticated action "heateorssssharingcount": http://WORDPRESSDOMAINHERE/wp-admin/admin-ajax.php?action=heateorssssharingcount&urls=...
Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS
Reflected XSS in the base64-encoded fwurl parameter, triggered when the plugin has been used for 30 days and shows a donation notice. https:///wp-admin/options-general.php?page=smae&smaeaction=remind&fwurl=Iyc7YWxlcnQoL1hTUy8pOy8v...