4359 matches found
WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Shortcode
The plugin does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks wordpressfileupload widths='title:1;animation-nametwentytwentyone-close-button-transition" onanimationend="alert/XSS-widths/'...
WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Go to "Field Editor" page. Put the following XSS payload into the "Placeholder / Options"...
LoginPress < 1.5.12 - Reflected Cross-Site Scripting
The plugin does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting...
Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure
The plugin does not have authorisation in its vczapigetwpusers AJAX action, allowing any authenticated users, such as subscriber to download the list of email addresses registered on the blog Open the following URL as a subscriber: https://example.com/wp-admin/admin-ajax.php?action=vczapigetwpuse...
WordPress File Upload < 4.16.3 - Contributor+ Stored Cross-Site Scripting via Malicious SVG
The plugin allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks 1. As a contributor or above add the following shortcode to a post: wordpressfileupload...
Smart Forms < 2.6.71 - Subscriber+ Form Data Download
The plugin does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. Execute the below command in the web develop...
WP Visitor Statistics (Real Time Traffic) < 5.6 - Subscriber+ SQL Injection
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to a SQL injection https://example.com/wp-admin/admin-ajax.php?action=refUrlDetails&id=sleep1%20--%20g...
YOP Poll < 6.3.5 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the settings available to users with a role as low as author before outputting them, leading to a Stored Cross-Site Scripting issue As author, put the following payload in the Settings Integration Use Google reCaptcha Yes Site Key: v v 6.3.5 - "...
UsersWP < 1.2.3.1 - Subscriber+ User Avatar Override
The plugin is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar. - Right click the thumbnail of another user and copy the image URL. It will be something like:...
Email Subscribers & Newsletters < 5.3.2 - Subscriber+ Blind SQL injection
The plugin does not correctly escape the order and orderby parameters to the ajaxfetchreportlist action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to tri...
Email Subscribers & Newsletters < 5.3.2 - Unauthenticated arbitrary option update
The plugin lacks both authentication and nonce checks in its esdismissadminnotice function, allowing an external attacker to set arbitrary plugin options to "yes". https://example.com/?optionname=userroles&esdismissadminnotice=1 This will set the option igesuserroles to "yes"...
WP Statistics < 13.1.5 - Unauthenticated Blind SQL Injection
The plugin is vulnerable to unauthenticated SQL Injection via the exclusionreason parameter due to missing parameterization and escaping in the SQL query found on line 88 of the /includes/class-wp-statistics-exclusion.php file when the Record Exclusions feature is enabled. Step 1: Insert "aaaa"...
E2Pdf < 1.16.45 - Admin+ Stored Cross-Site Scripting (XSS)
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Refer to https://mikadmin.fr/tech/XSS-Stored-E2Pdf-798ef69b0e13c36acf5446358d57c965Dx90666bNvCw98.pdf...
Ditty (formerly Ditty News Ticker) < 3.0.15 - Reflected Cross-Site Scripting (XSS)
The plugin is affected by a Reflected Cross-Site Scripting XSS vulnerability. http://127.0.0.1:8001/wp-admin/edit.php?posttype=ditty&page=dittysettings&tab=%22%3E%3Cimg+src+onerror%3Dalert%281%29%3E...
Multisite User Sync/Unsync < 2.1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wmussourceblog and wmusrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-sourceblog/' / alert/XSS-record/' /...
White Label MS < 2.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and validate the wlcmslogincustomjs parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue In v...
AdRotate < 5.8.22 - Admin+ SQL Injection
The plugin does not sanitise and escape the adrotateaction before using it in a SQL statement via the adrotaterequestaction function available to admins, leading to a SQL injection Get the nonce from one of the bulk action, for example /wp-admin/admin.php?page=adrotate and look for adrotatenonce ...
Catch Themes Demo Import < 2.1.1 - Admin+ Remote Code Execution
The plugin does not validate one of the file to be imported, which could allow high privivilege admin to upload an arbitrary PHP file and gain RCE even in the case of an hardened blog ie DISALLOWUNFILTEREDHTML, DISALLOWFILEEDIT and DISALLOWFILEMODS constants set to true Author : qerogram import...
All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE
The plugin does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations. To reproduce: - Log in, Click all in one WP migration import to use the import from file function. - Intercept wp-admin/admin-...
Multisite Content Copier/Updater < 2.1.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wmcccontenttype, wmccsourceblog and wmccrecordperpage parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-contenttype/' / alert/XSS-source/' / alert/XSS-record/' /...
WordPress Real Cookie Banner < 2.14.2 - Settings Reset via CSRF
The plugin does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack https://example.com/wp-admin/admin.php?page=real-cookie-banner-component&rcb-reset-all=1...
IP2Location Country Blocker < 2.26.9 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. As admin, enable Frontend Blocking and put the following payload in the Display page when visitor is blocked U...
Ad Inserter < 2.7.11 - Admin+ RCE / Stored XSS
The plugin does not make any security checks regarding the PHP and JS code in blocks, allowing high privilege users such as admin to execute commands on the underlying OS as well as perform Stored Cross-Site Scripting attacks even in multisite blogs and hardened ones. 1. Go to Settings - Ad...
EasyJobs < 1.4.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the job-id parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting https://example.com/wp-content/plugins/easyjobs/admin/partials/easyjobs-candidates-display.php?job-id=%22%3E%3Cimg/src/onerror=alert/XSS/%3E...
WP Time Slots Booking Form < 1.1.63 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create a new calendar with the following Name: alert'XSS' The XSS will be triggered when editing or publishing the...
Advanced iFrame < 2022 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the aiconfigid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue alert/XSS/;" / var form1 = document.getElementById'hack'; form1.submit;...
Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting
The plugin does not escape custom fields before outputting them, which could allow Contributor+ v Preferences Panels and enable the Custom Fields, such as testxss with a value of alert/XSS/ Then add the following shortcode to the post field testxss and view/preview it to trigger the XSS...
Wordpress Download Manager < 3.2.25 - Sensitive Information Disclosure
The plugin does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords fixed in 3.2.24 and files Master Keys fixed in 3.2.25. Expose plaintext passwords fix...
CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Put the following payloads in the "License ID" setting of the plugin and save: "alert/XSS/...
Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access
The field shortcode included with the plugin, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved With the...
Custom Content Shortcode < 4.0.2 - Authenticated Arbitrary File Access / LFI
The plugin does not validate the data passed to its load shortcode, which could allow Contributor+ v 4.0.1 or Admin+ v 4.0.2 users to display arbitrary files from the filesystem such as logs, .htaccess etc, as well as perform Local File Inclusion attacks as PHP files will be executed. Please note...
NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection
The plugin does not sanitise and escape the nxid parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection time wget 'https://example.com/?restroute=/notificationx/v1/analytics' --post-data="nxid=sleep2 -- x" -q -O-...
Conversios.io < 4.6.2 - Subscriber+ SQL Injection
The plugin does not sanitise, validate and escape the syncprogressivedata parameter for the tvcajaxproductsyncbantchwise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks. Note: The vendor was notified multiple times since November 6t...
Cost Calculator < 1.6 - Contributor+ Stored Cross-Site Scripting
The plugin allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator Price Settings which gets injected on the edit page as well as any page that embeds the calculator using the shortcode, as well as the Text...
Easy Pricing Tables < 3.1.3 - Arbitrary Post Removal via CSRF
The plugin does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash https://example.com/wp-admin/edit.php?posttype=easy-pricing-table&page=ept3-list&action=trash&post=1...
Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update
The plugin doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings PoC POST Request ON/OFF Captcha: POST /wp-admin/admin-ajax.php HTTP/2 Cookie: any authenticated user User-Agent: Mozilla/5.0 Content-Type:...
Page Views Count < 2.4.15 - Unauthenticated SQL Injection
The plugin does not sanitise and escape the postids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks...
MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation
The plugin does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin The nonce value of the stmlmsregister request must be retrieved from the ajax page. for this you should check the home page POST...
Cost Calculator <= 1.8 - Authenticated Local File Inclusion
The plugin allows authenticated users Contributor+ in versions 1.5, and Admin+ in versions = 1.8 to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout As a contributor, create a Cost Calculator post, set the Layout to...
Product Feed PRO for WooCommerce < 11.2.3 - Reflected Cross-Site Scripting
The plugin does not escape the rowCount parameter before outputting it back in an attribute via the wooseacategoriesdropdown AJAX action available to any authenticated user, leading to a Reflected Cross-Site Scripting...
Crazy Bone <= 0.6.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape the username submitted via the login from when displaying them back in the log dashboard, leading to an unauthenticated Stored Cross-Site scripting curl 'https://example.com/wp-login.php' --data-raw 'log=a&pwd=x&wp-submit=Log+In' The XSS will be trigged in...
Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending
The plugin does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues...
Superforms < 6.0.4 - Reflected Cross-Site Scripting
The plugin does not escape the bobczypanstwasprawazostalarozwiazana parameter before outputting it back in an attribute via the superlanguageswitcher AJAX action, leading to a Reflected Cross-Site Scripting. The action is also lacking CSRF, making the attack easier to perform against any user...
WP Visitor Statistics (Real Time Traffic) < 5.5 - Arbitrary IP Address Exclusion to Stored XSS
The plugin does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping...
Better Notifications for WP < 1.8.7 - Email Address Disclosure
The plugin does not have authorisation and CSRF check in its bnfwsearchusers AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes finding the first letter, then the second one, then the third one etc.. import sys import string import urllib.parse import...
Logo Showcase with Slick Slider < 2.0.1 - Arbitrary Media Title/Description/Alt Text/URL Update via CSRF
The plugin does not have CSRF check in the lswsssaveattachmentdata AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary uploaded media. jQuery.postajaxurl, action: "lswsssaveattachmentdata", attachmentid: 564, formdata:...
TI WooCommerce Wishlist < 1.40.1 - Unauthenticated Blind SQL Injection
The plugins do not sanitise and escape the itemid parameter before using it in a SQL statement via the wishlist/removeproduct REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks time wget...
Blackhole for Bad Bots < 3.3.2 - Arbitrary IP Address Blocking via IP Spoofing
The plugin uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abuse...
WP User < 7.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters in pages where the wpuser shortcode is used, leading to Reflected Cross-Site Scripting issues PAGEWITHSHORTCODE is a page with the wpuser shortcode embed https://example.com/?pageid=PAGEWITHSHORTCODE&formid="alert/XSS/...
WP Review Slider < 11.0 - Admin+ SQL Injection
The plugin does not sanitise and escape the pid parameter when copying a Twitter source, which could allow a high privilege users to perform SQL Injections attacks Create a Twitter Source, copy it via the 'Copy' button, then change the pid parameter in the URL to 1000 UNION ALL SELECT...