Lucene search
K
WpexploitRecent

4359 matches found

wpexploit
wpexploit
added 2022/02/14 12:0 a.m.146 views

WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode

The plugin does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks wordpressfileupload widths='title:1;animation-nametwentytwentyone-close-button-transition" onanimationend="alert/XSS-widths/'...

5.4CVSS2.4AI score0.0077EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.113 views

WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting

The plugin does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Go to "Field Editor" page. Put the following XSS payload into the "Placeholder / Options"...

4.8CVSS0.1AI score0.00588EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.135 views

LoginPress < 1.5.12 - Reflected Cross-Site Scripting

The plugin does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting...

6.1CVSS1.4AI score0.00788EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.591 views

Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure

The plugin does not have authorisation in its vczapigetwpusers AJAX action, allowing any authenticated users, such as subscriber to download the list of email addresses registered on the blog Open the following URL as a subscriber: https://example.com/wp-admin/admin-ajax.php?action=vczapigetwpuse...

4.3CVSS1.8AI score0.0099EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.121 views

WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Malicious SVG

The plugin allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks 1. As a contributor or above add the following shortcode to a post: wordpressfileupload...

5.4CVSS0.5AI score0.0077EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.501 views

Smart Forms < 2.6.71 - Subscriber+ Form Data Download

The plugin does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. Execute the below command in the web develop...

6.5CVSS6.3AI score0.00973EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.570 views

WP Visitor Statistics (Real Time Traffic) < 5.6 - Subscriber+ SQL Injection

The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to a SQL injection https://example.com/wp-admin/admin-ajax.php?action=refUrlDetails&id=sleep1%20--%20g...

8.8CVSS2.3AI score0.01297EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.103 views

YOP Poll < 6.3.5 - Author+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of the settings available to users with a role as low as author before outputting them, leading to a Stored Cross-Site Scripting issue As author, put the following payload in the Settings Integration Use Google reCaptcha Yes Site Key: v v 6.3.5 - "...

5.4CVSS5.3AI score0.00595EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.616 views

UsersWP < 1.2.3.1 - Subscriber+ User Avatar Override

The plugin is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar. - Right click the thumbnail of another user and copy the image URL. It will be something like:...

4.3CVSS0.4AI score0.00644EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/11 12:0 a.m.353 views

Email Subscribers & Newsletters < 5.3.2 - Subscriber+ Blind SQL injection

The plugin does not correctly escape the order and orderby parameters to the ajaxfetchreportlist action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to tri...

8.8CVSS2.4AI score0.04184EPSS
Exploits3
wpexploit
wpexploit
added 2022/02/11 12:0 a.m.211 views

Email Subscribers & Newsletters < 5.3.2 - Unauthenticated arbitrary option update

The plugin lacks both authentication and nonce checks in its esdismissadminnotice function, allowing an external attacker to set arbitrary plugin options to "yes". https://example.com/?optionname=userroles&esdismissadminnotice=1 This will set the option igesuserroles to "yes"...

3.3AI score
Exploits0
wpexploit
wpexploit
added 2022/02/10 12:0 a.m.133 views

WP Statistics < 13.1.5 - Unauthenticated Blind SQL Injection

The plugin is vulnerable to unauthenticated SQL Injection via the exclusionreason parameter due to missing parameterization and escaping in the SQL query found on line 88 of the /includes/class-wp-statistics-exclusion.php file when the Record Exclusions feature is enabled. Step 1: Insert "aaaa"...

9.8CVSS0.8AI score0.5346EPSS
Exploits3References1
wpexploit
wpexploit
added 2022/02/09 12:0 a.m.117 views

E2Pdf < 1.16.45 - Admin+ Stored Cross-Site Scripting (XSS)

The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Refer to https://mikadmin.fr/tech/XSS-Stored-E2Pdf-798ef69b0e13c36acf5446358d57c965Dx90666bNvCw98.pdf...

4.8CVSS1.8AI score0.01262EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/09 12:0 a.m.462 views

Ditty (formerly Ditty News Ticker) < 3.0.15 - Reflected Cross-Site Scripting (XSS)

The plugin is affected by a Reflected Cross-Site Scripting XSS vulnerability. http://127.0.0.1:8001/wp-admin/edit.php?posttype=ditty&page=dittysettings&tab=%22%3E%3Cimg+src+onerror%3Dalert%281%29%3E...

6.1CVSS1.3AI score0.01857EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/07 12:0 a.m.144 views

Multisite User Sync/Unsync < 2.1.2 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape the wmussourceblog and wmusrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-sourceblog/' / alert/XSS-record/' /...

6.1CVSS0.00788EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/07 12:0 a.m.426 views

White Label MS < 2.2.9 - Reflected Cross-Site Scripting

The plugin does not sanitise and validate the wlcmslogincustomjs parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue In v...

6.1CVSS6.1AI score0.0812EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/07 12:0 a.m.198 views

AdRotate < 5.8.22 - Admin+ SQL Injection

The plugin does not sanitise and escape the adrotateaction before using it in a SQL statement via the adrotaterequestaction function available to admins, leading to a SQL injection Get the nonce from one of the bulk action, for example /wp-admin/admin.php?page=adrotate and look for adrotatenonce ...

7.2CVSS1.1AI score0.01255EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/07 12:0 a.m.749 views

Catch Themes Demo Import < 2.1.1 - Admin+ Remote Code Execution

The plugin does not validate one of the file to be imported, which could allow high privivilege admin to upload an arbitrary PHP file and gain RCE even in the case of an hardened blog ie DISALLOWUNFILTEREDHTML, DISALLOWFILEEDIT and DISALLOWFILEMODS constants set to true Author : qerogram import...

7.2CVSS0.6AI score0.0142EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/07 12:0 a.m.940 views

All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE

The plugin does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations. To reproduce: - Log in, Click all in one WP migration import to use the import from file function. - Intercept wp-admin/admin-...

7.2CVSS0.01687EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/07 12:0 a.m.100 views

Multisite Content Copier/Updater < 2.1.0 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape the wmcccontenttype, wmccsourceblog and wmccrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-contenttype/' / alert/XSS-source/' / alert/XSS-record/' /...

6.1CVSS0.00788EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/07 12:0 a.m.124 views

WordPress Real Cookie Banner < 2.14.2 - Settings Reset via CSRF

The plugin does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack https://example.com/wp-admin/admin.php?page=real-cookie-banner-component&rcb-reset-all=1...

6.5CVSS4AI score0.00523EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/04 12:0 a.m.91 views

IP2Location Country Blocker < 2.26.9 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, enable Frontend Blocking and put the following payload in the Display page when visitor is blocked U...

0.4AI score
Exploits0References2
wpexploit
wpexploit
added 2022/02/03 12:0 a.m.78 views

Ad Inserter < 2.7.11 - Admin+ RCE / Stored XSS

The plugin does not make any security checks regarding the PHP and JS code in blocks, allowing high privilege users such as admin to execute commands on the underlying OS as well as perform Stored Cross-Site Scripting attacks even in multisite blogs and hardened ones. 1. Go to Settings - Ad...

0.7AI score
Exploits0
wpexploit
wpexploit
added 2022/02/03 12:0 a.m.53 views

EasyJobs < 1.4.8 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape the job-id parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting https://example.com/wp-content/plugins/easyjobs/admin/partials/easyjobs-candidates-display.php?job-id=%22%3E%3Cimg/src/onerror=alert/XSS/%3E...

0.9AI score
Exploits0References1
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.103 views

WP Time Slots Booking Form < 1.1.63 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create a new calendar with the following Name: alert'XSS' The XSS will be triggered when editing or publishing the...

0.4AI score0.00588EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.97 views

Advanced iFrame < 2022 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape the aiconfigid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue alert/XSS/;" / var form1 = document.getElementById'hack'; form1.submit;...

6.1CVSS0.3AI score0.00788EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.139 views

Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting

The plugin does not escape custom fields before outputting them, which could allow Contributor+ v Preferences Panels and enable the Custom Fields, such as testxss with a value of alert/XSS/ Then add the following shortcode to the post field testxss and view/preview it to trigger the XSS...

0.1AI score0.00595EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.155 views

Wordpress Download Manager < 3.2.25 - Sensitive Information Disclosure

The plugin does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords fixed in 3.2.24 and files Master Keys fixed in 3.2.25. Expose plaintext passwords fix...

7.5CVSS7.5AI score0.01493EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.99 views

CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Put the following payloads in the "License ID" setting of the plugin and save: "alert/XSS/...

4.8CVSS0.0632EPSS
Exploits5
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.119 views

Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access

The field shortcode included with the plugin, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved With the...

1.2AI score0.00782EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.136 views

Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI

The plugin does not validate the data passed to its load shortcode, which could allow Contributor+ v 4.0.1 or Admin+ v 4.0.2 users to display arbitrary files from the filesystem such as logs, .htaccess etc, as well as perform Local File Inclusion attacks as PHP files will be executed. Please note...

0.3AI score0.00435EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.959 views

NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection

The plugin does not sanitise and escape the nxid parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection time wget 'https://example.com/?restroute=/notificationx/v1/analytics' --post-data="nxid=sleep2 -- x" -q -O-...

9.8CVSS2.2AI score0.34359EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/01 12:0 a.m.132 views

Conversios.io < 4.6.2 - Subscriber+ SQL Injection

The plugin does not sanitise, validate and escape the syncprogressivedata parameter for the tvcajaxproductsyncbantchwise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks. Note: The vendor was notified multiple times since November 6t...

8.8CVSS0.5AI score0.01297EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/01 12:0 a.m.101 views

Cost Calculator < 1.6 - Contributor+ Stored Cross-Site Scripting

The plugin allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator Price Settings which gets injected on the edit page as well as any page that embeds the calculator using the shortcode, as well as the Text...

5.4CVSS5.3AI score0.00595EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/01 12:0 a.m.129 views

Easy Pricing Tables < 3.1.3 - Arbitrary Post Removal via CSRF

The plugin does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash https://example.com/wp-admin/edit.php?posttype=easy-pricing-table&page=ept3-list&action=trash&post=1...

6.5CVSS4.7AI score0.00523EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/01 12:0 a.m.101 views

Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update

The plugin doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings PoC POST Request ON/OFF Captcha: POST /wp-admin/admin-ajax.php HTTP/2 Cookie: any authenticated user User-Agent: Mozilla/5.0 Content-Type:...

0.7AI score0.0053EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/01 12:0 a.m.191 views

Page Views Count < 2.4.15 - Unauthenticated SQL Injection

The plugin does not sanitise and escape the postids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks...

9.8CVSS3AI score0.14783EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/01 12:0 a.m.98 views

MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation

The plugin does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin The nonce value of the stmlmsregister request must be retrieved from the ajax page. for this you should check the home page POST...

9.8CVSS0.9AI score0.84943EPSS
Exploits8References1
wpexploit
wpexploit
added 2022/02/01 12:0 a.m.108 views

Cost Calculator <= 1.8 - Authenticated Local File Inclusion

The plugin allows authenticated users Contributor+ in versions 1.5, and Admin+ in versions = 1.8 to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout As a contributor, create a Cost Calculator post, set the Layout to...

6.5CVSS0.2AI score0.03EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/01 12:0 a.m.125 views

Product Feed PRO for WooCommerce < 11.2.3 - Reflected Cross-Site Scripting

The plugin does not escape the rowCount parameter before outputting it back in an attribute via the wooseacategoriesdropdown AJAX action available to any authenticated user, leading to a Reflected Cross-Site Scripting...

5.4CVSS0.3AI score0.00742EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.72 views

Crazy Bone <= 0.6.0 - Unauthenticated Stored XSS

The plugin does not sanitise and escape the username submitted via the login from when displaying them back in the log dashboard, leading to an unauthenticated Stored Cross-Site scripting curl 'https://example.com/wp-login.php' --data-raw 'log=a&pwd=x&wp-submit=Log+In' The XSS will be trigged in...

0.6AI score0.01374EPSS
Exploits2
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.136 views

Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending

The plugin does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues...

6.1CVSS0.01469EPSS
Exploits2
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.77 views

Superforms < 6.0.4 - Reflected Cross-Site Scripting

The plugin does not escape the bobczypanstwasprawazostalarozwiazana parameter before outputting it back in an attribute via the superlanguageswitcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user...

0.8AI score0.00313EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.561 views

WP Visitor Statistics (Real Time Traffic) < 5.5 - Arbitrary IP Address Exclusion to Stored XSS

The plugin does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping...

5.4CVSS0.5AI score0.00516EPSS
Exploits2
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.689 views

Better Notifications for WP < 1.8.7 - Email Address Disclosure

The plugin does not have authorisation and CSRF check in its bnfwsearchusers AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes finding the first letter, then the second one, then the third one etc.. import sys import string import urllib.parse import...

4.3CVSS0.6AI score0.00423EPSS
Exploits2
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.691 views

Logo Showcase with Slick Slider < 2.0.1 - Arbitrary Media Title/Description/Alt Text/URL Update via CSRF

The plugin does not have CSRF check in the lswsssaveattachmentdata AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary uploaded media. jQuery.postajaxurl, action: "lswsssaveattachmentdata", attachmentid: 564, formdata:...

4.3CVSS3.3AI score0.00464EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.369 views

TI WooCommerce Wishlist < 1.40.1 - Unauthenticated Blind SQL Injection

The plugins do not sanitise and escape the itemid parameter before using it in a SQL statement via the wishlist/removeproduct REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks time wget...

9.8CVSS2AI score0.73998EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.104 views

Blackhole for Bad Bots < 3.3.2 - Arbitrary IP Address Blocking via IP Spoofing

The plugin uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abuse...

9.1CVSS0.2AI score0.01645EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.90 views

WP User < 7.0 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape some parameters in pages where the wpuser shortcode is used, leading to Reflected Cross-Site Scripting issues PAGEWITHSHORTCODE is a page with the wpuser shortcode embed https://example.com/?pageid=PAGEWITHSHORTCODE&formid="alert/XSS/...

0.2AI score0.00788EPSS
Exploits2
wpexploit
wpexploit
added 2022/01/31 12:0 a.m.502 views

WP Review Slider < 11.0 - Admin+ SQL Injection

The plugin does not sanitise and escape the pid parameter when copying a Twitter source, which could allow a high privilege users to perform SQL Injections attacks Create a Twitter Source, copy it via the 'Copy' button, then change the pid parameter in the URL to 1000 UNION ALL SELECT...

7.2CVSS0.7AI score0.01445EPSS
Exploits2References1
Total number of security vulnerabilities4359