IURNY by INDIGITALL < 3.2.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to the plugin's settings. 2...
Ultimate Addons for Contact Form 7 < 3.1.29 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Ensure Contact Form 7 is installed,...
User Activity Log < 1.6.5 - Unauthenticated SQLi
Description The plugin does not correctly sanitise and escape several parameters before using them in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks. Version 1.6.4 mitigates the issue for unauthenticated users but it is still...
WP-EMail < 2.69.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the "Email Options" section of t...
WP Brutal AI < 2.06 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. In the plugin settings, for a campaig...
WordPress Database Administrator <= 1.0.3 - Unauthenticated SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. Run the command: curl -i -s -k -X POST --data-binary...
Contact Form Builder by Bit Form < 2.2.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Create a Blank form or select conta...
Custom Field For WP Job Manager < 1.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup To test, you also need to have WP Job...
Elementor < 3.5.5 - Iframe Injection
Description The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs...
T1 theme <= 19.0 - Open Redirect
Description The theme is vulnerable to an unauthenticated open redirect, which allows any attacker to redirect users to arbitrary websites. https://www.example.com/wp-content/themes/t1/page-templates/applyredirection.php?file=240317005410&urlnow=http://google.com&urljs=https://www.evil.com?...
WP Shopping Pages <= 1.14 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. Make a logged in admin access a page with the following code: ' input type...
Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending
Description The plugin allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubelysendformdata AJAX action. Execute the below command in the web developer console, on the blog homepage as an unauthenticated user, replacing domain by the domain of the blog: Current...
MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi
Description The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. Note WPScan: The issue was fixed in 1.14.13, however a better patch was done in 1.14.15 a...
Bubble Menu < 3.0.5 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. 1. Click on the "Add new" tab. 2...
WP Food Manager < 1.0.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Food manager Add Food" and a...
WPCode < 2.0.13.1 - Reflected XSS
Description The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting Make a logged in admin open https://example.com/wp-admin/admin.php?page=wpcode&a"alert/XSS/=2...
MultiParcels Shipping For WooCommerce < 1.14.14 - Subscriber+ Arbitrary Shipment Deletion
Description The plugin does not have an authorisation check when deleting a shipment, allowing any authenticated users, such as subscribers, to delete arbitrary shipments. Login as a subscriber and open https://example.com/wp-admin/admin-post.php?action=multiparcelsdeleteshipping&id=1 to delete the shipment with...
MultiParcels Shipping For WooCommerce < 1.15.4 - Reflected XSS
Description The plugin does not sanitise and escape various parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Note: The issue was fixed in 1.14.15 but re-introduced in 1.14.16. Make a logged ...
Quiz And Survey Master < 8.1.11 - Contributor+ Stored XSS
Description The plugin does not properly sanitize and escape question titles, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks As a Contributor, create or edit a Quiz with the default theme and put the following payload in a question title...
Short URL < 1.6.5 - Admin+ Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. In the plugin settings, add the POC alert1 to the...
Multiple Plugins from Addify - Multiple CSRF
The plugins have flawed CSRF checks in various places, which could allow attackers to make logged in users perform unwanted actions addify-order-approval-woocommerce - To make a logged in admin approve the order with ID 103...
Grid Kit Premium < 2.2.0 - Multiple Reflected Cross-Site Scripting
The plugin does not escape some parameters as well as generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open one of the URL below...
Forminator < 1.24.4 - Reflected XSS
The plugin does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. 1. Create a "Contact Us" form from the plugin presets 2. Click on the Message field, go to the "Settings" tab and choose a nam...
WooCommerce Pre-Orders < 2.0.3 - Arbitrary Pre-Order Canceling via CSRF
The plugin has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged in admins cancel arbitrary pre-orders via a CSRF attack Make a logged in admin open the URL below 42 being a pre-order to be canceled...
LMS by Masteriyo < 1.6.8 - Information Exposure
The plugin does not properly safeguard sensitive user information, like other users' email addresses, making it possible for any student to leak them via some of the plugin's REST API endpoints. curl -i -s -k -X $'GET' \ -H $'Host: localhost:8000' -H $'sec-ch-ua: ' -H $'Accept: application/json...
WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF
The plugin has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged in admins email pre-order customers, change the release date, or mark all pre-orders of a specific product as complete or cancelled via CSRF attacks. Make a logged in admin open an HTML page...
User Activity Log < 1.6.3 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the txtsearch parameter before using it in a SQL statement in some admin pages, leading to a SQL injection exploitable by high privilege users such as admin. As an admin, visit either of the following URLs. Note that it takes several seconds for t...
Waitlist Woocommerce < 2.5.3 - Settings Reset via CSRF
The plugin does not have a CSRF check when resetting its settings, which could allow attackers to make logged in admins perform such an action via a CSRF attack. Make a logged in admin open https://example.com/wp-admin/admin.php?page=waitlist-woocommerce-settings&reset=yes...
Login/Signup Popup < 2.4 - Settings Reset via CSRF
The plugin does not have a CSRF check when resetting its settings, which could allow attackers to make logged in admins perform such an action via a CSRF attack. Make a logged in admin open https://example.com/wp-admin/admin.php?page=easy-login-woocommerce-settings&reset=yes...
Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. POST /register/ HTTP/1.1 Host: wpscan-vulnerability-test-bench.ddev.site User-Agent:...
POST SMTP Mailer < 2.5.7 - Arbitrary Log Deletion via CSRF
The plugin does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the managepostmansmtp capability delete arbitrary logs via a CSRF attack. Note: The AJAX actions are also affected by SQL injections, making the issue Make a logged in user...
NEX-Forms < 8.4.4 - Authenticated Stored XSS
The plugin does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins in multisite / admins in single site can create forms, however there is a setting allowing them to give lower roles access to such a feature. Create a new form with the...
WooCommerce Pre-Orders < 2.0.2 - Reflected XSS
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin When there is at least one pre-order, make a logged in admin open the URL below...
POST SMTP Mailer < 2.5.7 - Account Takeover via CSRF
The plugin does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the managepostmansmtp capability resend an email to an arbitrary address for example a password reset email could be resent to an attacker controlled email, and allow them to...
WooCommerce Google Sheet Connector <= 1.3.5 - Access Code Update via CSRF
The plugin does not have a CSRF check when updating its Access Code, which could allow attackers to make a logged in admin change the access code to an arbitrary one via a CSRF attack. Make a logged in admin open https://example.com/wp-admin/admin.php?page=wc-gsheetconnector-config&code=attacker-code...
Querlo Chatbot <= 1.2.4 - Stored Cross-Site Scripting
The plugin does not escape or sanitize chat messages, leading to a stored Cross-Site Scripting vulnerability. Submit the following in the chat message: """ See the XSS in Querlo...
WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update
The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of H1 Affected functions: createpaymentintentajax updatepaymentintentajax saveupeappearanceajax updateorderstatusajax updatefailedorderajax As a...
Lana Shortcodes < 1.2.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Insert any of the following shortcodes in a...
Login Configurator <= 2.1 - Reflected Cross-Site Scripting
The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators. Visit the following path:...
Floating Chat Widget < 3.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Steps to Reproduce: 1. Open Chaty Plugin Dashboard...
Membership Plugin - Restrict Content < 3.2.3 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged-in admin open a page containing the HTML code below. "/...
AN_GradeBook <= 5.0.1 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber Access the following URL to demonstrate SQLi:...
Enable SVG, WebP & ICO Upload <= 1.0.3 - Author+ Stored XSS
The plugin does not sanitize SVG file contents, leading to a Cross-Site Scripting vulnerability. 1. Upload an SVG file with the following contents. 2. View the SVG file on the frontend and see the alerts. alert/XSS2/...
InventoryPress <= 1.7 - Author+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks. 1. Create a "New Inventory Item" 2. In the "Description" field, add the value "alert"xss" 3. Edit the created item and see the XS...
Supsystic Popup < 1.10.19 - Prototype Pollution
The plugin has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype. 1 Create a pop-up that is set to load on any page 2 Go to http://example.com/?protopoc=polluted 3 Open browser console 4 Type poc and see polluted as the result...
WooCommerce Product Vendors < 2.1.77 - Vendor Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as Admin Vendor and above As an Admin vendor, open the URL below...
WooCommerce Pre-Orders < 2.0.1 - Contributor+ Stored XSS
The plugin does not validate and escape its layout shortcode attribute before outputting it back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks woocommercepreordercountdown productid="64"...
WooCommerce Product Vendors < 2.1.77 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below html alert/XSS/" /...
Gravity Forms < 2.7.5 - Reflected XSS
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin. Make a logged in admin open the following URL:...
WooCommerce Bulk Stock Management < 2.2.34 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below...