4359 matches found
USM Premium < 16.3 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Put the payload in any text field of the "8 Do y...
WP User Switch < 1.0.3 - Subscriber+ Authentication Bypass
The plugin does not properly verify the 'wpuswhoswitch' cookie value, which allows attackers with low-privilege accounts like Subscribers to bypass authentication and login as any other existing user. Log-in as a subscriber onto the affected site. Run the following JS script in your browser's...
Contact Form and Calls To Action by vcita <= 2.7.1 - Settings Update Via CSRF
The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions alert1;&uid=a”alert2;...
Contact Form Builder by vcita < 4.10.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email parameter in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts targeting higher privileged users, such as administrators, into the plugin settings...
WooCommerce Box Office < 1.1.52 - Unauthenticated Ticket Barcode Update
The plugin does not have authorisation and CSRF when updating a ticket bar-code, allowing unauthenticated users to perform such action curl https://example.com/wp-admin/admin-ajax.php -d "action=saveticketbarcode&ticketbarcodeimage=xxx&ticketbarcodetext=xxxxx&ticketid=86"...
Multiple plugins by vcita - CSRF to Stored XSS in settings page
The plugin does not protect the live-site-parse-vcita-callback settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a logged in user with contributor role or higher to click a link...
CRM and Lead Management by vcita <= 2.7.1 - Settings Update Via CSRF
The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to inject arbitrary web scripts by tricking a user with the contributor role or higher to click a link. The plugin does not protect its settings page against CSRF attacks, allowing an...
Contact Form Builder by vcita <= 4.10.2 - Settings Update Via CSRF
The plugin does not protect its settings page against CSRF attacks, allowing an unauthenticated attacker to change the plugin's settings, and on older versions alert1;...
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.3 - Missing authentication
The plugin does not validate authorization in its vcita-wordpress/v1/actions/auth REST route endpoint, allowing an unauthenticated attacker to set the connection parameters for the vcita account connection, including businessname and email address. Furthermore, the variables are stored in the...
CRM and Lead Management by vcita < 2.7.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email and uid parameters in the plugin settings before rendering it on the page, which could allow users with roles as low as contributor to inject arbitrary web scripts targeting high privilege users such as administrators...
Multiple plugins by vcita - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and the email field in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts in the plugin settings page, which could target high privilege users such as administrators...
Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitize and escape the businessid parameter of an unprotected REST route endpoint before rendering it back in pages on the website, allowing an unauthenticated attacker to inject arbitrary web scripts, which could target authenticated users such as administrators. curl...
Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.3 - Denial of Service via CSRF
The plugin does not protect its vcitalogout ajax action against CSRF attacks, allowing an unauthenticated attacker to log the site out from it's vcita account by tricking a logged in user to send a crafted request, causing a denial of service for the appointment scheduling functionality...
Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.0 - Subscriber+ Denial of Service by account logout
The plugin does not validate authorization in the vcitalogout ajax action, allowing any logged in user with roles as low as subscriber to log the site out from the cvita account, causing a denial of service for the appointment scheduling functionality...
Contact Form and Calls To Action by vcita < 2.7.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email and uid parameters in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts into the settings, targeting higher-privileged users such as administrators...
WooCommerce Box Office < 1.1.51 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks tickets columns='111"...
File Manager Advanced Shortcode <= 2.3.2 - Unauthenticated Remote Code Execution through shortcode
The plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users. 1. Add the following shortcode to a...
Feather Login Page < 1.1.2 - Missing Authorization to Non-Arbitrary User Deletion
The plugin does not check authorization when processing the ftlpp-ext-expirable-delete-user ajax action, which could allow users with roles as low as subscriber to delete temporary users generated by the plugin, furthermore it does not protect the action against CSRF attacks, allowing an...
CRM Perks Forms < 1.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the formid field in the plugin settings page, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...
Feather Login Page < 1.1.2 - Missing Authorization to Authentication Bypass and Privilege Escalation
The plugin lacks authorization checks in the ftlpp-ext-expirable-get-users ajax action, allowing logged in users with roles as low as subscriber to access the login links for the temporary users created by the plugin, which can be used for privilege escalation. GET...
Feather Login Page < 1.1.2 - Cross-Site Request Forgery to Privilege Escalation
The plugin does not protect its ftlpp-ext-expirable-login-link action against CSRF attacks, allowing an unauthenticated attacker to add users of any role on their behalf by tricking a logged in administrator to submit a crafted request. POST...
AI-Engine < 1.6.83 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Go to Meow Apps » AI Engine » Chatbot tab » Visu...
Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API
The plugin does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization. curl --json ' "media": "tmpname": "/WPCONTENTPATH/wp-config.php",...
QueryWall: Plug'n Play Firewall <= 1.1.1 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. 1. Send GET /wp-admin/admin.php?page=querywall&orderby=datetimegmt&order=desc%2cselectfromselectsleep20a 2. See SQL execut...
SlideOnline <= 1.2.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks The PoC will be displayed once the issue has...
File Renaming on Upload < 2.5.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Multiple inputs in the plugin's settings -- for...
AI ChatBot < 4.5.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks to all admin when setting chatbot and all client when using chatbot 1. Go to "Settings Language Settings ChatBot Keywords" 2. Enter...
Google Map Shortcode <= 3.1.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin Note: The plugi...
WP Custom Cursors < 3.2 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. 1. Add a new "WP Custom Cursor". 2. Return to the "WP Custom Cursors" page and click edit Cursor. 3.The WP Custom Cursors...
Upload Resume <= 1.2.0 - Captcha Bypass
The plugin does not validate the captcha parameter when uploading a resume via the resumeuploadform shortcode, allowing unauthenticated visitors to upload arbitrary media files to the site. The PoC will be displayed once the issue has been remediated...
Conditional Menus < 1.2.1 - Reflected XSS
The plugin does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the HTML code below '...
Ultimate Dashboard < 3.7.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Ultimate Dashboard - Settings - General"...
qubotchat < 1.1.6 - Unauthenticated Stored XSS
The plugin doesn't filter user input on chat, leading to bad code inserted on it be reflected on the user dashboard. 1. Enter " as the malicious payload into the chatbot input. 2. See XSS vulnerability...
Revolution Slider <= 6.6.12 - Author+ Remote Code Execution
The plugin does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations. By default, the import functionality is only available to Admin users. However, the plugin may be configured to allow...
Easy Forms for Mailchimp < 6.8.9 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. When the debug settings is enabled ie...
Qubotchat < 1.1.6 – Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Add a "button" to the chatbot 2. In the "Text...
WooCommerce Warranty Requests < 2.1.7 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below v = 2.1.6...
Icegram Engage < 3.1.12 - Reflected XSS
The plugin does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
Integration for Contact Form 7 and Zoho CRM, Bigin < 1.2.4 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin 1. Send a GET request with...
Multiple Plugins from Wow-Company - Reflected XSS
The plugins do not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below ' / The XSS will be triggered when pressing...
AI ChatBot < 4.5.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Go to plugin settings under "WPBot Lite Simple Text Responses" 2. Enter the payload Test Query"...
Responsive Tabs For WPBakery Page Builder <= 1.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: The plugin requires WPBakery Page...
Photo Gallery by Ays < 5.1.7 - Reflected XSS
The plugin does not escape some parameters before outputting it back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open one of the URLs below v 5.1.7 -...
File Away <= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. fileup class='" onmouseover="alert1"'...
Contact Form Email < 1.3.38 - Unauthenticated Stored Cross-Site Scripting
The plugin does not escape submitted values before displaying them in the HTML, leading to a Stored XSS vulnerability. 1. Publish the default form to a page by clicking on "Contact Form to Email" in the sidebar, and the "Publish" button beside the form name. 2. Visit the form on the frontend. Fil...
Quiz Maker < 6.4.2.7 - Reflected XSS
The plugin does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below other URL are also affected...
ConvertKit < 2.2.1 - Reflected XSS
The plugin does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
WooCommerce Brands < 1.6.46 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Add a Brand with an image, and assign it to ...
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.61 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the admin dashboard when the WPML plugin is also active and configured, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page...
Stop Spammers Security < 2023 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the payload below in any of the "Challenge &...