4359 matches found
reSmush.it Image Optimizer < 0.4.6 - Admin+ Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfilteredhtml is disallowed. POST /wp-admin/options.php HTTP/1.1 Accept:...
Top Bar < 3.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting them in frontend pages, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the...
Advanced Comment Form < 1.2.1 - Admin+ Authenticated Stored XSS
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. In the settings of the plugin, add the following payload to the text before the form:...
TaskBuilder < 1.0.8 - Subscriber+ Stored XSS via SVG file upload
The plugin does not validate and sanitise task's attachments, which could allow any authenticated user such as subscriber creating a task to perform Stored Cross-Site Scripting by attaching a malicious SVG file Create a SVG with the following content: alertdocument.cookie; As any authenticated...
Slider, Gallery, and Carousel by MetaSlider < 3.27.9 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its Gallery Image parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Add an image to a Gallery via...
Multiple Plugins from Viszt Peter - Multiple CSRF
The plugins are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license With the woo-billingo-plus plugin installed, make a logged in user with the editshoporders capabilit...
Enable Media Replace < 4.0.0 - Admin+ Path Traversal
The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack for example When replacing the file, select "Replace the file, use new file name and update...
Soledad < 8.2.5 - Reflected Cross-site Scripting
The theme does not sanitise the id,datafiltertype,... parameters in its pencimoreslistpostajax AJAX action, leading to a Reflected Cross-Site Scripting XSS vulnerability. A threat actor can collect the nonce value on the main webpage by searching for it on the ajaxvarmore call: var ajaxvarmore =...
DSGVO All in one for WP < 4.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Go the DSGVO AIO Settings Cookie Notice settings a...
Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS
The plugin does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks...
Donation Thermometer < 2.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the Settings...
Goolytics - Simple Google Analytics < 1.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, put the following payloads in Settings Goolytics Google Analytics ID field and save: "...
Frontend File Manager < 21.3 - Unauthenticated File Renaming
The plugin allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow allow them to change the content of arbitrary files on the web server curl -i -s -k -X 'POST' --data-binary...
Frontend File Manager < 21.3 - Subscriber+ Arbitrary File Upload
The plugin allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE 1. Navigate to the page where ffmwp shortcode is included as Subscriber 2. Uploa...
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made As unauthenticated, make a reservation ie on a page where the reservationform is embed and...
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Blind SQLi
The plugin does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks As unauthenticated, fill the reservation form it's on a page where the reservationform is embed, intercept the...
WP Socializer < 7.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Activate the Share Icons feature of the...
BackupBuddy < 8.7.5 - Unauthenticated Arbitrary File Access
The plugin is affected by a Directory Traversal attack, allowing unauthenticated attackers to access arbitrary files on the web server, starting in version 8.5.8.0. Install BackupBuddy v8.5.8.0 through v8.7.4.1. curl...
Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. Create or edit a Slide and put the following payload in the Name field: " onfocus=alert/XSS/ autofocus=" The XSS will be triggered when editing the slide again...
OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass
The plugin does not have authorisation and CSRF when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they controls, allowing them to then be authenticated as admin if they know the correct email address POST / HTTP/1.1...
NinjaForms < 3.6.13 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin class Evil public...
WP Popup Builder < 1.3.0 - Subscriber+ Arbitrary Popup Deletion
The plugin does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup fetch'/wordpress/wp-admin/admin-ajax.php?action=deletepopup', method: 'POST',headers:"content-type":"application/x-www-form-urlencoded", body:...
Post SMTP < 2.1.7 - Admin+ Blind SSRF
The plugin does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example. Navigate to https://example.com/wp-admin/admin.php?page=postman%2Fporttest Inside "Outgoing Mail Server Hostname"...
CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
The plugin allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin's setting, which could be used by admins of multisite blog to upload PHP files for example. Activate PHP extension: - Log in and go to "CM Downloads" "Settings" "General". -...
Scripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload
The plugin does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file POST /wp-admin/admin-ajax.php...
Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal
The plugin does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory 1. Navigate to settings page /wp-admin/edit.php?posttype=wpdmpro&page=settings 2. In the “File Browser Root:” setting,...
SEO Smart Links <= 3.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "Whitelisted...
Ldap WP Login / Active Directory Integration < 3.0.2 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputing them in attrubutes, leading to Reflected Cross-Site Scripting Make a logged in admin open https://example.com/wp-admin/admin.php?page=LDAP+authentication+intergrating+with+AD&a"alert/XSS/...
Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Make a logged in admin open a page containing the HTML code below input type="text" name="ip11" value="...
Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update to Auth Bypass
The plugin does not have any authorisation and CSRF checks when updating it's settings which are hooked to the init action, allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authenticatio...
WP Popup Builder < 1.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting The custom-popup parameter needs to be the ID of an existing popup https://example.com/wp-admin/admin.php?page=wppb&pos-name=xxx"alert%2FXSS%2F%3B&custom-popup=1...
Simple Bitcoin Faucets <= 1.7.0 - Unauthorised AJAX Call to Stored XSS
The plugin does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues Open a page...
Bitcoin / Altcoin Faucet <= 1.6.0 - Settings Update to Stored XSS via CSRF
The plugin does not have any CSRF check when saving its settings, allowing attacker to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues Make a logged in admin open a page...
Generate PDF using Contact Form 7 < 3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1 - Install and activate "Generate PDF using Contact Form 7 Version 3.5" 2 - Click on "Contact - Add new...
Wordlift < 3.37.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. - Go to publisher and select Create a New Publisher - Add publisher name " - Click on Save Changes - Now...
Restricted Site Access < 7.3.2 - Access Bypass via IP Spoofing
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based limitations in certain situations. Set HTTPCFCONNECTINGIP or any of the other headers in getclientipaddress to spoof the IP address...
Simple File List < 4.4.12 - Reflected Cross-Site Scripting
The plugin does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=ee-simple-file-list&tab="style=animation-name:rotation+onanimationstart=alert/XSS///...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Title
The plugin does not sanitise and escape post/page Title, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks Create a post using the plugin editor and add the following payload in the Title: " The XSS will be triggered when editing the post again...
Gettext override translations < 2.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Create/edit a translation and put the following...
Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi
The plugin does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Slickr Flickr <= 2.8.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Open the plugin and intercept the request using burpsuite. Give the below payload in the parameter...
Visual Composer Website Builder < 45.0.1 - Authenticated Stored XSS via Text Block
The plugin does not sanitise and escape its Text Block fields, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks Create a post using the plugin editor, add a Text Block and put the following payload in its content: The XSS will be triggered when...
Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS
The plugin does not have proper authorisation even when the Require Authorisation for REST API Requests is enabled in all its REST endpoints, allowing unauthenticated users to call them either directly. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform...
Site Offline < 1.5.3 - Access Bypass
The plugin prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature. https://example.com/?admin...
Form Builder CP < 1.2.32 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Create/edit a form and put the following...
Zephyr Project Manager < 3.2.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=zephyrprojectmanagerprojects&projectspage=--...
Alphabetic Pagination < 3.0.8 - Unauthenticated Arbitrary Option Update
The plugin does not have any proper authorisation in place when updating some settings via a REST endpoint, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary option from the blog and allow registration with a...
Ajax Load More < 5.5.4.1 - Admin+ Arbitrary File Read
The plugin does not properly validates paths generated with user input in the almrepeatersexport function, which could allow high privilege users to read arbitrary files form the server even when they should not be able to have access to any, for example in multisite setup This is due to an...
Float to Top Button <= 2.3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "Text for the button" or "URL ...
Scroll To Top < 1.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "Text" settings of the plugin...