4359 matches found
Booking Package < 1.5.29 - Unauthenticated Sensitive Data Disclosure
The plugin requires a token for exporting the ical representation of it's booking calendar, but this token is returned in the json response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability. When a guest make a booking via sending "action:...
WP HTML Mail < 3.1.3 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/options-general.php?page=wp-html-mail&tab=advanced&a"alert/XSS/...
WP Block and Stop Bad Bots < 6.88 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue GET / HTTP/1.1 User-Agent: '+SLEEP5-- g Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language:...
Ninja Forms File Uploads Extension < 3.3.1 - Unauthenticated Arbitrary File Upload
The plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the /includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code...
Google Pagespeed Insights < 4.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting...
FormBuilder <= 1.08 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in...
Easy Social Icons < 3.1.4 - Admin+ SQL Injection
The plugin does not sanitize the selectedicons attribute to the cnsswidget before using it in an SQL statement, leading to a SQL injection vulnerability. Author : Qerogram import requests from bs4 import BeautifulSoup BASEURL = "http://localhost:8000" id = "wordpress" pw = "wordpress" def loginid...
Interactive Medical Drawing of Human Body < 2.6 - Admin+ Stored XSS
The plugin does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Link settings of a body party and save the change: "alert/XSS-link/...
Wow Countdowns <= 3.1.2 - Admin+ SQLi
The plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection. https://example.com/wp-admin/admin.php?page=mwp-countdown&info=del&did=1+AND+SELECT+5382+FROM+SELECTSLEEP5PpNt...
Title Experiments Free < 9.0.1 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the wpextitles AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=wpextitles&id=1 AND SELECT 3...
Plezi < 1.0.3 - Unauthenticated Stored XSS
The plugin has a REST endpoint allowing unauthenticated users to update the plzconfigurationtrackerenable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue curl -X POST...
Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure
The plugin does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to...
Akismet Privacy Policies <= 2.0.1- Reflected Cross-Site Scripting
The plugin does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...
Popup Builder < 4.1.1 - SQL Injection to Reflected Cross-Site Scripting
The plugin does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a...
Menu Image, Icons made easy < 3.0.8 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticate users, such as subscriber can update the settings or arbitrary menu and put Cross-Site Scripting payloads in them which will be triggere...
Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
The plugin allows SVG files to be uploaded by default via the dndcodedropzupload AJAX action, which could lead to Stored Cross-Site Scripting issue POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip,...
SpeakOut! Email Petitions < 2.14.15.1 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the dkspeakoutsendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users Create a new email petition /wp-admin/admin.php?page=dkspeakoutaddnew, check x Do not send email onl...
Conference Scheduler < 2.4.3 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the tab parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/edit.php?posttype=confworkshop&page=confscheduleroptions&tab="...
Coupon Affiliates < 4.16.4.5 - Unauthenticated Stored XSS
The plugin does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin. curl https://example.com/wp-admin/admin-ajax.php --data...
Limit Login Attempts (Spam Protection) < 5.1 - Unauthenticated SQLi
The plugin does not sanitise and escape some parameters before using them in SQL statements via AJAX actions available to unauthenticated users, leading to SQL Injections order and columns parameters are affected curl 'https://example.com/wp-admin/admin-ajax.php' --data...
MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise from data, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create a form and put the following payload in the Form Code textarea: The XSS will be triggered whe...
Multilist Subscribe for Sendy <= 1.6.1 - Subscriber+ Arbitrary Options Update
The plugin is using an outdated version of the Freemius library 1.2.2.9, which is known to be affected by a security issue allowing any authenticated users, such as subscriber to set arbitrary blog options As any authenticated user: Enable new user registrations:...
Delete Old Orders <= 0.2 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the date parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=woo-delete-old-orders&step=3&date="...
OSMapper <= 2.1.5 - Unauthenticated Arbitrary Post Deletion
The plugin contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wpajaxnopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result,...
dTabs <= 1.4 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/options-general.php?page=dtabs.php&action=edit&tab="...
Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. 1. Create a booking with user01 2. Create...
WPC Smart Wishlist for WooCommerce < 2.9.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the key parameter before outputting it back in the wishlistquickview AJAX action's response available to any authenticated user, leading to a Reflected Cross-Site Scripting alert/XSS/;' The source and destination should use the https:// protocol for the...
Database Peek <= 1.2 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=ab-database-peek&table=wpusers&match="...
Bank Mellat <= 1.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=bank-mellat&orderId="...
Mapping Multiple URLs Redirect Same Page <= 5.8 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the mmurspid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=mmursp-list&view=edit&mmurspid="...
Folders Disclosure via Outdated jQueryFileTree Library
The plugins are using the admin-page-framework framework which is shipped with the outdated and no longer maintained library jQueryFileTree known to be affected by a path traversal issue, allowing unauthenticated attackers to disclose the folder structure of the web server curl...
WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE
The plugin allows users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution. As a contributor or above, add the...
Sermon Browser <= 0.45.22 - Arbitrary File Upload via CSRF
The plugin does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones. function submitRequest var xhr = new XMLHttpRequest; xhr.open"POST",...
Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE
The plugin fails to validate and sanitize the libpath parameter before it is passed into a call to require via the narnoodistributorlibrequest AJAX action available to both unauthenticated and authenticated users which results in the disclosure of arbitrary files as the content of the file is the...
Bulk Creator <= 1.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the posttype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=bulk-creator&posttype="...
Formcraft3 < 3.8.28 - Unauthenticated SSRF
The plugin does not validate the URL parameter in the formcraft3get AJAX action, leading to SSRF issues exploitable by unauthenticated users https://example.com/wp-admin/admin-ajax.php?action=formcraft3get&URL=https://wpscan.com...
Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection
The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection 1. Install the vulnerable plugin...
AP Pricing Tables Lite < 1.1.5 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the postid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=ap-pricing-tables-lite-add-new&postid=1'...
Unauthorised AJAX Calls via Freemius
Description The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in...
SEO Plugin by Squirrly SEO < 11.1.12 - Reflected Cross-Site Scripting
The plugin does not escape the type parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting...
Modern Events Calendar Lite < 6.4.0 - Contributor+ Stored Cross Site Scripting
The plugin does not sanitize and escape some of the Hourly Schedule parameters which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, create/edit an Event, add the following payload in a "Hourly Schedule" title, as well as any of...
Unauthorised AJAX Calls via Freemius
Description The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in...
AP Mega Menu < 3.0.8 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. https://example.com/wp-admin/admin.php?page=wpmm-add-theme&wpnonce="...
miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion
The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. Note: The initial issue was fixed in...
Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
The plugin does not validate and escape the postid parameter before using it in a SQL statement via the qcldupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection curl https://example.com/wp-admin/admin-ajax.php --data...
3D FlipBook < 1.12.1 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have authorisation and CSRF checks when updating its settings, and does not have any sanitisation/escaping, allowing any authenticated users, such as subscriber to put Cross-Site Scripting payloads in all pages with a 3d flipbook. As a subscriber:...
BookingPress < 1.0.11 - Unauthenticated SQL Injection
The plugin fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpressfrontgetcategoryservices AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection - Create a new "category" and associate i...
NotificationX < 2.3.12 - Unauthenticated SQLi
The plugin does not validate and escape the id parameter in its notificationx/v1/notification REST endpoint before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL Injection attacks. The apikey is the md5 of the homeurl either with http or https protocol...
Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
The plugin does not validate and escape the postid parameter before using it in a SQL statement via the qcopdupvoteaction AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL Injection curl 'http://example.com/wp-admin/admin-ajax.php' --data...
Simple Membership < 4.1.0 - Arbitrary Transaction Deletion via CSRF
The plugin does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack https://example.com/wp-admin/admin.php?page=simplewpmembershippayments&action=deletetxn&id=1 will delete the transaction...