4359 matches found
WP Logs Book <= 1.0.1 - Disable Logging via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make an admin open an HTML file containing:...
CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Widget Bundle <= 2.0.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Enable the "Text Form" widget 2. Ad...
HTML5 Video Player < 2.5.27 - Unauthenticated SQLi
Description The plugin does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks % time curl "https://example.com/?restroute=/h5vp/v1/video/1&id=1'+OR+SELECT+1+FROM+SELECTSLEEP5xyz--+-"...
Responsive video embed < 0.5.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, create a post...
Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access
Description The plugin allows you to display custom field values for any post via shortcode without checking for the correct access 1. ADMIN: Install Advanced Custom Fields or ACF Pro 2. ADMIN: Create a new field group for posts and add a field to that 3. ADMIN: Fill in content for posts includin...
Simple Share Buttons Adder < 8.5.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed 1. Go to the plugin settings 2. In the "Additional CSS" field, enter the payload 3. Save...
FooBox (Free and Premium) < 2.7.28 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Go to settings and change the "Specif...
Expert Invoice <= 1.0.2 -Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate to Expert Invoice Customer...
Easy Notify Lite < 1.1.33 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks. - Create/edit a Notification https://example.com/wp-admin/post-new.php?posttype=easynotify - Put the following...
PostX < 4.1.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below code in a...
WordPress Jitsi Shortcode <= 0.1 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, add a shortcod...
Pray For Me <= 1.0.4 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP Admin 1. Configure the plugin to add the first name and last name fields to the form:...
Inquiry Cart <= 3.4.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert9995'...
WP Prayer II <= 2.4.7 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Have an admin open an HTML file containing:...
LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Request: POST...
Similarity <= 3.0 - Plugin Reset via CSRF
Description The plugin does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack Make a logged in admin open an HTML file containing:...
SVGMagic <= 1.1 - Stored XSS via SVG Upload
Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. 1. Create a SVG file with the malicious payload within it; Example SVG file:...
Similarity <= 3.0 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert3' /...
AZAN Plugin <= 0.6 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make a logged in admin open an HTML file containing: alert999,2,2,3' / If the widget is...
Amen <= 3.3.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Social Pixel <= 2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to:...
Pray For Me <= 1.0.4 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make a logged in admin open an HTML file containing:...
The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access
Description The plugin does not prevent users with at least the contributor role from leaking details about events they shouldn't have access to. e.g. password-protected events, drafts, etc. Free: 1. ADMIN: Install The Events Calendar 2. ADMIN: Create events with each status: published, private,...
WP Prayer II <= 2.4.7 - Email Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack Have an admin open an HTML file containing:...
Alemha Watermarker <= 1.3.1 - Author+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. As an "author" level user, add a ne...
SVGator <= 1.2.6 - Stored XSS via SVG Upload
Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. 1. Create a SVG file with the malicious payload within it; Example SVG file:...
WordPress Jitsi Shortcode <= 0.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to:...
Search & Replace < 3.2.2 - Admin+ SQL injection
Description The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks such as within a multi-site network. 1. Go to the Tools parameter 2. Select Search & Replace 3. Click "Do Search & Replace" 4. Change the parameters...
FooGallery < 2.4.15 - Author+ Stored XSS
Description The plugin does not validate and escape some of its Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin Create a new...
Floating Chat Widget < 3.2.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go "Chaty Create New Widgets 3...
Themify Builder < 7.5.8 - Open Redirect
Description The plugin does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue curl -kvL https://www.example.com/wp-login.php \ -e http://arbitrary-referer \ -d...
Web Directory Free < 1.7.0 - Unauthenticated SQL Injection
Description The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based. curl --url...
Sassy social share < 3.3.63 Admin+ Stored Cross-Site scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to the plugin's settings. 2...
Arforms < 6.4.1 - Reflected XSS
Description The plugin does not properly escape user-controlled input when it is reflected in some of its AJAX actions. https://www.example.com/wp-admin/admin-ajax.php?action=currentmodal&positionmodal=alertdocument.domain...
Logo Slider < 4.0.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Using a contributor account, add a Logo Slider using the Shortco...
ArForms < 6.6 - Unauthenticated RCE
Description The plugin allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form 1. Create a form with an upload input 2. As an unauthenticated user, upload an image file and intercept the request. 3. Modify i...
WP Backpack <= 2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
ArForms < 6.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Add or edit an existing form and in...
WP Stacker <= 1.8.5 - Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Make an admin open an HTML document containing: alert888' / alert2' /...
BuddyBoss Platform < 2.6.0 - Subscriber+ Comment on Private Post via IDOR
Description The plugin contains an IDOR vulnerability that allows a user to comment on a private post by manipulating the ID included in the request POST /wp-admin/admin-ajax.php HTTP/2 Host: online-communities.demos.buddyboss.com Cookie:...
BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment
Description The plugin contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request POST /wp-admin/admin-ajax.php HTTP/2 Host: buddyboss.example.com Cookie: REDACTED User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:120.0...
FS Product Inquiry <= 1.1.1 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some form submissions, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks 1. Add an inquiry form using the shortcode fspi-show-products-list 2. As a non-logged in visitor, enter the payload "...
FS Product Inquiry <= 1.1.1 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users Have any user admin or unauthenticated open an HTML page with...
Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Iframe Injection
Description The plugin lacks validation of URLs when adding iframes, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page. 1 Create a new post 2 Add and e-Learning block and upload a zip file 3 Select the "Insert As: Iframe" option 4 Intercept the reque...
Jetpack < 13.4 - Contributor+ Stored Cross-Site Scripting via wpvideo Shortcode
Description The plugin did not properly escape some of its shortcode attributes, allowing users with at least the contributor role to conduct Stored XSS attacks. wpvideo OcobLTqC freedom=true preloadContent='"src=x onerror=alertdocument.cookie xss'...
Gutenberg Blocks by Kadence Blocks < 3.2.37 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Add a Lottie Animation block to a post a...
The Events Calendar < 6.4.0.1 - Reflected XSS
Description The plugin does not properly sanitize user-submitted content when rendering some views via AJAX. The Events Calendar "...
Simple Ajax Chat < 20240412 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup This was partially fixed in 0240216 bu...
WP eMember < 10.3.9 - Reflected XSS
Description The plugin does not sanitize and escape the "fieldId" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. https://www.example.com/wp-admin/admin-ajax.php?fieldId=alertdocument.cookie&action=checkname...