ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS
Description The plugin does not escape user metadata before outputting it in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks. As a contributor, put the following payload in a post; the payload will have to be updated accordingly to watch the...
NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization
Description The plugin is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the galleryedit function, allowing an attacker to access arbitrary resources on the server. 1. Ensure your WordPress installation is using PHP version 7.4 or earlier. 2. Create a Gallery an...
NextGEN Gallery < 3.39 - Admin+ Local File Inclusion
Description The plugin does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks. 1. Create a gallery and upload an image. 2. Add the NextGEN Gallery block to a page and click Edit. Select the Gallery creat...
Active Directory Integration < 4.1.10 - Unauthenticated Log Disclosure
Description The plugin stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any user knowing its URL. This requires the plugin's Log Authentication Requests setting to be set...
WPSchoolPress < 2.2.5 - Teacher+ SQLi
Description The plugin uses the WordPress esc_sql function on a field not delimited by quotes and does not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers. 1. Install the WPSchoolpress plugin and Import Demo Data. 2. Log in as a teache...
Bookly < 22.4 - Admin+ SQLi
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. Go to Bookly > Settings > Logs. Do a search and intercept the request. The parameter columns%5B0%5D%5Bdata%5D with...
Simple Posts Ticker < 1.1.6 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Add a post with the shortcode:...
Vrm 360 3D Model Viewer <= 1.2.1 - Full Path Disclosure
Description The plugin exposes the full path of a file when a non-existent file is supplied in a parameter of the shortcode. 1. Create a page. 2. Place the shortcode vrm360 canvasname=s1 modelurl=SACharacter.zip aspectratio=1.8 initialoffset=0.9 on the page; SACharacter.zip should be a non-existent...
PowerPress Podcasting < 11.0.12 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the Media URL field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin. Add the following payload to the Media URL field:...
Testimonial Slider Shortcode < 1.1.9 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
User Avatar - Reloaded < 1.2.2 - Contributor+ Stored XSS
Description The plugin does not properly sanitize and escape certain of its shortcode attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks. As a Contributor+, create a new post and add one of the following shortcodes: avatar user="admin"...
NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete
Description The plugin is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the galleryedit function, allowing an attacker to access arbitrary resources on the server. 1. Create a Gallery called "My Gallery" and note its ID. 2. Run the following code in...
WordPress File Upload < 4.23.3 - Author+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as authors to perform Stored Cross-Site Scripting attacks. 1. Add the following shortcode to a post: wordpressfileupload redirect="true" redirectlink="javascript:alert1" 2. Upload...
Tutor LMS < 2.3.0 - Subscriber+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow users such as subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Register a student account and go to the...
Enable Media Replace < 4.1.3 - Author+ PHP Object Injection
Description The plugin unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog. Step 1: Add the following code to the end of the file located at...
Drag and Drop Multiple File Upload < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts. Using malicious SVG files: Go to a product page that features the file upload form, and paste the following in your browser...
Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. msalert...
EventON < 2.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Create a new event. 2. In the "Eve...
DoLogin Security < 3.7.1 - Subscriber+ IP Address leak
Description The plugin does not restrict access to a widget that shows the IPs of failed logins, exposing it to low privileged users. Just log in to a subscriber account and go to: http://localhost/wp-admin/index.phplog...
Shared Files < 1.7.6 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts. Upload an allowed WordPress extension such as JPG and inject it with a script such as: alert1;. To...
Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)
Description The plugin does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page even when the hide login page functionality of the plugin is enabled. Example using GravityForms to redirect to the login page...
Funnelforms Free < 3.4 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks. 1. Create a contact form. 2. Embed the contact form shortcode on a post or page. 3. As an unauthenticated user, inject the inputs for a malicious scri...
File Manager Pro < 1.8.1 - Admin+ Remote Code Execution
Description The plugin allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution. As an admin, use the File Manager UI to upload a file shell.php...
File Manager Pro < 1.8.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not adequately validate and escape some inputs, leading to XSS by high-privilege users. As an admin, open the File Manager and run the following JS code: fetch"http://localhost:10008/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencode...
Weaver Xtreme Theme Support < 6.3.1 - Admin+ PHP Object Injection
Description The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a high privilege user imports a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin: class Test...
Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files, leading to RCE. On a page where there is a form with a Signature field, run the following code in the web developer console while...
Socialdriver <= 2021 - Prototype Pollution to XSS
Description The theme has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties, resulting in a cross-site scripting (XSS) attack. Access the URL:...
WooCommerce < 8.1.1 - Shop Manager+ User Metadata Disclosure
Description The plugin returns all user metadata via an AJAX action, which could allow users with a role as low as Shop Manager to access an arbitrary user's metadata, which could include tokens and other potentially sensitive data. As a shop manager or product vendor admin: Edit an order/create an...
File Manager Pro < 1.8 - Remote Code Execution via CSRF
Description The plugin does not properly check the CSRF nonce in the fsconnector AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell. As a Super Admin, run the following code ...
Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS
Description The plugin does not sanitize and escape some of its booking form data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators. As an unauthenticated user, submit a booking form; such a form can be added via the Booking Calendar Block on a...
WooCommerce Subscriptions < 4.6.0 - Subscription Suspension/Activation via CSRF
Description The plugin does not have a CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged in admin suspend or activate arbitrary subscriptions via a CSRF attack. Deactivate subscription with ID 53:...
Checkout Field Editor < 1.7.5 - Checkout Fields Update via CSRF
Description The plugin does not have a CSRF check in place when updating checkout fields, which could allow attackers to make logged in users update them via a CSRF attack. input type="hidden" name="fieldvalidation1" value="req...
WooCommerce Payments < 4.9.0 - Subscription Suspension/Activation via CSRF
Description The plugin does not have a CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged in admin suspend or activate arbitrary subscriptions via a CSRF attack. Deactivate subscription with ID 53:...
Read More & Accordion < 3.2.7 - Admin+ PHP Object Injection
Description The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : voi...
Staff / Employee Business Directory for Active Directory < 1.2.3 - Improper escaping of LDAP entries
Description The plugin does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious JavaScript which could be used against high-privilege users such as a site admin. Add a...
Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution
Description The plugin is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the /includes/mla-stream-image.php file, where images are processe...
My Account Page Editor < 1.3.2 - Subscriber+ Arbitrary File Upload
Description The plugin does not validate the profile picture to be uploaded, allowing any authenticated user, such as a subscriber, to upload arbitrary files to the server, leading to RCE. Prerequisite: This vulnerability requires the "Upload Profile Picture" option to be enabled, which isn't the...
All in One B2B for WooCommerce <= 1.0.3 - Multiple CSRF
Description The plugin does not properly check nonce values in several actions, allowing an attacker to perform CSRF attacks. This CSRF attack will reject a Quote in the database. 1. Go to All In One Quote > Quotes. 2. Click "Add quote", fill in the title, and save. 3. Find the Quote ID, convert it ...
All in One B2B for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation
Description The plugin does not properly validate parameters when updating user details, allowing an unauthenticated attacker to update the details of any user. Updating the password of an Admin user leads to privilege escalation. curl 'https://example.com/' -d...
Activity Log < 2.8.8 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate the value. This may be used to hide the source of malicious traffic. Run the following code in the web browser and note on the backend that the IP address has been faked...
Multiple Plugins from ServMask - Unauthenticated Access Token Update
Description The plugins do not have an authorisation check in the init function hooked to the admin_init action, allowing unauthenticated attackers to update the access token. With the All-in-One WP Migration Box Extension installed, open the URL below as an unauthenticated user:...
Translate WordPress with GTranslate < 3.0.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). This vulnerability affects multiple...
Popup Builder < 4.2.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Note: The vendor was made aware of th...
Prevent files / folders access < 2.5.2 - Admin+ Arbitrary File Upload
Description The plugin does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP to the server. 1. Create a PHP file cmd.php with the contents 2. Go to https://example.com/wp-admin/admin.php?page=momediarestrict&tab=privatedirectory 3. Then upload a fi...
DoLogin Security < 3.7 - IP Spoofing
Description The plugin uses headers such as X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. 1. Send a login request with x-forwarded-for: REDACTEDIP 2. See the spoofed IP address in the "Login Attempts Log"...
Import XML and RSS Feeds < 2.1.4 - Admin+ Arbitrary File Upload
Description The plugin does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution. NOTE: Because of an error in this version of the plugin, the following POC only works on PHP versions previous to 8.0. 1. As an admin,...
Locatoraid Store Locator < 3.9.24 - Reflected XSS
Description The plugin does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Setup as admin: - Locatoraid > Configuration > Google Maps: Enter "none" at...
WP Job Portal < 2.0.6 - Unauthenticated SQLi
Description The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. Setup as admin: Create a dummy company and a job if there are none. Attack as unauthenticated: time curl -X POST --data...
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
Description The plugin contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised; the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deletin...
FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access
Description The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server. On a multisite instance, log in as an admin. Click on File Organizer in the sidebar. The UI gives full control to the files on the server, despite not being a...