Assistant < 1.4.4 - Editor+ SSRF
Description The plugin does not validate a parameter before making a request to it via wp_remote_get, which could allow users with a role as low as Editor to perform SSRF attacks. As an Editor or above, open http://example.com/index.php?flasstimageproxy&url=https://127.0.0.1...
WP Hotel Booking < 2.0.8 - Unauthenticated SQLi
Description The plugin does not have authorisation and CSRF checks, and does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections. Run the below command in the developer console of the web browse...
WP Hotel Booking < 2.0.9 - Contributor+ Arbitrary Post Deletion
Description The plugin does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do not belong to them. Run the below command in the developer console of the web browser while being on the blog as a Contributor user. This will put the post...
WP Hotel Booking < 2.0.8 - Subscriber+ Arbitrary Post Deletion
Description The plugin does not have authorisation and CSRF checks, and does not ensure that the package to be deleted is actually a package, allowing any authenticated user, such as a subscriber, to delete arbitrary posts. Run the below command in the developer console of the web browser while being ...
Royal Elementor Addons and Templates 1.4.78 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. Note that this vulnerability is identical to https://wpscan.com/vulnerability/281518ff-7816-4007-b712-63aed7828b34/ as it was introduce...
Slimstat Analytics < 5.0.10 - Contributor+ SQL Injection
Description The plugin is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers wit...
History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it. 1 Navigate to Instagram Feed > Settings > Manage Sources, then click o...
Responsive Pricing Table < 5.1.8 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Create a New Pricing Table and Add ...
Awesome Support < 6.1.5 - Insufficient permission check in wpas_edit_reply
Description The plugin does not correctly authorize the wpas_edit_reply function, allowing users to edit posts for which they do not have permission. Log in as a subscriber and run the following code in the browser, setting the reply_id to any post ID. fetch"/wp-admin/admin-ajax.php", "headers":...
User Registration < 3.0.4.2 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Install and activate this plugin -...
Awesome Support < 6.1.5 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Visit the following URL as an admin user, with any valid ticket ID. Press the access k...
WP Simple Table Manager Plugin <= 1.5.6 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Click Simple Table Manager then...
Front End PM < 11.4.3 - Sensitive Data Exposure via Directory Listing
Description The plugin does not block listing the contents of the directories where it stores attachments to private messages, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled...
Templately < 2.2.6 - Unauthenticated Arbitrary Post Deletion
Description The plugin does not properly authorize the saved-templates/delete REST API call, allowing unauthenticated users to delete arbitrary posts. Ensure the Elementor plugin is installed so that the Elementor Template functionality is enabled. curl -X POST...
WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate the file to be uploaded, allowing any unauthenticated user to upload arbitrary files to the server, leading to RCE. Make sure to have both WooCommerce and NinjaForms 3.4.34.2 (NF's latest version on the 3.4 branch) installed, then follow those instructions:...
Awesome Support < 6.1.5 - Submitter+ Arbitrary File Deletion
Description The plugin does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server. 1. Visit Tickets > Settings > File Upload 2. Ensure "Enable File Upload", "Enable drag-n-drop uploader for ticket form", and "Check this t...
URL Shortify < 1.7.9.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Multiple parameters in the plugin's...
WP Discord Invite < 2.5.2 - Admin+ Stored Cross Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to the WP Discord Invite plugin...
Ninja Forms < 3.6.34 - Admin+ Stored XSS
Description The plugin does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc.; however, the...
Gutenberg < 16.8.1 - Contributor+ Stored XSS
Description The plugin does not adequately escape the content of the footnotes within the paragraph block of the block editor, leading to a Contributor+ Cross-Site Scripting vulnerability. 1. Create a new post as a Contributor user. 2. Add a paragraph block and add a footnote to the paragraph. 3...
WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
Description WordPress does not properly restrict which user fields are searchable via the REST API. from multiprocessing import Pool import requests import string import json import sys if len(sys.argv) != 2: print(f'USAGE: {sys.argv[0]} ') sys.exit() url = sys.argv[1].rstrip('/') + '/wp-json/wp/v2/users'...
Fattura24 < 6.2.8 - Reflected Cross-Site Scripting
Description The plugin does not sanitize or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting vulnerability. wp-admin/options-general.php?page=fatt-24-tax&id=12alert1%3B...
Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update
Description The plugin does not prevent users with low privileges like subscribers from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including DoS. Once the site gets at least 25 conversions using the plugin, a notice will show up on the...
Popup box < 3.7.2 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Create a new PopUp Box within the plugi...
Memberlite Shortcodes < 1.3.9 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
EventPrime < 3.2.0 - Booking Creation via CSRF
Description The plugin does not have CSRF checks when creating bookings, which could allow attackers to make logged-in users create unwanted bookings via CSRF attacks. Create an Event, noting its ID. Add a ticket type to the Event (the details don't matter). As a logged-in user, visit a page with t...
EventPrime < 3.2.0 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. POC 1 - Visit any of the following pages created by the plugin: - Event Organize...
WP Meta and Date Remover < 2.2.0 - Subscriber+ Stored XSS
Description The plugin provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is later output unescaped, allowing any authenticated user, such as a subscriber, to change the settings and perform Stored Cross-Site...
WordPress File Sharing Plugin < 2.0.5 - Subscriber+ Sensitive Data and Files Exposure via IDOR
Description The plugin does not check authorization before displaying files and folders, allowing users to gain access to those files by manipulating IDs, which can easily be brute forced. 1. Create a private folder that contains a file that you intend to keep secret. 2. Add the plugin shortcode...
Login screen manager <= 3.5.2 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Put the following payload in the "Hov...
Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. Make sure you have Elementor installed and a page or post edited with Elementor. Here's the python script that will execute the exploit...
E2Pdf < 1.20.20 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 1 Create a new template on...
EventPrime < 3.2.0 - Reflected HTML Injection on keyword parameter
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to an HTML Injection on the plugin in the search area of the website. Insert '"Clickme! on the keyword search field or directly on the link...
Photos and Files Contest Gallery – Contact Form < 21.2.8.1 - Unauthenticated Stored XSS via HTTP Headers
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers. 1. Use a proxy such as BurpSuite to add the following header to all requests: X-Forwarded-For: 11.11.11.11 2. Create a gallery...
CITS Support svg, webp Media and TTF,OTF File Upload < 3.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. As an author, upload an SVG with the payload: alert"xss"; View the SVG and see the XSS...
Newsletter Lite < 4.9.3 - Admin+ Command Injection
Description The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. 1 Navigate to "Newsletters Configuration History & Emails Configuration"...
Collapse-O-Matic <= 1.8.5.5 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a Contributor user, create a new post and add a shortcode containing the following payload: expand elwraptag="img...
Track The Click < 0.3.12 - Author+ Time-Based Blind SQL Injection
Description The plugin does not properly sanitize query parameters to the stats REST endpoint before using them in a database query, allowing a logged in user with an author role or higher to perform time based blind SQLi attacks on the database. Version 0.3.11 changes the API endpoint to only be...
WP Discord Invite < 2.5.1 - Arbitrary Settings Update via CSRF
Description The plugin does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in administrator to submit a crafted request. alert1;'/...
Simple Posts Ticker < 1.1.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to "Settings Simple Posts Ticker...
User Activity Log Pro < 2.3.4 - Unauthenticated Stored Cross-Site Scripting via User Agent
Description The plugin does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks. 1 Make sure the plugin's Enable User Agent For Log setting is enabled at /wp-admin/admin.php?page=ualpsettings 2 If you're...
ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Title Disclosure
Description The plugin does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the title of arbitrary posts, such as draft and private ones, via an IDOR vector. Run the below command in the developer console of t...
WP Matterport Shortcode < 2.1.8 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, put the...
ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Content Disclosure
Description The plugin does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the content of arbitrary posts, such as draft and private ones, via an IDOR vector. Password protected posts are not affected by...
User Activity Log Pro < 2.3.4 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. 1. In User Activity Log Settings, enable the setting "Allow Ip Address of users to log." and save...
WP Job Openings < 3.4.3 - Sensitive Data Exposure via Directory Listing
Description The plugin does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled...
ActivityPub for WordPress < 1.0.1 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape some data from post content, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, create or edit a post with the payload below while in code editor mode xyz The XSS will be triggered when...
PageLayer < 1.7.7 - Unauthenticated Stored XSS
Description The plugin doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts. Unauthenticated attacker Proof of Concept 1 As a legitimate administrator, schedule a post to be published in a few minutes. 2 Close every window to that site to preve...
WP Matterport Shortcode < 2.1.7 - Reflected XSS
Description The plugin does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin. Make a logged-in admin open https://example.com/wp-admin/admin.php/"/?page=wpms-opti...
PageLayer < 1.7.8 - Author+ Stored XSS
Description The plugin doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code. - As a user with Author+ capabilities, create a new post draft - Save it, then edit it using the PageLayer page builder - Navigate to the...