Lucene search
K
WpexploitRecent

4359 matches found

wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•137 views

ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS

Description The plugin does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks As a contributor, put the following payload in a post the payload will have to be updated accordingly to watch the...

5.4CVSS5.3AI score0.00419EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•142 views

NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization

Description The plugin is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the galleryedit function, allowing an attacker to access arbitrary resources on the server. 1. Ensure your WordPress installation is using PHP version 7.4 or earlier. 2. Create a Gallery an...

7.5CVSS7.6AI score0.00701EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•161 views

NextGEN Gallery < 3.39 - Admin+ Local File Inclusion

Description The plugin does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks 1. Create a gallery and upload an image. 2. Add the NextGEN Gallery block to a page and click Edit. Select the Gallery creat...

4.9CVSS5.2AI score0.00787EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•112 views

Active Directory Integration < 4.1.10 - Unauthenticated Log Disclosure

Description The plugin stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so. This requires the plugin's Log Authentication Requests setting to be set...

7.5CVSS7.7AI score0.25855EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•185 views

WPSchoolPress < 2.2.5 - Teacher+ SQLi

Description The plugin uses the WordPress escsql function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers. 1. Install the WPSchoolpress plugin and Import Demo Data. 2. Log in as a teache...

8.8CVSS9.1AI score0.00721EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•165 views

Bookly < 22.4 - Admin+ SQLi

Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin Go to Bookly Settings Logs Do a search and intercept the request The parameter columns%5B0%5D%5Bdata%5D with...

7.2CVSS7.3AI score0.00717EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•144 views

Simple Posts Ticker < 1.1.6 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Add a post with the shortcode:...

5.4CVSS5.4AI score0.00394EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•164 views

Vrm 360 3D Model Viewer <= 1.2.1 - Full Path Disclosure

Description The plugin exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode. 1. Create a page 2. Place the shortcode vrm360 canvasname=s1 modelurl=SACharacter.zip aspectratio=1.8 initialoffset=0.9 on the page SACharacter.zip should be a non-existent...

5.3CVSS5.4AI score0.00545EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•153 views

PowerPress Podcasting < 11.0.12 - Contributor+ Stored XSS

Description The plugin does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin. Add the following payload to the Media URL field:...

5.4CVSS7.1AI score0.00403EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•147 views

Testimonial Slider Shortcode < 1.1.9 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...

5.4CVSS5.9AI score0.00403EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•154 views

User Avatar - Reloaded < 1.2.2 - Contributor+ Stored XSS

Description The plugin does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks. As a Contributor+ create a new post and add one of the following shortcode. avatar user="admin"...

5.4CVSS5.4AI score0.00394EPSS
Exploits2References1
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•163 views

NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete

Description The plugin is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the galleryedit function, allowing an attacker to access arbitrary resources on the server. 1. Create a Gallery called "My Gallery" and note its ID. 2. Run the following code in...

7.2CVSS7.1AI score0.00812EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•167 views

WordPress File Upload < 4.23.3 - Author+ Stored Cross-Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as authors to perform Stored Cross-Site Scripting attacks. 1. Add the following shortcode to a post: wordpressfileupload redirect="true" redirectlink="javascript:alert1" 2. Upload...

5.4CVSS5.3AI score0.00394EPSS
Exploits3
wpexploit
wpexploit
•added 2023/09/25 12:0 a.m.•178 views

Tutor LMS < 2.3.0 - Subscriber+ Stored Cross-Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Register a student account and go to the...

5.4CVSS6AI score0.00403EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/21 12:0 a.m.•155 views

Enable Media Replace < 4.1.3 - Author+ PHP Object Injection

Description The plugin unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog Step 1: Add the following code to the end of the file located at...

8.8CVSS8.9AI score0.00837EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/21 12:0 a.m.•146 views

Drag and Drop Multiple File Upload < 1.1.1 - Unauthenticated Stored Cross-Site Scripting

Description The plugin does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts. Using malicious SVG files: Go to a product page that features the file upload form, and paste the following in your browser...

5.4CVSS5.7AI score0.00395EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/21 12:0 a.m.•148 views

Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. msalert...

5.4CVSS5.4AI score0.00403EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/21 12:0 a.m.•151 views

EventON < 2.2 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Create a new events. 2. In the "Eve...

4.8CVSS4.8AI score0.00402EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/21 12:0 a.m.•194 views

DoLogin Security < 3.7.1 - Subscriber+ IP Address leak

Description The plugin does not restrict the access of a widget that shows the IPs of failed logins to low privileged users. Just login to subscriber account and go to: http://localhost/wp-admin/index.phplog...

6.5CVSS6.5AI score0.00861EPSS
Exploits1
wpexploit
wpexploit
•added 2023/09/21 12:0 a.m.•127 views

Shared Files < 1.7.6 - Unauthenticated Stored Cross-Site Scripting

Description The plugin does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts. Upload an allowed WordPress extension such as JPG and inject it with a script such as: alert1;. To...

6.1CVSS7.3AI score0.0042EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/20 12:0 a.m.•222 views

Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)

Description The plugin does not prevent redirects to the login page via the authredirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled. Example using GravityForms to redirect to the login page...

5.3CVSS5.5AI score0.02235EPSS
Exploits3References1
wpexploit
wpexploit
•added 2023/09/20 12:0 a.m.•148 views

Funnelforms Free < 3.4 Unauthenticated Stored Cross-Site Scripting

Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks 1. Create a contact form 2. Embed the contact form shortcode on a post or page. 3. As an Unauthitncated user, inject the inputs for a malicious scri...

6.1CVSS6.1AI score0.0047EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/19 12:0 a.m.•191 views

File Manager Pro < 1.8.1 - Admin+ Remote Code Execution

Description The plugin allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution. As an admin, use the File Manager UI to upload a file shell.php...

7.2CVSS7.5AI score0.01331EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/19 12:0 a.m.•194 views

File Manager Pro < 1.8.1 - Admin+ Stored Cross-Site Scripting

Description The plugin does not adequately validate and escape some inputs, leading to XSS by high-privilege users. As an admin, open the File Manager and run the following JS code: fetch"http://localhost:10008/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencode...

4.8CVSS5AI score0.00402EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/19 12:0 a.m.•176 views

Weaver Xtreme Theme Support < 6.3.1 - Admin+ PHP Object Injection

Description The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin: class Test...

7.2CVSS7.2AI score0.00976EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/19 12:0 a.m.•145 views

Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload

Description The plugin does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE On a page where there is a form with a Signature field, run the following code in the web developer console while...

9.8CVSS7.5AI score0.03283EPSS
Exploits3
wpexploit
wpexploit
•added 2023/09/11 12:0 a.m.•110 views

Socialdriver <= 2021 - Prototype Pollution to XSS

Description The theme has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting XSS attack. Access the URL:...

6.2AI score
Exploits0References1
wpexploit
wpexploit
•added 2023/09/11 12:0 a.m.•269 views

WooCommerce < 8.1.1 - Shop Manager+ User Metadata Disclosure

Description The plugin returns all user metadata via an AJAX action, which could allow users with a role as low as Shop Manager to access an arbitrary user's metadata which could include tokens and other potentially sensitive data As a shop manager or product vendor admin: Edit an order/create an...

7.3AI score
Exploits0References2
wpexploit
wpexploit
•added 2023/09/11 12:0 a.m.•241 views

File Manager Pro < 1.8 - Remote Code Execution via CSRF

Description The plugin does not properly check the CSRF nonce in the fsconnector AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell. As a Super Admin, run the following code ...

8.8CVSS8.6AI score0.06838EPSS
Exploits2References1
wpexploit
wpexploit
•added 2023/09/11 12:0 a.m.•132 views

Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS

Description The plugin does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators As an unauthenticated user, submit a booking form such form can be added via the Booking Calendar Block on a...

6.1CVSS6AI score0.00475EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/11 12:0 a.m.•145 views

WooCommerce Subscriptions < 4.6.0 - Subscription Suspension/Activation via CSRF

Description The plugin does not have CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged in admin suspend or activate arbitrary subscription via a CSRF attack Deactivate subscription with ID 53:...

7.3AI score
Exploits0References1
wpexploit
wpexploit
•added 2023/09/11 12:0 a.m.•120 views

Checkout Field Editor < 1.7.5 - Checkout Fields Update via CSRF

Description The plugin does not have CSRF check in place when updating checkout fields, which could allow attackers to make logged in users update them via a CSRF attack input type="hidden" name="fieldvalidation1" value="req...

7.1AI score
Exploits0References1
wpexploit
wpexploit
•added 2023/09/11 12:0 a.m.•135 views

WooCommerce Payments < 4.9.0 - Subscription Suspension/Activation via CSRF

Description The plugin does not have CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged in admin suspend or activate arbitrary subscription via a CSRF attack Deactivate subscription with ID 53:...

7.3AI score
Exploits0References1
wpexploit
wpexploit
•added 2023/09/11 12:0 a.m.•201 views

Read More & Accordion < 3.2.7 - Admin+ PHP Object Injection

Description The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : voi...

7.2CVSS7.6AI score0.00783EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/08 12:0 a.m.•139 views

Staff / Employee Business Directory for Active Directory < 1.2.3 - Improper escaping of LDAP entries

Description The plugin does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin. Add a...

6.6AI score0.00395EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/07 12:0 a.m.•166 views

Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution

Description The plugin is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mlastreamfile' parameter from the /includes/mla-stream-image.php file, where images are processe...

9.8CVSS9.9AI score0.82585EPSS
Exploits6References3
wpexploit
wpexploit
•added 2023/09/06 12:0 a.m.•139 views

My Account Page Editor < 1.3.2 - Subscriber+ Arbitrary File Upload

Description The plugin does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE Prerequisite: This vulnerability requires the "Upload Profile Picture" option to be enabled, which isn't the...

6.6AI score0.00816EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/04 12:0 a.m.•151 views

All in One B2B for WooCommerce <= 1.0.3 - Multiple CSRF

Description The plugin does not properly check nonce values in several actions, allowing an attacker to perform CSRF attacks. This CSRF attack will reject a Quote in the database. 1. Go to All In One Quote Quotes 2. Click "Add quote", fill in the title, and save. 3. Find the Quote ID, convert it ...

8.8CVSS8.8AI score0.00321EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/04 12:0 a.m.•159 views

All in One B2B for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation

Description The plugin does not properly validate parameters when updating user details, allowing an unauthenticated attacker to update the details of any user. Updating the password of an Admin user leads to privilege escalation. curl 'https://example.com/' -d...

6.9AI score0.00569EPSS
Exploits2
wpexploit
wpexploit
•added 2023/09/01 12:0 a.m.•165 views

Activity Log < 2.8.8 - IP Spoofing

Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. Run the following code in the web browser and note on the backend that the IP address has been faked...

5.3CVSS5.4AI score0.00627EPSS
Exploits2
wpexploit
wpexploit
•added 2023/08/31 12:0 a.m.•162 views

Multiple Plugins from ServMask - Unauthenticated Access Token Update

Description The plugins do not have authorisation in the init function hooked to the admininit action, allowing unauthenticated attackers to update the access token With the All-in-One WP Migration Box Extension installed, open the below URL as unauthenticated:...

6.7AI score0.09666EPSS
Exploits1
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•157 views

Translate WordPress with GTranslate < 3.0.4 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. This vulnerability affects multiple...

4.8CVSS6AI score0.00402EPSS
Exploits2
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•172 views

Popup Builder < 4.2.0 - Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Note: The vendor was made aware of th...

4.8CVSS4.8AI score0.00379EPSS
Exploits2
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•157 views

Prevent files / folders access < 2.5.2 - Admin+ Arbitrary File Upload

Description The plugin does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server. 1 Create a PHP file cmd.php with the contents 2 Go to https://example.com/wp-admin/admin.php?page=momediarestrict&tab=privatedirectory 3 Then upload a fi...

7.2CVSS7.5AI score0.01297EPSS
Exploits2References1
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•149 views

DoLogin Security < 3.7 - IP Spoofing

Description The plugin uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. 1. Send login request with x-forwarded-for: REDACTEDIP 2. See spoofed IP address in the "Login Attempts Log"...

5.3CVSS5.4AI score0.00624EPSS
Exploits2
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•439 views

Import XML and RSS Feeds < 2.1.4 - Admin+ Arbitrary File Upload

Description The plugin does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution. NOTE: Because of an error in this version of the plugin, the following POC only works on PHP versions previous to 8.0. 1. As an admin,...

7.2CVSS7.4AI score0.01698EPSS
Exploits2
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•138 views

Locatoraid Store Locator < 3.9.24 - Reflected XSS

Description The plugin does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Setup as admin: - Locatoraid Configuration Google Maps Enter "none" at...

6.1CVSS6.1AI score0.0042EPSS
Exploits2
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•159 views

WP Job Portal < 2.0.6 - Unauthenticated SQLi

Description The plugin does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users Setup as admin: Create a dummy company and a job if there are none Attack as unauthenticated: time curl -X POST --data...

9.8CVSS9.9AI score0.03122EPSS
Exploits2
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•623 views

Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE

Description The plugin contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42 and not deletin...

9.8CVSS9.7AI score0.39554EPSS
Exploits2
wpexploit
wpexploit
•added 2023/08/30 12:0 a.m.•148 views

FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access

Description The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server. On a multisite instance, log in as an admin. Click on File Organizer in the sidebar. The UI gives full control to the files on the server, despite not being a...

7.2CVSS7.2AI score0.00628EPSS
Exploits1
Total number of security vulnerabilities4359