4359 matches found
Access Demo Importer < 1.0.7 - Subscriber+ Arbitrary File Upload
Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the pluginofflineinstaller AJAX action due to a missing capability check in the pluginofflineinstallercallback functionfound in the /inc/demo-functions.php file along wi...
WP All Export < 1.3.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Export's Name before outputting it in Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed 1. Create a new export via "New Export" page. 2. Go to "Manage Exports...
Genie WP Favicon <= 0.5.2 - Arbitrary Favicon Change via CSRF
The plugin does not have CSRF in place when updating the favicon, which could allow attackers to make a logged in admin change it via a CSRF attack // 32x32 white png const buf =...
Phoenix Media Rename < 3.4.4 - Author Arbitrary Media File Renaming
The plugin does not have capability checks in its phoenixmediarename AJAX action, which could allow users with Author roles to rename any uploaded media files, including ones they do not own. As an Author, go to the page to edit one of your own Media ie /wp-admin/post.php?post=1993&action=edit,...
Redirect 404 Error Page to Homepage or Custom Page with Logs < 1.7.9 - Log Deletion via CSRF
The plugin does not check for CSRF when deleting logs, which could allow attacker to make a logged in admin delete them via a CSRF attack csrf.submit...
Visitor Traffic Real Time Statistics < 3.9 - Subscriber+ SQL Injection
The plugin does not validate and escape user input passed to the todaytrafficindex AJAX action available to any authenticated users before using it in a SQL statement, leading to an SQL injection issue POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
Perfect Survey < 1.5.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape multiple parameters id and filterssessionid of singlestatistics page, type and message of importexport page before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues...
TheCartPress eCommerce Shopping Cart <= 1.5.3.6 - Unauthenticated Arbitrary Admin Account Creation
The tcpregisterandloginajax AJAX action of the plugin allows unauthenticated users to create accounts with an arbitrary role such as admin POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5...
Perfect Survey < 1.5.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue jQuery.postdata: psquestions:1:"1", action:"savequestiondata", ID:"765",...
WP-Recall < 16.24.48 - Reflected Cross-Site Scripting
The plugin does not escape some filters parameters before outputting them back in attributes when the Commerce add-on is active, leading to Reflected Cross-Site Scripting issues Activate the Commerce Add-On of the plugin and open the below URL...
Two Way Chat < 3.1.5 - Multiple CSRF
The plugin does not have CSRF checks in place in some of its functions, allowing attacker to make logged in admin perform unwanted actions, such as update the plugin's settings...
WP Survey Plus <= 1.0 - Subscriber+ AJAX Calls
The plugin does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues To create a survey wi...
Perfect Survey < 1.5.2 - Unauthorised AJAX Call to Stored XSS / Survey Settings Update
The plugin does not have proper authorisation nor CSRF checks in the saveglobalsetting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which wi...
World Travel Information <= 1.0.0 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'PHPSELF' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php/"alert/XSS//?page=ti-info...
Simple Download Monitor < 3.9.6 - Unauthenticated Log Access
The plugin saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to download and read the logs containing Sensitive Information such as IP Addresses and Usernames...
Simple Download Monitor < 3.9.6 - Arbitrary Thumbnails Removal
The plugin allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download. jQuery.postajaxurl, action: "sdmremovethumbnailimage", postiddel: 613 // not owned by the user POST /wp-admin/admin-ajax.php HTTP/1.1...
MStore API < 3.4.5 - Unauthenticated PHP File Upload
The api/flutterwoo/configfile REST endpoint of the plugin, does not have proper authorisation in place only checking if the plugin has a license, nor enough validation against the config file sent in the request. As a result, unauthenticated users could use such endpoint to upload a PHP file,...
Simple Download Monitor < 3.9.6 - Unauthorised Log Reset
The sdmresetlog AJAX action of the plugin does not have any capability and CSRF checks, which could allow any authenticated user such as subscriber, or an attacker performing a CSRF attack against a logged in admin to reset the log entries...
Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting
The plugin does not escape the 1 sdmactivetab GET parameter and 2 sdmstatsstartdate/sdmstatsenddate POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues PoC 1: This requires Firefox due to onclick+accesskey trick on hidden input. There is...
Translate WordPress - Google Language Translator < 6.0.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting it in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Floating Widget Settings Custom text fo...
Perfect Survey < 1.5.2 - Unauthenticated SQL Injection
The plugin does not validate and escape the questionid GET parameter before using it in a SQL statement in the getquestion AJAX action, allowing unauthenticated users to perform SQL injection. The questionid must start with an existing post ID...
Simple Download Monitor < 3.9.5 - Contributor+ Stored Cross-Site Scripting via File Thumbnail
The plugin does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could ma...
Booking.com Banner Creator < 1.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Open the plugin's add new banner page B.com Banner - Add New Banner The form field named "Banner...
Two Way Chat < 3.1.5 - Admin+ Local File Inclusion
The plugin does not properly sanitise and validate user input before using in require statements, leading to Local File Inclusion issues https://example.com/wp-admin/admin.php?page=TWCHsettings&tab=../../index https://example.com/wp-admin/admin.php?page=TWCHsettings&tab=Float&sT=../../index...
Booking.com Product Helper < 1.0.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Product Code when creating Product Shortcode, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed When creating a "New product shortcode" you can inject XSS payloads like --! i...
Batch Cat <= 0.3 - Subscriber+ Arbitrary Categories Add/Set/Delete to Posts
The plugin defines 3 custom AJAX actions, which both require authentication but are available for all roles. As a result, any authenticated user including simple subscribers can add/set/delete arbitrary categories to posts. Set the category 107 to the post 1537: POST /wp-admin/admin-ajax.php...
Far Future Expiry Header < 1.5 - Plugin's Settings Update via CSRF
The plugin does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. csrf.submit...
Events Made Easy < 2.2.24 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Add/Edit a Custom Field /wp-admin/admin.php?page=eme-formfields and put the following payload in the Field Name:...
Cardinity Payment Gateway for WooCommerce < 3.0.7 - Reflected Cross-Site Scripting
The plugin does not escape various parameter before outputting them in attributes, leading to Reflected Cross-Site Scripting issues Vulnerable parameters: amount, country, currency, orderid, description, returnurl, projectid, signature...
Logo Slider and Showcase < 1.3.37 - Editor Plugin's Settings Update
The plugin allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check. - As Editor, go to Logo Showcase - Shortcode Generator - Run...
BP Better Messages < 1.9.9.41 - Multiple CSRF
The plugin does not check for CSRF in multiple of its AJAX actions: bpbettermessagesleavechat, bpbettermessagesjoinchat, bpmessagesleavethread, bpmessagesmutethread, bpmessagesunmutethread, bpbettermessagesaddusertothread, bpbettermessagesexcludeuserfromthread. This could allow attackers to make...
Easy PayPal Buy Now Button < 1.7.3 - CSRF to Stored Cross-Site Scripting
The plugin does not have CSRF check in place when saving its settings, and does not sanitise as well as escape them when output in the page. As a result, an attacker could make a logged in admin change them via. CSRF attack and perform Cross-Site Scripting attacks. The plugin also fixed a Reflect...
Themify Builder < 5.3.2 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in attributes and tags in an admin page, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=themify-global-styles&status="alert/XSS/...
Coming Soon, Under Construction & Maintenance Mode By Dazzler < 1.6.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape its description setting when outputting it in the frontend when the Coming Soon mode is enabled, even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue Via the plugin's settings: - Enable the...
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 2.4.2 - Multiple Admin+ Cross Site Scripting
The plugin does not properly sanitize or escape data in some of its Playlist settings, allowing high privilege users to perform Cross-Site Scripting attacks 1 Add playlist with "Optional Call to Action"'s "Label" set to: " style="animation-name:twentytwentyone-close-button-transition"...
Image Source Control < 2.3.1 - Contributor+ Arbitrary Post Meta Value Change
The plugin allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts even those they should not be able to edit Run while in the Post/Page editor as a contributor jQuery.postajaxurl, action: "iscsavemeta", nonce: iscData.nonce, id:781, key:...
Paypal Donation < 1.3.1 - CSRF to Arbitrary Post Deletion
The plugin provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could make logged in admins delete arbitrary posts...
Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting
The plugin offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output i...
BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting
The plugin sanitise with sanitizetextfield but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/chat-rooms/?subject=asd%22%20%22%20onmouseover=javascript:alert1;%20test=%22&new-message=asd...
Ivory Search < 4.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the post parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. The data parameter was also affected, although it was not reported...
JS Job Manager < 1.1.9 - Unauthenticated Arbitrary Plugin Installation/Activation
The jsjobsajax AJAX action of the plugin available to both authenticated and unauthenticated users does not have proper authorisation and CSRF checks, in particular when using the installPluginFromAjax and activatePluginFromAjax, which could allow unauthenticated attackers to install arbitrary...
Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting
The plugin does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. Go to Setting Tab Under Calendar Lite Plugin Under Setting tab Click on Slugs/Permalinks tab Enter the XSS payload into Main Slug and Category Slug both. Both fields are vulnerable...
Stylish Price List < 6.9.1 - Subscriber+ Arbitrary Image Upload
The plugin does not perform capability checks in its spluploadserimg AJAX action available to authenticated users, which could allow any authenticated users, such as subscriber, to upload arbitrary images...
WPeMatico RSS Feed Fetcher < 2.6.12 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create/edit a campaign and add the following feed URL:...
Stylish Price List < 6.9.0 - Unauthenticated Arbitrary Image Upload
The plugin does not perform capability checks in its spluploadserimg AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload images. v6.9.0 removed the unauthenticated hook, however, no capability and CSRF checks were implemented,...
WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfilteredhtml capability is disallowed - Create a new Download, add the following payload in the "Version" and "Link Label" fields from the 'Package...
Cool Tag Cloud < 2.26 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the style attribute of the cooltagcloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. cooltagcloud style='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert/XSS/'...
Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting
The plugin does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload triggered either in the frontend or backend depending on the payload The CSRF was...
Flat Preloader < 1.5.5 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Put the following payload in the "Alt text" setting of the plugin, then view...
Restaurant Menu by MotoPress < 2.4.2 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Click on "Add New" under Restaurant Menu Plugin. Give any random title like...