4359 matches found
Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
The plugin does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack...
Modern Events Calendar Lite < 6.4.7 - Reflected Cross-Site Scripting
The plugin does not escape some generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting On a page where the Total Booking widget is displayed, append the following payload: &a"alert/XSS/...
Page Security & Membership <= 1.5.15 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the "Force Public Pages" settings of the plugin...
Shopping Cart & eCommerce Store < 5.2.5 - Arbitrary Design Settings Update via CSRF
The plugin is lacking CSRF checks in various AJAX actions, such as ecadminajaxsavedesignsettings, which could allow attackers to make a logged in admin update arbitrary settings To disable the Live Design Editor To set the custom CSS setting to body background-color: red;...
Text Hover < 4.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the text to hover, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, put the following in the plugin's settings: test = "alert/XSS/ Tick the "Enable text hover in...
Good & Bad Comments <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any of the plugin's settings: "...
Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed Create/edit a Download and put the following payload in the File Name field: Download the...
Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read
The plugin does not validate the path parameter given to readfile, which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique...
Safe SVG < 1.9.10 - SVG Sanitisation Bypass
The sanitisation step of the plugin can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent mainly XSS, but depending on further use of uploaded SVG...
Amministrazione Aperta < 3.8 - Admin+ LFI
The plugin does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. The original advisory mentions that unauthenticated users can exploit this, however the affected file generates a fatal error when accessed directly and the affected...
Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
The plugin does not sanitise and escape the month parameter before using it in a SQL statement via the getmonthlytimetable AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection curl 'https://example.com/wp-admin/admin-ajax.php' --data...
Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Go to Hummingbird's Settings Configs edit the "Name and Description" and put the following...
Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
The plugin does not have authorisation and CSRF checks in the wptadminupdatenoticeoption AJAX action available to both unauthenticated and authenticated users, as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or o...
WP Downgrade < 1.2.3 - Admin+ Stored Cross-Site Scripting
The plugin only perform client side validation of its "WordPress Target Version" settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfilteredhtml capability is disallowed Access the settings of the...
Ad Injection <= 1.2.0.19 - Admin+ Stored Cross-Site Scripting & RCE
The plugin does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user Admin+ to inject arbitrary HTML or javascript even with unfilteredhtml disallowed, leading to a stored cross-site scripting XSS vulnerability. Further it is also possible to inje...
Loco Translate < 2.6.1 - Authenticated Stored Cross-Site Scripting
The plugin does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin Translator and Administrator by default to add arbitrary javascript payloads to the source...
Ninja Forms < 3.6.8 - Unauthenticated Email Address Disclosure
The plugin does not delete the temporary files created when exporting submissions, which could allow unauthenticated attackers to download them and get sensitive information such as the email address of users who submitted a form given that the file is publicly accessible, and with a guessable na...
Easy Smooth Scroll Links < 2.23.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any text field settings of the plugin for example Scroll Speed and...
One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files such as PHP even when FILEMODS and FILEEDIT are disallowed Access Tools Import One Click Demo Import Run Importer and import dummy XML file can be empty Intercept the request made...
Easy Social Icons < 3.2.1 - Unauthenticated Arbitrary Icon Deletion
The plugin does not have authorisation and CSRF checks when deleting icons, allowing unauthenticated user to delete arbitrary icons https://example.com/?cnss-delete=&id=1...
Podcast Importer SecondLine < 1.3.8 - Admin+ SQLi
The plugin does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file Put the XML below on a web server replacing the PAYLOAD with the correct one, then import a podcast...
Favicon by RealFaviconGenerator < 1.3.23 - Reflected Cross-Site Scripting
The plugin does not properly sanitise and escape the jsonresulturl parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue...
Easy Social Icons < 3.2.1 - Admin+ Stored Cross-Site Scripting in add icon
The plugin does not properly escape the imagefile field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfilteredhtml capability is disallowed. Version 3.2.0 adressed some of the issues, but was still vulnerable when clicking to edit the...
Advanced Booking Calendar < 1.7.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue...
Image optimization & Lazy Load < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Media Optimole...
Advanced Booking Calendar < 1.7.1 - Admin+ SQLi
The plugin does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks Edit an existing Seasons & Calendars /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars and tamper the id...
Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure
The plugin does not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data Make a booking to get a customer account Login via API and get access token: curl...
Salon booking system < 7.6.3 - Unauthenticated Sensitive Data Disclosure
The plugin does not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it. Although the API only retur...
LearnPress < 4.1.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the lp-dismiss-notice before outputting it back via the lpbackgroundsingleemail AJAX action, leading to a Reflected Cross-Site Scripting...
iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip
The settings of the plugin can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process,...
WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbotsgravafingerprint AJAX action, available to unauthenticated users, leading to a SQL injection curl -i 'https://example.com/wp-admin/admin-ajax.php' --data...
Download Manager < 3.2.39 - Unauthenticated brute force of files master key
The plugin uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download. ?php // The full timestamp fro...
Sassy Social Share < 3.3.40 - Reflected Cross-Site Scripting
The plugin does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled which is the default setting, leading to a Reflected Cross-Site Scripting issue. Note: Vendor was notified on September 14th, 2021...
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via keyword
The plugin does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form Append the following payload on a page containing a Post Grid with a search form:...
NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality
An unprivileged user could use the functionality of the plugin to load images that hide malware for example from passing malicious domains to hide their trace, by making them pass through the vulnerable domain. Search for a vulnerable domain with the dork:...
GridKit Portfolio < 2.1.0 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages...
Post Grid < 2.1.16 - Reflected Cross-Site Scripting via post_types
The plugin does not sanitise and escape the posttypes parameter before outputting it back in the response of the postgridupdatetaxonomiestermsbyposttypes AJAX action, available to any authenticated users, leading to a Reflected Cross-Site Scripting " name="posttypes"...
Easy Social Icons < 3.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its saved settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed. 3.1.3 added some escaping, but data was output elsewhere Put the...
Mark Posts < 2.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the 'Add new markers' settings of the plugin: "autofocus onfocus=alert/XSS/ b=...
MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution
The plugin allows a high privileged user to bypass the DISALLOWFILEEDIT and DISALLOWFILEMODS settings and upload arbitrary files to the site through the "ajaxsave" function. The file is written relative to the current theme's stylesheet directory, and a .php file extension is added. No validation...
Dropdown Menu Widget <= 1.9.7 - Subscriber+ Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks when saving its settings, allowing low privilege users such as subscriber to update them. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues Open the following URL as a subscriber:...
KingComposer <= 2.9.6 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them Create profile: fetch"https://example.com/wp-admin/admin-ajax.php?action=kccreateprofile", "headers":...
Members List < 4.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters in various pages before outputting them back, leading to Reflected Cross-Site Scripting issues https://example.com/wp-content/plugins/members-list/admin/view/user.php?page=%22%3E%3Cimg/src/onerror=alert/XSS/%20x...
Library File Manager < 5.2.3 - Subscriber+ Arbitrary File Creation/Upload/Deletion
The plugin is using an outdated version of the elFinder library, which is know to be affected by security issues CVE-2021-32682, and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, a...
Amelia < 1.0.48 - Customer+ SMS Service Abuse and Sensitive Data Disclosure
The plugin does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerabilit...
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. 1. Make a booking to become customer ...
Ad Inserter < 2.7.12 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the REQUESTURI before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters In a browser which does not encode characters:...
Material Design for Contact Form 7 <= 2.6.4 - Subscriber+ Arbitrary Settings Update leading to DoS
The plugin does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7mddismissnotice action, allowing any logged in user with roles as low as Subscriber to set arbitrary options to true, potentially leading to Denial of...
WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) - Contributor+ Stored Cross-Site Scripting
Description Post authors are able to bypass KSES restrictions in WordPress = 5.9 and or Gutenberg = 9.8.0 due to the order filters are executed, which could allow them to perform to Stored Cross-Site Scripting attacks As a user without the UNFILTEREDHTML capability, create a post containing the...
UpdraftPlus < 1.22.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the updraftinterval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting XSS vulnerability. https://example.com//wp-admin/options-general.php?page=updraftplus&updraftinterval"confirm1...