4359 matches found
JReviews <= 4.1.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting https://example.com/top-user-rated-listings?listview=2&q%22%3e%3cscript%3ealert1%3c%2fscript%3e=1...
Official Integration for Billingo < 3.4.0 - ShopManager+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks. Put the following payload in the WooCommerce Settings Billingo E-mail Beállítások Gomb szöveg field in the table:...
Rock Convert < 2.11.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Go to the plugin's settings Popup tab, click on "C...
Newspaper < 12 - Reflected Cross-Site Scripting
Description The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting Affected parameter: acts.tdatts.imagesize input type="hidden" name="atts"...
Smart Slider 3 < 3.5.1.11 - PHP Object Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when a user import intentionally or not a malicious file, and a suitable gadget chain is present on the site. To simulate a gadget chain, put the following code in a plugin class Evil public...
PublishPress Capabilities < 2.5.2 - Admin+ PHP Objection Injection
The plugin unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site. To simulate a gadge...
WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS
The plugin does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well. Run the below command in...
LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API
The plugin unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution RCE. To successfully exploit this vulnerability attackers must have knowledge of the site...
Create Block Theme < 1.2.2 - Unauthenticated Arbitrary File Upload
The plugin does not have authorisation and CSRF checks, as well as does not validate the file to be uploaded, which could allow unauthenticated attackers to upload arbitrary files to the server As unauthenticated user, open The file will be uploaded at...
Blog2Social < 6.9.10 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers Run the script below in the web browser console while being logged in as a subscriber and on the Blog2Social...
WP ALL Export Pro < 1.7.9 - Authenticated SQLi
The plugin uses the contents of the ccsql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports...
Form Maker by 10Web < 1.15.6 - Admin+ SQLI
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin Create/edit a form, go to the Settings MySQL Mapping i.e...
Bricks Builder < 1.5.4 - Subscriber+ Remote Code Execution
The theme allows website editors to include executable code blocks in their website, which can contain arbitrary PHP code. By default, code execution is intended to be disabled, with website administrators having to explicitly allow code execution for specific user roles. However, due to improper...
Bricks Builder < 1.5.4 - Subscriber+ Arbitrary Post/Page Edition
The theme does not have authorisation in an AJAX action, which could allow any authenticated users such as subscriber to call it and edit any page, post, or template on the blog 1. Start with a clean Wordpress install 2. Install Bricks builder v1.5.3 3. Enable registrations on the website 4...
WP Super Cache < 1.9 - Unauthenticated Cache Poisoning
The plugin is affected by a cache poisoning issue curl 'https://example.com//?s=12333'...
Blog2Social < 6.9.10 - Subscriber+ SSRF
The plugin does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks Run this script in the web browser console while being logged in as a subscriber...
WP Humans.txt <= 1.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the Humans.txt texare...
Retain Live Chat <= 0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the Rtain App ID...
Anti-Spam by CleanTalk < 5.185.1 - Admin+ SQLi
The plugin does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin When deleting a scan logs /edit-comments.php?page=ctcheckspamlogs, intercept the request and change the spamids parameter to...
Post to CSV by BestWebSoft <= 1.4.0 - Author+ CSV Injection
The plugin does not properly escape fields when exporting data as CSV, leading to a CSV injection - create a post using =5+5 as the title - export the data as CSV /wp-admin/admin.php?page=post-to-csv.php - open the CSV with a spreadsheet application Excel, Libre Office - the CSV formula gets...
WP ALL Export Pro < 1.7.9 - Authenticated Code Injection
The plugin does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user which has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be...
Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin class Evil public...
LBStopAttack < 1.1.3 - Arbitrary Settings Update via CSRF
The plugin does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections. document.getElementById"test".submit;...
Contact Bank <= 3.0.30 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Create/edit a form and put the following...
AdminPad < 2.2 - Note Update via CSRF
The plugin does not have CSRF check when updating admin's note, allowing attackers to make a logged in admin update their notes via a CSRF attack Notes are displayed in the Dashboard /wp-admin/index.php...
Easy Digital Downloads < 3.1.0.2 - Unauthenticated CSV Injection
The plugin does not validate data when its output in a CSV file, which could lead to CSV injection. - Submit an order using =5+5 as "first name" and empty "last name" the plugin allows that. - Export the data as CSV from Reports Export. - Open the CSV with a spreadsheet application Excel, Libre...
3dady Real Time Web Stats <= 1.0 - Stored Cross-Site Scripting via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping, it could also lead to Stored Cross-Site Scripting issue Make a logged in admin open a...
Forym <= 1.5.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting On a blog having the plugin and the Search Forum Widget active, append the following parameter: ?s="...
Sabai Discuss < 1.4.14 - Reflected Cross Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in the page when number filters are enabled, leading to Reflected Cross-Site Scripting https://example.com/questions?category=77&filter=1&fieldnumbermin="...
miniOrange Discord Integration < 2.1.6 - Subscriber+ App Disabling
The plugin does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example Run the below command in the developer console of the web browser while being on the blog as any user, such as subscriber...
Frontend File Manager < 21.4 - File Upload via CSRF
The plugin does not have CSRF check when uploading files, which could allow attackers to make logged in users upload files on their behalf The file won't show up via the frontend/backend, but will be uploaded in the user folder ie in wp-content/uploads/useruploads//payload.pdf...
Meks Easy Social Share < 1.2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Intercept the request made when saving the setting...
Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
The plugin does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. curl -X POST -F "sizelimit=10485760" -F...
Frontend File Manager < 21.4 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. As the plugin does not validate the allowed file type, this could lead to attackers making admins allowing PHP file to be uploaded by any...
Tutor LMS < 2.0.10 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Create/Edit a Course, add a new Topic and put the following...
Helpful < 4.5.26 - Information Disclosure
The plugin puts the exported logs and feedbacks in a publicly accessible location and guessable names, which could allow attackers to download them and retrieve sensitive information such as IP, Names and Email Address depending on the plugin's settings After an admin export logs via...
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Subscription Form
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, put the following shortcode in a post/page pumsubform namefieldtype="fullname" labelname="Name"...
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a user with the Contributor or above, create a new Popup in Popup Maker menu with "content" field containing...
WP Custom Cursors < 3.0.1 - Arbitrary Cursor Deletion via CSRF
The plugin does not have CSRF check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a CSRF attack. Make a logged in admin open a page with the following JS code: fetch'https://example.com/wp-admin/admin.php?page=wpcustomcursors',...
WP Custom Cursors <= 3.0.1 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users such as admin As admin, open...
WP Custom Cursors < 3.0.1 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored...
We’re Open! < 1.42 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the Settings We're Op...
Import all XML, CSV & TXT into WordPress < 6.5.8 - Admin+ SQLi
The plugin does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin With the additional https://wordpress.org/plugins/polylang/ plugin installed, import a CSV with the following payload in...
Search Logger <= 0.9 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users ------------------------------------------------- Go to Search Logger Logs Select Delete ------------------------------------------------...
Memberpress Downloads < 1.2.6 - Subscriber+ Arbitrary File Upload
The plugin does not properly check user capabilities in its file uploading AJAX endpoint, relying on WordPress nonces to do so. Unfortunately, the nonce can be leaked by any logged-in users, like subscribers. Since the Uploader library they use does not check file extensions at all, this may lead...
Social Rocket < 1.3.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Logged in the backend of Wordpress as Administrato...
Booster for WooCommerce - Subscriber+ Order Status Update
The plugins allow users to update their own order status via a settings defined by admins when the My Account module is enabled, however does not ensure that the status set is allowed. As a result, users could set arbitrary status to their own orders, making them paid without actually paying for...
Simple File List < 4.4.13 - Page Creation via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack...
Download Monitor < 4.5.98 - Admin+ Arbitrary File Download
The plugin does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup. Create a new download on:...
Simple File List < 4.4.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup First Stored XSS - HTTP Request POST...