4359 matches found
WP SMTP Mailing Queue < 2.0.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Navigate to "Settings SMTP Mailing Queue Tools"...
Zyrex Popup < 1.1 - Admin+ Arbitrary File Upload
The plugin does not validate the type of files uploaded when creating a popup, allowing a high privileged user such as an Administrator to upload arbitrary files, even when modifying the file system is disallowed, such as in a multisite install. Create a new popup by filling in anything in the...
Quick Paypal Payments < 5.7.26.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Original request - with sandbox=checked POST...
Amr Ical Events Lists <= 6.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Login as Admin. 2. Go to...
Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. Submit a message in the chatbox, intercept the request using Burp Suite for example. Edit the request to reflect this request:...
Steveas WP Live Chat Shoutbox <= 1.4.2 - Unauthenticated Stored XSS
The plugin does not sanitise and escape a parameter before outputting it back in the Shoutbox, leading to Stored Cross-Site Scripting which could be used against high privilege users such as admins. On a clean Wordpress on localhost: 1. Modify the Shoutboxalias cookie with a value such as 2. Send...
Ajax Search Lite Pro < 4.26.2 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
Ajax Search Lite < 4.11.1, Pro < 4.26.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a response of an AJAX action, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below...
WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF
The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcodeactivatesnippets capability delete arbitrary log files on the server, including outside of the blog folders Make a...
Random Text <= 0.3.0 - Subscriber+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers. fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
WP FEvents Book <= 0.46 - Subscriber+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Cross-Site Scripting attacks 1. Create an event page using the plugin. 2. Access the page using an account with Subscriber role. 3. In the 'User notes' section, inject...
WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR
The plugin does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users. 1. Book or cancel booking an event using an authenticated user. 2. Intercept the request using an HTTP Pro...
Easy Forms for MailChimp < 6.8.8 - Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the following code this requires the attacker to...
Weaver Xtreme Theme Support < 6.2.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Required theme:...
Video Central for WordPress <= 1.3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks video-central-subtitle src="'...
MS-Reviews <= 1.5 - Subscriber+ Stored XSS
The plugin does not sanitise and escape reviews, which could allow users any authenticated users, such as Subscribers to perform Stored Cross-Site Scripting attacks As a subscriber, submit a review a page/post with msreviews embed with the following payload: alert/XSS/ The XSS will be triggered...
Easy Forms for MailChimp < 6.8.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below shortcodes i...
TF Random Numbers < 2.0.1 - Subscriber+ Arbitrary Option Update
The plugin does not have authorisation and CSRF check in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated users, such as subscriber, to update arbitrary blog options, such as enabling registration and set the...
Responsive WordPress Slideshows 3.29.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open a page with the code below '/...
Gallery by BestWebSoft < 4.7.0 - Author+ SQL Injection
The plugin does not properly escape values used in SQL queries, leading to an Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor's Slider plugin https://wordpress.org/plugins/slider-bws/ must also be installed for this vulnerability to b...
WC Fields Factory < 4.1.7 - ShopManager+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Newsletter < 7.6.9 - Reflected XSS
The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators Make a logged in admin open...
Photo Gallery by 10Web < 1.8.15 - Admin+ Path Traversal
- The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector. - Path Traversal Vulnerabillity also allows listing the entire folder & image file in the system. - The below...
Gallery by BestWebSoft < 4.7.0 - Author+ Stored Cross-Site Scripting
The plugin does not perform proper sanitization of gallery information, leading to a Stored Cross-Site Scription vulnerability. The attacker must have at least the privileges of the Author role. 1. Go to Galleries Add New. 2. Click "Add Media" and choose or upload an image. 3. When publishing or...
WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization
The plugin does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution. 1. Use a WordPress instance...
WooCommerce Payments < 5.6.2 - Unauthenticated Privilege Escalation
The plugin has a flaw allowing unauthenticated attackers to create an admin account and take over the blog POST /wp-json/wp/v2/users HTTP/1.1 Host: 127.0.0.1 Upgrade-Insecure-Requests: 1 Accept:...
Woo Bulk Price Update < 2.2.2 - Reflected XSS
The plugin does not sanitize and escape escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
Waiting: One-click Countdowns <= 0.6.2 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the pbcdownmetaid parameter before using it in a SQL statement via the pbcsavedowns AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber Run the below command in the developer console of the web browser...
W4 Post List < 2.4.6 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. On a post, add a "W4 Post List" block, select a list a...
InPost Gallery <= 2.1.4.1 - Reflected XSS
The plugin does not sanitise and escape the imgurl parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
Pricing Tables For WPBakery Page Builder < 3.0 - Subscriber+ LFI
The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks Run the below command in the developer console of the web browser while being on the blog as a...
Gift Voucher < 4.3.3 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the template parameter before using it in a SQL statement via the wpgvdoajaxvoucherpdfsavefunc AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber curl "http://$TARGETHOST/wp-admin/admin-ajax.php" --da...
MDTF < 1.3.1 - Reflected XSS
The plugin does not sanitise and escape the taxname parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
Events Made Easy <= 2.3.14 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the searchname parameter before using it in a SQL statement via the emerecurrenceslist AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber Open the URL below while being on the blog as subscriber user...
W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure
The plugin does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them Setup: Create a default Post list, and create a password protected post with secret content Then, run the below command in the develop...
Formidable PRO2PDF < 3.11 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the fieldmap parameter before using it in a SQL statement via the fpropdfexportfile AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber Run the below command in the developer console of the web browser...
W4 Post List < 2.4.6 - Reflected XSS
The plugin does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting Make a logged in admin open https://example.com/wp-admin/edit.php?posttype=w4pl&page=w4pl-docs&a"alert/XSS/ On a page where there is a list with navigation displayed put a nav in t...
Pricing Tables For WPBakery Page Builder < 3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks Note: The plugin requires WPBakery Page...
WP Popup Banners <= 1.2.5 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the value parameter before using it in a SQL statement via the getpopupdata AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber Run the below command in the developer console of the web browser while...
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. Visit the following path on the site as an admin user:...
Redirection < 1.1.5 - Plugin Reset via CSRF
The plugin does not have CSRF checks in the uninstall action, which could allow attackers to make logged in admins delete all the redirections through a CSRF attack. https://example.com/wp-admin/admin-post.php?action=iruninstall...
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. Visit the following path on the site as an admin user:...
Groundhogg Contacts < 2.7.9.4 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins 1. Login as a WordPress administrator or any of the custom roles from GroundHogg 2. Navigate to the URL:...
FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The plugin does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the...
Simple Giveaways < 2.45.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup As admin, add/edit a sharing method "Giveaways"...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal
The plugin does not limit what log files to display in it's settings pages, allowing an authorized user admin+ to view the contents of arbitrary files and list directories anywhere on the server to which the web server has access. The plugin only displays the last 50 lines of the file. POST...
Klaviyo <= 3.0.10 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Klaviyo Settings, and at Klaviyo Setting...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS
The plugin does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user admin+ to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page. Just create a test.pdf...
Hummingbird < 3.4.2 - Unauthenticated Path Traversal
The plugin does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module. This allows an attacker to: - Enumerate file system directories where the user who starts the web server process has write access. -...
Time Sheets < 1.29.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Login as Admin. 2. Go to...