4359 matches found
WooCommerce Composite Products < 8.7.6 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin On a page where a Component Product is displayed, append...
Stop Spammers Security < 2023 - Reflected XSS
The plugin does not sanitise and escape various parameters before outputting them back in admin dashboard pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page containing the code below...
WooCommerce Ship to Multiple Addresses < 3.8.4 - Subscriber+ Shipping Address Disclosure via IDOR
The plugin does not ensure that the order to display the shipping address from belong to the user making the request, allowing any authenticated users, such as subscriber to view other shipping addresses via an IDOR https://example.com/checkout/shipping-addresses/?orderid=106...
WP Multi Store Locator <= 2.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks storelocatorshow location="'; alert1;...
Get Your Number <= 1.1.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. In the plugin's settings, enter the payload...
Frontend Post WordPress Plugin <= 2.8.4 - Contributor+ Arbitrary Redirect
The plugin does not validate an attribute of one of its shortcode, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post, which will redirect users to an arbitrary domain. ap-form-message redirect="https://wpscan.com"...
10WebSocial < 1.2.9 - Reflected XSS
The plugin does not sanitise and escape some parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below The XSS will be triggered when pressing...
AP Pricing Tables Lite <= 1.1.6 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 115 Accept: / Content-Type:...
Hostel < 1.1.5.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Manage Rooms and click on "Click here to...
Seo By 10Web < 1.2.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to SEO by 10Web » Sitemap section. 2. And n...
Directorist < 7.5.4 - Admin+ LFI
The plugin is vulnerable to Local File Inclusion as it does not validate the file parameter when importing CSV files. This PoC will work on Linux systems. 1. Navigate to the URL path: /wp-admin/edit.php?posttype=atbizdir&page=tools&step=2&file=/etc/passwd&delimiter=; 2.. You will be presented wit...
Download Manager < 3.2.71 - Broken Access Controls
The plugin does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's...
HollerBox < 2.1.4 - Admin+ SQL Injection
The plugin concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database. 1. Login as admin 2. Make sure HollerBox is installed and...
Advanced Custom Fields < 6.1.6 - Reflected XSS
The plugins do not escape the poststatus parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
OSM – OpenStreetMap <= 6.01 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. osmmap mapborder='3px solid black;background:red;width:100px;height:100px;" onmouseover="alert1"'...
Login Rebuilder < 2.8.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Settings » Login rebuilder 2. In Login...
AnyWhere Elementor < 1.2.8 - Freemius API Key Disclosure
The plugin discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. Such key has been revoked. See the disclosed secret key in includes/pro.php...
Add to Feedly <= 1.2.11 - Admin+ Stored XSS
The plugin does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Install the plugin and insert the following payload in the field "Feed URL http://...": 1"alert1 Save th...
Elementor Website Builder < 3.12.2 - Admin+ SQLi
The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role. 1. Go to Elementor Tools Replace URL 2. Fill the first field with http://localhost:8000/ ...
WP Fatest Cache < 1.1.5 - Blind SSRF via CSRF
The plugin does not have CSRF check in an AJAX action, and does not validate user input before using it in the wpremoteget function, leading to a Blind SSRF issue Note: CSRF was fixed in 1.1.4, the SSRF in 1.1.5 Make a logged in admin open...
Newsletter Popup <= 1.2 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks 1. Create a Newsletter popup any will do and publish it. 2. Use an incognito window and open the website involved, then run the following code in th...
Loginizer 1.7.8 - Reflected XSS
The plugin does not escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
Otter - Gutenberg Blocks < 2.2.6 - Author+ PHAR Deserialization
The plugin does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP startBuffering; $phar-addFromString'test.png', 'text'; $phar-setStub"\xff\xd8\xff\n"; $phar-setMetadatanew Evil; $phar-stopBuffering; 2...
Image Optimizer by 10web < 1.0.27 - Admin+ Path Traversal
The plugin does not sanitize the dir parameter when handling the getsubdirs ajax action, allowing a high privileged users such as admins to inspect names of files and directories outside of the sites root. - Payload: ../../../../../../../../../../../../../../../../../../../ - At the "Other...
Newsletter Popup <= 1.2 - Record Deletion via CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks as the wpnewslettershowlocalrecord page is not protected with a nonce...
Orbit Fox < 2.10.24 - Author+ Server-Side Request Forgery
The plugin does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing. 1. Install the Log HTTP Requests plugin to inspect th...
WP EasyPay < 4.1 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin When there is no account connected, make a logged in admin open...
Product Addons & Fields for WooCommerce < 32.0.7 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting. Ensure WooCommerce is installed. Visit the following path, while logged in as an Admin: /wp-admin/admin.php?page=ppom&productmetaid=5&dometa=edit&"alert/XSS/=1...
ClickFunnels <= 3.1.1 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. clickfunnelsembed url="javascript:alert1"...
Image Optimizer by 10web < 1.0.27 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the iowdtabsactive parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged in admin to execute arbitrary javascript by clicking a link. Make a logged in admin...
WP Inventory Manager < 2.1.0.13 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. 1. Go to WP Inventory Inventory Items and create a new Inventory Item. 2. Create a page and add the wpinventory shortcode. 3. View the new page on the frontend,...
Booking Manager < 2.0.29 - Subscriber+ SSRF
The plugin does not validate URLs input in it's admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the sites internal network. As an admin: Type in an internal URL for example...
SEO ALert <= 1.59 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Vanilla Beans » SEO Alert. 2. In "Slack...
YARPP - Yet Another Related Posts Plugin < 5.30.3 - Subscriber+ SQLi
The plugin does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscribers to perform SQL Injection attacks. Run the below command in the developer console of the web browser while being on the blog...
Tiempo.com <= 0.1.2 - Shortcode Deletion via CSRF
The plugin does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack Make a logged in admin open the URL below, this will make them delete the shortcode with ID 1...
Tiempo.com <= 0.1.2 - Stored XSS via CSRF
The plugin does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open a page with the code below input type="hid...
REST API TO MiniProgram <= 4.6.1 - Subscriber+ Attachment Deletion
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Tiempo.com <= 0.1.2 - Reflected XSS
The plugin does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below ' /...
URL Params < 2.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. urlparam htmltag='h1' attr='a'...
Ko-fi Button < 1.3.3 - Admin+ Stored XSS
The plugin does not properly some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disallowed for example in multisite setup, and we consider it a low risk. 1. In the Kofi plugin settings, change...
WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi
The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. Note: The visitorId parameter's numerical prefix before the %27 must be different on each try...
Tablesome < 1.0.9 - Reflected XSS
The plugin does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting Make a logged in admin open one of the URL below when the feature/tracking notice has not been dismissed yet...
HTTP Headers < 1.18.8 - Admin+ SQL Injection
This plugin has an import functionality which executes arbitrary SQL on the server, leading to an SQL Injection vulnerability. 1. Create an SQL file with the following contents: UPDATE wpoptions SET optionvalue = "Hacked" WHERE optionname = "blogname" 2. As an admin user within WP Admin, navigate...
Side Cart Woocommerce < 2.2 - Settings Reset via CSRF
The plugin does not have CSRF check when reseting its Settings, which could allow attackers to make logged in admins perform such action via a CSRF attack Make a logged in admin open https://example.com/wp-admin/admin.php?page=side-cart-woocommerce-settings&reset=yes...
Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. - Install the plugin and WooCommerce, whic...
Ninja Forms < 3.6.22 - Reflected XSS
The plugin does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
tagDiv Composer < 4.0 - Reflected Cross-site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page containing the HTML code below...
ActiveCampaign < 8.1.12 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, add a "AC Forms" Gutenberg block to a...
KIWIZ Invoices Certification & PDF System <= 2.1.3 - Unauthenticated Arbitrary File Download
The plugin does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization assuming they can upload a file on the server To download ../../../../wp-config.php:...
RapidExpCart <= 1.0 - Stored XSS via CSRF
The plugin does not sanitize and escape the url parameter in the rapidexpcart endpoint before storing it and outputting it back in the page, leading to a Stored Cross-Site Scripting vulnerability which could be used against high-privilege users such as admin, furthermore lack of csrf protection...