Jock on air now < 5.6.3 - Authenticated Stored Cross-Site Scripting
The plugin does not properly sanitise and escape some Show parameters before outputting them in pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Vulnerable parameters: linkURL (some validation is done and...
FluentAuth < 1.0.2 - Bypass blocks by IP Spoofing
The plugin prioritizes getting a visitor's IP address from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass the IP-based blocks set by the plugin. Set HTTP_X_REAL_IP, HTTP_X_FORWARDED_FOR, HTTP_CF_CONNECTING_IP or HTTP_CLIENT_IP to spoof the IP address...
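The header-priority mistake described above, and the fix, as an added example (this is not FluentAuth's code, and the header lookup order, the trusted-proxy list and the request dictionaries are assumptions). `client_ip_vulnerable()` consults proxy-style headers before `REMOTE_ADDR`, so the client chooses the address the block list evaluates. `client_ip_hardened()` only believes `X-Forwarded-For` when the TCP peer is a proxy the operator has declared trusted, and then walks the chain from the right to the first hop the trusted proxies did not add themselves, which defeats a client that prepends a fake entry:

```python
# Added example, not the plugin's code. Header names mirror PHP's $_SERVER keys;
# the trusted-proxy network and the sample requests are constructed.
import ipaddress

# Lookup order assumed for the vulnerable variant.
SPOOFABLE_HEADERS = ("HTTP_X_REAL_IP", "HTTP_X_FORWARDED_FOR",
                     "HTTP_CF_CONNECTING_IP", "HTTP_CLIENT_IP")


def client_ip_vulnerable(server):
    """Header-first resolution: any client can set these headers."""
    for key in SPOOFABLE_HEADERS:
        value = server.get(key, "")
        if value:
            return value.split(",")[0].strip()
    return server["REMOTE_ADDR"]


def _trusted(addr, trusted_proxies):
    return any(addr in net for net in trusted_proxies)


def client_ip_hardened(server, trusted_proxies):
    """Only honour X-Forwarded-For when the TCP peer is a trusted proxy."""
    peer = ipaddress.ip_address(server["REMOTE_ADDR"])
    if not _trusted(peer, trusted_proxies):
        # Direct connection or unknown proxy: the headers are client-controlled.
        return str(peer)
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    # The rightmost entry was appended by our proxy. Skip trusted hops from the
    # right and stop at the first address we did not add ourselves.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed chain: fall back to the socket address
        if not _trusted(addr, trusted_proxies):
            return str(addr)
    return str(peer)


def is_blocked(ip, blocklist):
    return ipaddress.ip_address(ip) in [ipaddress.ip_address(b) for b in blocklist]


# Constructed requests for illustration.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKLIST = ["198.51.100.7"]

# A blocked client connecting directly and claiming to be someone else.
DIRECT_SPOOF = {"REMOTE_ADDR": "198.51.100.7",
                "HTTP_X_FORWARDED_FOR": "203.0.113.9"}

# The same client behind the site's own reverse proxy, prepending a fake hop.
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.5",
             "HTTP_X_FORWARDED_FOR": "203.0.113.9, 198.51.100.7"}

if __name__ == "__main__":
    for name, req in (("direct", DIRECT_SPOOF), ("via proxy", VIA_PROXY)):
        v = client_ip_vulnerable(req)
        h = client_ip_hardened(req, TRUSTED)
        print(f"{name}: vulnerable sees {v} (blocked={is_blocked(v, BLOCKLIST)}), "
              f"hardened sees {h} (blocked={is_blocked(h, BLOCKLIST)})")
```

The practical check when reviewing any IP-based block: find where the plugin reads `$_SERVER`, and confirm it never prefers a header over `REMOTE_ADDR` unless the deployment actually sits behind a proxy that overwrites that header.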
Affiliates Manager < 2.9.14 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the "Currency Symbol" setting of the plugin and save: " Other settings...
Multiple Plugins - Reflected Cross-Site Scripting via PHPRelativePath Library
The plugins are using the PHPRelativePath library, which contains an example file affected by a Reflected Cross-Site Scripting issue: POST /wp-content/plugins/mpl-publisher/vendor/grandt/relativepath/RelativePath.Example1.php HTTP/1.1 Accept:...
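An audit step for the class of issue above (dependencies shipping web-reachable example scripts under `vendor/`), as an added example that is not WPScan's or any listed plugin's code. It walks a plugin tree, flags PHP files under `vendor/` whose names look like examples, and notes which of them read request input, since those are the ones to remove or deny first. The name heuristics and the sample tree are constructed assumptions:

```python
# Added example, not from the page or the plugins it lists.
import os
import re
import tempfile

# Coarse filename heuristic for shipped examples; tune for your dependency set.
EXAMPLE_NAME = re.compile(r"example|demo|sample|\btest", re.IGNORECASE)
# Files that touch request input are directly reachable attack surface.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|SERVER)\b")


def find_shipped_examples(plugin_root):
    """Return (plugin-relative path, reads_request_input) for suspicious PHP files under vendor/."""
    hits = []
    vendor = os.path.join(plugin_root, "vendor")
    for dirpath, _dirs, files in os.walk(vendor):
        for name in files:
            if not name.lower().endswith(".php") or not EXAMPLE_NAME.search(name):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                reads_input = bool(REQUEST_INPUT.search(fh.read()))
            rel = os.path.relpath(full, plugin_root).replace(os.sep, "/")
            hits.append((rel, reads_input))
    return sorted(hits)


def build_sample_tree():
    """Constructed plugin layout mirroring the vendor path quoted in the entry above."""
    root = tempfile.mkdtemp(prefix="mpl-publisher-")
    layout = {
        "mpl-publisher.php": "<?php // plugin bootstrap",
        "vendor/grandt/relativepath/RelativePath.php": "<?php // library code",
        "vendor/grandt/relativepath/RelativePath.Example1.php": "<?php echo $_POST['path'];",
        "vendor/foo/demo.php": "<?php echo 'static demo';",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reads_input in find_shipped_examples(build_sample_tree()):
        print(f"{rel}  reads request input: {reads_input}")
```

Run it against `wp-content/plugins/<plugin>` on a real install; anything it lists is served by the web server exactly like the plugin's own entry points, so either delete it in the build or add a deny rule for the `vendor/` tree.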
Business Hours Indicator < 2.3.5 - Authenticated Stored XSS
The plugin does not sanitise or escape its "Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue. Put the following payload in the "Now closed message" setting and save: <script>alert(/XSS/)</script> Then refresh the setting...
Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)
The plugin allows uploading images to the server, but filenames are not properly sanitised before being output in an error message when they have an invalid extension, leading to a Reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also b...
Wholesale Market for WooCommerce < 1.0.8 - Admin+ Arbitrary File Download
The plugin does not validate user input used to generate a system path, allowing high privilege users such as admin to download arbitrary files from the server even when they should not be able to (for example in multisite). First call...
WordPress to Hootsuite (< 1.3.9) & Buffer (< 3.7.5) - Reflected Cross-Site Scripting
The plugins do not properly sanitise and escape user input before outputting it back in pages and attributes, which could lead to reflected Cross-Site Scripting issues: https://example.com/wp-admin/admin.php?page=wp-to-buffer-log&s=<script>alert(/XSS/)</script>...
Pie Register < 3.8.1.3 - Unauthenticated Arbitrary User Deletion
The plugin does not have authorisation and CSRF checks when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users along with their posts. Invoke the following curl command to delete the user with ID 2: curl https://example.com/wp-admin/admin-ajax.php --dat...
Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi
The plugin does not validate IDs before using them in a SQL statement, which could lead to a SQL injection exploitable by high privilege users such as admin. When deleting scan logs at /edit-comments.php?page=ct_check_spam_logs, intercept the request and change the spam_ids parameter to...
Qwizcards < 3.62 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitise and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Within Settings > Qwizcards > Qwizcards Option, put the following payload in the Qwizcards-content HTML...
Email Artillery <= 4.1 - Arbitrary File Upload
The plugin does not properly check the files uploaded via the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing the issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess denyin...
Form Maker by 10Web < 1.15.6 - Admin+ SQLI
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. Create/edit a form, go to Settings > MySQL Mapping, i.e...
WP Mapa Politico Espana < 3.7.0 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in any of the Maps > Zona setting fields, such as A Coruña:...
Ninja Forms < 3.6.22 - Reflected XSS
The plugin does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open...
WP Google Review Slider < 11.8 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber. Run the following code in the browser console on any WP Admin page: fetch('/wp-admin/admin-ajax.php', {method: 'POST',...
Product Slider for WooCommerce < 2.5.7 - Subscriber+ Arbitrary Options Deletion
The plugin has flawed CSRF checks and lacks authorisation in some of its AJAX actions, allowing any authenticated user, such as subscriber, to call them. One in particular could allow them to delete arbitrary blog options. fetch("/wp-admin/admin-ajax.php", {"headers": {"content-type":...
uListing < 2.0.6 - Multiple CSRF
The plugin is lacking proper CSRF checks in multiple protected actions within wp-admin pages, leaving them vulnerable to CSRF attacks. PoC | CSRF | Add/Edit Pricing Plans: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: [agent or admin cookies] User-Agent: Mozilla/5.0 Content-Type:...
Tickera < 3.5.1.0 - Plugin Data Deletion via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. 1. Navigate to Tickera Settings » Delete info 2. Intercept the Delete info request, like: POST...
Better Find and Replace < 1.2.9 - Reflected Cross-Site Scripting
The plugin does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-admin/admin.php?page=cs-all-masking-rules&s=<script>alert(/XSS/)</script>...
Envira Gallery Lite < 1.8.3.3 - Authenticated Stored Cross-Site Scripting
The plugin does not properly sanitise the image metadata (namely the title) before outputting it in the generated gallery. This allows privileged accounts such as editor+ to perform XSS attacks, even without the unfiltered_html capability, against users visiting the gallery in the frontend. As an...
Pods < 2.7.29 - Multiple Authenticated Stored Cross-Site Scripting (XSS)
The plugin is vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in multiple parameters. 1. Go to /wp-admin/admin.php?page=pods 2. Edit one of the pods 3. Choose the "Labels" menu 4. In the "Label", "Singular Label", "Add New", or "All" input field, you can inject an XS...
Simple Post <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the Text value submitted by an authenticated user, and does not escape it when outputting it to the browser, leading to an Authenticated Stored Cross-Site Scripting (XSS) issue. 1. Install WordPress 5.7.2 2. Install and activate Simple Post 3. Navigate to...
Advanced Order Export For WooCommerce < 3.1.8 - Reflected Cross-Site Scripting (XSS)
The plugin exports WooCommerce order data. The tab parameter of its admin page is vulnerable to reflected XSS: wp-admin/admin.php?page=wc-order-export&tab=<script>alert(/XSS/)</script>...
Fonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the blockType argument combined with the content, align, color, variant and fontID arguments of a Gutenberg block. As a contributor, put the...
SMS Alert Order Notifications – WooCommerce < 3.4.7 - Authenticated Cross Site Scripting
The plugin is affected by a Cross-Site Scripting (XSS) vulnerability in its settings page. Enter the payload below as the "SMS Alert Username" in the plugin's settings: "+onfocus="alert(1)"+autofocus=" You will observe that the JavaScript payload successfully got reflected and we are...
PhoneTrack Meu Site Manager <= 0.1 - Authenticated Stored XSS
The plugin does not sanitise or escape its "phpid" setting before outputting it back in an attribute in the page, leading to a Stored Cross-Site Scripting issue. Put the following payload in the "phpid" field in the plugin's settings (/wp-admin/options-general.php?page=phtmanager): "><script>alert(/XSS/)</script>...
Select All Categories and Taxonomies < 1.3.2 - Reflected Cross-Site Scripting (XSS)
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue: https://example.com/wp-admin/options-general.php?page=moove-taxonomy-settings&tab=" onMouseOver="alert(1);...
Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
The plugin did not properly restrict access to the export files, allowing unauthenticated users to export all events data, in CSV or XML format for example. https://drive.google.com/file/d/1lLEXDyPp4LcKoCOqYS7A-0YgpIQD-ND/view?usp=sharing...
Ivory Search < 4.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the post parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. The data parameter was also affected, although it was not reported...
Live Scores for SportsPress < 1.9.1 - Reflected Cross-Site Scripting
The plugin does not sanitise the lsfs_match_date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-admin/edit.php?post_type=sp_event&page=lsfs-live-matches&lsfs_match_date="><script>alert(/XSS/)</script>...
Jock on air now < 5.6.2 - Reflected Cross-Site Scripting
The plugin does not escape $_SERVER['PHP_SELF'] before outputting it back in an attribute in its settings page, leading to a Reflected Cross-Site Scripting issue: https://example.com/wp-admin/admin.php/"><script>alert(/XSS/)</script>/?page=joan_settings...
Gutenslider < 5.2.0 - Contributor+ Stored XSS
The plugin does not escape the minWidth attribute of a Gutenberg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. As a contributor or above, create/edit a post, put the below code while in Code Editor mode, and view/preview the post. The...
YaySMTP < 2.2.1 - Subscriber+ Logs Disclosure
The plugin does not have a capability check in an AJAX action, allowing any logged in user, such as subscriber, to view the Logs of the plugin. @author : 0xshdax (Rafshanzani Suhada) @usage : python3 script.py http://localhost import requests, sys, re, json # Setup here url = sys.argv[1] headers =...
WP Visitor Statistics (Real Time Traffic) < 5.6 - Subscriber+ SQL Injection
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to a SQL injection: https://example.com/wp-admin/admin-ajax.php?action=refUrlDetails&id=sleep(1)%20--%20g...
WPeMatico RSS Feed Fetcher < 2.6.12 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/edit a campaign and add the following feed URL:...
Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
The plugin did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payloads in them, which will be executed either on pages generated by the plugin or on the whole website, depending on the settings used. -- Payloads: $('m0ze'); alert(document.cooki...
Simple Social Media Share Buttons < 3.2.4 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the Share Title setting before outputting it in the frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the Sha...
WPFront Notification Bar < 2.1.0.08087 - Authenticated Stored XSS
The plugin does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. To execute the XSS on all frontend pages and the plugin's setting page, add the following payload in the...
GiveWP < 2.12.0 - Authenticated Stored XSS
The plugin did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them. Put the following payload in any Donation Level Text field of a Donation Form, i.e...
Images to WebP < 1.9 - Authenticated Local File Inclusion
The plugin does not validate or sanitise the tab parameter before passing it to the include function, which could lead to a Local File Inclusion issue. Assuming WordPress is installed at C:\xampp\htdocs\wordpress,...
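What a request-controlled tab value handed to `include` resolves to, beside the allowlist fix, as an added example (not the Images to WebP plugin's code). The vulnerable variant assumes the common `'/tabs/' . $_GET['tab'] . '.php'` construction, so the traversal still has to end in a `.php` file; the hardened variant only ever uses the request value as a dictionary key and additionally checks the resolved file stays inside the plugin directory. Paths are POSIX and the Linux install location, tab names and file layout are assumptions (the entry above uses a Windows XAMPP path; the traversal depth is the same):

```python
# Added example, not the plugin's code. posixpath keeps the output identical on any OS.
import posixpath

PLUGIN_DIR = "/var/www/wordpress/wp-content/plugins/images-to-webp"

# Hardened variant: request value -> fixed file, nothing else reaches include().
TAB_FILES = {
    "general": "tabs/general.php",
    "advanced": "tabs/advanced.php",
}


def include_path_vulnerable(tab, plugin_dir=PLUGIN_DIR):
    """Mirrors include $plugin_dir . '/tabs/' . $_GET['tab'] . '.php' with no validation."""
    return posixpath.normpath(posixpath.join(plugin_dir, "tabs", tab + ".php"))


def escapes_plugin_dir(path, plugin_dir=PLUGIN_DIR):
    """True if the normalised path lies outside the plugin directory."""
    return posixpath.commonpath([plugin_dir, path]) != plugin_dir


def include_path_hardened(tab, plugin_dir=PLUGIN_DIR):
    rel = TAB_FILES.get(tab)
    if rel is None:
        raise ValueError(f"unknown tab {tab!r}")
    path = posixpath.normpath(posixpath.join(plugin_dir, rel))
    # Defence in depth: even a bad allowlist entry must not leave the plugin tree.
    if escapes_plugin_dir(path, plugin_dir):
        raise ValueError("resolved path escapes the plugin directory")
    return path


# Constructed traversal: four levels up from <plugin>/tabs/ is the WordPress root.
TRAVERSAL = "../../../../wp-config"

if __name__ == "__main__":
    p = include_path_vulnerable(TRAVERSAL)
    print("vulnerable includes:", p, "| outside plugin dir:", escapes_plugin_dir(p))
    print("hardened 'general' :", include_path_hardened("general"))
    try:
        include_path_hardened(TRAVERSAL)
    except ValueError as exc:
        print("hardened traversal :", exc)
```

When triaging a report like this, the first thing to establish is whether the plugin appends a suffix at all: without one, the same parameter reaches arbitrary files rather than only `.php` files.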
Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS
The plugin does not properly sanitise values used when creating new calendars. Open the Appointment Hour Booking tab, enter an XSS payload such as "><script>alert(document.location)</script> in the new calendar name field, and click the "add new" button. Go back to the Appointment Hour Booking tab and select "Publish" for any...
Highlight < 0.9.3 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise its CustomCSS setting, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Tick the "Enable Highlight" setting of the plugin, and put the following payload in the CustomCSS setting as well:...
ThirstyAffiliates < 3.9.3 - Authenticated Stored XSS
The ThirstyAffiliates Affiliate Link Manager WordPress plugin was vulnerable to authenticated stored Cross-Site Scripting (XSS). An authenticated attacker, such as an author, could attach an image with malicious JavaScript as its title, which would be executed once viewed by an administrator user...
PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the title of its Forms before outputting it in attributes, allowing high privilege users such as admin to set an XSS payload in it even when unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue. Timeline: July 12th, 2021 - Vendor...
Grid Gallery < 1.2.5 - Authenticated Stored Cross Site Scripting (XSS)
The plugin does not properly sanitise the title field of image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability. Step 1: Install the Grid Gallery - Photo Image Grid Gallery plugin in WordPress and activate it. Step 2...
VDZ Verification < 1.4 - Authenticated Stored XSS
The plugin does not sanitise its Meta Tag settings, allowing high privilege users such as admin to perform XSS attacks even when the unfiltered_html capability is disallowed. Put the following payload in any of the Meta Tag fields in the plugin's Settings...
WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed. - Create a new Download, add the following payload in the "Version" and "Link Label" fields from the 'Package...
VDZ CallBack < 1.14.6 - Authenticated Stored XSS
The plugin does not properly sanitise or escape some of its settings, allowing high privilege users such as admin to perform XSS attacks even when the unfiltered_html capability is disallowed. Put the following payload in the Title setting of the plugin...
ThinkTwit < 1.7.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape its "Consumer key" setting before outputting it in its settings page, leading to a Stored Cross-Site Scripting issue. Put the following payload in the "Consumer key" setting of the plugin (/wp-admin/options-general.php?page=thinktwit): - v <script>alert(/XSS/)</script> - v 1.7.1 : "...
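Nearly every XSS entry in this listing, from the attribute payloads (`"><script>alert(/XSS/)</script>`, `" onMouseOver="alert(1);`, the onfocus/autofocus one) to the `<script>` payloads dropped into page bodies, comes down to output reaching one of three contexts without escaping for that context. The added example below (not from WPScan or any listed plugin; the markup templates are assumptions) renders those payloads raw and then with the escaping that matches the context, and uses Python's HTML parser to check whether a new tag or an event-handler attribute appeared. `html.escape(value, quote=True)` plays the role of WordPress's `esc_attr()`, `html.escape(value, quote=False)` that of `esc_html()`, and JSON encoding plus breaking `</` covers the inline-script case:

```python
# Added example, not from the page or the plugins it lists.
import html
import json
from html.parser import HTMLParser

# Constructed payloads in the forms quoted above ("+" in the onfocus payload is a URL-encoded space).
ATTR_PAYLOADS = [
    '"><script>alert(/XSS/)</script>',
    '" onMouseOver="alert(1);',
    '" onfocus="alert(1)" autofocus="',
]
BODY_PAYLOAD = "<script>alert(/XSS/)</script>"
JS_PAYLOAD = "</script><script>alert(1)</script>"


def attr_raw(value):
    return f'<input type="text" name="s" value="{value}">'


def attr_safe(value):
    # esc_attr() equivalent: encodes <, >, & and both quote characters.
    return f'<input type="text" name="s" value="{html.escape(value, quote=True)}">'


def body_raw(value):
    return f"<p>{value}</p>"


def body_safe(value):
    # esc_html() equivalent: quotes may stay literal inside text content.
    return f"<p>{html.escape(value, quote=False)}</p>"


def js_raw(value):
    return f'<script>var s = "{value}";</script>'


def js_safe(value):
    # JSON-encode, then break every "</" so the browser cannot close the script block early.
    encoded = json.dumps(value).replace("</", "<\\/")
    return f"<script>var s = {encoded};</script>"


class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.tags


def injected(markup, expected_tag):
    """True if parsing yields anything but the one intended tag, or an on* attribute on it."""
    tags = parse_tags(markup)
    if [t for t, _ in tags] != [expected_tag]:
        return True
    return any(name.startswith("on") for name in tags[0][1])


def attr_round_trips(value):
    """Escaping must not change the data: the parsed attribute equals the original string."""
    return parse_tags(attr_safe(value))[0][1]["value"] == value


if __name__ == "__main__":
    for p in ATTR_PAYLOADS:
        print(f"attr raw injected={injected(attr_raw(p), 'input')}  "
              f"escaped injected={injected(attr_safe(p), 'input')}  round-trip={attr_round_trips(p)}")
    print("body raw:", injected(body_raw(BODY_PAYLOAD), "p"), "escaped:", injected(body_safe(BODY_PAYLOAD), "p"))
    print("js   raw:", injected(js_raw(JS_PAYLOAD), "script"), "escaped:", injected(js_safe(JS_PAYLOAD), "script"))
```

The round-trip check is the point that distinguishes escaping from sanitising: the stored value (a currency symbol, a consumer key, a map label) is preserved exactly, and only its rendering changes. That is also why these entries matter even for admin-only settings: with `unfiltered_html` disallowed (multisite, or `DISALLOW_UNFILTERED_HTML`), WordPress's contract is that no role can place script in a page, so any unescaped setting breaks it.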