4359 matches found
JetEngine < 3.1.3.1 - Author+ Remote Code Execution
The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. fetch"/wp-admin/admin.php?action=jetengineformsimport", "headers": "accept": "text/html", "content-type": "multipart/form-data;...
WordPress Amazon S3 Plugin < 1.6 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Simple Giveaways < 2.45.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Login with admin user and navigate to "Giveaways...
Simple Giveaways < 2.45.1 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Giveaways options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Login with an editor user and add/edit a...
Scheduled Announcements Widget < 1.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Note: First you need to add an Announcement...
Stylish Cost Calculator Premium < 7.9.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Stored Cross-Site Scripting which could be used against admins when viewing submissions submitted through the Email Quote Form. POST /wp-admin/admin-ajax.php HTTP/2 Host: hosthere Content-Lengt...
Article Directory <= 1.3 - Admin+ Stored XSS
The plugin does not properly sanitize the publishtermstext setting before displaying it in the administration panel, which may enable administrators to conduct Stored XSS attacks in multisite contexts. POST /wordpress/wp-admin/options.php HTTP/1.1 Host: 172.28.128.6 User-Agent: Mozilla/5.0 Window...
WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure
The plugin does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber to retrieve the titles of draft and privates posts for example. AN attacker could also retrieve the title of any other type of post. Run the below command in the...
WP Tiles <= 1.1.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks wp-tiles extraclasses='"...
Modern Events Calendar lite <= 5.16.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to the import/export section. 2. Enter the...
Solidres <= 0.9.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Add a new currency...
User Role by BestWebSoft < 1.6.7 - Privilege Escalation via CSRF
The plugin does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role. Make a logged in admin open a page with the code below. Then, log in as a subscriber and see that you have full admin access...
Solidres <= 0.9.4 - Multiple Reflected XSS
The plugin does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open...
Shopping Cart & eCommerce Store < 5.4.3 - Admin+ LFI
The plugin does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks. 1. Login as Admin. 2. Go to wp-admin/admin.php?page=wp-easycart-products&subpage=products 3. Click on Import Products. Browse any file and click on import file. Intercept the...
WH Testimonials <= 3.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the whhomepage, whtextshort and whtextfull parameters of submitted Testimonials, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks curl -X POST 'http://example.com/add/' \ -H 'Content-Type: multipart/form-data;...
Redirection < 1.1.4 - Redirect Creation via CSRF
The plugin does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack. POST /wp-admin/admin-ajax.php HTTP/2 Host: sawcup.s2-tastewp.com Cookie: test=test; User-Agent: useragent Accept: / Accept-Language: en-US,en;q=0.5...
Easy Forms for MailChimp < 6.8.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its from parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Edit a form and put the following payload i...
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.3 - Path Traversal
The plugin does not properly check the value of the input "uploaddir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver. 1. Create a contact form and add a "multiple file upload" field. 2. Add the...
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.0 - Path Traversal
The plugin does not properly check the value of the input "uploaddir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver. 1. Create a contact form and add a "multiple file upload" field. 2. Add the...
Image Over Image For WPBakery Page Builder < 3.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. imageoverimagevc...
Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access in Maintenance Mode
The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them Run the below command in the developer console of the web browser while being on the blog as unauthenticated, when maintenance mode is...
Cookie Notice & Compliance for GDPR / CCPA < 2.4.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, put the below shortcode in...
WP Dark Mode < 4.0.8 - Subscriber+ Local File Inclusion
The plugin does not properly sanitize the style parameter in shortcodes before using it to load a PHP template. This leads to Local File Inclusion on servers where non-existent directories may be traversed, or when chained with another vulnerability allowing arbitrary directory creation. As a...
Formidable Forms < 6.1 - IP Spoofing
The plugin uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections. 1. In WordPress's Settings Discussion page, add your IP address to the Disallowed Comment Keys field. This will block form submissio...
Complianz - GDPR/CCPA Cookie Consent < 6.4.2 - Contributor+ Stored XSS
The plugins do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks cmplz-consent-area...
Multiple e-plugins - Subscriber+ Privilege Escalation
The plugins, sold by the same developer e-plugins, do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function ivdirectoriesupdateprofilesetting uses updateusermeta with any data provided by the ajax call, which can be used to give the logged in...
Gallery Blocks with Lightbox < 3.0.8 - Subscriber+ Arbitrary Options Update
The plugin has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user...
WP Statistics < 14.0 - Authenticated SQLi
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manageoptions capability admin+, however the plugin has a settings to allow low privilege users to access it as well. Log...
WP Image Carousel <= 1.0.2 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. 1. Go to the plugin settings and insert all the settings, then save. 2. Insert the following shortcode in a post/page: wpic speed='""; alert1...
Watu Quiz < 3.3.9.1 - Reflected XSS
The plugin does not sanitise and escape some parameters such as email, dn, date and points before outputting then back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Schedulicity - Easy Online Scheduling <= 2.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. schedulenowbutton bizkey='"...
menu shortcode <= 1.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit shortcode: redirect duration="1"...
WP Plugin Manager < 1.1.8 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
NEX-Forms < 8.3.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Add a form 2. Insert the following payloa...
HT Event < 1.4.6 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
WP Shamsi <= 4.3.3 - Subscriber+ Attachment Deletion
The plugin has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment. Exploit 1 attachment id delete: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type': 'application/x-www-form-urlencoded...
WP Insurance < 2.1.4 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks < 1.1.6 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
OAuth Single Sign On - SSO (OAuth Client) < 6.24.2 - IdP Discard via CSRF
The plugin does not have CSRF checks when discarding Identify providers IdP, which could allow attackers to make logged in admins delete all IdP via a CSRF attack Make a logged in admin open: https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&action=discard...
Real Estate 7 < 3.3.5 - Reflected XSS
The theme does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
OAuth Single Sign On - SSO (OAuth Client) Enterprise < 48.4.9 - IdP Deletion via CSRF
The plugin does not have CSRF checks when deleting Identity Providers IdP, which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&action=delete&app=wordpress...
Free WooCommerce Theme 99fy Extension < 1.2.8 - Arbitrary Plugin Activation via CSRF
Description The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST',...
QuickSwish < 1.1.0 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers...
Real Estate 7 < 3.3.5 - Multiple CSRF
The theme does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, for example create/delete arbitrary lead alerts, manipulate properties add/remove from favourite etc To be disclosed on March 6th...
Coupon Zen < 1.0.6 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Preview Link Generator < 1.0.4 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Ever Compare < 1.2.4 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
WC Sales Notification < 1.2.3 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
WP News <= 1.1.9 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
WP Education < 1.2.7 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...