Simply Excerpts <= 1.4 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed, for example in a multisite setup. Put the following payload...
BSK Contact Form 7 Blacklist <= 1.0.1 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the insertedcount parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below...
Popup box < 3.8.6 - Admin+ Stored XSS in Categories
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to "Popup Box Categories" 2. Add...
AMP+ Plus <= 3.0 - Reflected Cross Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin https://example.com/?p=1&yolo=%22%3E%3CScRiPt%3Ealert%28%27XSS%27%29%3C%2FsCrIpT%3E...
Word Balloon < 4.20.3 - Avatar Removal via CSRF
Description The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link. Make a logged in admin open...
Filr – Secure document library < 1.2.3.6 - Author+ RCE via file upload with phar ext
Description The plugin is vulnerable to Remote Code Execution (RCE), which allows a user with Author-level privileges to execute operating system commands and fully compromise the server. 1 Go to main dashboard of plugin...
WP Fastest Cache < 1.2.2 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. 1. Visit WP Fastest Cache Settings. Ensure "Cache System" is enabled, and "Logged-in Users" is disabled. Click "Submit" at...
Uploading SVG, WEBP and ICO files <= 1.2.1 - Author+ Stored XSS via SVG
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. As an author, upload an SVG file with malicious JavaScript: alert"pwned by daniloalbugrque"; Access the file through its URL to see...
Funnelforms Free < 3.4.2 - Form Deletion/Duplication via CSRF
Description The plugin does not have CSRF checks on some of its form actions such as deletion and duplication, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. Make a logged in admin open an HTML page with the form below Deletion This will delete the form...
eCommerce Product Catalog Plugin for WordPress < 3.3.26 - Products Deletion via CSRF
Description The plugin does not have CSRF checks in some of its admin pages, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as delete all products Make a logged in admin open the URL below...
Welcart e-Commerce < 2.9.5 - Subscriber+ Arbitrary File Upload
Description The plugin does not validate files to be uploaded, and also lacks authorisation and CSRF checks in the AJAX action handling such uploads. As a result, any authenticated user, such as a subscriber, could upload arbitrary files, such as PHP, to the server. Setup As admin: - Go to the...
Welcart e-Commerce < 2.9.5 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below:...
Welcart e-Commerce < 2.9.5 - Unauthenticated PHP Object Injection
Description The plugin unserializes user input from cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitrary...
EventON < 2.2 - Admin+ Stored HTML Injection
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored HTML Injection attacks even when the unfiltered_html capability is disallowed. 1. Go to the Virtual Event - This is a virtual online event. 2. Configure...
Mmm Simple File List <= 2.3 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, put the below...
POST SMTP Mailer < 2.7.1 - Unauthenticated Cross-site Scripting
Description The plugin does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users. 1. Install Post SMTP in version 3. Visit /wp-admin/admin.php?page=postmanemaillog Post SMTP - Email Log 4...
WassUp Real Time Analytics <= 1.9.4.5 - Unauthenticated Stored XSS
Description The plugin does not escape IP addresses provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged in admins. wget --header="X-Forwarded-For: " https://example.com -q -O- The XSS will be triggered wh...
WP-UserOnline < 2.88.3 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks. curl https://example.com -H 'X-Forwarded-For: ' Then, as a high-privileged user, visit...
kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition
Description The plugin does not implement atomic operations, allowing one user to vote multiple times on a poll due to a Race Condition. 1- Install and activate kk Star Ratings. 2- Go to the page that displays the star rating. 3- Using Burp and the Turbo Intruder extension, intercept the rating...
WordPress Backup & Migration < 1.4.4 - Subscriber+ Plugin Settings Update
Description The plugin does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded; charset=UTF-8", , "body":...
Security & Malware scan by CleanTalk < 2.121 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass bruteforce protection. Send 5 invalid login requests and thus block the IP address. POST /wp-login.php HTTP/1.1 Host: localhost...
Webpushr < 4.35.0 - Unauthenticated Stored XSS
Description The plugin does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks. 1. Woocommerce needs to be installed as well as activating webpushr-web-push-notifications by creating an account. 2. Run the following...
Simple Social Buttons < 5.1.1 - Unauthenticated Password Protected Post Access
Description The plugin leaks password-protected post content to unauthenticated visitors in some meta tags As unauthenticated, view the source of any password-protected post and see that the content of the post is disclosed in the og:description and twitter:description meta tags...
WPB Show Core <= 2.2 - Unauthenticated Server Side Request Forgery
Description This plugin is vulnerable to server-side request forgery SSRF via the path parameter. Send a GET request to wpb-show-core/download-file.php with the path parameter set to an arbitrary URL http://example.com/latest/meta-data/iam/security-credentials/wpb-apps-prod-role the website will...
WordPress Backup & Migration < 1.4.5 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks. This was partially fixed in version 1.4.4 but it still allowed XSS attacks from Admin users. fetch"/wp-admin/admin-ajax.php",...
Asgaros Forum < 2.7.1 - Unauthenticated Arbitrary File Upload
Description The plugin allows forum administrators, who may not be WordPress super-administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files e.g. .php, .phtml, potentially leading to remote code execution. Any user who has the rights to modify the...
Job Manager & Career < 1.4.4 - Directory listing to Sensitive Data Exposure
Description The plugin contains a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of...
Mmm Simple File List <= 2.3 - Subscriber+ Arbitrary Directory Listing
Description The plugin does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories. Run the below command in the developer console of the web browser while being on the blog as a subscriber user...
WPB Show Core <= 2.2 - Unauthenticated Local File Inclusion
Description This plugin is vulnerable to a local file inclusion via the path parameter. Send a GET request to wpb-show-core/download-file.php with the path parameter set to an arbitrary file path on the server, - "/etc/resolv.conf" - "/etc/hosts" - "../../../wp-config.php"...
Limit Login Attempts Reloaded < 2.25.26 - Admin+ Missing Authorization to Toggle Plugin Auto-Update
Description The plugin is missing authorization on the toggleautoupdate AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin. As an Admin, open the Limit Login Attempts page in WP Admin and run the following code in the browser console: nonce =...
Bookly < 22.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. As an admin user, visit the Bookly...
Martins Free & Easy SEO Link buildings < 1.2.30 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open...
Woocommerce Vietnam Checkout < 2.0.6 - Unauthenticated Stored XSS
Description The plugin does not escape the custom shipping phone field on the checkout form, leading to XSS. 1 Install both WooCommerce and the plugin. 2 Set a WooCommerce shipping method, and the store's address to one that is in Vietnam. 3 Add product to cart, and proceed to checkout 4 Tick "Ship...
Seraphinite Accelerator < 2.20.32 - Unauthorised Settings Reset/Import
Description The plugin does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them. The issue was partially fixed in 2.20.29, only adding authorisation checks. CSRF checks were added in 2.20.32. As an unauthenticated user, open...
Medialist < 1.4.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. medialist style='"...
EventPrime < 3.3.6 - Booking Pricing Bypass
Description The plugin specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment. Create an Event, noting its ID. Add a ticket type to the Event, ensuring that the price is not zero. As a logged-in user, go through the process of paying for ...
Appointment booking addon for Gravity Forms <= 1.9.5.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. The "Translations" settings of the...
10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion
Description The plugin does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service. fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php", "headers": "content-type":...
PubyDoc <= 2.0.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1 After installing the plugin, create a new table at...
myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion
Description The plugin does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions. 1. Visit myStickymenu + Create new Welcome Bar. Ensure "Collect leads" is enabled, enable the toggle at the top, and Save. 2. In a logged-out window, fill the lead form in the...
Popup Box < 3.7.9 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1 Create a new popup via /wp-admin/admin.php?page=ays-pb&action=add 2 Set its "Custom...
Seraphinite Accelerator < 2.2.29 - Authenticated Arbitrary Redirect
Description The plugin does not validate the URL to redirect any authenticated user to, leading to an arbitrary redirect Make a logged in user open https://example.com/wp-admin/admin-ajax.php?action=seraphaccelact&fn=acceptEula&redir=https%3A%2F%2Fwpscan.com...
Five Star Restaurant Menu and Food Ordering < 2.4.11 - Unauthenticated PHP Object Injection
Description The plugin unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog. Run the below command in the developer console of the web browser while being on the blog...
WP Post Popup <= 3.7.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its inputs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Enter the following payload in the Close...
Seraphinite Accelerator < 2.2.29 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
Bonus for Woo < 5.8.3 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open one of the URL below...
Article Analytics <= 1.0 - Unauthenticated SQL injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection vulnerability. On a WordPress blog using MySQL, the following PoC allows extracting the hash of the...
Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. v 3.1.1 - fbplugin video...
WooHoo Newspaper Magazine Theme <= 2.5.3 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Make an admin open an HTML page with the following HTML: document.forms0.submit; See that the plugin's "Header Options Toolbar...
Forminator and Forminator Pro < 1.27.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed, for example in a multisite setup. Select...