4359 matches found
SP Project & Document Manager < 4.58 - Sensitive File Disclosure
The plugin uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files. 1. Upload a file using the plugin. 2. On another browser, access the newly uploaded file via:...
Request a Quote <= 2.3.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Misc No Access Message setting of the plugin: alert/XSS/; The X...
Request a Quote <= 2.3.7 - CSV Injection
The plugin does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it On a page with a Quote Request form, upload the following CSV as an attachment: "First Name","Last...
W-DALIL <= 2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Add/edit a Dali Item and put the following payload in one...
Advanced Database Cleaner < 3.1.1 - Reflected Cross-Site Scripting
The plugin does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=advanceddbcleaner&aDBctab=cron&aDBccat=all&"alert/XSS/ Other pages are affected...
Contact Form 7 Captcha < 0.1.2 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'REQUESTURI' parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers https://example.com/wp-admin/options-general.php?page=cf7sredit&"alert/XSS/...
miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=mo2fatwofa&a"alert/XSS/...
Page Generator Plugin < 1.6.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Got to Page Generator - Keywords - Add Keyword and put the following payload in the "Terms" field then...
Woo Discount Rules < 2.4.2 - Reflected Cross-Site Scripting
The plugin does not escape a parameter before outputting it back in an attribute of the plugin's discount rule page, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=woodiscountrules&name="+style=animation-name:rotation+onanimationstart=alert/XSS///...
Download Manager < 3.2.44 - Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/edit.php?posttype=wpdmpro&page=wpdm-stats&type=history&userids=1&"alert/XSS/...
Jquery Validation For Contact Form 7 < 5.3 - Arbitrary Options Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like defaultrole, userscanregister via a CSRF attack...
OAuth Single Sign On < 6.22.6 - Authentication Bypass
The plugin doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address. POST / HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
Simple Page Transition <= 1.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "Ignored Download Link...
Insights from Google PageSpeed < 4.0.7 - Multiple CSRF
The plugin does not verify for CSRF before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged in admin perform such actions via CSRF attacks...
Page Generator Plugin < 1.6.6 - Arbitrary Keywords Deletion/Duplication via CSRF
The plugin does not have CSRF check in place when deleting and duplicating keywords, which could allow attackers to make a logged in admin delete and duplicate arbitrary keywords via CSRF attacks https://example.com/wp-admin/admin.php?page=page-generator-keywords&cmd=delete&id=3...
Download Manager < 3.2.44 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not escape a generated URL before outputting it back in an attribute of the login page made by the plugin, leading to Reflected Cross-Site Scripting, which is only exploitable against unauthenticated users On the login page from the plugin ie where the wpdmloginform is embed, appe...
Simple Post Notes < 1.7.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Notes placeholder" settings of the plugin: alert/XSS/...
Loading Page with Loading Screen < 1.0.83 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Go to Settings - Loading Page, in the "Display loading screen in" settings, select either "specific pages" or "specif...
404s < 3.5.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape its fields, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a new 404 via the plugin and put the following payload in the "Please enter the 40...
LearnPress < 4.1.6.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting Fixed in 4.1.6.6 - https://example.com/wp-admin/admin.php?page=learn-press-settings&tab=emails§ion=new-order-emails&a"alert/XSS/ Fixed in 4.1.6.7 - With a lesson attached ...
Data Tables Generator by Supsystic < 1.10.20 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Create/edit a table, go to its settings, enabled...
Download Manager < 3.2.48 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the 'Insert URL' field, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Note: The attempted fix made in 3.2.46 and 3.2.47 were found to be insufficient As a contributor, create/edit a download and pu...
Best Contact Management Software <= 3.7.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "No Access Message" settings...
Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element Content
The plugin does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks As a contributor or above, create a post using Brizy editor and: - Add a Text Element then put the following payload:...
OAuth 2.0 client for SSO < 1.11.4 - Authenticated Bypass
The plugin allows attackers to login as any user by just knowing their email address POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded option=mooauth&[email protected]...
Import CSV Files <= 1.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting history.pushState'', '', '/' function submitRequest var xhr = new XMLHttpRequest;...
Very Simple Breadcrumb <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Breadcrumb css class name" settings of the plugin: "alert/XSS/...
CDI < 5.1.9 - Reflected Cross-Site-Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting...
LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Client ID" settings: "/...
Brizy Page Builder < 2.4.2 - Contributor+ Stored Cross-Site Scripting via Element URL
The plugin does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks As a contributor or above, create a post using Brizy editor, add an Icon or Button element and put the following payload in the "Link...
Popup Builder < 4.1.11 - Admin+ Stored Cross-Site Scripting
The plugin does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltredhtml is disallowed Create/edit a subscription, enabled the GDPR options in it and add the following payload in the "confirmation text"...
Cache Images < 3.2.1 - Image Upload / Import via CSRF
The plugin does not implement nonce checks, which could allow attackers to make any logged user upload images via a CSRF attack. Allows import of any images with any user level. document.getElementById"test".submit; document.getElementById"test".submit; document.getElementById"test".submit;...
WP Opt-in <= 1.4.1 - Arbitrary Settings Update via CSRF
The plugin is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails. Bad e-mail address." Failed sending to e-mail address." " " " document.getElementById"test".submit;...
Give < 2.21.0 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/edit.php?posttype=giveforms&page=give-tools&a"alert/XSS/...
WooCommerce PDF Invoices & Packing Slips < 2.16.0 - Reflected Cross-Site Scripting
The plugin doesn't escape a parameter on its setting page, making it possible for attackers to conduct reflected cross-site scripting attacks. https://example.com/wp-admin/admin.php?page=wpowcpdfoptionspage&preview=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22...
WooCommerce < 6.6.0 - Admin+ Stored HTML Injection
The plugin is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles Go to WooCommerce - Settings - Payments tab, enable BAC Bank Account Transfers and edit the title in the setup dialog. HTML can be injected there, and will be rendered both for...
Admin Management Xtended < 2.4.5 - Post Visibility/Date/Comment Status Update via CSRF
The plugin does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status draft, published, slug, post date, comment status enabled, disabled and more. The following PoC codes are f...
WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. 1. Navigate to Settings -Duplicate Page - Duplicate Page Settings and enter the XSS payload into the...
WP Event Manager < 3.1.28 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting Against any authenticated user: https://example.com/event-dashboard/?searchkeywords=aaaa"...
Analytify < 4.2.1 - Reflected Cross-Site Scripting
The plugin does not escape the current URL before outputting it back in a 404 page when the 404 tracking feature is enabled, leading to Reflected Cross-Site Scripting When 404 tracking is enabled: https://example.com/aa404bb?aalert/XSS/...
WP Maintenance Mode & Coming Soon < 2.4.5 - Subscribed Users Deletion via CSRF
The plugin is lacking CSRF when emptying the subscribed users list, which could allow attackers to make a logged in admin perform such action via a CSRF attack document.getElementById"test".submit;...
Bold Page Builder < 4.3.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. 1. Navigate to Settings - Bold Builder - Bold Builder Settings and enter "alert'XSS'" into the "Color...
WP OAuth Server ( Login with WordPress ) < 4.0.1 - Authentication Bypass
The plugin is affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the client’s...
WP Championship < 9.3 - Multiple CSRF
The plugin is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as create and delete arbitrary teams as well as update the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site...
Rename wp-login.php <= 2.6.0 - Secret URL Update via CSRF
The plugin does not have CSRF check in place when updating the secret login URL, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit;...
Comment License < 1.4.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit;...
WP Paginate < 2.1.9 - Admin+ Stored Cross-Site Scripting
The plugin does not escape one of its settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when unfilteredhtml is disallowed Put the following payload on the Preset settings of the plugin: '+accesskey="X"+onclick="alert1"'...
Pricing Deals for WooCommerce < 2.0.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection...
Shortcut Macros <= 1.3 - Subscriber+ Arbitrary Settings Update
The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated users, such as subscriber, to update them. Open the following HTML code while being logged in as a subscriber, or make any logged in user open it via a CSRF attack...
FoxyShop < 4.8.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/edit.php?posttype=foxyshopproduct&page=foxyshoptools&updatetemplate=error&error=...