4359 matches found
Quote-O-Matic <= 1.0.5 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. https://example.com/wp-admin/edit.php?page=quote-o-matic.php&sortby=qomID+AND+SELECT+3477+FROM+SELECTSLEEP5DhVP...
Wholesale Market for WooCommerce < 2.0.0 - Admin+ Arbitrary Log Download
The plugin does not validate user input against path traversal attacks, allowing high privilege users such as admin to download arbitrary logs from the server even when they should not be able to for example in multisite First call...
WP AutoComplete Search <= 1.0.4 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection Extract the nonce from the index page search for "wpautosearchconfig", look for the "nonce" field Invoke the following...
Web Invoice <= 2.1.3 - Authenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well When...
LetsRecover < 1.2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. GET /checkout/order-received/30/?key=wcorderKwss5kjkrhgKG HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11; Linux...
iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin
The plugin does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as editplugins etc Run the...
Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download
The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. 1. Install woocommerce dependency, no setup required 2. Install the vulnerable plugin wholesale-market...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin https://example.com/wp-admin/admin.php?page=wsysadminfeeds&action=delete&id=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
WP User <= 7.0 - Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. 1. As an unauthenticated user, visit the "Sign Up" page by default, this is /?pageid=5, or /user/ 2. Extract the "wpuserupdatesetting"...
Team Members < 5.2.1 - Editor+ Stored XSS
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as editors to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in a multisite setup. 1. Go to the "Teams" section » add a new te...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin https://example.com/wp-admin/admin.php?page=wsysadminpublishers&action=delete&id=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Visual Email Designer for WooCommerce < 1.7.2 - Multiple Author+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as author. action=INSERT HERE NAME OF...
WP-Lister Lite for Amazon < 2.4.4 - Reflected XSS
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high-privilege users such as admin. 1. Install and activate WooCommerce dependency, no setup required 2. Install and activate the...
Image Optimizer, Resizer and CDN < 6.8.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Step 1: Install the plugin and register for an...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin https://example.com/wp-admin/admin.php?page=wsysadminrules&action=delete&id=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Superio - Job Board < 1.2.33 - Subscriber+ Stored Cross-Site Scripting
The theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Stored Cross-Site Scripting attacks. As a candidate, add the following payload on the Social Network option: javascript:alert1 As a recruiter, access the candidate page an...
LetsRecover < 1.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin POST /wp-admin/admin.php?page=letsrecover-templates&subscriberid=6&cartid=10+AND+SELECT+5926+FROM+SELECTSLEEP5erUA HTTP/1.1...
LetsRecover < 1.2.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
White Label CMS < 2.5 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
Qe SEO Handyman <= 1.0 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11; Linux x8664; rv:91.0 Gecko/20100101...
Product list Widget for Woocommerce <= 1.0 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users such as high privilege one like admin. Make any unauthenticated or authenticated users su...
Qe SEO Handyman <= 1.0 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin POST /wp-admin/admin-post.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 X11; Linux x8664; rv:91.0 Gecko/20100101...
Joy Of Text Lite < 2.3.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenticated SQL injection Invoke the following curl command to induce a 5 second sleep: time curl...
Panda Pods Repeater Field < 1.5.4 - Reflected XSS
The plugin does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a user having at least Contributor permission. 1. Install Pods plugin dependency - https://wordpress.org/plugins/pods 2. Install the...
Login with Cognito < 1.4.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to "Cognito Login » Configure OAuth", and a...
BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id
The plugin suffers from an Insecure Direct Object Reference IDOR vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointmentid query parameter. curl -s...
WP Social Sharing <= 2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to Settings » WP Social Sharing page of the...
WP-Ban < 1.69.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to the plugin settings and set these fields...
WordPress Filter Gallery Plugin < 0.1.6 - Admin+ Stored XSS
The plugin does not properly escape the filters passed in the ufggalleryfilters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the plugin settings page, even when the unfilteredhtml capability is disabled...
All-in-One Addons for Elementor - WidgetKit < 2.4.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Go to WidgetKit - API Keys, put the following...
Build App Online < 1.0.19 - Unauthenticated SQL Injection
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection Additional plugins required: https://wordpress.org/plugins/wc-multivendor-marketplace/...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the wpuserid GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. Exploit 1: The...
Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
The plugin passes base64 encoded user input to the unserialize PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain To simulate a gadget chain, put the following code in a plugin class Evil...
Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload
The plugin does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE 1. Install and activate woocommerce dependency, no setup required 2. Install and activate the vulnerable...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgorder POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php...
Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection
The plugins do not escape the userid POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgmultiplefilesforpost POST parameter before concatenating it to an SQL query in 0change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the optionid POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
Welcart e-Commerce < 2.8.6 - Subscriber+ PHAR Deserialisation
The plugin does not validate user input before using it in fileexist functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present...
Kwayy HTML Sitemap < 4.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Click the 'Settings' button of this plugin. 2...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the cgoptionid POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges i.e. on multisite WordPress configurations to leak sensitive information from the site's database. POST...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgcopyid POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
Contest Gallery < 19.1.5 - Unauthenticated SQL Injection
The plugins do not escape the cgFields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080...
Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access
The plugin does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server. Run the below command in the developer console of the we...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the optionid GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgrow POST parameter before concatenating it to an SQL query in 3row-order.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080 User-Agen...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the addCountS POST parameter before concatenating it to an SQL query in 4activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8080...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgdeactivate and cgactivate POST parameters before concatenating it to an SQL query in 2deactivate.php and 4activate.php, respectively. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. Exploit...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the optionid POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST...
Contest Gallery < 19.1.5.1 - Author+ SQL Injection
The plugins do not escape the cgid POST parameter before concatenating it to an SQL query in 0change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php?page=/index.php&editgallery=1&wpmad...