4359 matches found
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS
The plugin uses the wrong content type for, and does not properly escape the response from the ai1wmexport action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session. "...
WordPress Ping Optimizer < 2.35.1.3.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack http://evil.com aaaa bbbb document.getElementById"test".submit;...
BadgeOS < 3.7.1.3 - Subscriber+ SQLi
The plugin does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections Open the following URL as any authenticated user such as subscriber:...
Login No Captcha reCAPTCHA < 1.7 - IP Check Bypass
The plugin doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. Set HTTPCLIENTIP, HTTPXFORWARDEDFOR or any other header in LoginNoCaptcha::getipaddress which is then checked against the whitelist and...
Tutor LMS < 2.0.9 - Reflected Cross-Site Scripting
The plugin does not escape an URL before outputting it back in an attribute, leading to Reflected Cross-Site Scripting The issue was initially fixed in 1.9.13 but re-introduced in 2.0.0 https://example.com/wp-admin/post.php?post=1369&action=edit&settingstab=general&a'alert/XSS/...
WP Taxonomy Import <= 1.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting alert/XSS/" /...
WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update
The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow unauthenticated attackers to change them. All settings are affected, example, to change the Thousands Separator one, run the below command in the developer console of the web browser whil...
WBW Currency Switcher for WooCommerce < 1.6.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup In the plugin's settings WooCommerce Settings...
Post SMTP < 2.1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfilteredhtml capability is disallowed. Put the following payload in the Post SMTP Settings...
WP Server Health Stats < 1.7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, put the following payload in the "Provide your IP-API Pro key", "Memcached Server Host", "Set the realti...
Classified Listing Pro < 2.0.20 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/all-ads/?"alert/XSS/ https://example.com/all-properties/?"alert/XSS/...
Classima < 2.1.11 - Reflected Cross-Site Scripting
The theme and some of its required plugins do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting https://example.com/all-ads/?q="+onmouseover%3Dalert%281%29+id%3Dx+tabindex%3D0+style%3Ddisplay%3Ablock The XSS will be triggered when the user...
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Deletion
The plugin does not have any authorisation and CSRF checks in place when deleting events which could allow unauthenticated attackers to delete arbitrary events As an unauthenticated user, open the code below, this will delete the event with ID 4 from the calendar with ID 1...
Craw Data <= 1.0.0 - Server Side Request Forgery
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF. When configuring the CrawData addon, the request is as follows GET...
Titan Anti-spam & Security < 7.3.1 - Protection Bypass due to IP Spoofing
The plugin does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. The function wantispampgetip is vulnerable to IP spoofing because of the general usage of $SERVER'HTTPXFORWARDEDFOR' curl -i -H...
WP STAGING < 2.9.18 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup With the web browser inspector, change the input...
Mobile Events Manager < 1.4.8 - Admin+ CSV Injection
The plugin does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. Export events with malicious CSV: 1. Create and save a new Enquiry source and add the following in the name field...
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS
The plugin does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. As an...
Affiliates Manager < 2.9.14 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape parameters before outputting them back in pages, which could lead to Reflected Cross-Site Scripting GET /wp-admin/admin.php?page=wpam-settings&b=" HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8...
Affiliates Manager < 2.9.14 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Currency Symbol" settings of the plugin and save: " Other settings...
Affiliates Manager < 2.9.14 - Arbitrary Affiliates & Creatives Deletion via CSRF
The plugin does not have CSRF checks when deleting affiliates and creatives, which could allow attackers to make a logged in admin perform such actions via CSRF attacks Make a logged in admin open - https://example.com/wp-admin/admin.php?page=wpam-affiliates&deleteaid=2 -...
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
The plugin does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data Register as an affiliate and put the following payload in the Firstname, Lastname or Company fields: =10+2+30 As admi...
Fast Flow < 1.2.12 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting ' https://example.com/wp-admin/admin.php?page=fast-flow&p="...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthorised AJAX Calls
The plugin is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors reporter by the submitter or update arbitrary order status identified by WPScan when verifying the issue for example. Other...
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts The postid is the ID of a saved layout As a contributor, get a REST nonce via...
Visual Portfolio < 2.18.0 - Unauthenticated CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts The postid is the ID of a saved layout...
WP Database Backup < 5.9 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the Destination FTP Settings: "...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Unauthenticated LFI
The plugin does not validate and sanitise a parameter before using it to include a file via an AJAX action available to both unauthenticated and authenticated users, which could lead to Local File Inclusion POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Multivendor Marketplace Solution for WooCommerce < 3.8.12 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape numerous parameters before outputting them back in admin pages via various AJAX actions, leading to Reflected Cross-Site Scripting With SitePress active, and with more than 1 active language: ' 6458 being a valid Product ID productid' value="6458"/ 16 being...
Directorist < 7.3.1 - Unauthenticated Email Address Disclosure
The plugin discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users https://example.com/wp-admin/admin-ajax.php?action=directoristauthorpagination...
Best Payments Plugin for WP < 4.2.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins As unauthenticated, on a page/post where there is a contact form created via the plugin, put the following payload in the Name,...
Best Payments Plugin for WP < 4.2.1 - Reflected Cross-Site Scripting
The plugin does not escape an URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting Append the following payload on a page where the is a form from the plugin: a"alert/XSS/ e.g: https://example.com/contact-form/?a"alert/XSS/...
Simple Single Sign On <= 4.1.0 - Authentication Bypass
The plugin leaks its OAuth clientsecret, which could be used by attackers to gain unauthorized access to the site. When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in. The button invokes the following URL:...
Social Slider Feed < 2.0.7 - Admin+ Stored XSS via Feeds
The plugin does not sanitise as well as escape user input in feeds, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in a Instagram Fee...
Photo Gallery < 1.7.1 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting When the plugin displays a notice: https://example.com/wp-admin/plugins.php?"alert/XSS/...
Simply Schedule Appointments < 1.5.7.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Navigate to style settings:...
Stop Spam Comments <= 0.2.1.2 - Access Token Bypass
The plugin does not properly generate the Javascript access token for preventing abuse of comment section, allowing threat authors to easily collect the value and add it to the request. Collect the name and value of ssckey for the target post and use it on the request. curl...
Leaflet Maps Marker < 3.12.5 - Admin+ SQLi
The plugin does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks. PoC for filter-operator1 parameter: POST...
WP Hide & Security Enhancer < 1.8 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of a backend page, leading to a Reflected Cross-Site Scripting http://example.com/wp-admin/admin.php?page=wp-hide-cdn&component=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x...
Simply Schedule Appointments < 1.5.7.7 - Unauthenticated Email Address Disclosure
The plugin is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address https://example.com/wp-json/ssa/v1/users...
Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API
The plugin does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers https://example.com/wp-json/wp/v2/sensei-messages/...
Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
The plugin does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and studen...
Download Manager < 3.2.53 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute of the modal login page only available when users are not logged in, which could lead to Reflected Cross-Site Scripting in old web browsers. On the modal login page from the plugin and using an...
MailChimp for Woocommerce < 2.7.1 - Subscriber+ SSRF
The plugin has an AJAX action that allows any logged in users such as subscriber to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example As any logged in user:...
MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF
The plugin has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example As an admin:...
Anti-Malware Security and Brute-Force Firewall < 4.21.83 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=GOTMLS-settings&GOTMLSdebug=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3B%3E Also possible with th...
WooCommerce PDF Invoices & Packing Slips < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in an attributes of an admin page, leading to Reflected Cross-Site Scripting. This is a re-introduction of CVE-2021-24991 in 2.14.0...
Fluent Support < 1.5.8 - Admin+ SQLi
The plugin does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection vulnerability exploitable by high privilege users With at least one support ticket in the system:...
Social Slider Feed < 2.0.6 - Admin+ Stored XSS via API Key
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the YT API Key settin...
Student Result or Employee Database < 1.8.0 - Unauthorised REST Calls
The plugin has a flawed permission callback in its REST endpoints, allowing unauthenticated attackers to call them and add/edit/delete arbitrary student for example POST /wp-json/v2/ssradddata HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...