4359 matches found
NextScripts: Social Networks Auto-Poster < 4.3.25 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack https://example.com/wp-admin/admin.php?page=nxssnap-reposter&item=1&action=delete...
TrustMate.io integration for WooCommerce < 1.8.12 - Subscriber+ Arbitrary Plugin's Settings Update
The plugin does not have any CSRF and authorisation checks in the savecheckbox AJAX action, available to any authenticated users, allowing any authenticated user, such as subscriber to update arbitrary settings from the plugin. Due to the lack of escaping, it could lead to Stored Cross-Site...
TrustMate.io integration for WooCommerce < 1.7.1 - Subscriber+ Arbitrary Blog Option Update
The plugin does not have any CSRF and authorisation checks in the savecheckbox AJAX action, available to any authenticated users, and do not validate the option key to ensure the option to update belongs to the plugin. As a result, any authenticated user, such as subscriber can update arbitrary...
Wicked Folders < 2.18.10 - Subscriber+ SQL Injection
The plugin does not sanitise and escape the folderid parameter before using it in a SQL statement in the wickedfolderssavesortorder AJAX action, available to any authenticated user. leading to an SQL injection As a subscriber:...
Contact Form 7 Skins < 2.5.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=cf7skins&tab=%27%3E%3Cimg+src+onerror%3Dalert%281%29%3E requires the Contact Form 7 plugin to be installed...
NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS
The plugin does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue curl -H 'x-tomato: alert/XSS/;' 'https://example.com/?nxs-cronrun=yes' The XSS will be triggered in the Log/History...
SVG Support < 2.3.20 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. With the Advanced Mode enabled, put the following payload in the...
WP Photo Album Plus < 8.0.10 - Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to Stored Cross-Site Scripting XSS. Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel. http://127.0.0.1:8001/?search-submit=img%20src%20onerror=alert1 Then the admin neds...
Link Library < 7.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the settingscopy parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting...
Custom Dashboard & Login Page < 7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Note: v6.9.5 made the settings only available to admin with the unfilteredhtml capability, however existing payloads were...
Link Library < 7.2.8 - Library Settings Reset via CSRF
The plugin does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack https://example.com/wp-admin/admin.php?page=link-library-settingssets&settings=1&reset=1...
Link Library < 7.2.8 - Unauthenticated Arbitrary Links Deletion
The plugin does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request https://example.com/?posttype=linklibrarylinks&ll60reupdate=1...
Error Log Viewer < 1.1.2 - Arbitrary Text File Deletion via CSRF
The plugin does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server. On Web Servers other than Windows, the /wp-content/plugins/error-log-viewer/savedlogs/...
Learning Courses < 5.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Visit to Paypal Setting Under Learning Plugin Enter the XSS payload " in Email PDT...
Orange Form <= 1.0 - SQL Injection via CSRF
In the plugin, the processbulkaction function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter $id. Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually exploitable and could allow attackers...
Orange Form <= 1.0.1 - Unauthenticated Arbitrary Post Deletion
The plugin does not have any authorisation and CSRF checks in all of its AJAX calls, for example the ordeletefiled one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure...
WOOF - Products Filter for WooCommerce < 1.2.6.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the woofredrawelements before outputing back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin-ajax.php?action=woofdrawproducts&woofredrawelements=%3Cimg%20src%20onerror=alert/XSS/%3E...
LabTools <= 1.0 - Subscriber+ Arbitrary Publication Deletion
The plugin does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication The PoC will be displayed once the issue has been remediated...
Insight Core <= 1.0 - Subscriber+ PHP Object Injection & Stored XSS
The plugin does not have any authorisation and CSRF checks in the insightcustomizeroptionsimport available to any authenticated user, does not validate user input before passing it to unserialize, nor sanitise and escape it before outputting it in the response. As a result, it could allow users...
UpdraftPlus < 1.16.69 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the updraftrestore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting...
Dynamic Widgets <= 1.5.16 - Reflected Cross-Site Scripting
The plugin does not escape the prefix parameter before outputting it back in an attribute when using the termtree AJAX action available to any authenticated users, leading to a Reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit;...
Domain Check < 1.0.17 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=domain-check-profile&domain=alert/XSS/...
Ultimate FAQ < 2.1.2 - Subscriber+ Arbitrary FAQ Creation
The plugin does not have capability and CSRF checks in the ewdufaqwelcomeaddfaq and ewdufaqwelcomeaddfaqpage AJAX actions, available to any authenticated users. As a result, any users, with a role as low as Subscriber could create FAQ and FAQ questions...
Qubely < 1.7.8 - Subscriber+ Arbitrary Post Deletion
The plugin does not have authorisation and CSRF check on the qubelydeletesavedblock AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts Note: v1.7.7 added capability check, CSRF che...
Orders Tracking for WooCommerce < 1.1.10 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the fileurl before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=woo-orders-tracking-import-csv&fileurl=%3Cimg+src+onerror%3Dalert%281%29%3E&viwoterror=2...
Code Snippets < 2.14.3 - Reflected Cross-Site Scripting
The plugin does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue...
WP Cookie User Info < 1.0.9 - Admin+ SQL Injection
The plugin does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection...
Image Hover Effects Ultimate < 9.7.1 - Reflected Cross-Site Scripting
The plugin does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting...
Tutor LMS < 1.9.12 - Subscriber+ Stored Cross-Site Scripting
The plugin does not escape the 'Job Title" field of user's profile, which could allow any authenticated users to set a Cross-Site Scripting payload in it, which will be triggered when an admin edit the related profile As a subscriber, edit your profile and add the following payload in the Job Tit...
WP Post Page Clone < 1.2 - Unauthorised Post Access
The plugin allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally. Go to All Posts, find the post to clone, click "Click to Clone" then edit the cloned post to see its content...
AF Companion 1.1.0 - 1.1.2 - Arbitrary Plugin Installation & Activation via CSRF
The plugin has a flawed CSRF check, allowing attackers to make logged in admin installs and activate arbitrary plugins from the WP repository...
Tutor LMS < 1.9.12 - Reflected Cross-Site Scripting
The plugin does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=tutorannouncements&search=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%281%29+x%3D...
WP Extra File Types < 0.5.1 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check when saving its settings, nor sanitise and escape some of them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks var form1 = document.getElementById'hack'; form1.submit;...
WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting
The plugin does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting...
myCred < 2.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/users.php?page=mycreddefault-history&s=%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E...
Registrations for the Events Calendar < 2.7.10 - Reflected Cross-Site Scripting
The plugin does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting...
WebP Converter for Media < 4.0.3 - Unauthenticated Open redirect
The plugin contains a file passthru.php which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue https://example.com/wp-content/plugins/webp-converter-for-media/includes/passthru.php?src=https://wpscan.com...
Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection
The plugin does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue https://example.ocm/wp-admin/options-general.php?page=acfe-options&orderby=1%20and%20sleep0.02%23...
Mobile Events Manager < 1.4.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Payload used: alert/XSS/ - Put the payload in the TMEM Events Settings Events Event prefix field, then Creat...
Spreadsheet Integration < 3.6.0 - Reflected Cross-Site Scripting
The plugin does not sanitise or escape some parameters before outputting them back in the admin dashboard, leading to reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=wpgsi&action=edit&id=1%22%3E%3Cimg+src+onerror%3Dalert%28%2FXSS%2F%29%3E POST...
Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests. As unauthenticated: wget "https://example.com/?wpamid=1"...
Product Feed PRO for WooCommerce < 11.0.7 - Subscriber+ Settings Update to Stored XSS
The plugin does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue which will be triggered in the admin dashboard due to the lack of escaping. v10.9.1 added a CSRF check, however...
WP125 < 1.5.5 - Arbitrary Ad Deletion via CSRF
The plugin does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack https://example.com/wp-admin/admin.php?page=wp125addedit&deletead=1...
Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.25 - Reflected XSS
The plugin does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit;...
Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation
The plugin does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request v 3.6 - https:/example.com/wp-content/plugins/protect-wp-admin/lib/pwa-deactivate.php?disablepwa...
Event Tickets < 5.2.2 - Open Redirect
The plugin does not validate the tribeticketsredirectto parameter before redirecting the user to the given value, leading to an arbitrary redirect issue https://exampel.com/wp-admin/admin.php?page=wpajaxrsvp-form&tribeticketsredirectto=https://wpscan.com...
Smart SEO Tool < 3.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting With the "TDK optimization" setting enabled 7th page, first one: https://example.com/?s=123456"alert/XSS...
Contact Form & Lead Form Elementor Builder < 1.6.8 - Subscriber+ Arbitrary Lead Deletion
The plugin does not have capability and CSRF checks in the deleteleadsbackend AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber could delete arbitrary Leads. Attackers could also make any logged in users delete leads via a CSRF attack POST...
Easy Forms for Mailchimp < 6.8.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the fieldname and fieldtype parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS-fieldname/' / alert/XSS-fieldtype/' / var form1 = document.getElementById'hack'; form1.submit;...
Shortcode Addons < 3.1.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation in its REST API endpoint, one of them could allow unauthenticated attackers to update arbitrary blog options. POST /wp-json/ShortCodeAddonsUltimate/v2/addonssettings HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate...