4359 matches found
Salat Times < 3.2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in any text field of Settings Salat Times: " Save, and the XSS will be...
OWM Weather < 5.6.9 - Contributor+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as contributor Logon as contributor and open the below URL, which will result in a delayed response If the "could not find original...
Font Awesome 4 Menus <= 4.7.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. Put the following payload in the "A custom...
Popup Maker < 1.16.11 - Contributor+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins Create a New popup Insert pop-up name, title, and body text. Add a new trigger with defau...
Event Monster < 1.2.1 - Admin+ SQLi
The plugin does not validate and escape some parameters before using them in SQL statements, which could lead to SQL Injection exploitable by high privilege users...
WP User Frontend < 3.5.29 - Obscure Registration as Admin
The plugin uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpufencryption. This could allow an attacker having access to the AUTHKEY and AUTHSALT constant via an arbitrary file access issue for...
Booster for WooCommerce - ShopManager+ Arbitrary File Download
The plugins do not validate files to download in some of its modules, which could allow ShopManager and Admin to download arbitrary files from the server even when they are not supposed to be able to for example in multisite Enable the "Checkout File Upload" module and open the following URL as a...
Booster for WooCommerce - Checkout Files Deletion via CSRF
The plugins do not have CSRF check in place when deleting files uploaded at the checkout, allowing attackers to make a logged in shop manager or admin delete them via a CSRF attack Requirements: - Enable the "Checkout File Upload" module of the plugin...
Event Monster < 1.2.0 - Visitors Deletion via CSRF
The plugin does not have CSRF check when deleting visitors, which could allow attackers to make logged in admin delete arbitrary visitors via a CSRF attack To delete the attendee/visitor with ID 1, make a logged in admin open a page with the HTML code below The statement deleting attendee is also...
Evaluate <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. 1. Go to Settings Ā» Evaluate Ā» Add New. 2. Add...
My wpdb < 2.5 - Arbitrary SQL Query via CSRF
The plugin is missing CSRF check when running SQL queries, which could allow attacker to make a logged in admin run arbitrary SQL query via a CSRF attack document.getElementById"test".submit;...
Login Block IPs <= 1.0.0 - IP Spoofing Bypass
The function checkisloginpage uses headers for the IP check, which can be easily spoofed. Set HTTPCLIENTIP to bypass blocks / use allowed IP addresses...
Spacer < 3.0.7 - Admin+ Stored XSS
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Add new Spacers and add payload "Gem to Setting...
WP Best Quiz <= 1.0 - Author+ Stored XSS
The plugin does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks. 1. Go to Quiz Ā» Add Categories. 2. Inset a category with the payload as name: alert1. 3. The XSS will be trigged when accessing the Add Categories...
Contact Form 7 Database Addon < 1.2.6.5 - CSV Injection
The plugin does not validate data when output it back in a CSV file, which could lead to CSV injection Use a Contact Form 7 form and submit an Excel formula in the message field, such as "=5+5" without quotes. Export the entry as CSV using the plugin and import it into Excel...
Zoho CRM Lead Magnet < 1.7.6.2 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF in some AJAX actions, and does not ensure that the option to be updated belong to the plugin. As a result, any authenticated users, such as subscriber could update arbitrary blog options such as defaultrole and userscanregister. v response.text...
Grid Kit Premium <= 1.8.53 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in various pages, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=grid-kit&action=edit&id=...
tagDiv Composer < 3.5 - Unauthenticated Account Takeover
Description The plugin, required by the themes, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address Run the below command in the developer console of the web browser while being on the blog as an...
OAuth Client by DigitialPixies <= 1.1.0 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions. Make a logged in user visit a page with the following code fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Contact Form Entries < 1.3.0 - CSV Injection
The plugin does not validate data when its output in a CSV file, which could lead to CSV injection. - Submit a form using Contact Form 7, Ninja Forms, Elementor Forms or WP Forms using =5+5 as the value - Export the data as CSV /wp-admin/admin.php?page=vxcfleads - Open the CSV with a spreadsheet...
OAuth Client by DigitialPixies <= 1.1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Put the following payload in any of the plugin'...
reSmush.it Image Optimizer < 0.4.7 - Multiple CSRF
The plugin does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site. input type="hidden" name="action" value="resmushit&...
Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation
The plugin does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins curl -X POST --data "wmtvuninstall=1&wmtvuninstallconfirm=1&plugin=akismet/akismet.php" https://example.com...
reSmush.it Image Optimizer < 0.4.4 - Subscriber+ AJAX Calls
The plugin lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them. Examples of actions where low-privileged users can directly ask - https://example.com/wp-admin/admin-ajax.php?action=resmushitbulkgetimages -...
WP Attachments < 5.0.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escapes some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. Inject an XSS payload in the title by going to...
ImageMagick-Engine < 1.7.6 - Command Injection via CSRF
The plugin is missing CSRF checks in multiple actions, which could allow attackers to make a logged in admin perform unwanted actions. In this case, it could lead to RCE via Command Injection https://example.com/wp-admin/admin-ajax.php?action=imetestimpath&clipath=payload...
Chat Bubble < 2.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin view the related contact message Setup: - In the General Settings of the plugin, check the "Show Chat...
Grid Kit Premium <= 1.8.53 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputting them back in attributes, leading to a Reflected Cross-Site Scripting. PS: The original advisory mentions the issue being in photo-gallery, however it is not the case. On a page where there is a gallery embed, append a'-alert/XSS///=1 e.g...
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
The plugin does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog As a...
eCommerce Product Catalog Plugin for WordPress < 3.0.72 - Reflected XSS via AJAX
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to any authenticated users, such as subscriber, leading to a Reflected Cross-Site Scripting Make a logged in user open a page containing the HTML code below alert/XSS/"...
Complianz (Free < 6.3.4, Premium < 6.3.6) - Translator SQLi
The plugins allow a translators to inject arbitrary SQL through an unsanitized translation. SQL can be injected through an infected translation file, or by a user with a translator role through translation plugins such as Loco Translate or WPML. 1. Install Complianz and set the following options ...
WP Hide <= 0.0.2 - Unauthenticated Settings Update
The plugin does not have authorisation and CSRF checks in place when updating the customwpadminslug settings, allowing unauthenticated attackers to update it with a crafted request curl -X POST --data "customwpadminslug=attacker-value" https://example.com/wp-admin/admin-post.php Settings is...
Role Based Pricing for WooCommerce < 1.6.2 - Subscriber+ Arbitrary File Upload
The plugin does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP As a subscriber, open the HTML code below while being logged in as a subscriber, then choose a file to...
eCommerce Product Catalog Plugin for WordPress < 3.0.72 - Reflected XSS
The plugin does not sanitise and escape some parameter before outputting them back in attributes and JS code in admin dashboards, leading to Reflected Cross-Site Scripting Make a logged in admin open one of the URLs below...
WooCommerce Dropshipping < 4.4 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection curl -isk -X 'POST' -H "Content-Type: application/json" --data '"sku":"a" AND SELECT 42 FROM SELECTSLEEP5wlHd-- pOeU"'...
Product Stock Manager < 1.0.5 - Subscriber+ Unauthorised AJAX Calls
The plugin does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options To set the default role for new users to administrator, run the below command in t...
FluentForm < 4.3.13 - CSV Injection
The plugin does not validate and escape fields when exporting form entries as CSV, leading to a CSV injection - As unauthenticated, submit a form using =5+5 as value in any field - As admin, export the data as CSV /wp-admin/admin.php?page=fluentforms&formid=1&route=entries - open the CSV with a...
Easy Digital Downloads < 3.0 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack...
Import and export users and customers < 1.20.5 - Subscriber+ CSV Injection
The plugin does not properly escape data when exporting it via CSV files. 1 Edit your subscriber account's nickname to: ;=1+3 2 As an administrator, export your users data via http://vulnerable-site.tld/wp-admin/tools.php?page=acui&tab=export, and open the resulting CSV file in Excel or equivalen...
WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
The plugin is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files 1 Create 'poc.zip' with 2 files like below 1-1 'exploit.php.txt' is as follows...
WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector. 1 Download 'poc.zip' via...
Highlight FocusĀ <= 1.1 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the plugins...
Ocean Extra < 2.0.5 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import intentionally or not a malicious Customizer Styling file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following co...
Easy WP SMTP < 1.5.0 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issue when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin class Evil public...
eCommerce Product Catalog Plugin for WordPress < 3.0.71 - Reflected XSS
The plugin does not sanitise and escape an URL before outputting it back in an attribute of product category pages, leading to a Reflected Cross-Site Scripting https://example.com/products-category/cat/?productcategory=1&a%2522%253e%253cscript%253ealert%2528/XSS/%2529%253c%252fscript%253e=1...
AWP Classifieds Plugin < 4.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection To read the userlogin and userpass columns from the wpusers table:...
Newspaper < 12 - Reflected Cross-Site Scripting
Description The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting. " / document.forms0.submit;...
Envira Gallery Lite < 1.8.4.7 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers https://example.com/wp-admin/edit.php?posttype=envira&page=envira-gallery-lite-addons&"alert1...
Rock Convert < 2.6.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting On a page where the "Capture box | Rock Convert" widget is present, append ?"alert/XSS/, e.g:...
WP Contact Slider < 2.4.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a Contact slider and put the payload below in the "Text to display" option:...