4359 matches found
Email Before Download < 6.8 - Admin+ SQL Injection
The plugin does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues...
My Calendar < 3.2.18 - Subscriber+ Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter of the mcpostlookup AJAX action available to any authenticated user before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue...
URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF
The plugin does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack. https://example.com/wp-admin/admin.php?page=uslinks&action=bulkdelete&linkids=1...
Contact Form by Supsystic < 1.7.20 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape fields label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Create/edit a field in a form, and put the following payload in the label:...
WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header
The plugin has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. curl --referer "something" -sIXGET https://example.com/wp-admin/options.php HTTP/2 302 ... location:...
Registrations for The Events Calendar < 2.7.5 - Reflected Cross-Site Scripting
The plugin does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=registrations-for-the-events-calendar&tab=registrations&v="+style=animation-name:rotation+onanimationstart=alert/XSS///...
Bulk Datetime Change < 1.12 - Missing Authorisation
The plugin does not enforce capability checks which allows users with Contributor roles to 1 list private post titles of other users and 2 change the posted date of other users' posts. Run on "Bulk Datetime Change" page: jQuery.post"https://example.com/wp-admin/admin.php?page=bulkdatetimechange",...
About Author Box < 1.0.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks. With a role as low as Contributor, put the following payloads in one of the Social Profi...
Ninja Forms < 3.6.4 - Admin+ SQL Injection
The plugin does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks POST /wp-admin/post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh,en;q=0.5...
Ninja Tables < 4.1.8 - Admin+ Stored Cross-Site Cross-Site Scripting
The plugin does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create a table, add a column with the following payload " as Name, then add data with the followin...
Reviews Plus < 1.2.14 - Subscriber+ Reviews DoS
The plugin does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the review section when an authenticated user submit such rating and the reviews are set to be displayed on the post/page Enable reviews for post/pages, and enable the "Show...
MAZ Loader < 1.4.1 - Arbitrary Loader Deletion via CSRF
The plugin does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack The vendor has been notified on August 24th, 2021, as well as escalated to the WP plugins team 3 times, no fix was made despite two new versions being released...
Video Lessons Manager - Admin+ Stored Cross-Site Scripting
The plugins do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks Open the CM Video Lesson Plugin's Settings page. Click on Label Tab Enter payload like "alert1 into the "channel" or "channels" field...
WP Spell Check < 9.3 - Reflected Cross-Site Scripting
The plugin does not escape the page and wpsc-scan-tab parameters before outputting them back in attributes, leading Reflected Cross-Site Scripting issues alert/XSS/' / alert/XSS/' /...
eCommerce Product Catalog for WordPress < 3.0.39 - Reflected Cross-Site Scripting
The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue...
EditableTable <= 0.1.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape any of the Table and Column fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create a new EDTB and put the following payload in the Table Name, Column Name or Column...
MainWP Child < 4.1.8 - Admin+ SQL Injection
The plugin does not validate the orderby and order parameter before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed POST / HTTP/1.1 Accept:...
Ecommerce - Two Factor Authentication < 1.0.5 - Reflected Cross-Site Scripting
The plugin does not escape the user parameter before outputting it back in an attribute in the dashboard page to confirm the 2FA reset, leading to a Reflected Cross-Site Scripting issue v alert/XSS/ v 1.0.5: https://example.com/wp-admin/users.php?page=reset&action=resetedit&user="...
Falang multilanguage for WordPress < 1.3.18 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site scripting issue alert/XSS/' /...
Slideshow Gallery < 1.7.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Slide "Title", "Description", and Gallery "Title" fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Create/edit a Slide /wp-admin/admin.php?page=slideshow-slides and put the...
Duplicate Post < 1.2.0 - Authenticated SQL Injection
The plugin does not properly sanitise and escape the id parameter passed to the cdpactionhandling AJAX action, which could allow user having access to the plugin by default admins to perform SQL Injection attacks POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 229 Accept: / X-Requested-Wit...
Media-Tags <= 3.2.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtnl capability is disallowed. https://drive.google.com/file/d/1ZXIS-q2fzZhRhTyHpHEzxcZ2Shl4Up2/view?usp=sharing Put the...
Logo Showcase with Slick Slider < 1.2.5 - Subscriber+ Arbitrary Media Title/Description/Alt Text/URL Update
The plugin does not have CSRF and authorisation checks in the lswsssaveattachmentdata AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. jQuery.postajaxurl, action: "lswsssaveattachmentdata", attachmentid...
Core Tweaks WP Setup <= 4.1 - Arbitrary Admin Account Creation / Admin Email Update via CSRF
The plugin allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks...
Pie Register < 3.7.2.4 - Open Redirect
The plugin passes unvalidated user input to the wpredirect function, without validating it, leading to an Open redirect issue https://example.com/?piereglogouturl=true&redirectto=https://wpscan.com...
Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection
Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wpajaxheateorsssimportconfig AJAX action due to a missing capability check in the importconfig function found in the /admin/class-sassy-social-share-admin.php file along with the implementation...
BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV. Go to Plugin's Settings page, in "Tool" tab, import a CSV file with Betterlinks option. Put a simple XSS payload into "linktitle" colu...
Responsive Image Slider, Photo Gallery And Carousel < 1.3.6 - Subscriber+ Arbitrary Post Access
The plugin does not have proper authorisation check in the sfimageid AJAX action, which could allow any authenticated, such as subscriber, to view the content and title of arbitrary posts, for example private, draft and password protected ones. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: /...
Download Monitor < 4.4.5 - Admin+ SQL Injection
The plugin does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue There need to be at least one log for the payload to trigger...
Forminator < 1.15.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed As an admin, create or edit a Forminator form, add an email field and put the following payload in the label...
Easy Digital Downloads < 2.11.2.1 - Reflected Cross-Site Scripting
The plugin does not escape the start-date and end-date parameters in the payment history dashboard before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues...
Tutor LMS < 1.9.11 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape user input before outputting back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue https://example.com/student-registration/?userlogin="alert/XSS/...
Images to WebP < 1.9 - Multiple Cross Site Request Forgery (CSRF)
The plugin does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion The PoC varies based on the endpoint targeted. Here is one example that will modify the...
Logo Showcase with Slick Slider < 1.2.4 - Author+ Stored Cross Site Scripting
The plugin does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via post metadata of Grid logo showcase. 1 Create a Logo Showcase 2 Set display type to Logo Grid 3 Set number of grid to 1"...
Relevanssi - A Better Search < 4.14.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape user searches before outputting them in the related admin dashboard when the feature is enabled Enable the logging of user query, then was unauthenticated user /?s= The XSS will be triggered when an admin will view the User Searches dashboard at...
Images to WebP < 1.9 - Authenticated Local File Inclusion
The plugin does not validate or sanitise the tab parameter before passing it to the include function, which could lead to a Local File Inclusion issue Assuming WordPress installed at C:\xampp\htdocs\wordpress,...
Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation
The plugin does not have capability and CSRF checks in the dpwappluginactivate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed. v 1.5.9 - jQuery.postajaxurl, action:"dpwappluginactivate", dpwapurl:"hello.php" v 1.6.0 -...
Advanced Access Manager < 6.8.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in any of the plugin's settings with a text input: - v alert/XSS/ - v...
Support Board < 3.3.6 - Arbitrary File Deletion via CSRF
The plugin does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files...
Email Log < 2.4.7 - Admin+ SQL Injection
The plugin does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in SQL statement in the admin dashboard, leading to SQL injections https://example.com/wp-admin/admin.php?page=email-log&orderby=sentdate+AND+SELECT+3025...
QR Redirector < 1.6.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site Scripting attacks. As a contributor, create/edit a "QR Redirect" and set the following fields: "URL to Redirect to": https://example.com/"...
TableOn < 1.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise or escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting issues https://example.com/?tableon-remote-page=alert/XSS-page/&anchor=1&width=alert/XSS-width/...
Paypal Donation < 1.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/Edit a Button and put the following payload in the Amount Menu Name field...
QR Redirector < 1.6 - Subscriber+ Arbitrary QR Redirect Response Status Update
The plugin does not have capability and CSRF checks when saving bulk QR Redirector settings via the qrsavebulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects jQuery.postajaxurl, qrredirectresponse: 30...
Shared Files < 1.6.61 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Download Counter Text settings and tick the Show Downlo...
Client Invoicing by Sprout Invoices < 19.9.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in one of the vulnerable fields in the General Settings of the plugin...
Responsive Image Slider, Photo Gallery And Carousel < 1.3.2 - Slider Clone/Save/Delete via CSRF
The plugin has a logic flaw in its CSRF checks in the sfcloneslider, sfsaveslider and sfremoveslider AJAX actions, which could allow an attacker to make a logged in user call them via a CSRF attack. To delete a slider: To create a slider /bod...
Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF
The plugin does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover. The following HTML code can be used...
IMPress for IDX Broker < 3.0.6 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the leadID parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue https://examle.com/wp-admin/admin.php?page=edit-lead&leadID="alert/XSS/...
MouseWheel Smooth Scroll < 5.7 - Plugin's Setting Update via CSRF
The plugin does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack...