4359 matches found
User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access
The plugin registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes As a contributor, put the following shortcod...
Single Post Exporter <= 1.1.1 - Plugin's Settings Update via CSRF
The plugin does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able to export an arbitrary post/page such as...
Quotes Collection <= 2.5.2 - Admin+ SQL Injection
The plugin does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection https://example.com/wp-admin/admin.php?page=quotes-collection&s=&wpnonce=6e21e0a8b6&action=makepublic&paged=1&bulkcheck=1%20and%20sleep10--%20-&action2=makepublic...
WP Admin Logo Changer <= 1.0 - Plugin's Settings Update via CSRF
The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack. csrf.submit...
NEX-Forms <= 7.9.4 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings and form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. In Global Setting Preferences Validation, put the following...
ProfilePress < 3.2.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ppressccdata parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue alert/XSS/' / var form1 = document.getElementById'hack'; form1.submit;...
All-In-One-Gallery < 2.5.0 - Admin+ Local File Inclusion
The plugin does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue https://example.com/wp-admin/admin.php?page=all-in-one-video-gallery&tab=..%2F..%2F..%2F..%2F..%2Findex...
Shiny Buttons <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting
The plugin does not have any authorisation and CSRF in place when saving a template wpbtnsavetemplate function hooked to the init action, nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored...
Auto Featured Image < 3.9.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the postid parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. https://example.com/wp-admin/upload.php?page=menu-media-apt&postid=alert/XSS/...
Flex Local Fonts <= 1.0.0 - Admin+ Stored Cross-Site-Scripting
The plugin does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Add a new font Tools -- Local Fonts -- Add Font, need to have at least one font for the 'Add...
Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access
The plugin does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors. As a contributor, add the...
SEO Booster < 3.8 - Admin+ SQL Injection
The plugin allows for authenticated SQL injection via the "fnmyajaxifieddataloaderajax" AJAX request as the $REQUEST'order'0'dir' parameter is not properly escaped leading to blind and error-based SQL injections. Install SEO Booster, then click on the "Incoming Keywords" link in the Wordpress...
Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters, such as formid, status, enddate, order, orderby and search before outputting them back in the admin page...
GRAND FlaGallery <= 6.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a gallery and put the following payload in the "Back Button Text" setting, then...
Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure
The plugin does not have any authorisation and CSRF checks in the likebtnexportvotes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog. fetch"http://example.com/wp-admin/admin-ajax.php",...
Caldera forms < 1.9.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a form, and put the following payload in the Form Name via th...
Meks Easy Photo Feed Widget < 1.2.4 - Subscriber+ Settings Update to Stored XSS
The plugin does not have capability and CSRF checks in the mekssavebusinessselectedaccount AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could update the plugin's settings and put Cross-Site...
Error Log Viewer Plugin <= 1.1.1 - Admin+ Arbitrary File Clearing
The plugin does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder Click the "Log Monitor" available under Error Log Viewer menu item. Choose a log file to clear. Intercept the reques...
Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access
The plugin allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata. customfield field="fieldname" postid="ID" e.g customfield field="ctctverifykey" postid="23"...
LearnPress < 4.1.4 - Admin+ SQL Injection
The plugin does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues Id needs to start with a valid course/lesson/quiz/question ID:...
Get Custom Field Values < 4.0.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks As a contributor, create a custom field in a post, with the following payload: alert1 Then add the following shortcode to...
Bookly < 20.3.1 - Staff Member Stored Cross-Site Scripting
The plugin does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue As a Staff Member, put the following payload in your Full Name Booklyn -- Profile -- Edit -- Full Name: alert/XSS/ The XSS will be triggered when an...
Backup and Restore <= 1.0.3 - Admin+ Arbitrary File Deletion
The plugin does not sanitise and validate the foldername parameter when deleting a report, which could allow high privilege users to delete arbitrary files on the web server, including those outside of the WordPress folder POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language:...
Email Log < 2.4.8 - Reflected Cross-Site Scripting
The plugin does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=email-log&d="+style=animation-name:rotation+onanimationstart=alert/XSS///...
Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
The plugin does not escape the sccpid parameter of the ayssccpresultsexportfile AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an SQL injection...
Tawk.to Live Chat < 0.6.0 - Subscriber+ Visitor Monitoring & Chat Removal
The plugin does not have capability and CSRF checks in the tawktosetwidget and tawktoremovewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users including simple subscribers to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-i...
PDF.js Viewer < 2.0.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks pdfjs-viewer searchterm='" onload="alert/XSS/' pdfjs-viewer viewerwidth=0 viewerheight=800 url=undefined...
LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the rulloginurl and rullogouturl parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue var form1 = document.getElementById'hack'; form1.submit;...
WooCommerce Currency Switcher < 1.3.7.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the key parameter of the woocsupdateprofilesdata AJAX action available to any authenticated user before outputting it back in the response, leading to a Reflected cross-Site Scripting issue " / var form1 = document.getElementById'hack'; form1.submit; POST...
Registrations for the Events Calendar < 2.7.6 - Unauthenticated SQL Injection
The plugin does not sanitise and escape the eventid in the rtecsendunregisterlink AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL injection. The below request will send an email to [email protected] wi...
WP Data Access < 5.0.0 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the backupdate parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletion POST /wp-admin/admin.php?page=wpdataaccess&tab=repository HTTP/1.1 Accept:...
WP Google Fonts < 3.1.5 - Reflected Cross-Site Scripting
The plugin does not escape the googlefontajaxname and googlefontajaxfamily parameter of the googlefontaction AJAx action available to any authenticated user before outputing them in attributes, leading Reflected Cross-Site Scripting issues var form1 = document.getElementById'hack'; //form1.submit...
WooRockets Nitro <= 1.7.9 - Unauthenticated Arbitrary Plugin Installation
The theme does not have authorisation in some of its AJAX actions, and relied on CSRF checks for it. As one of the action allowed for nonces to be disclosed under a specific circumstance, unauthenticated users could then use them to install and active arbitrary plugins via a zip file, as well as...
Email Tracker < 5.2.6 - Reflected Cross-Site Scripting
The plugin does not escape user input before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Options Reset
The plugin has two AJAX actions, mepwlajaxlicenseactivate and mepwlajaxlicensedeactivate, which are available to both unauthenticated and authenticated users, and are lacking any authorisation, CSRF as well as checks to ensure that the options to be updated belong to the plugin. As a result,...
Event Manager for WooCommerce < 3.5.3 - Unauthenticated Arbitrary Elementor Template Import
The mepimportajaxtemplate AJAX action of the plugin, available to both unauthenticated and authenticated users, is lacking any authorisation and CSRF checks. As a result, unauthenticated user can import arbitrary Elementor template to the blog Legit template:...
Cost Calculator <= 1.4 - Contributor+ Local File Inclusion
The plugin allows users with a role as low as Contributor to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout As a contributor, create a Cost Calculator post, set the Layout to /../../../../../../../../../../file assuming the file to...
ARForms Form Builder < 1.5 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the From/Replyto Name field at ARForms Lite General Settings Email Settings: "alert/X...
Ivory Search < 4.8 - Contributor+ Stored Cross-Site Scripting
The plugin dos not escape the id argument of its shortcode, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks As a contributor or above, put the following shortcode in a post/page ivory-search title="Some Form" id='1" onmouseover="alert/XSS/'...
WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfilteredhtml capability is disallowed. 1. Add a new Import at "New Import", upload a random.txt...
Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Add/edit a product and put the following payload in the Product Affiliate URL, Custom Button Text fields...
Contest Gallery < 13.1.0.7 - Subscriber+ Email Address Disclosure
The plugin does not have any proper access controls when exporting users from a gallery, which could allow any authenticated users such as subscriber to list all users from the blog, disclosing their username and email address POST...
myCred < 2.3 - Subscriber+ SQL Injection
The plugin does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user any authenticated user...
Ibtana - Ecommerce Product Addons < 0.2.4 - Reflected Cross-Site Scripting
The plugin does not escape some user input before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. v alert/XSS/ v 0.2.4 - https://example.com/wp-admin/admin.php?page=ibtana-custom-post-type&posttypeid="+style=animation-name:rotation+onanimationstart=alert/XSS/...
Stylish Cost Calculator < 7.04 - Subscriber+ Unauthorised AJAX Calls to Stored XSS
The plugin does not have any authorisation and CSRF checks on some of its AJAX actions available to authenticated users, which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users d...
Check & Log Email < 1.0.4 - Reflected Cross-Site Scripting
The plugin does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting With the "Enable Logs" setting activated: https://example.com/wp-admin/admin.php?page=check-email-logs&d="+style=animation-name:rotation+onanimationstart=alert/XSS///...
GenerateBlocks < 1.4.0 - Contributor+ Stored Cross-Site Scripting
The plugin does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. Add the following code in a post/page while in code editor mode with an Contributor account: Then view/preview th...
WP RSS Aggregator < 4.19.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfilteredhtml capability is disallowed, which could lead to Cross-Site Scripting issues. Add an URL to Blacklist RSS Aggregator Tools Blacklis...
My Calendar < 3.2.18 - Subscriber+ Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter of the mcpostlookup AJAX action available to any authenticated user before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue...
BSK PDF Manager < 3.1.2 - Admin+ SQL Injection
The plugin does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue With at least one BSK PDF Category: https://example.com/wp-admin/admin.php?page=bsk-pdf-manager&order=and+sleep5...