4359 matches found
Permalink Manager < 2.2.15 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue https://example.com/index.php?p=%3Cimg%20src%20onerror=alert/XSS/%3E&debugurl=1...
Form Store to DB < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin POST /wp-json/contact-form-7/v1/contact-forms/1337/feedback HTTP/2 Content-Type: multipart/form-data;...
Popup | Custom Popup Builder < 1.3.1 - Unauthenticated Denial of Service
The plugin autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the blog 1 Create a popup as admin and access the popup page as unauthenticated 2 Send data on the form and intercept t...
Complianz - GDPR/CCPA Cookie Consent < 6.0.0 - Reflected Cross-Site Scripting
The plugin does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=cmplz-proof-of-consent&s=%22+style%3Danimation-name%3Ashine+onanimationstart%3Dalert%281%29+x%3D...
PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks in the ppomsettingspanelaction AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues 1. Use the new settings panel framewor...
Coming Soon & Maintenance Plugin by NiteoThemes < 4.0.19 - Unauthenticated Arbitrary CSS Update
The plugin allows any user, even not logged in, to arbitrarily change the coming soon page layout. wget 127.0.0.1:8001...
RSVP and Event Management < 2.7.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in admin pages, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=rsvp-top-level&s="alert/XSS-s/&pagesize="alert/XSS-pagesize/...
Futurio Extra < 1.6.3 - Subscriber+ User Email Address Disclosure
The plugin allows any logged in user, such as subscriber, to extract any other user's email address. fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded" , "body": new URLSearchParams"action": "dilazmbqueryselect", "q": "@gma",...
Themify Portfolio Post < 1.1.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the numofpages parameter before outputting it back the response of the themifycreatepopuppagepagination AJAX action available to any authenticated user, leading to a Reflected Cross-Site Scripting alert/XSS/;'...
Ad Invalid Click Protector (AICP) < 1.2.6 - Authenticated SQL Injection
The plugin is affected by a SQL Injection in the id parameter of the delete action. http://127.0.0.1:8001/wp-admin/admin.php?page=aicpbanneduserdetails&action=delete&id=0%20OR%201=1%20--%20k...
XootiX Plugins - Various Versions CSRF to Arbitrary Options Update
The plugins Login/Signup Popup, Side Cart Woocommerce, and Waitlist Woocommerce are all vulnerable to cross-site request forgery due to a missing nonce check that would make it possible for attackers to update arbitrary options on a vulnerable WordPress site...
SpiderCalendar <= 1.5.65 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue. Note: Vendor decided to close the plugin and it won't be...
NewStatPress < 1.3.6 - Reflected Cross-Site Scripting
The plugin does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=nspsearch&what1=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+x...
Mitsol Social Post Feed <= 1.10 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them back in attributes, which could allow high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Access Token User access...
WP Ultimate CSV Importer < 6.4.1 - Subscriber+ Arbitrary File Upload
The plugin does not have authorisation and CSRF checks when uploading zip files via the zipupload AJAX call, and does not perform any check on the files to be extracted. As a result, any authenticated user, such as subscriber could upload an archive with PHP files in it, leading to RCE As any...
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.31 - Reflected Cross-Site Scripting
The plugin does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?sibpageform&action=edit&id=1&pid=xxxxx%22+accesskey%3DX+onclick%3Dalert%281%29+test%3D%22...
PowerPack Lite for Beaver Builder < 1.2.9.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/options-general.php?page=ppbb-settings&tab=%22%3E%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E...
Remove Footer Credit < 1.0.11 - Admin+ Stored Cross-Site Scripting
The plugin does properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. In the plugin's settings, put the following values: - In "Step 1: Enter text/HTML to remove one per line" field: powered - In "Step 2:...
Ibtana < 1.1.4.9 - Subscriber+ Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks in the ivesavegeneralsettings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue. Note: v1.1.4.7 added CSRF check, authorisation...
Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the REQUESTURI before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-content/plugins/adaptive-images/adaptive-images-script.php/%3Cimg/src/onerror=alert/XSS/%3E/?debug=true...
Mortgage Calculators WP < 1.56 - Admin+ Stored Cross-Site Scripting
The plugin does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Go to settings page available under the "Calculato...
Ivory Search < 5.4.1 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Go to the AJAX settings of a Form and put the following payload in the "Minimum number of characters required...
Store Toolkit for WooCommerce < 2.3.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=woost&tab=%3Cimg+src+onerror%3Dalert%281%29%3E...
SEUR Oficial < 1.7.2 - Admin+ Arbitrary File Download
The plugin creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page. Navigate to...
Cluevo < 1.8.1 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed On the Learning Management page /wp-admin/admin.php?page=cluevo-lms, click Add Course, then put the followi...
GTranslate < 2.9.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the body parameter in the urladdon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCESALT and NONCEKEY alert/XSS/" / var form1 =...
All-in-one Floating Contact Form < 2.0.4 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to reflected XSS on the my-sticky-elements-leads admin page. http://127.0.0.1:8001/wp-admin/admin.php?page=my-sticky-elements-leads&search-contact=xxxx%22%3E%3Cimg+src+onerror%3Dalert%281%29+x...
WooCommerce – Store Exporter < 2.7.1 - Reflected Cross-Site Scripting (XSS)
The plugin was affected by a Reflected Cross-Site Scripting XSS vulnerability in the wooce admin page. http://127.0.0.1:8001/wp-admin/admin.php?page=wooce&failed=1&message=%3Cscript%3Ealert1;%3C/script%3E...
Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection
The plugin does not escape the discountcode in one of its REST route available to unauthenticated users before using it in a SQL statement, leading to a SQL injection https://example.com/?restroute=/pmpro/v1/checkoutlevel&levelid=3&discountcode=%27%20%20union%20select%20sleep1%20--%20g...
RVM - Responsive Vector Maps < 6.4.2 - Subscriber+ Arbitrary File Read
The plugin does not have proper authorisation, CSRF checks and validation of the rvmuploadregionsfilepath parameter in the rvmimportregions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server As a subscriber, open...
Ultimate Product Catalog < 5.0.26 - Subscriber+ Arbitrary Product Creation & Settings Update
The plugin does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example To add a product: fetch"https://example.com/wp-admin/admin-ajax.php",...
IP2Location Country Blocker < 2.26.6 - Arbitrary Country Ban via CSRF
The plugin does not have CSRF check in the ip2locationcountryblockersaverules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend. Make an admin open a page with the following code in it, whi...
IP2Location Country Blocker < 2.26.5 - Subscriber+ Arbitrary Country Ban
The plugin does not have authorisation and CSRF checks in the ip2locationcountryblockersaverules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend. v2.26.5 added...
IP2Location Country Blocker < 2.26.5 - Ban Bypass
The plugin bans can be bypassed by using a specific parameter in the URL https://example.com/?admin-ajax=hehe...
SupportCandy < 2.2.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue Note: the ticket-creation page is the one with the wpsccreateticket shortcode embed...
Contact Form & Lead Form Elementor Builder < 1.7.0 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/Edit a form and put the following payload in a Filed Name or Default...
SupportCandy < 2.2.5 - Unauthenticated Arbitrary Ticket Deletion
The plugin does not have authorisation and CRSF checks in its wpsctickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction. Other actions may be affected as well. POST /wp-admin/admin-ajax.php HTTP/1....
SupportCandy < 2.2.7 - CSRF to Cross-Site Scripting
The plugin does not have CSRF check in the wpsctickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter stored in their cookies with an XSS payloa...
SupportCandy < 2.2.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks supportcandy page="init';alert/XSS///"...
SupportCandy < 2.2.7 - Arbitrary Ticket Deletion via CSRF
The plugin does not have CRSF check in its wpsctickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the setdeletepermanentlybulkticket settingaction...
Rearrange Woocommerce Products < 3.0.8 - Subscriber+ SQL Injection
The plugin does not have proper access controls in the saveallorder AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, and allowing any authenticated user, such as subscriber, to modify arbitrary post content for example with an XSS...
WPLegalPages < 2.7.1 - Subscriber+ Arbitrary Settings Update to Stored XSS
The plugin does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting Run the below command in...
Amazon Affiliate < 3.17.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the tab parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=aawp-settings&tab=%22onclick%3Dprompt%288%29%3E%3Csvg%2Fonload%3Dprompt%288%29%3E%22%40x.y...
Advanced Cron Manager - Subscriber+ Arbitrary Events/Schedules Creation/Deletion
The plugins do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example Execute the below command in the web developer console of the web browser when being logged in as...
Futurio Extra < 1.6.3 - Authenticated SQL Injection
The plugin is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting XSS against logged in admins by making send open a malicious link Using SQLi to extract database variables:...
Document Embedder < 1.7.5 - Unauthenticated Arbitrary Private/Draft Post Title Disclosure
The plugin contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts. https://example.com/wp-json/doc/v1/single/509 509 being the ID of a private/draft Post...
Asset CleanUp < 1.3.8.5 - Reflected Cross-Site Scripting via AJAX Action
The plugin does not sanitise and escape POSted parameters sent to the wpassetcleanupfetchactivepluginsicons AJAX action available to admin users, leading to a Reflected Cross-Site Scripting issue alert/XSS/" / var form1 = document.getElementById'hack'; form1.submit;...
Asset CleanUp < 1.3.8.5 - Reflected Cross-Site Scripting
The plugin does not escape the wpacuselectedsubtabarea parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue...
Document Embedder < 1.7.9 - Subscriber+ Arbitrary Private/Draft Post Title Disclosure
The plugin contains a AJAX action endpoint, which could allow any authenticated user, such as subscriber to enumerate the title of arbitrary private and draft posts. As any authenticated user 1764 being the ID of a private/draft post...
Visual CSS Style Editor < 7.5.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the wyppagetype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue...