4359 matches found
BizLibrary <= 1.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Login as Admin. 2. Go to...
Ad Inserter < 2.7.27 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitra...
Active Directory Integration / LDAP Integration < 4.1.1 - Unauthenticated Data Disclosure
The plugin does not have proper authorization or nonce values for some POST requests, leading to unauthenticated data disclosure. In version 4.1.0 a nonce check was added to the request, but it still lacked authorization. The admininit hook calls MoLdapLocalLogin class loginwidgetsaveoptions meth...
Bit Form < 1.9 - RCE via Unauthenticated Arbitrary File Upload
The plugin does not validate the file types uploaded via it's file upload form field, allowing unauthenticated users to upload arbitrary files types such as PHP or HTML files to the server, leading to Remote Code Execution. As an unauthenticated user access a form containing a File Upload form...
Help Desk WP <= 1.2.0 - Editor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks. 1. Using a user with Editor Role privileges, go to the support page assigned for the Help Desk WP Plugin. 2. Click on "Add New Ticket", and fill t...
WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update
The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example Run the bel...
Clock In Portal <= 2.1 - Designation Deletion via CSRF
The plugin does not have CSRF check when deleting designations, which could allow attackers to make logged in admins delete arbitrary designations via a CSRF attack Make a logged in admin open a page with the code below, this will make them delete the Designation with ID 2...
Pretty Url <= 1.5.4 - Admin+ Stored XSS in plugin settings
Plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. In the "Enter the URL: field, add the XSS payloa...
Thumbnail carousel slider < 1.1.10 - Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting vulnerability which could be used against high privilege users such as admin. Make a logged in admin open: GET...
Clock In Portal <= 2.1 - Holidays Deletion via CSRF
The plugin does not have CSRF check when deleting Holidays, which could allow attackers to make logged in admins delete arbitrary holidays via a CSRF attack Make a logged in admin open a page with the code below, this will make them delete the Holiday with ID 1...
Clock In Portal <= 2.1 - Staff Deletion via CSRF
The plugin does not have CSRF check when deleting Staff members, which could allow attackers to make logged in admins delete arbitrary Staff via a CSRF attack Make a logged in admin open a page with the code below, this will make them delete the Staff with ID 1...
NEX-Forms < 8.4 - Admin+ SQL Injection
The plugin does not properly escape the table parameter, which is populated with user input, before concatenating it to an SQL query. POST /wp-admin/admin-ajax.php HTTP/1.1 Deleted Headers action=nfupdaterecord&table=Injection Point&editId=1&plugin=shared&title=exploit%60&formfields=/Deleted...
Ultimate Carousel For Elementor <= 2.1.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The plugin author was made aware of this vulnerability...
Japanized For WooCommerce < 2.5.8 - Reflected XSS
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting With the PeachPay payment gateway enabled can be enabled via the settings: http://example.com/wp-admin/admin.php?page=wc4jp-options&tab=payment Make a logged in admin open the...
Ultimate Carousel For WPBakery Page Builder <= 2.6 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The plugin author was made aware of this...
Wp-D3 <= 2.4.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. d3-source canvas='" onmouseover="alert1"...
WP Popups < 2.1.5.1 - Contributor+ Stored XSS
The plugin does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. This is due to an insufficie...
Video List Manager <= 1.7 - Admin+ SQL Injection
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin SELECT query: 1. Log in as admin. 2. Visit the following path on the site:...
Product Slider For WooCommerce Lite <= 1.1.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks psfwlgutenblock headingtag='h2"...
Membership Database <= 1.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
Bitcoin / AltCoin Payment Gateway <= 1.7.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by authenticated users Setup: 1. Install woocommerce dependency, no setup required 2. Install the vulnerable plugin woo-altcoin-payment-gateway version 1.7.1 3. ...
Sloth Logo Customizer <= 2.0.2 - Stored XSS via CSRF
The plugin does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in Admin open a page containing the HTML code below '...
Post Shortcode <= 2.0.9 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks pcs template='" onmouseover="alert1"...
WP Login Box <= 2.0.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Set “Greeting Text” option to: alert1 Set “Enable...
Mega Addons For WPBakery Page Builder < 4.3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. vctestimonial link='target:"...
WPML Multilingual CMS < 4.6.1 - Reflected Cross-Site Scripting
The plugin does not escape some URL attributes before outputting them to a page, leading to a Reflected Cross-Site Scripting vulnerability. After setting up the plugin, visit the following URL: /wp-login.php?wplang=%20=id=x+type=image%20id=xss%20onfoc%3C!%3Eusin+alert0%0c...
ChatBot < 4.4.7 - Unauthenticated PHP Object Injection
The plugin unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog To simulate a gadget chain, put the following code in a plugin: class Evil public function...
Cloud Manager <= 1.0 - Reflected XSS
The plugin does not sanitise and escape the query param ricerca before outputting it in an admin panel, allowing unauthenticated attackers to trick a logged in admin to trigger a XSS payload by clicking a link...
ChatBot < 4.4.5 - Stored XSS via CSRF
The plugin does not escape most of its settings before outputting them back in the dashboard, and does not have a proper CSRF check, allowing attackers to make a logged in admin set XSS payloads in them. Note: v4.4.5 fixed the CSRF issue, the lack of escaping was fixed in 4.5.1 and a separate iss...
WP Inventory Manager < 2.1.0.12 - Reflected XSS
The plugin does not sanitise and escape the message parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrators. On a page where the wpinventory shortcode is embed, append the following payloa...
ChatBot < 4.4.9 - Unauthenticated Stored XSS
The plugin does not have authorisation and CSRF in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard curl -X POST --data 'qcbotstrweight=" style=animation-name:rotation...
ChatBot < 4.5.1 - Admin+ Stored XSS
The plugin does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the Your Company ...
Pickup | Delivery | Dine-in date time <= 1.0.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Go to this page:...
hiWeb Migration Simple <= 2.0.0.1 Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. The hiweb-migration-simple plugin is vulnerable to POST based XSS on endpoint...
UserPlus <= 2.0 - Stored XSS via CSRF
The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack. Open the .html file where the admin user is logged in history.pushState'', '', '/' input type="hi...
ChatBot < 4.4.9 - Subscriber+ OpenAI Settings Update to Stored XSS
The plugin does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS Run the below command in...
Download Manager Pro < 6.3.0 - Unauthenticated Sensitive Information Disclosure
The plugin leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files. - Create a password protected package containing one or more files. - Navigate to the download page of the package e.g. /download/package1 - Inspect...
Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS
The plugin does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below ' /...
SEOPress < 6.5.0.3 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
WP Custom Author URL < 1.0.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Login as Admin. 2. Go to...
Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS
The plugin does not sanitise and escape the edit parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrators. Make a logged in admin open the following URL:...
Blocksy Companion < 1.8.82 - Subscriber+ Draft Post Access
The plugin does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as subscriber to access draft posts for example Run the below command in the developer console of the web browser while being on the blog as a subscrib...
Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSS
The plugin does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks import requests import sys import re if lensys.argv != 4: print'USAGE: python %s ' %...
Formidable Forms < 6.2 - Unauthenticated PHP Object Injection
The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void die"Arbitrary deserialization"; 1. Active this plugin a...
Limit Login Attempts < 1.7.2 - Unauthenticated Stored XSS
The plugin does not sanitize and escape the IP address retrieved from headers such as X-Forwarded-For when the "Site Connection" settings is set to "From behind a reversy proxy", which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks Setup: As admin, set the...
Slimstat Analytics < 4.9.4 - Subscriber+ SQL Injection
The plugin does not prevent subscribers from rendering certain shortcodes that concatenate attributes directly into an SQL query...
Stagtools < 2.3.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 1. Create a Post and add a Shortcode. 2...
Site Reviews < 6.7.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Login as Admin. 2. Go to...