4359 matches found
DW Promobar <= 1.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the plugin settings...
WPDating <= 7.1.9 - Multiple SQL Injection Issues
The plugin does not properly escape user input before concatenating it to certain SQL queries, leading to multiple SQL injection vulnerabilities. http://vulnerable-site.tld/wp-content/plugins/dspdating/m1/postone.php?senderid=senderidsleep10&receiverid=senderidsleep10...
Better Tag Cloud <= 0.99.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any text field settings of...
YaySMTP < 2.2.1 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well. v2.2.1 fixed the authorisation issue but not the escaping...
WP DS Blog Map <= 3.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the settings...
Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload
The plugin allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations. 1. Craft a custom zip file...
Name Directory < 1.25.5 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when adding/editing names, and is also lacking sanitisation as well as escaping in some of the fields, which could allow attackers to make a logged in admin edit arbitrary names and put XSS payloads in them. ' / " / ' /...
Website File Changes Monitor < 1.8.3 - Admin+ SQLi
The plugin does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manageoptions capability by default admins, leading to an SQL injection A user with manageoptions permission can exploit the vulnerability with the following request :...
Thinkific Uploader <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks against other administrators. Put the following payload in any of the settings: "...
mTouch Quiz <= 3.1.3 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the delimiter...
YaySMTP < 2.2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the From Email or From Nam...
WP Comments Fields < 4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a Comment Fields Comments Comment Fields and put the following payload in the Error Message setting: "autofocus...
Slide Anything < 2.3.47 - Author+ Cross Site Scripting in slide title
The plugin does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged in user with roles as low as Author to inject a javascript payload into the slide title even when the unfilteredhtml capability is disabled. An incomplete fix was introduced ...
User Private Files < 1.1.3 - Subscriber+ Arbitrary File Upload
The plugin does not filter file extensions when letting users upload files on the server, which may lead to malicious code being uploaded. 1 Create a file named exploit.php, which contains: ?php phpinfo; 2 Find the upfajaxnonce on the site's front page. 2 Run the following cURL request, curl --ur...
Discy < 5.0 - Subscriber+ Broken Access Control to change settings
The theme lacks authorization checks then processing ajax requests to the discyupdateoptions action, allowing any logged in users with privileges as low as Subscriber, to change the theme options by sending a crafted POST request. POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type:...
weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. On the dashboard navigate to weForms All Forms Add Form Choose Contact Form; Click Create Form Settings...
GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Get a REST nonce logged in as admin:...
Event Timeline <= 1.1.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Timeline Text, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a Timeline, put the following payload in the "Text" field at the bottom: alert/XSS/ Click save...
Featured Image from URL < 4.0.0 - Arbitrary Settings Update to Stored XSS via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues All settings...
CAPTCHA 4WP < 7.1.0 - Local File Inclusion via CSRF
The plugin lets user input reach a sensitive requireonce call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server. 1 Create a malicious PHP script $ echo ' shell.php 2 Add it to a fake .doc file, who will...
YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
The plugin does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them Install the plugin and configure any mailer other than Default. Access the wp-admin area with a Subscriber+ user an...
YaySMTP < 2.2.1 - Subscriber+ Logs Disclosure
The plugin does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin @author : 0xshdax Rafshanzani Suhada @usage : python3 script.py http://localhost import requests, sys, re, json Setup here url = sys.argv1 headers =...
GiveWP < 2.21.3 - DoS via CSRF
The plugin does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to...
Featured Image from URL < 4.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup POST...
Counter Box < 1.2.1 - Arbitrary Counter Activation/Deactivation via CSRF
The plugin is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks https://example.com/wp-admin/admin.php?page=counter-box&id=1&action=activate...
Shortcode For Current Date < 2.1.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the some of its shortcode's attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks currentdate format='d/m/Y' size="10px;position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px'...
Copyright Proof <= 4.16 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting when a specific setting is enabled. To make it easier to verify the vulnerability without the nee...
Microsoft Advertising Universal Event Tracking < 1.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Due to the nature of this plugin, well crafted XSS can also leak into the frontpage. Put the following...
Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation
The plugin allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter. Note: This only affects membership from the plugin, not the WordPress role The request contains the levelidentifier parameter with the md52 value, where 2 is the...
Flexi Quote Rotator <= 0.9.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Add the following payload to a new quote:...
Simple Membership < 4.1.3 - Membership Privilege Escalation
The plugin does not properly validate the membershiplevel parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request. Note: This only affects membership from the plugin, not the WordPress role To increase the level, the attacker nee...
Login with phone number < 1.3.8 - Multiple Admin+ Stored XSS
The plugin does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Plugin settings Style Settings button border radius or other field put to input field: alert'XSS'; Text &...
Invitation Based Registrations <= 2.2.84 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "After Register Redire...
WordPress Popup <= 1.9.3.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup On...
Advanced WordPress Reset < 1.6 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting - Completely reset the site using the plugin - Visit https://example.com/wp-admin/tools.php?page=advancedwpreset&"alert1...
Ivory Search < 5.4.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting When the plugin displays the usage notice: https://example.com/wp-admin/plugins.php?"alert/XSS/...
Unyson < 2.7.27 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=fw-extensions&sub-page=extension&extension=feedbackalert/XSS/...
Shareaholic < 9.7.6 - Information Disclosure
The plugin does not have proper authorisation check in one of the AJAX action, available to unauthenticated in v 9.7.5 and author+ in v9.7.5 users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc...
Popup Anything < 2.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting On a post/page where the paocdetails display="keyxxx" shortcode is embed, append the following payload: ?xxx=11111%3Cscript%3Ealert/XSS/%3C/script%3E e.g:...
Booster for WooCommerce < 5.6.2 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting v alert/XSS/ v alert/XSS/...
Name Directory < 1.25.4 - Arbitrary Directory/Name Deletion via CSRF
The plugin does not have CSRF checks in place when deleting Directories and Names, which could allow attackers to make a logged in admin delete them via a CSRF attack https://example.com/wp-admin/admin.php?page=name-directory&deletedir=2...
NextScripts: Social Networks Auto-Poster < 4.3.26 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=nxssnap&a"alert/XSS/...
Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them. function submitRequest var xhr = new XMLHttpRequest;...
Name Directory < 1.25.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well alert/XSS/" /...
Header Footer Code Manager < 1.1.24 - Reflected Cross-Site Scripting
The plugin does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=hfcm-list&'alert/XSS/...
Yellow Yard Searchbar <= 2.7.27 - Reflected Cross-Site Scripting
The plugin does not escape some URL parameters before outputting them back to the user, leading to Reflected Cross-Site Scripting /?searchjob="...
WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE As an admin upload a php file containing the palyload zipped along with a valid XML...
Gallery for Social Photo < 1.0.0.29 - Arbitrary Post Duplication via CSRF
The plugin does not have CSRF check in place when duplicating a post or page, which could allow attackers to make a logged in a admin duplicate them via a CSRF attack https://example.com/wp-admin/admin-ajax.php?action=gifeedduplicatefeed&post=12...
WordPress Popular Posts < 6.0.0 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting When the plugin displays a performance notice: https://example.com/wp-admin/plugins.php?"alert/XSS/...
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
The plugin does not have proper authorisation in one of its REST endpoint, allowing unauthenticated users to update the "Toggle thecontent filter" setting POST /wp-json/yikes/cpt/v1/settings HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...