4359 matches found
WP Admin Style <= 0.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed Put the following payload in the CSS settings of the plugin:...
LaTeX for WordPress <= 3.4.10 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack which could also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping " document.getElementById"test".submit;...
Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and leading to Stored XSS due to the lack of sanitisation and escaping in some of them ok' document.getElementById"test".submit;...
Simple Membership < 4.1.1 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin-ajax.php?action=swpmvalidateemail&fieldId=%22%3Cscript%3Ealert%22XSS%22;%3C/script%3E...
Newsletter < 7.4.5 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the $SERVER'REQUESTURI' before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below...
Change Uploaded File Permissions <= 4.0.0 - File Permission Update via CSRF
Due to missing checks the plugin is vulnerable to CSRF attacks. This can be used to change the file and folder permissions of any folder. This could be problematic when specific files like ini files are made readable for everyone due to this. document.getElementById"test".submit;...
One Click Plugin Updater <= 2.4.14 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable / hide the badge of the available updates and the related check. document.getElementById"test".submit;...
WP-chgFontSize <= 1.8 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping ' document.getElementById"test".submit;...
Private Files <= 0.40 - Protection Disabling via CSRF
The plugin is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public document.getElementById"test".submit; That will also delete the .htaccess...
Like Button Rating < 2.6.45 - Arbitrary e-mail Sending
The plugin allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body As a subscriber, run the below command in the web developer console of the browser fetch"/wp-admin/admin-ajax.php?action=likebtntestvotenotification", "headers":...
RB Internal Links <= 2.0.16 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, as well as perform Stored Cross-Site Scripting attacks due to the lack of sanitisation and escaping ' document.getElementById"test".submit;...
KiviCare < 2.3.9 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajaxpost AJAX action with the getdoctordetails route, leading to SQL Injections exploitable by unauthenticated users With at least one doctor created via the plugin: v 2.3.4 curl...
Genki Pre-Publish Reminder <= 1.4.1 - Stored XSS & RCE via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings. document.getElementById"test".submit;...
Sideblog <= 6.0 - Arbitrary Settings Update via CSRF to Stored XSS
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping " document.getElementById"test".submit; The XSS will be...
Export any WordPress data to XML/CSV < 1.3.5 - Admin+ SQL Injection
The plugin does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability. 1. Go to the All Export New Export screen in the WordPress admin. 2. Now click on Specific Post Type Posts. 3. Click now on Migrate Posts an...
HC Custom WP-Admin URL <= 1.4 - Unauthenticated Secret URL Disclosure
The plugin leaks the secret login URL when sending a specific crafted request curl -sIXGET -H "Cookie: validloginslug=1" https://example.com/wp-login.php HTTP/2 302 x-redirect-by: WordPress location: secret...
Slideshow CK < 1.4.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Create/edit a Slideshow, add a Slide and put the following payload in the Description The XSS will be...
The School Management < 9.9.7 - Unauthenticated RCE via REST api
The plugin contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site. curl -d 'blowfish=1' -d "blowf=system'id';" 'https://examples.com/wp-json/am-member/license'...
Member Hero <= 1.0.9 - Unauthenticated RCE
The plugin lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments. curl https://example.com/wp-admin/admin-ajax.php?action=memberherosendform&memberherohook=phpinfo...
Webriti SMTP Mail <= 1.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; document.getElementById"test".submit;...
Themify - WooCommerce Product Filter < 1.3.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting ' /...
HC Custom WP-Admin URL <= 1.4 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, allowing them to change the login URL document.getElementById"test".submit;...
Carousel CK <= 1.1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Create/edit a Carousel, add a Slide and put the following payload in the Description The XSS will be...
Email Users <= 4.8.8 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users...
MailerLite < 1.5.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting The first digit of the ID must be an existing form ID...
Latest Tweets Widget <= 1.1.4 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit;...
WP-CRM <= 1.2.1 - CSV Injection
The plugin does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. 1. Add new person and put the following CSV calculator payload into the Display Name, Phone Number and Description field and save the entry. payload : =cmd|' /C calc'!'A...
Log WP_Mail <= 0.1 - Email Logs Publicly Accessible
The plugin saves sent email in a publicly accessible directory using predictable filenames, allowing any unauthenticated visitor to obtain potentially sensitive information like generated passwords. curl https://example.com/wp-content/plugins/logwpmail/log/LWPMAIL-20220330-success.log...
OnePress Social Locker <= 5.6.2 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; form id="test"...
Google Places Review < 2.0.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their...
WP Athletics <= 1.1.7 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability. - Log on to the site using a subscriber account. - On the page the shortcode is...
iQ Block Country <= 1.2.18 - Protection Bypass due to IP Spoofing
The plugin does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers. curl -i -H 'CF-CONNECTING-IP: 0.0.0.0' https://example.com...
Hot Linked Image Cacher <= 1.16 - Image upload/cache abuse via CSRF
The plugin is vulnerable to CSRF. This can be used to store / cache images from external domains on the server, which could lead to legal risks due to copyright violations or licensing rules. document.getElementById"test".submit;...
Advanced Admin Search < 1.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting. Affected parameters: keyword, user, metaKey, and metaValue https://example.com/wp-admin/admin.php?page=advanced-admin-search&keyword="...
Bestbooks <= 2.6.3 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users Affected parameters: credit and debit curl https://example.com/wp-admin/admin-ajax.php \ --data...
WP Athletics <= 1.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting...
Useful Banner Manager <= 1.6.1 - Modify banners via CSRF
The plugin does not perform CSRF checks on POST requests to its admin page, allowing an attacker to trick a logged in admin to add, modify or delete banners from the plugin by submitting a form. document.getElementById"test".submit;...
Enqueue Anything <= 1.0.1 - Subscriber+ Arbitrary Asset/Post Deletion
The plugin does not have authorisation and CSRF checks in the removeasset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash. v1.0.1 added...
FiboSearch < 1.18.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed Put the following payload in the Woocommerce FiboSearch Autocomplete Products - "No...
WP Born Babies <= 1.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks As a contributor, create a new Baby item and put the following payload in any of the settings such as Birth Date, Time of Birth etc:...
Throws SPAM Away < 3.3.1 - Comment Deletion via CSRF
The plugin does not have CSRF checks in place when deleting comments either all, spam, or pending, allowing attackers to make a logged in admin delete comments via a CSRF attack To delete all comments document.getElementById"test".submit; document.getElementById"test".submit;...
Discy < 5.2 - Settings Update via CSRF
The theme lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary plugin's settings including payment methods via a CSRF attack...
Discy < 5.2 - Restore Default Settings via CSRF
The theme does not check for CSRF tokens in the AJAX action discyresetoptions, allowing an attacker to trick an admin into resetting the site settings back to defaults...
FormCraft Basic < 1.2.6 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape Field Labels, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload into a Field Label and save: The XSS will be triggered when accessing the form...
Photo Gallery < 1.6.4 - Admin+ Stored Cross-Site Scripting
The plugin does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Go to Photo Gallery Global Settings Watermark Using the web browser inspector, change the input typ...
LiveSync for WordPress <= 1.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack document.getElementById"test".submit; document.getElementById"test".submit; input...
Video Slider - Slider Carousel < 1.4.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize or escape some of its video settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a video from a slider and put the following payload in the Description: , then save/update the vide...
User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
The plugin does not validate the filepath parameter of its umshowuploadedfile AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads As a subscriber, submit a dummy image on a page/post with a File Upload...
Files Download Delay < 1.0.7 - Subscriber+ Settings Reset
The plugin does not have authorisation and CSRF checks when reseting its settings, which could allow any authenticated users, such as subscriber to perform such action. https://example.com/wp-admin/admin-ajax.php?action=ddlayrestoredefaults...
WP Simple Adsense Insertion < 2.1 - Inject ads and javascript via CSRF
The plugin does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form. alert'boo!'" document.getElementById"test".submit;...