4359 matches found
Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download
The plugin is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher. As contributor, navigate to https://target/blog/wp-admin/post-new.php?posttype=lanadownload Inside "File URL:" input, fill the file you want to download, for...
Social Slider Feed < 2.0.5 - Subscriber+ Stored XSS via Feeds
The plugin does not have authorisation and CSRF check in place when adding and editing a Feed, and does not sanitise as well as escape user input. As a result, users with a role as low as subscriber could add arbitrary feeds, with Stored Cross-Site Scripting payloads in them. As any authenticated...
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS
The plugin does not have authorisation and CSRF check in place when saving the YouTube API Key, and does not sanitise as well as escape it. As a result, users with a role as low as subscriber could change it, including setting it with Stored Cross-Site Scripting payloads in it As any authenticate...
Multiple Plugins from Puvox.software - Reflected Cross-Site Scripting
The plugins do not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wp-phpmyadmin-extension&tab=errors-logreset&a"alert/XSS/...
Download Manager < 3.2.50 - Bypass IP Address Blocking Restriction
The plugin prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass IP-based download blocking restrictions. When downloading a file, add an X-Forwarded-For header that contains a random IP address to your request...
Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing
The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes. curl https://example.com/wp-content/uploads/wpjobboard Search for this path / folder in search engines to find...
WP Edit Menu < 1.5.0 - Unauthenticated Arbitrary Post Deletion
The plugin does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog https://example.com/wp-admin/admin-ajax.php?action=filtermenu&val=post-id...
WP phpMyAdmin < 5.2.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "phpMyAdmin on hosting" settings...
Simple Job Board < 2.10.0 - Resume Disclosure via Directory Listing
The plugin is susceptible to Directory Listing which allows the public listing of uploaded resumes in certain configurations. curl https://example.com/wp-content/uploads/jobpost Search for this path / folder in search engines to find uploaded resumes...
WP Sticky Button < 1.4.1 - Unauthenticated Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues fetch"/wp-admin/admin-ajax.php", "headers": "content-type":...
Better Search and Replace < 1.4.1 - Admin+ SQLi
The plugin does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacks POST /wp-admin/tools.php?page=better-search-replace&bsr-ajax=processsearchreplace HTTP/1.1 Accept: application/json,...
Student Result or Employee Database < 1.7.5 - Stored Cross Site Scripting via CSRF
The plugin does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting alert/XSS/'...
NEX-Forms < 7.9.7 - Authenticated SQLi
The plugin does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin setting...
Duplicator < 1.4.7 - Unauthenticated Backup Download
The plugin discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating. Find the URL of the actual installer scrip...
LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. document.getElementById"test".submit;...
WP Edit Menu <= 1.5.0 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF in an AJAX action, which could allow attackers to make a logged in admin delete arbitrary posts/pages from the blog via a CSRF attack...
Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
The plugin allows unauthenticated users to upload files allowed in a default WP configuration so PHP is not possible if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release. By default WordPress does not allow uploading o...
Duplicator < 1.4.7.1 - Unauthenticated System Information Disclosure
The plugin does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. 1. curl 'http://example.com/wp-content/backups-dup-lite/dup-installer/main.installer.php?view=1' 2. curl -d view...
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary Feed Deletion
The plugin does not have authorisation and CSRF check in place when deleting feeds, allowing ay authenticated users, such as subscriber to delete arbitrary feeds As any authenticated user, such as subscriber. Or via CSRF against them...
Fast Flow < 1.2.13 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Create/edit a dashboard with an HTML widget...
VR Calendar <= 2.3.4 - Admin+ LFI
The plugin does not validate user input before using it in a require statement, which could allow high privilege users to perform LFI attacks. The attack could also be performed via a CSRF vector by making a logged in admin open a malicious link...
VR Calendar < 2.3.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/plugins.php?vrcmsg=&vrcmsgtype="...
WordPress Team Members Showcase < 4.1.2 - Subscriber+ Arbitrary File Read and Deletion
The plugin contains a file which could allow any authenticated users to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the user...
Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting Both can be used against authenticated and unauthenticated users https://example.com/wp-admin/admin-ajax.php?action=ftsrefreshtokenajax&accesstoken=...
Rezgo Online Booking < 4.1.8 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting, which can be exploited either via a LFI in an AJAX action, or direct call to the affected file Direct call:...
Automations By Autonami < 2.1.2 - Subscriber+ Automation Creation
The plugin does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations var data = new FormData data.append'file',new...
Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting Against any authenticated user: https://example.com/wp-admin/admin-ajax.php?action=ftsencrypttokenajax&accesstoken=%3Cimg%20src=x%20onerror=alert/XSS/%3E...
Transposh WordPress Translation <= 1.0.8 - Admin+ SQL Injection
The plugin does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection https://example.com/wp-admin/admin.php?page=tpeditor&action=filter-by&order=+AND+SELECT+42+FROM+SELECTSLEEP5b...
Simple Banner < 2.12.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payloads in the "Simple Banner Text" settings of the plugin: Firefox...
Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded", , "method": "POST", "body":...
WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure
The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL. The vulnerability exists due to the plugin only preventing users from leaking coupons using the "coupons" aggregate field, and not the regular "coupon" field. Given a valid coupon...
WP Coder < 2.5.3 - Code Deletion via CSRF
The plugin does not have CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged in admin delete arbitrary ones via a CSRF attack https://example.com/wp-admin/admin.php?page=wp-coder&info=del&did=1...
Transposh WordPress Translation <= 1.0.8 - Subscriber+ Unauthorised Calls
The plugin exposes a couple of sensitive actions such has “tpreset” under the Utilities tab /wp-admin/admin.php?page=tputils, which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and...
Coming Soon - Under Construction <= 1.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed As admin, put the following payload in the "More text information" settings of the plugin: The XSS will be triggered...
Product Slider for WooCommerce < 2.5.7 - Subscriber+ Arbitrary Options Deletion
The plugin has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. fetch"/wp-admin/admin-ajax.php", "headers": "content-type":...
SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
The plugin does not ensure that users making. alive search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink...
WP-DBManager < 2.80.8 - Admin+ Remote Command Execution
The plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should. Use any WordPress plugin that allows the users to upload files with extension - ".php" is not required - for example: .jpg usually many...
Translatepress Multilinugal < 2.3.3 - Admin+ SQLi
The plugin is vulnerable to an authenticated SQL injection. By adding a new language via the settings page containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected. To exploit the vulnerability, someone must send a...
VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
The plugin lets any user execute arbitrary PHP functions on the site. https://example.com/wp-admin/admin-post.php?vrccmd=phpinfo...
GREYD.SUITE < 1.2.7 - Unauthenticated File Upload to RCE
The plugin does not properly validate uploaded custom font packages, and does not perform any authorization or csrf checks, allowing an unauthenticated attacker to upload arbitrary files including php source files, leading to possible remote code execution RCE. Version 1.2.5 added CSRF checks Sen...
Digital Publications by Supsystic < 1.7.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Create new publication, name it whatever 2. Click the "Custom Page" tab to add a new page: - name it...
Duplicate Page and Post Plugin < 2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Duplicate Post Suffix" or "Duplicate Link Text" settings: "alert/XSS/...
Elementor Contact Form DB < 1.8.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting When there is at least one submission: https://example.com/wp-admin/edit.php?posttype=elementorcfdb&page=sbelemcfd&formid="...
Easy Student Results <= 2.2.8 - Sensitive Information Disclosure via REST API
The plugin lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc When the "Enable API for Mobile Apps" settings...
Easy Student Results <= 2.2.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=rpsresultbatch&edit=%3Cscript%3Ealert/XSS/%3C/script%3E...
E Unlocked - Student Result <= 1.0.4 - Arbitrary File Upload via CSRF
The plugin is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack function submitRequest var xhr = new XMLHttpRequest; xhr.open"POST",...
Inspiro Premium < 7.2.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description. Steps to reproduce: 1 As a Contributor, go to portfolio on the dashboard and add new item. 2 on the editing page that comes up, scroll dow...
Google Maps Anywhere <= 1.2.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape any of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the plugin settings:...
Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF
The plugin does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin...
Crowdsignal Polls & Ratings < 3.0.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting var form1 = document.getElementById'hack'; form1.submit;...