4359 matches found
Sassy Social Share < 3.3.61 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, put the below...
WP Advanced Search <= 1.1.6 - Admin+ SQL Injection
Description The plugin does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configuration. 1. Log in as an administrator 2. Visit...
AGCA – Custom Dashboard & Login Page < 7.2.2 - Admin+ Stored XSS via Image URL
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Navigate to AGCA, and select the "Adm...
Strong Testimonials < 3.1.12 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed. Setup as...
WooCommerce Customers Manager < 29.8 - Reflected XSS
Description The plugin does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged-in admin open the HTML page/URLs below...
Better Comments < 1.5.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. From the WordPress menu on the left...
Better Comments < 1.5.6 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks. 1. From the menu on the left, go into "Users" and edit a Subscriber user. 2. Upload a new avatar image and click "Updat...
Floating Chat Widget < 3.1.9 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Go to "Chaty New Widget" 2. Create ...
Import WP < 2.13.1 - Admin+ Server-side Request Forgery
Description The plugin does not prevent users with the administrator role from conducting SSRF attacks via its ping functionality, which may be a problem in multisite configurations. 1. As an admin, create a new importer in /wp-admin/tools.php?page=importwp 2. Visit /wp-admin/admin-ajax.php?action=rest-nonce and...
Save as PDF by Pdfcrowd < 3.2.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Go to "Settings Save as Image" 2...
WooCommerce Customers Manager < 29.8 - Subscriber+ Email Disclosure
Description The plugin does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name. As a subscriber, open the following URL:...
Tickera < 3.5.2.5 - Ticket leakage through IDOR
Description The plugin does not prevent users from leaking other users' tickets. After a user has bought a ticket, an example of a ticket would look like https://www.website.com/?downloadticket=1&orderkey=1234567890&downloadticketnonce=ab903b7c71, but due to missing validation, the URL can be...
Genesis Blocks < 3.1.3 - Contributor+ Stored XSS
Description The plugin does not properly escape data input provided to some of its blocks, allowing users with at least contributor privileges to conduct Stored XSS attacks. As a contributor, put the below code in a post while in Code Editor mode. The XSS will be triggered when viewing/previewing...
Otter Blocks < 2.6.6 - Contributor+ Stored XSS
Description The plugin does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks. As a contributor, put the following payload in a post while in Code Editor mode. The XSS will be triggered when...
Salon Booking System < 9.6.3 - Unauthenticated Stored XSS
Description The plugin does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the...
coreActivity < 2.1 - Unauthenticated IP Spoofing
Description The plugin retrieved IP addresses of requests via headers such as X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value. As unauthenticated: curl 'https://example.com/attacker' -H 'X-FORWARDED: 127.0.0.1' Then view the logs and note that the plugin display...
WP Staging (Free < 3.4.0, Pro < 5.4.0) - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Go to "WP Staging Backup & Migratio...
Easy Social Feed < 6.5.6 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
Salon booking system < 9.6.3 - Unauthenticated Stored XSS
Description The plugin does not properly sanitize and escape the 'Mobile Phone' field and 'smsprefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious...
Social Media Share Buttons < 2.8.9 - Admin+ Stored XSS via settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Go to "Ultimate Social Media Icons"...
My Sticky Bar < 2.6.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. You should click on "My Sticky Bar" an...
Responsive Gallery Grid < 2.3.11 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Navigate to "RGG Gallery" and scrol...
Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload
Description The plugin does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to, for example in multisite setup. 1. Go to the plugin setting and in the "Restore" section upload...
WooCommerce < 8.6 - Contributor+ Private/Draft Products Access
Description The plugin does not prevent users with at least the contributor role from leaking products they shouldn't have access to, e.g. private, draft and trashed products. 1. ADMIN: Install WooCommerce 2. ADMIN: Add products of various visibility and statuses including Publish, Draft, Private,...
Carousel Slider < 2.2.7 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Add a new slider at "Carousel Slide...
Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure
Description The plugin does not prevent users with at least the contributor role from accessing arbitrary custom fields assigned to other users' posts. 1. ADMIN: Install Meta Box 2. ADMIN: Add Meta Box fields through code or the premium add-on...
Top Bar < 3.0.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Go to "Top Bar" in WP Admin 2. Save...
Super Socializer < 7.13.64 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. When creating a new widget, insert the following payload in the "FaceBook URL" field -...
NPS computy < 2.7.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Go to "Settings NPS Monitoring" 2...
Simple Buttons Creator <= 1.04 - Arbitrary Button Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. Make a logged-in admin open a page with the code below, where is an existing button:...
Fancy Product Designer < 6.1.81 - Admin+ Cross Site Scripting via Product Title
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. Note: This requires WooCommerce to be...
WP User Profile Avatar <= 1.0.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Enter the following shortcode in...
Testimonial Slider < 2.3.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Go to "Testimonial Shortcode" 2. Ad...
WooCommerce Customers Manager < 29.7 - Subscriber+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by the Subscriber+ role. Note: v29.5 added authorisation, however the injection was not fixed and is still exploitable by users with the manage_woocommerce...
Simple Buttons Creator <= 1.04 - Unauthenticated Stored XSS
Description The plugin does not have any authorisation or CSRF checks in its add button function, allowing unauthenticated users to call it either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site...
Responsive Tabs < 4.0.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. 1. Go to "Tab Sets Add New" in W...
Jetpack < 13.2.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. When the "Let visitors subscribe...
Ultimate Noindex Nofollow Tool II < 1.3.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup. 1. Go to "Settings Ultimate Noindex" 2...
NPS computy < 2.7.6 - Results Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. Make a logged-in admin open the following: The result is that all existing poll responses are deleted...
Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control
Description The plugin does not have proper authorization in some actions, which could allow users with a role as low as a subscriber to call them and perform unauthorized actions. While logged in as a subscriber, paste the following in your browser's console: fetch('/wp-admin/admin-ajax.php', { method:...
WP Customer Reviews < 3.7.1 - Malicious Redirect via HTTP-EQUIV Injection
Description The plugin does not validate a parameter, allowing contributor and above users to redirect a page to a malicious URL. 1. Create a new post 2. In the "Business Name" field enter the payload: 0;http://smth.me/" HTTP-EQUIV="refresh" a="a 3. Save the post and view it. You will see that you are...
Smart Forms < 2.6.94 - Edit Entries via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as editing entries, and we consider it a medium risk. CSRF PoC: input type="hidden" name="elementOptions"...
Advance Search <= 1.1.6 - Shortcode Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. Make a logged-in admin open the following HTML, replacing FORMID with a valid ID: The security field isn't validated and the shortcode is...
Shortcodes Ultimate < 7.0.5 - Contributor+ Stored XSS
Description The plugin does not properly escape some of its shortcode attributes before they are echoed back to users, making it possible for users with the contributor role to conduct Stored XSS attacks. sunote notecolor='123"onmouseover="alert/XSS/"' textcolor='1' radius='1' class='1' id="1"No...
Inline Related Posts < 3.6.0 - Subscriber+ Password Protected Post Read
Description The plugin does not ensure that post content displayed via an AJAX action is accessible to the user, allowing any authenticated user, such as a subscriber, to retrieve the content of password protected posts. When logged in as a subscriber, open the following URL and note that the conten...
Avada < 7.11.7 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing
Description The Avada theme for WordPress is vulnerable to Sensitive Information Exposure via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism. Access t...
The Ultimate Video Player For WordPress < 2.2.3 - Contributor+ Stored XSS
Description The plugin does not have a proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks. As a contributor, get...
WordPress Ping Optimizer <= 2.35.1.3.0 - Log Clearing via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as clearing logs. Make a logged-in admin open the URL below...
Combo Blocks < 2.2.76 - Unauthenticated Password Protected Posts Access
Description The plugin does not prevent password protected posts from being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts. Open one of the below URLs as an unauthenticated user and note that password protected posts are disclosed in ...
Everest Forms < 2.0.8 - Unauthenticated Server-Side Request Forgery via font_url
Description The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify...