4359 matches found
Post Snippets < 3.1.4 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues function submitRequest var xhr = new XMLHttpRequest...
Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending
The plugin does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues...
WP Email Users <= 1.7.6 - Subscriber+ SQL Injection
The plugin does not escape the dataraw parameter in the weuselectedusers1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks. As any authenticated user such as subscriber, the request below will display all users email addresses...
Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI
The plugin does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE...
WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting http://example.com/wp-admin/options-general.php?page=cc-ce-bridge-cp&error=%3Cimg%20src%20onerror=alert1%3E...
WP Google Map < 1.8.4 - Arbitrary Post Deletion and Plugin's Settings Update via CSRF
The plugin does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack Removing post: fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting
The checkprivacysettings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript...
WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the wahi parameter before outputting back its base64 decode value in the page, leading to a Reflected Cross-Site Scripting issue https://example.com/?wahi=JzthbGVydCgxKTsvLw==...
StatCounter < 2.0.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Project ID or Secure Code settings...
Add Subtitle <= 1.1.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or escape the sub-title field available only with classic editor when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks The classic editor plugin is needed to see the sub-title field - Create a post a...
LearnPress < 4.1.5 - Arbitrary Image Renaming
Users of the plugin can upload an image as a profile avatar after the registration. After this process the user crops and saves the image. Then a "POST" request that contains user supplied name of the image is sent to the server for renaming and cropping of the image. As a result of this request,...
WP Responsive Menu < 3.1.7.1 - Subscriber+ Settings Update to Stored XSS
The plugin does not have capability and CSRF checks in the wprliveupdate AJAX action, as well as do not sanitise and escape some of the data submitted. As a result, any authenticated, such as subscriber could update the plugin's settings and perform Cross-Site Scripting attacks against all visito...
Embed Swagger <= 1.0.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the /swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0...
WP Ultimate CSV Importer < 6.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escaped imported comments, which could allow high privilege users to import malicious ones either intentionnaly or not and lead to Stored Cross-Site Scripting issues Import the following CSV as comment:...
WP RSS Aggregator < 4.20 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the id parameter in the wprssfetchitemsrowaction AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting Save the HTML below to a file with the .html extension, then open it in Firefox, while being authenticated in...
WordPress GDPR & CCPA < 1.9.27 - Unauthenticated Reflected Cross-Site Scripting
The checkprivacysettings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript...
AP Custom Testimonial < 1.4.8 - Admin+ SQL Injection
The plugin does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL Injection https://example.com/wp-admin/admin.php?page=apcttestimonialedit&id=1+AND+SELECT+42+FROM+SELECTSLEEP5b...
Simple Membership < 4.0.9 - Arbitrary Member Deletion via CSRF
The plugin does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack https://example.com/wp-admin/admin.php?page=simplewpmembership&action=bulkdelete&members%5B0%5D=1&members%5B1%5D=2...
AP Custom Testimonial < 1.4.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the id parameter before outputting it back in an attribute, leading to a Reflected cross-Site Scripting https://example.com/wp-admin/admin.php?page=apcttestimonialedit&id=1"alert/XSS/...
Duplicate Page or Post < 1.5.1 - Arbitrary Settings Update to Stored XSS
The plugin does not have any authorisation and has a flawed CSRF check in the wpdevartduplicatepostparametrssaveindb AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of...
Catch Web Tools < 2.7.1 - Subscriber+ Arbitrary Catch IDs Activation/Deactivation
The plugin does not have authorisation and CSRF check in its catchwebtoolscatchidsswitch AJAX action, allowing any authenticated users, such as subscriber to activate/disable Catch IDs fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
WP Dependency Installer < 4.3.1 - Arbitrary Plugin Installation from Dependency via CSRF
The wp-dependency-installer library, used in the plugins, does not have CSRF check in its dependencyinstaller AJAX action with the install method, which could allow attackers to make a logged in admin install plugins defined in the wp-dependencies.json via a CSRF attack. The slug has to be presen...
Coming soon and Maintenance mode < 3.6.8 - Arbitrary Email Sending to Subscribed Users via CSRF
The plugin does not have CSRF check in its comingsoonsendmail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
Ad Inserter < 2.7.10 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the htmlelementselection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting "...
Coming soon and Maintenance mode < 3.6.7 - Subscriber+ Arbitrary Email Sending to Subscribed Users
The plugin does not have authorisation and CSRF checks in its comingsoonsendmail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
Anti-Malware Security and Brute-Force Firewall < 4.20.94 - Admin+ Reflected Cross-Site Scripting
The plugin does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user...
WP Dependency Installer < 4.3.1 - Subscriber+ Arbitrary Plugin Activation
The wp-dependency-installer library, used in the plugins does not have authorisation and CSRF checks in its dependencyinstaller AJAX action with the activate method, allowing any authenticated users, such as subscriber to activate arbitrary plugin installed on the blog. Furthermore, despite havin...
Database Backup for WordPress < 2.5.1 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue https://example.com/wp-admin/?fragment=select%20updatexml1,concat0x7e,select%20user,0::2.txt&wpnonce=7347278aca The nonce can be...
Popup Builder < 4.0.7 - Admin+ SQL Injection
The plugin does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection...
Float Menu < 4.3.1 - Arbitrary Menu Deletion via CSRF
The plugin does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack https://example.com/wp-admin/admin.php?page=float-menu&info=delete&did=1...
Advanced Database Cleaner < 3.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape $GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=advanceddbcleaner&aDBctab=options&aDBccat=all&'alert/XSS-key/=alert/XSS-value/...
Popup Builder < 4.0.7 - LFI to RCE
The plugin does not validate and sanitise the sgpbtype parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR Create a zip archiv...
WordPress Download Manager < 3.2.34 - Authenticated SQL Injection to Reflected XSS
The plugin does not sanitise and escape the packageids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue...
AnyComment < 0.2.18 - Comment Rating Increase/Decrease via Race Condition
The plugin is affected by a race condition when liking/disliking a comment/reply, which could allow any authenticated user to quickly raise their rating or lower the rating of other users https://www.youtube.com/watch?v=0IqZL-slt00 1. Make a new comment 2. Like your comment and intercept it using...
AnyComment < 0.2.18 - Arbitrary HyperComments Import/Revert via CSRF
The plugin does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make logged in admin perform such actions via a CSRF attack Go to https://example.com/wordpress/wp-admin/admin.php?r=import%2Fhypercomments&url=http://, and you will see a get request in yo...
WOOCS < 1.3.7.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the woocsinordercurrency parameter of the woocsgetproductspricehtml AJAX action available to both unauthenticated and authenticated users before outputting it back in the response, leading to a Reflected Cross-Site Scripting...
Shield Security < 13.0.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Put the following payload as an Admin Note Shield Security Tools Admin Notes: alert/XSS/;...
FeedWordPress < 2022.0123 - Reflected Cross-Site Scripting (XSS)
The plugin is affected by a Reflected Cross-Site Scripting XSS within the "visibility" parameter. https://example.com/wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=%22%3E%3Cimg+src%3D2+onerror%3Dalert%28origin%29%3E...
Image Photo Gallery Final Tiles Grid < 3.5.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks against other users having access to the gallery dashboard As a contributor, create/edit a gallery and add the following...
Give < 2.17.3 - Reflected Cross-Site Scripting via Donation Forms Dashboard
The plugin does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting...
Give < 2.17.3 - Reflected Cross-Site Scripting via Import Tool
The plugin does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting var form1 = document.getElementById'hack'; form1.submit;...
Translation Exchange <= 1.0.14 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to Authenticated Stored Cross-Site Scripting XSS within the Project Key text field found in the plugin's settings. 1. Click on Use on translation exchange connector 2. In Basic Settings,insert following payload in Project Key text field. "alert55 3. Click Save Changes...
Five Star Business Profile and Schema < 2.1.7 - Subscriber+ Page Creation & Settings Update to Stored XSS
The plugin does not have any authorisation and CSRF in its bpfwpwelcomeaddcontactpage and bpfwpwelcomesetcontactinformation AJAX action, allowing any authenticated users, such as subscribers, to call them. Furthermore, due to the lack of sanitisation, it also lead to Stored Cross-Site Scripting...
The Buffer Button <= 1.0 - Authenticated Stored Cross Site Scripting (XSS)
The plugin was vulnerable to Authenticated Stored Cross Site Scripting XSS within the Twitter username to mention text field. 1. Insert below payload in the Twitter username to mention text field "alert44 2. Click on Save Changes...
Give < 2.17.3 - Unauthenticated Reflected Cross-Site Scripting
The plugin does not sanitise and escape the formid parameter before outputting it back in the response of an unauthenticated request via the givecheckoutlogin AJAX action, leading to a Reflected Cross-Site Scripting As an unauthenticated user: alert/XSS/' / var form1 =...
WP-Appbox < 4.3.18 - Authenticated Local File Inclusion
The plugin does not validate user input before using it to create a local path then passed to an includeonce statement, leading to a Local File Inclusion issue https://example.com/wp-admin/options-general.php?page=wp-appbox&tab=advanced%2F..%2F...
MapPress Maps for WordPress < 2.73.4 - Reflected Cross-Site scripting
The plugin does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting https://example.com/?mappiframe=1&mapid=--%3E%3Cimg%20src%20onerror=alert/XSS/%3E...
Magee Shortcodes < 2.0.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in AJAX actions available to both unauthenticated and authenticated users, leading to Reflected Cross-Site Scripting issues...
Noptin < 1.6.5 - Open Redirect
The plugin does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue https://example.com/?noptinns=emailclick&to=https://wpscan.com...
WP Ultimate CSV Importer < 6.4.2 - Subscriber+ Arbitrary Option Deletion
The plugin does not have authorisation and CSRF checks when deleting options via the disablemainmode AJAX action, and does not ensure that the option to be delete belong to the plugin. As a result, any authenticated user, such as subscriber, could delete arbitrary options from the blog POST...