4359 matches found
Connections Business Directory < 10.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting when the unfilteredhtml capability is disallowed. Add an Entry /wp-admin/admin.php?page=connectionsadd and put the following payload in the Address Line...
WP Reactions Lite < 1.3.6 - Authenticated Stored Cross Site Scripting
The plugin does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. Open Global Activation and Click on Customize Now On Step3 StylingTab Enter the XSS payload into "Whats your reaction" field Payload Used :...
AutomatorWP < 1.7.6 - Missing Authorization and Privilege Escalation
The plugin does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions. Attack Procedures 1 Run this in Dashboard while logged in as Subscribe...
WordPress Contact Forms by Cimatti < 1.4.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. 1. go to Forms. 2. go to Add New Form 3. In th title put alert"Ehlo"; 4. Save...
Check & Log Email < 1.0.3 - Admin+ SQL Injections
The plugin does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injections issues With the 'Enable Log' settings of the plugin activated: -...
WooCommerce Product Table Lite < 2.4.0 - Reflected Cross-Site Scripting
The plugin does not escape the pricerangemin and pricerangemax parameters before outputting them back in attributes, leading a Reflected Cross-Site Scripting issue On a page where there is a Product Table with a Price filter, append the following payload to the min and max price filters:"alert/XS...
WP Visited Countries Reloaded < 3.1.1 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter in its Countries dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Permalink Manager Lite < 2.2.13.1 - Admin+ SQL Injection
The plugin does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection https://example.com/wp-admin/tools.php?page=permalink-manager&orderby=ID+AND+SELECT+9480+FROM+SELECTSLEEP5EXid...
Wappointment < 2.2.5 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise the name parameter when booking an appointment, leading to a Stored Cross-Site Scripting issue which is triggered when an admin view the Calendar. POST /wp-json/wappointment/v1/services/booking HTTP/1.1 Content-Length: 205 Accept: application/json, text/plain, /...
WP Debugging < 2.11.0 - Unauthenticated Plugin's Settings Update
The plugin has its updatesettings function hooked to admininit and is missing any authorisation and CSRF checks, as a result, the settings can be updated by unauthenticated users. csrf.submit POST /wp-admin/admin-post.php HTTP/1.1 Accept:...
WP Table Builder < 1.3.10 - Reflected Cross-Site Scripting
The plugin does not escape a page parameter before outputting it back in an admin dashboard page, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Great Quotes <= 1.0.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Add/edit a Quote and put the following payload in the "Quote" and "Author" fields:...
NinjaForms < 3.5.8.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. With the Form Builder "Dev Mode” setting enabled, create a form and a fiel...
Visual Form Builder < 3.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfilteredhtml capability is disallowed Create a new Form via the plugin, fill it with any values. In the next step, change the Form name to...
WP DSGVO Tools (GDPR) < 3.1.24 - Unauthenticated Plugin's Settings Update to Stored Cross-Site Scripting
The plugin is lacking proper authorisation and CSRF checks, makes some functions available to unauthenticated as well as any authenticated users via AJAX hooks. As a result, unauthenticated users could update some of the plugin's settings, and set a Cross-Site Scripting payload in the Matomo Code...
3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
Description The plugin does not have any authorisation and does not check the uploaded file in its p3dlitehandleupload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as...
Ninja Forms < 3.5.8 - Unprotected REST-API to Email Injection
The plugin is vulnerable to arbitrary email sending via the triggeremailaction function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the...
Easy Media Download < 1.1.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Affected argument: url, text, target, rel and class easymediadownload url="/" text='" onerror="alert/XSS///http' easymediadownlo...
Ninja Forms < 3.5.8 - Unprotected REST-API to Sensitive Information Disclosure
The plugin is vulnerable to sensitive information disclosure via the bulkexportsubmissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the...
WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise
The plugin does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password to an arbitrary value of any user knowing only their ID, and gain access to their account. User registration must be enabled or you mu...
Cookie Bar <= 1.8.8 - Admin+ Stored Cross-Site Scripting
The plugin doesn't properly sanitise the Cookie Bar Message setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Add the following payload in the "Cookie Bar Message" setting of the plugin...
WP HTML Author Bio <= 1.2.0 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. As a result, user with a role as low as author could perform Cross-Site Scripting attacks against...
Special Text Boxes <= 5.9.109 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. Put the following payload in any of the field in the 'Basic Settings' section of the plugin's setting...
jQuery Reply to Comment <= 1.31 - CSRF to Stored Cross-Site Scripting
The plugin does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. Put the following payload in the 'Quote String' or 'Reply String' settings of...
Allow REL= and HTML in Author Bios <= .1- Author+ Stored Cross-Site Scripting
The plugin does not sanitise the allowed HTML in Bio, allowing user with a role as low as author to perform Cross-Site Scripting attack against users viewing their posts As Author, put a JS payload such as alert/XSS/ in your Biographical Info via your Profile, then access any public posts made by...
Frontend Uploader <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly In a page/posts where the fu-upload-form shortcode is embed, simp...
WP Mega Menu < 1.4.0 - Unauthenticated Arbitrary Post Access
The plugin does not properly check for capability and CSRF due to a logic flaw, in its exporttheme and exportwpmegamenunavmenu methods, hooked to admininit. As a result, unauthenticated users can call them and access arbitrary post data, including password protected or private ones. Access an...
WP Mega Menu < 1.4.1 - Subscriber+ Arbitrary Post Access
The plugin does not properly check for capability and CSRF due to a logic flaw, in its exporttheme and exportwpmegamenunavmenu methods, hooked as AJAX actions and available to any authenticated users. As a result, low privilege authenticated users such as subscribers can call them and access...
Responsive WordPress Slider <= 2.2.0 - Reflected Cross-Site Scripting
The plugin does not escape the id parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue. Timeline: August 11th, 2021 - Details sent to vendor August 12th, 2021 - Vendor working on a patch August 24th, 2021 - Ticket put as 'solved' on vendor side due ...
Responsive WordPress Slider <= 2.2.0 - Subscriber+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, su...
Request a Quote < 2.3.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfilteredhtml capability is disallowed. As admin, put the below payloads in the related vulnerable field/s and save them there i...
St Daily Tip <= 4.7 - CSRF to Stored Cross-Site Scripting
The plugin does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to ...
Game Server Status <= 1.0 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the Game Server data, which could allow high privilege users such as admin to perform Cross-Site Scripting even when the unfiletredhtml is disallowed Create/Edit a Game Server and add the following payload as Server name: Test"alert/XSS/...
Video Gallery - Vimeo and YouTube Gallery < 1.1.5 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues Add the following payload in the Title or Description of a Video added in a List/Gallery: "onmouseover=alert/XSS/// Then view the...
Fetch Tweets <= 2.6.4 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in attributes in an admin page, leading to Reflected Cross-Site Scripting issues alert/XSS-page/' / alert/XSS-tab/' /...
Game Server Status <= 1.0 - Admin+ SQL Injection
The plugin does not validate or escape the serverid parameter before using it in SQL statement, leading to an Authenticated SQL Injection in an admin page sqlmap -u "https://example.com/wp-admin/admin.php?page=grohsfabian-add-game-servers&serverid=1" -p serverid --dbms mysql --cookie your cookie...
Game Server Status <= 1.0 - Contributor+ SQL Injection
The plugin does not validate or escape the server id shortcode attribute before using it in a SQL statement, allowing any user with a role as low as contributor to perform SQL Injection attacks As a contributor or above, put the below shortcode in a page/post and view/preview it game-servers...
Polo Video Gallery <= 1.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode Log in as contributor and add the following shortcode i...
StreamCast < 2.1.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode Log in as contributor and add the following shortcode i...
Html5 Audio Player < 2.1.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode Log in as contributor and add the following shortcode i...
WP Cookie Choice <= 1.1.0 - CSRF to Stored Cross-Site Scripting
The plugin is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack...
LearnPress < 4.1.3.1 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltredhtml capability is disallowed When adding new courses, the following fields can have XSS payloads like "alert1...
BetterDocs < 1.9.0 - Reflected Cross-Site Scripting
The plugin does not escape the tagID before outputting it back in the edit category page of the admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/term.php?taxonomy=doccategory&tagID=147"alert/XSS/...
Easy Twitter Feed < 1.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode Log in as contributor and add the following shortcode i...
Multiple Plugins from CatchThemes - Unauthorised Plugin's Setting Change
Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctpswitch AJAX action, which could allow any authenticated users, such as Subscriber to change the plugin's configurations. 1 Turn off "Turn On Catch Themes & Catch Plugin tabs" jQuery.postajaxurl,...
MainWP Child Reports < 2.0.8 - Admin+ SQL Injection
The plugin does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue https://example.com/wp-admin/options-general.php?page=mainwp-reports-page&order=+AND+SELECT+7332 FROM+SELECTSLEEP5qiXg - the web page freezes f...
Gutenberg PDF Viewer Block < 1.0.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks...
GamePress <= 1.1.0 - Reflected Cross-Site Scripting
The plugin does not escape the opedit POST parameter before outputting it back in multiple Game Option pages, leading to Reflected Cross-Site Scripting issues Affected pages: op=engines, op=perspectives, op=modes, op=genres, op=themes, op=platforms alert'xss'" document.test.submit;...
Sociable <= 4.3.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfilteredhtml capability is disallowed Put the following payload in the "Background...
WP Ticket < 5.10.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Navigate to WP Ticket Forms edit layout of "Open a Ticket" or "Search Tickets"...