4359 matches found
WordPress Forms by Pie Forms < 1.4.9.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Create/edit a form, go to the Form Settings - General Settings and put the following payload in the "Form...
WooCommerce Green Wallet Gateway < 1.0.2 - Reflected Cross Site Scripting in checkout page
The plugin does not escape the errorenvision query parameter before outputting it to the page, leading to a Reflected Cross-Site Scripting vulnerability. 1. Enable greenwallet-gateway as a woocommerce payment gateway 2. add something in your cart and visit the checkout page 3. visit...
Database Backup for WordPress < 2.5.2 - Arbitrary Schedule Settings Update via CSRF
The plugin does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. This could lead to cases where attackers can send backup notification emails to themselves, which contain more details. O...
WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users curl 'https://example.com/index.php?restroute=/xs-donate-form/payment-redirect/3' \ --data '"id": "SELECT 1 FROM...
Five Minute Webshop <= 1.3.2 - Admin+ SQLi via orderby
The plugin does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection https://example.com/wp-admin/admin.php?page=fmwesproducts&orderby=id+AND+SELECT+7394+FROM+SELECTSLEEP5UrUZ...
Easy FAQ with Expanding Text <= 3.2.8.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Put the following payload in any of the plugin's settings such as Font size, Font Color and save: "...
Quotes llama < 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Quotes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. The attack could also be performed by tricking an admin to import a malicious CSV file Create/edit a quote and put t...
WP Statistics < 13.2.2 - Reflected Cross-Site Scripting
The plugin does not sanitise the REQUESTURI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting XSS in web browsers which do not encode characters GET /wp-admin/admin.php?page=wpssettingspage&a=confirm/XSS/ HTTP/1.1 Accept:...
Logo Slider <= 1.4.8 - Admin+ SQLi
The plugin does not sanitise and escape the lspsliderid parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL Injection https://example.com/wp-admin/admin.php?page=manageimages&lspsliderid=1+AND+SELECT+7741+FROM+SELECTSLEEP5hlAf...
Slideshow <= 2.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its default slideshow settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed As admin, put the following payload in the "Number of seconds the sli...
amtyThumb <= 4.2.0 - Subscriber+ SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection and is exploitable by any authenticated user and not just Author+ like the original advisory mention due to the fact that they can execute shortcodes via an AJAX...
Simple Real Estate Pack <= 1.4.8 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed Put the following payload in the plugin's settings such as "Consumer Key": "...
No Future Posts <= 1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed Put the following payload in any of the plugin's settings such as Exclude posts IDs and save: " autofocus onfocus=alert/XSS///...
Slideshow <= 2.3.1 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Slideshow settings, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks As author and above, create/edit a slideshow and put the following payload in the "Number of seconds the slide takes to slide in",...
HPB Dashboard <= 1.3.1 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. Put the following payload in the plugin's settings: "...
BannerMan <= 0.2.4 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitize or escape its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks when the unfilteredhtml is disallowed such as in multisite As administrator, put the following payloads in the mentioned settings of the plugin...
Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed In a form settings, put the following payload in the Actions after submission Action Type Custom Tex...
Call&Book Mobile Bar <= 1.2.2 - Admin+ Stored Cross Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. Put the following payload in any of the plugin's settings: "...
IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed As administrator, put the following payload in any of the plugin's settings and save: "alert/XSS/;...
Birthdays Widget <= 1.7.18 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed As admin, create/edit a Birthday and add the following payload in the Name field:...
Five Minute Webshop <= 1.3.2 - Admin+ SQLi via id
The plugin does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection https://example/wp-admin/admin.php?page=fmweseditproduct&id=1+AND+SELECT+6037+FROM+SELECTSLEEP5Uiuu...
User Meta < 2.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed An an admin - Create/edit ...
Realty Workstation < 1.0.15 - Agent SQLi
The plugin does not sanitise and escape the transedit parameter before using it in a SQL statement when an agent edit a transaction, leading to an SQL injection As a logged in agent:...
Amazon Link <= 3.2.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. Put the following payload in settings such as the "AWS Public Key": "...
External Links in New Window / New Tab < 1.43 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. On any post on the affected site, add the following link to a comment: Click here for XSS Click on the link, you should be getting an alert box...
Note Press <= 0.1.10 - Admin+ SQLi via id
The plugin does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections https://example.com/wp-admin/admin.php?page=NotePress-Main-Menu&action=view&id=17+AND+SELECT+3630+FROM+SELECTSLEEP5KdTt...
Change wp-admin Login < 1.1.0 - Unauthenticated Arbitrary Settings Update
The plugin does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector curl --url...
External Links in New Window / New Tab < 1.43 - Tabnabbing
The plugin does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur. Create an external link, check window.opener in the newly opened tab after clicking the external link...
StaffList < 3.1.7 - Reflected Cross-Site Scripting
The plugin does to sanitise and escape a parameter before outputting it back in various places in an admin page, leading to a Reflected cross-Site Scripting v v 3.1.7 - https://example.com/wp-admin/admin.php?page=stafflist&search=aa' style=animation-name:rotation onanimationstart=alert/XSS///...
Note Press <= 0.1.10 - Admin+ SQLi via Update
The plugin does not sanitise and escape the Update parameter before using it in a SQL statement when updating a note via the admin dashboard, leading to an SQL injection POST /wp-admin/admin.php?page=NotePress-Main-Menu&action=edit&id=17 HTTP/1.1 Accept:...
CP Image Store with Slideshow < 1.0.68 - Unauthenticated SQLi
The plugin does not sanitise and escape the orderingby query parameter before using it in a SQL statement in pages where the codepeople-image-store is embed, allowing unauthenticated users to perform an SQL injection attack On a page where the codepeople-image-store is embed, append the following...
Note Press <= 0.1.10 - Admin+ SQLi via Bulk Actions
The plugin does not sanitise and escape the ids from the bulk actions before using them in a SQL statement in an admin page, leading to an SQL injection...
JivoChat < 1.3.5.4 - Stored Cross-Site Scripting via CSRF
The plugin does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript. XSS will be triggered when...
Team Members < 5.1.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed The teamcolor field ie "Main color" setting of a team is affected POST /wp-admin/post.php HTTP/1.1 Accept:...
WP 2FA < 2.2.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wp-2fa-settings&settingserror=...
Poll Maker < 4.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting attack even when unfilteredhtml is disallowed Put the following payload in any of the Mailchimp integration settings...
Content Mask < 1.8.4.1 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options POST /wp-admin/admin-ajax.php...
Smush < 3.9.9 - Admin+ Reflected Cross-Site Scripting
The plugin does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious...
Enable SVG < 1.4.0 - Author+ Stored Cross Site Scripting via SVG
The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads As an author or above, upload the below SVG file via the Media library: alert/XSS/; The XSS will be triggered when accessing the file directly, e...
StaffList < 3.1.6 - Reflected Cross-Site Scripting
The plugin does to sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected cross-Site Scripting https://example.com/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E...
VikBooking < 1.5.9 - Reflected Cross-Site Scripting
The plugin does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/?test%22-alert/XSS/-%22 https://example.com/wp-admin/profile.php?test%22-alert/XSS/-%22...
Nirweb support < 2.8.2 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an SQL injection curl https://example.com/wp-admin/admin-ajax.php --data 'action=answerdticket&idform=1 UNION ALL SELECT NULL,NULL,SELECT userpa...
Check & Log email < 1.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=check-email-settings&tab="...
WP Meta SEO < 4.4.7 - Admin+ Stored Cross-Site Scripting via breadcrumbs
The plugin does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed. As admin, put the following payload in the Breadcrumb...
StaffList < 3.1.5 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injection https://example.com/wp-admin/admin.php?page=stafflist&search=test%'+AND+SELECT+42+FROM+SELECTSLEEP5b+AND+'aa%'='aa...
Tabs Responsive < 2.2.8 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Tab descriptions, which could allow high privileged users with a role as low as editor to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit a Tab via the plugin, and put the following payload in a Tab...
WP Contacts Manager <= 2.2.4 - Unauthenticated SQLi
The plugin fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability. curl 'http://127.0.0.1:8080/wp-admin/admin-ajax.php?action=WPContactsManagercall&type=get-contact' \ --data '"id":"1\u002...
WP Subscribe < 1.2.13 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its widgets settings, which could allow high privilege users such as admin to perform Cross-Site Scripting even when unfilteredhtml is disallowed Add the widget of the plugin to a page, and put the following payload in settings such as "Title",...
StaffList < 3.1.6 - Arbitrary Staff Deletion via CSRF
The plugin does not have CSRF check in place when deleting staff members, which could allow attacker to make a logged in admin perform such action and delete arbitrary staff via a CSRF attack https://example.com/wp-admin/admin.php?page=stafflist&s=last&remove=1&p=1...
WP-Invoice <= 4.3.1 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attacker to make a logged in admin update them and change the minimum role allowed to access the plugin's features to subscriber for example, which would make invoices available to any authenticated users...