4359 matches found
Visual Form Builder < 3.0.8 - Entries Deletion/Restoration via CSRF
The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor delete and restore arbitrary form entries via CSRF attacks Single entry trash: https://example.com/wp-admin/admin.php?page=vfb-entries&action=trash&entry=2 Since entry permanent deletion:...
Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting
The plugin does not properly sanitize the $GET'imageurl' variable, which is reflected back to the users when executing the editimagebwg AJAX action. var form1 = document.getElementById'hack'; form1.submit;...
Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update
The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the userscanregister and defaultrole,...
Adrotate < 5.8.23 - Admin+ XSS via Group Name
The plugin does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit a group and put the following payload in the Name field: " style=animation-name:rotation...
Multiple Shipping Address Woocommerce < 2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Import WP < 2.4.6 - Admin+ Arbitrary File Upload to RCE
The plugin does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files such as PHP, leading to RCE Import a PHP file via an URL Tools Import WP Add Importer put any name, and post template Create Importer Remote File select any file typ...
HubSpot < 8.8.15 - Contributor+ Blind SSRF
The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the editposts capability by default contributor and above to perform SSRF attacks As an authenticated user with the editposts capability, get REST nonce via...
Visual Form Builder < 3.0.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit a form and put the following payload in the 'E-mail To' field: " The XSS will be...
Content Egg < 5.3.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading to a Reflected Cross-Site Scripting alert/XSS/;'...
Tipsacarrier <= 1.4.4.2 - Unauthenticated Orders Disclosure
The plugin does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL Vendor was notified on November 26th, 2021, did not reply nor fix the...
Documentor <= 1.5.3 - Unauthenticated SQLi
The plugin fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users. curl https://example.com/wp-admin/admin-ajax.php --data 'action=docsearchresults&term=&docid=1 AND SELECT 628...
Event List < 0.8.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfilteredhtml is disallowed Put the following payload in the "iCal link text" Feed Settings of the plugin...
Ad Invalid Click Protector (AICP) < 1.2.7 - Reflected Cross-Site Scripting
The plugin does not have sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected cross-Site Scripting alert/XSS/' /...
Download Monitor < 4.5.91 - Admin+ Arbitrary File Download
The plugin does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup. Create a new download, add a file and put the followi...
Ad Invalid Click Protector (AICP) < 1.2.7 - Arbitrary Ban Deletion via CSRF
The plugin does not have CSRF check deleting banned users, which could allow attackers to make a logged in admin remove arbitrary bans https://example.com/wp-admin/admin.php?page=aicpbanneduserdetails&action=delete&id=1...
Tipsacarrier <= 1.4.4.2 - Unauthenticated SQLi
The plugin does not sanitise and escape various parameters before using them in SQL statements, and is lacking authorisation checks in some calls as well, leading to SQL Injection issues Vendor was notified on November 26th, 2021, did not reply nor fix the issue Affected files:...
Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it As unauthenticated: wget "https://example.com/?p=1" --header "Referer: " -O- The XSS will be...
LifterLMS PayPal < 1.4.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue https://example.com/purchase/confirm-payment/?order=order-xxxxxxx&PayerID=aa"...
Weblizar Pin It Button On Image Hover And Post < 3.4 - Subscriber+ Arbitrary Settings Update
The plugin does not have authorisation and proper CSRF check when saving its settings, allowing any authenticated users, such as subscribers to update them fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded", , "body": new...
Menubar < 5.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action available to any authenticated users, leading to a Reflected Cross-Site Scripting " /...
Amr Users < 4.59.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the "Name of list" field in the User Lists Overview ...
Social comments by WpDevArt < 2.5.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when unfilteredhtml is disallowed Put the following payload in any of the plugin's text field settings such as Title , Title font-size etc: "svg...
Quick Adsense < 2.8.2 - Subscriber+ Post Stats Reset
The plugin does not have authorisation and CSRF checks in some of its AJAX actions allowing any authenticated users, such as subscribers to call them and reset Posts stats for example fetch"/wp-admin/admin-ajax.php", "headers": "accept": "/", "accept-language": "en-US,en;q=0.9", "content-type":...
ULeak Security & Monitoring <= 1.2.3 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks when updating its settings, and is also lacking sanitisation as well as escaping in some of them, which could allow any authenticated users such as subscriber to perform Stored Cross-Site Scripting attacks against admins viewing the settings ...
Page Restriction WordPress < 1.2.7 - Admin+ Stored Cross-Site Scripting
The plugin allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users. In Page/Post Access tab, Use XSS Payload as "alert'XSS' in any of the pages available. XSS wi...
ThirstyAffiliates < 3.10.5 - Subscriber+ unauthorized image upload + CSRF
The plugin lacks authorization checks in the tainsertexternalimage action, allowing a low-privilege user with a role as low as Subscriber to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the...
ThirstyAffiliates Affiliate Link Manager < 3.10.5 - Subscriber+ Arbitrary Affiliate Links Creation
The plugin does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website fetch"/wp-admin/admin-ajax.php", "headers":...
Donorbox < 7.1.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed Put the following payload in the Campaign URL settings of the plugin: "...
Clipr <= 1.2.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its API Key settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed Put the following payload in the API Key settings of the plugin: 'alert/XSS/ The XSS will be...
Videos sync PDF <= 1.7.4 - Unauthenticated LFI
The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues https://example.com/wp-content/plugins/video-synchro-pdf/reglages/MenuPlugins/tout.php?p=LFI...
Cab fare calculator < 1.0.4 - Unauthenticated LFI
The plugin does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues. Despite what the original advisory claims, the issue is not exploitable by accessing the file directly as a fatal error is triggered before the vulnerable...
Animate It! < 2.4.0 - Contributor+ Stored Cross-Site Scripting
The plugin has flawed validations and does not escape its shortcode argument, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks via a malicious shortcode v 2.3.8 edsanimate animation="attacker" delay='1"...
LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Proof of Concept PoC: ======================= 1. The stored XS...
Books & Papers <= 0.20210223 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Custom DB Prefix settings of the plugin: BooksnPapers" style=animation-name:rotati...
DW Question & Answer Pro <= 1.3.4 - Multiple CSRF
The plugin does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as update a comment or a question status. Vendor was notified via Envato on September 28th, 2021, but did not properly fix the issue and was notified...
Donations <= 1.8 - Unauthenticated SQLi
The plugin does not sanitise and escape the nddonationsid parameter before using it in a SQL statement via the nddonationssinglecauseformvalidatefieldsphpfunction AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection Create a new "Cause" and fill out the form...
5 Stars Rating Funnel < 1.2.53 - Unauthenticated SQLi
Description The plugin does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtnggdeleteleads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using...
DW Question & Answer Pro <= 1.3.4 - Arbitrary Comment Edition via IDOR
The plugin does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments. Vendor was notified via Envato on September 28th, 2021, but did not properly fix the issue and was notified numerous times since. As any authenticated user, post a...
Nimble Page Builder < 3.2.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting v ' v...
Users Ultra <= 3.1.0 - Unauthenticated SQL Injection
The plugin fails to properly sanitize and escape the datatarget parameter before it is being interpolated in an SQL statement and then executed via the ratingvote AJAX action available to both unauthenticated and authenticated users, leading to an SQL Injection. curl...
Advanced Page Visit Counter < 6.1.6 - Subscriber+ Blind SQL injection
The plugin does not escape the artID parameter before using it in a SQL statement in the apvcresetcountart AJAX action, available to any authenticated user, leading to a SQL injection v = 5.0.8 - https://example.com/wp-admin/admin-ajax.php?action=apvcresetcountart&artID=sleep10 v 6.1.6 -...
uDraw < 3.3.3 - Unauthenticated Arbitrary File Access
The plugin does not validate the url parameter in its udrawconverturltobase64 AJAX action available to both unauthenticated and authenticated users before using it in the filegetcontents function and returning its content base64 encoded in the response. As a result, unauthenticated users could re...
Master Elements <= 8.0 - Unauthenticated SQLi
The plugin does not validate and escape the metaids parameter of its removepostmetacondition AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL Injection As unauthenticated:...
English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
The plugin does not validate the admincustomlanguagereturnurl before redirecting users o it, leading to an open redirect issue https://example.com/wp-admin/admin-ajax.php?action=heartbeat&admincustomlanguagetoggle=1&admincustomlanguagereturnurl=https://wpscan.com...
Anti-Malware Security and Brute-Force Firewall < 4.20.96 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the QUERYSTRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters GET /wp-admin/admin.php?page=GOTMLSViewQuarantine&a=" HTTP/1.1 Cache-Control: max-age=0...
Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover
The plugin injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flocustomtableprefix cookie to an arbitrary value. On any website where flo-launch is active create cookie "flocustomtableprefix" with any string value to...
Tatsu < 3.3.12 - Unauthenticated RCE
The plugin addcustomfont action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover,...
Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting
The plugin does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting The issue is only exploitable when there are no forms created yet...
SearchIQ < 3.9 - Unauthenticated Stored XSS
The plugin contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siqajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter Once the plugin is configur...
Thank Me Later <= 3.3.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Add/Edit a message and put the following...