4359 matches found
Insert Pages < 3.7.0 - Contributor+ Stored Cross-Site Scripting
The plugin adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields. - Create a page A - Add a custom field containing JS in...
Helpful < 4.4.59 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the System Miscellaneous Custom Timezone setting of the plugin: " The XSS...
WP Performance Score Booster < 2.1 - Settings Change via CSRF
The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. csrf.submit...
SEO Redirection < 8.2 - Subscriber+ SQL Injection
The importFromRedirection AJAX action of the plugin, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading an SQL injection when the redirection plugin is also installed POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Stream < 3.8.2 - Admin+ SQL Injection
The plugin does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue. https://example.com/wp-admin/admin.php?page=wpstream&order=+AND+SELECT+9940+FROM+SELECTSLEEP5vqNl...
Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access
The plugin allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status ie private, using a shortcode. Password protected posts/pages are not affected by such issue. insert page='pageslug' display='all' Where pagesl...
My Tickets < 1.8.31 - Unauthenticated Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins As unauthenticated, book a ticket, fill the purchase form with dum...
MouseWheel Smooth Scroll < 5.7 - Plugin's Setting Update via CSRF
The plugin does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack...
Speed Booster Pack < 4.3.3.1 - Admin+ SQL Injection
The plugin does not escape the sbpconverttablename parameter before using it in a SQL statement to convert the related table, leading to an SQL injection https://example.com/wp-admin/admin-ajax.php?action=sbpdatabaseaction&sbpaction=converttables&sbpconverttablename=SQLi&nonce=b2d6208254 The nonc...
WordPress + Microsoft Office 365 < 15.4 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise error descriptions before outputting them in the log notice, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged in administrator POST / HTTP/1.1 Content-Length: 242 Content-Type: application/x-www-form-urlencoded...
Colorful Categories < 2.0.15 - Arbitrary Colors Update via CSRF
The plugin does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack csrf.submit...
Testimonial Builder < 1.6.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some testimonial fields which could allow high privilege users to perform Cross Site Scripting attacks even when the unfilteredhtml capability is disallowed As admin, create/edit a testimonial and put the following payload in the Testimonial User Name field: "...
WP Cloudy < 4.4.9 - Admin+ SQL Injection
The plugin does not escape the postid parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue The first digits of the post parameter must be a valid Post ID Weather post or not...
WooCommerce Products Table < 1.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise or escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting issues https://example.com/?woot-remote-page=alert/XSS-page/&anchor=1&width=alert/XSS-width/ https://example.com/?woot-remote-page=1&anchor=1&arbitrary=...
Discounts Manager for Products < 3.4.5 - Reflected Cross-Site Scripting
The plugin does not escape the wcdptab parameter before outputting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting issue v alert/XSS/ v 3.4.5 - https://example.com/wp-admin/admin.php?page=wcwcdp&wcdptab=a';alert/XSS/;//...
Similar Posts < 3.1.6 - Admin+ Arbitrary PHP Code Execution
The plugin allow high privilege users to execute arbitrary PHP code in an hardened environment ie with DISALLOWFILEEDIT, DISALLOWFILEMODS and DISALLOWUNFILTEREDHTML set to true via the 'widgetrrmsimilarpostscondition' widget setting of the plugin. Vendor was notified in July 2021, the issue was...
YITH WooCommerce Multi Vendor < 3.8.1 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=yithvendorcommissions&message=error&text=alert/XSS/ fixed in 3.8.0 Below fixed in 3.8.1 alert/XSS/' /...
404 to 301 < 3.0.9 - Logs Deletion via CSRF
Description The plugin does not have CSRF check in place when cleaning the logs, which could allow attacker to make a logged in admin delete all of them via a CSRF attack https://example.com/wp-admin/admin.php?page=jj4t3-logs&action=bulkclean...
Quiz Tool Lite <= 2.3.15 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not sanitize multiple input fields used when creating or managing quizzes and in other setting options, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. When creating a new Question Pot, you can inject ...
Post Expirator < 2.6.0 - Contributor+ Arbitrary Post Schedule Deletion
The plugin does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts. Run on "Posts" page: jQuery.postajaxurl, nonce: config.ajax.nonce, action:"managewppostsusingbulkquicksavebulkedit", postids:783,...
Affiliate Manager < 2.8.7 - Admin+ SQL injection
The plugin does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue POST /wp-admin/admin.php?page=wpam-affiliates&tab=exportdata&orderby=if&order=0,1,SLEEP10 HTTP/1.1 Accept:...
Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure
The theme allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request. POST /wp-json/csco/v1/more-posts Accept:...
Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login
The plugin has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username /pie-register-login/ is the login page of the plugin, ie the one with pieregisterlogin v 3.7.1.5 POST /pie-register-login/ HTTP/1....
Loco Translate < 2.5.4 - Authenticated PHP Code Injection
The plugin mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations. 1. Using a User with the translator role, navigate...
Pie Register < 3.7.1.6 - Unauthenticated SQL Injection
The plugin does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. POST /wp-json/pie/v1/login HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding:...
MAZ Loader < 1.3.3 - Contributor+ SQL Injection
The plugin does not validate or escape the loaderid parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection. As a user with a role as low as Contributor, put the following shortcode in a page/post and view/preview it to get the login...
Header Footer Code Manager < 1.1.14 - Admin+ SQL Injections
The plugin does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections...
Coupon Affiliates for WooCommerce < 4.11.3.4 - Arbitrary Referral Visits Deletion via CSRF
The plugin does not have any CSRF in place when deleting Referral Visits, which could allow attackers to make a logged in admin delete them via a CSRF attack...
wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF
The plugin does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary...
Multiple Plugins from Avirtum - Reflected Cross-Site Scripting
Most plugins both free and premium from the Avirtum author do not escape a page parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. The issues were reported to the vendor on August 4th, 2021 Example in ipanorama-360-virtual-tour-builder-lite plugin...
WP SEO Redirect 301 < 2.3.2 - Redirect Deletion via CSRF
The plugin does not have CSRF in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack https://example.com/wp-admin/admin.php?page=wp-seo-redirect-301/seoredirectlist.php&deleteid=12&deleteurl=https://example.com/yolo deleteid is the po...
Multiple Plugins from WPPlugin - Reflected Cross-Site Scripting via page Parameter
The plugins do not escape a page parameter before outputting it back in an attribute in various admin pages, leading to Reflected Cross-Site Scripting issues. The issues were reported to the vendor on August 10th, 2021 Example in easy-paypal-donation alert/XSS/' / alert/XSS/' /...
3D Print Lite < 1.9.1.6 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=p3dlitematerials&materialtext="alert/XSS/...
WCFM - Frontend Manager for WooCommerce < 6.5.12 - Customer/Subscriber+ SQL Injection
The plugin, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawalvendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection...
Print-O-Matic < 2.0.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the "Pause Before Print" settings of the plugin: ...
Storefront Footer Text <= 1.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed. The plugin requires the Storefront theme Go to Appearance Customize /wp-admin/customize.ph...
Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue https://example.com/forum/?subscribetopic=1%20union%20select%201%20and%20sleep10...
WP Header Images < 2.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/options-general.php?page=wphi&t=5"alert/XSS/...
Qwizcards < 3.62 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Within Settings Qwizcards Qwizcardsa Option, put the following payload in the Qwizcards-content HTML...
Inline Related Posts < 3.0.5 - Admin+ Cross-Site Scripting
Multiple parameters are vulnerable to stored Cross-site Scripting. The vulnerabilities require admin privileges to exploit. In each case the script will execute for every user viewing a post that contains one of the inline references. POST /wp-admin/options-general.php?page=intelly-related-posts...
G Auto-Hyperlink <= 1.0.1 - Admin+ SQL Injection
The plugin does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection https://plugins.trac.wordpress.org/browser/g-auto-hyperlink/trunk/g-auto-hyperlink.phpL271 Open the...
Unlimited PopUps <= 4.5.3 - Author+ SQL Injection
The plugin does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection https://plugins.trac.wordpress.org/browser/unlimited-popups/trunk/popuplist.phpL16...
Chameleon CSS <= 1.2 - Subscriber+ SQL Injection
The plugin does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, removecss, also does not sanitise or escape the cssid POST parameter before using it in a SQL...
Schreikasten <= 0.14.18 - Author+ SQL Injections
The plugin does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author...
Support Board < 3.3.5 - Agent+ Stored Cross-Site Scripting
The plugin allows Authenticated Agent+ users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any authenticated user go to the chat the XSS will be automatically executed. POST /supportboard/include/ajax.php HTTP/1.1 Cookie: Agent+ Accept: ...
Wow Forms <= 3.1.3 - Admin+ SQL Injection
The plugin does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection https://plugins.trac.wordpress.org/browser/mwp-forms/trunk/admin/partials/main.phpL13 As admin,...
Post Content XMLRPC <= 1.0 - Admin+ SQL Injections
The plugin does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated SQL Injections https://example.com/wp-admin/admin.php?page=pcxaddsites&mode=add&id=1%20AND%20SELECT%207953%20FROM%20SELECTSLEEP5AgUn...
SpiderCatalog <= 1.7.3 - Admin+ SQL Injection
The plugin does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category https://plugins.trac.wordpress.org/browser/catalog/trunk/Categories.phpL320 POST...
Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit a form, add the following payload to a Field Label: alert/XSS/ The XSS will be triggered when...
Age Gate < 2.16.4 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape the 'Additional content' setting of its 'Messaging' page, which could allow users having access to such setting by default admin, but the plugin has a feature to change this and allow access to lower privileged users to perform Cross-Site Scripting attacks...