4359 matches found
Contact Form & Lead Form Elementor Builder < 1.6.4 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
Typebot < 1.4.3 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the 'Publish ID or Full URL" setting and save: "...
MOLIE <= 0.5 - Reflected Cross-Site Scripting
The plugin does not escape the courseid parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=moliecoursecheck&courseid=alert/XSS/...
CorreosExpress <= 2.6.0 - Sensitive Information Disclosure
The plugin generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses https://example.com/wp-content/plugins/correos-express/log/logcronfunction.txt...
Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Template data before outputting it in various pages such as admin dashboard and frontend. Due to the lack of authorisation and CSRF checks in the wpdmsavetemplate AJAX action, any authenticated users such as subscriber is able to call it and perform...
Rich Reviews by Starfish < 1.9.6 - Admin+ SQL Injection
The plugin does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue error-based SQLI: orderby=id AND EXTRACTVALUE4795,CONCAT0x5c,0x717a627871,SELECT ELT4795=4795,1,0x7176707071 time-based...
MOLIE <= 0.5 - Authenticated SQL Injection
The plugin does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection https://example.com/wp-admin/post.php?post=validpostid+and+SLEEP%285%29&action=edit https://example.com/wp-admin/admin-post.php?action=edit&post=1+and+SLEEP%285%29...
WP RSS Aggregator < 4.19.3 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprssdismissaddonnotice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and se...
WP Mail Logging < 1.10.0 - Outdated Redux Framework
The plugin uses an outdated version of the Redux Framework, which is know to be affected by security issues CVE-2021-38312 and CVE-2021-38314, and could allow unauthenticated attackers to change some of the Framework settings by using CVE-2021-38314 The first endpoint we can identify is gathered...
IDPay for Contact Form 7 <= 2.1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the idpayerror parameter before outputting it back in the page leading to a Reflected Cross-Site Scripting Append the following payload on a page where a form with an idPay payment interface is embed: &idpayerror=alert/XSS/ Example:...
HTML5 Responsive FAQ <= 2.8.5 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Put the following payload in the "Text size of answer in pixels" settings: alert'XSS'; The XSS will be...
Gwolle Guestbook < 4.2.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the gwollegbuseremail parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in an admin page alert/XSS/;' / var form1 = document.getElementById'hack'; form1.submit;...
Tickera < 3.4.8.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. As unauthenticated, book an Event, and put the following payload ...
Paid Memberships Pro < 2.6.6 - Reflected Cross-Site Scripting
The plugin does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=pmpro-discountcodes&s=s"+style=animation-name:rotation+onanimationstart=alert/XSS///...
WPFront User Role Editor < 3.2.1.11184 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting...
Kudos Donations < 3.1.2 - Arbitrary Items Deletion via CSRF
The plugin has a logic flaw in its CSRF checks when deleting items such as Donors, Transactions, Subscriptions etc, allowing attackers to make a logged in admin delete them https://example.com/wp-admin/admin.php?page=kudos-transactions&action=delete&id=1...
Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
The getquery function of the plugin, used by the niwoocosajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber POST...
Logo Carousel < 3.4.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks 1 Make a new carousel /wp-admin/post-new.php?posttype=splcshortcodes 2 Set "Logo Margin" of the Style Setting to the...
WP Guppy < 1.3 - Sensitive Information Disclosure
The plugin does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user !/bin/bash Exploit Title: Wordpress...
Blog2Social < 6.8.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=blog2social&b2sShowByDate="alert/XSS/...
Everest Forms < 1.8.0 - Reflected Cross-Site Scripting
The plugin does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue The formid needs to be a valid one...
WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks...
Logo Carousel < 3.4.2 - Unauthorised Private Post Access
The plugin allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature 1 Go to Logo Carousel - Shortcode Generator. 2 If there is no carousel, create one. 3 Copy URL of the "Duplicate" link under the carouse...
WCFM - WooCommerce Multivendor Marketplace < 3.4.12 - Unauthenticated SQL Injection
The wcfmajaxcontroller AJAX action of the plugin, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections v 3.4.11 POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Icegram < 2.0.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the messageid parameter of the getmessageactionrow AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit; The XSS will be triggered when moving the...
Child Theme Generator <= 2.2.7 - Reflected Cross-Site Scripting
The plugin does not sanitise escape the parade parameter before outputting it back, leading to a Reflected Cross-Site Scripting in the admin dashboard alert/XSS/;" / var form1 = document.getElementById'hack'; form1.submit;...
WP User Frontend < 3.5.25 - Admin+ SQL Injection
The plugin does not validate and escape the postid parameter from the Subscribers list before using in a SQL statement, leading to an SQL injection https://example.com/wp-admin/edit.php?posttype=wpufsubscription&page=wpufsubscribers&postID=1+AND+%28SELECT+42+FROM+%28SELECT%28SLEEP%285%29%29%29b%2...
Preview E-mails for WooCommerce < 2.0.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to reflected XSS via the searchorder parameter found in the /views/form.php file. alert1" /...
Login/Signup Popup < 2.2 - Reflected Cross-Site Scripting
The plugin does not escape its tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=xoo-el-fields&tab="alert/XSS/...
SportsPress < 2.7.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape its matchday parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/edit.php?posttype=spevent&matchday=%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22...
Mortgage Calculator / Loan Calculator < 1.5.17 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks mlcalc schedule="month';alert/XSS///"...
Directorist – Business Directory Plugin < 7.0.6.2 - CSRF to Remote File Upload
The plugin was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory. This vulnerability was seen actively exploited by Sucuri in the wild for ransomware attacks. 1. Authenticate as any user. 2. Paste below HTML...
Ultimate NoFollow <= 1.4.8 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks Affected shortcodes: nf, nofo, nofol, nofollow, relnofollow As a contributor, put the below shortcode in a post/page nf...
Pixel Cat Lite < 2.6.2 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow attacker to make a logged in admin change them and perform Cross-Site Scripting attacks alertdocument.domain;" / var form1 = document.getElementById'hack';...
Pixel Cat Lite < 2.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Put the following payload in the Google Product Category setting of the plugin at wp-admin/admin.php?page=fcapcsettingspage in...
Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access
The plugin allows passing shortcode attributes with posttype & poststatus which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to. include-page allowtype="post" allowstatus="draft" id="131" include-page...
ToTop Link <= 1.7.1 - Unauthenticated PHP Object Injection
The plugin passes base64 encoded user input to the unserialize PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain. https://example.com/wp-content/plugins/totop-link/trunk/totop-link.css.php?vars=base64encodedpayload...
WP System Log < 1.0.21 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs. POST /wp-login.php HTTP/1.1 Accept:...
Security Audit <= 1.0.0 - Admin+ Stored Cross Site Scripting
The plugin does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Data ID setting of the plugin...
StopBadBots < 6.67 - Unauthenticated SQL Injection
The plugin does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection GET / HTTP/1.1 User-Agent: Zongbot' where id = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'-- - Accept:...
Mediamatic < 2.8.1 - Subscriber+ SQL Injection
The mediamaticAjaxRenameCategory AJAX action of the plugin, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Filter Portfolio Gallery <= 1.5 - Arbitrary Gallery Deletion via CSRF
The plugin is lacking Cross-Site Request Forgery CSRF check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery. https://example.com/wp-admin/admin.php?page=phoenfiltergallery&deleteid=1...
Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
The plugin does not sanitise and escape the time parameter before using it in a SQL statement in the mecloadsinglepage AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue...
ProfilePress < 3.2.3 - Reflected Cross-Site Scripting
The plugin does not escape the data parameter of the ppgetformsbybuildertype AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit;...
Inspirational Quote Rotator <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfilteredhtml capability is disallowed Add/edit a quote...
Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the currentmonthdivider parameter of its meclistloadmore AJAX call available to both unauthenticated and authenticated users before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue...
Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls
The plugin does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The deletecf7data would lead to arbitrary metadata deletion, as well ...
Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update
The plugin does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them jQuery.post"https://example.com/wp-admin/index.php", "wtlwp-nonce": "foo", // Not validated tlwpsettingsdata: defaultrole: "editor",...
Display Post Metadata < 1.5.0 - Contributor+ Stored Cross-Site Scripting
The plugin adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks - Login as contributor+ - Create a custom field containing XSS payload eg. alert1 - Add this...
WP Limits <= 1.0 - Plugin's Settings Update via CSRF
The plugin does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting low values...