4359 matches found
Page Generator < 1.5.9 - Reflected Cross-Site Scripting
The plugin does not properly escape user input before outputting it back in attributes, leading to reflected Cross-Site Scripting issues alert/XSS/' /...
WordPress to Hootsuite (< 1.3.9) & Buffer (< 3.7.5) - Reflected Cross-Site Scripting
The plugins do not properly sanitise and escape user input before outputting it back in pages and attributes, which could lead to reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=wp-to-buffer-log&s=alert/XSS/...
YITH WooCommerce Product Add-Ons < 2.1.0 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in the edit addon page in the admin dashboard, leading to Reflected Cross-Site Scripting issues v alert/XSS-id/&addontype=html"alert/XSS-type/ v 2.1.0...
One User Avatar < 2.3.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks avatar link="javascript:alertorigin" avatar target='" style="animation-name:twentytwentyone-close-button-transition"...
One User Avatar < 2.3.7 - Avatar Update via CSRF
The plugin does not check for CSRF when updating the Avatar in page where the avatarupload shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack Click...
Scroll Baner <= 1.0 - CSRF to RCE
The plugin does not have CSRF check in place when saving its settings, nor perform any sanitisation, escaping or validation on them. This could allow attackers to make logged in admin change them and could lead to RCE via a file upload as well as XSS function submitRequest var xhr = new...
WP Import Export Lite < 3.9.5 - Subscriber+ Extensions Update
The plugin does not have any CSRF and authorisation checks done in wpieextsaveextensions AJAX action. This could allow any authenticated user such as subscriber, or an unauthenticated attacker via a CSRF to set the extensions to be used by the plugin, as well as disable all of them To disabled al...
WP Import Export Lite < 3.9.5 - Subscriber+ Arbitrary Blog Options Update
The plugin does not have any CSRF and authorisation checks done in the wpieextsaveextensiondata AJAX action, nor do perform any validation on the option to be updated. As a result, any authenticated user such as subscriber, or an unauthenticated attacker via a CSRF could update any of the blog...
YITH WooCommerce Product Add-Ons < 2.1.0 - Authenticated Local File Inclusion
The plugin does not validate user input before using it to generate a local path passed to include, which could lead to a Local File Inclusion issue on Windows Web Servers https://example.com/wp-admin/admin.php?page=yithwapopanel&tab=blocks&blockid=1&addonid=1&addontype=html%2F..%2Fhello...
BetterDocs 1.9.0-1.9.1 - Reflected Cross-Site Scripting
The plugin does not escape the daterange parameter before outputting it back in the All docs admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=betterdocs-admin&daterange="alert/XSS/...
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
The plugin does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. Put the following payload in the QR setting: "alert/XSS/ The XSS will be triggered in the plugin's...
Tutor LMS < 1.9.9 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Plugin's Settings General "Error message for...
BulletProof Security < 5.2 - Sensitive Information Disclosure
The plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible /dbbackuplog.txt file which grants attackers the full path of the site, in addition to the path of database backup files...
Find My Blocks < 3.4.0 - Private Post Titles Disclosure
The plugin does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. Create a private post with at least one Gutenburg paragraph block and go to https://example.com/wp-json/find-my-blocks/blocks/?name=core/paragraph...
PDF Light Viewer < 1.4.12 - Authenticated Command Injection
The plugin allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript. 1 Go to Import PDF. 2 Select PDF file. 3 Set compression as 60 | calc | echo 4 Toggle import the first checkbox 5 Publish or update 6 Command executes...
PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfilteredhtml is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue. Timeline July 12th, 2021 - Vendor...
Dflip Lite < 1.7.10 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks dflip class='"...
Compact WP Audio Player < 1.9.7 - Setting Change via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack. csrf.submit...
SEO Redirection < 7.9 - Arbitrary Redirect Deletion via CSRF
The plugin does have CSRF in place, allowing attackers to make logged in admin delete arbitrary Custom and Post Redirects via a CSRF attack. v...
Compact WP Audio Player < 1.9.7 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. scembedplayer fileurl='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alertorigin//'...
Podcast Subscribe Buttons < 1.4.2 - Contributor+ Stored XSS
The plugin allows users with any role capable of editing or adding posts to perform stored XSS. Add the below payload as a shortcode block: podcastsubscribe alignment='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alertorigin//'...
Shared Files < 1.6.57 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. Put the following payload in the "Folder for new files" and "Maximum size of uploaded file" settings of the plugin: "alert/XSS/...
SEO Redirection < 7.4 - Reflected Cross-Site Scripting
The plugin does not escape the tab parameter before outputting it back in JavaScript code, leading to a Reflected Cross-Site Scripting issue " / " /...
Quiz And Survey Master < 7.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Quiz Url Slug setting: "alert/XSS/ Create ...
Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF
The delreistereddomains AJAX action of the plugin does not have any CSRF checks, and is vulnerable to a CSRF attack https://example.com/wp-admin/admin-ajax.php?action=delreistereddomain&id=1...
Affiliate Power < 2.3.0 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter in its Affiliate Power Sales dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection
The plugin allows unauthenticated users to perform SQL injection via the aysfinishpoll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash. This requires a valid nonce, which can be obtained by going to a...
EditorsKit < 1.31.6 - Contributor+ Arbitrary PHP Code Execution
The plugin does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code As a contributor, create/edit a post and put the below code while in Code Editor mode: \naa\n Save or Preview the page,...
Avada < 7.4.2 - Reflected Cross-Site Scripting
Description The theme does not properly escape bbPress searches before outputting them back as breadcrumbs, leading to a Reflected Cross-Site Scripting issue. https://theme-fusion.com/forums/search/z--FAIL/...
Simple Social Media Share Buttons < 3.2.4 - Authenticated Stored Cross-Site Scripting
The plugin does not escape the Share Title settings before outputting it in the frontend pages or posts depending on the settings used, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Sha...
Comments - wpDiscuz < 7.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Timeline: May 18th, 2021 - Vendor...
Download from files <= 1.48 - Unauthenticated Arbitrary File Upload
The downloadfromfiles617fileupload AJAX action f the plugin, available to both unauthenticated and authenticated users does not properly restrict the files to be uploaded, which could allow unauthenticated users to upload PHP4 files for example POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Coming Soon and Maintenance Mode < 3.5.3 - Authenticated Stored XSS
The plugin does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS. Open the Coming Soon plugin's settings Coming Soon - Coming Soon Click on the "Title" section Inject XSS payload into the...
Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS
The plugin does not properly sanitize values used when creating new calendars. Open the Appointment Hour Booking Tab. Enter XSS payload like "alertdocument.location in new calendar name field. and click on "add new" button. Go back to the Appointment Hour Booking Tab and select "Publish" for any...
Easy Accordion < 2.0.22 - Authenticated Stored XSS
The plugin does not properly sanitize inputs when adding new items to an accordion. When adding new items to an accordion, an injection payload of "" for an accordion item's title will result in XSS in the wp-admin page as well as on pages that show the accordion...
Chained Quiz < 1.2.7.2 - Authenticated Stored Cross Site Scripting
The plugin does not properly sanitize or escape inputs in the plugin's settings. Open "Chained Quiz Social Sharing" in the WP admin panel. Under title field enter the payload : "alertdocument.domain Click on Save All Setting and the XSS will fire every time the Social Sharing page is loaded...
WP Sitemap Page < 1.7.0 - Admin+ Stored Cross Site Scripting
The plugin does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payloads in the mentioned settings of the plugin: - How to display the pos...
Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting
The plugin does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue. v1.3.4 fixed the CSRF, but not the sanitisation/escaping fully. Another issue has been created for it To have the XSS only trigger...
Weather Effect < 1.3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not properly validate and escape some of its settings like sizeleaf, flakesleaf, speed which could lead to Stored Cross-Site Scripting issues POST /wp-admin/admin.php?page=weather-effects-setting HTTP/1.1 Accept: text/html, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding...
User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting
The plugin does not properly sanitise the userregistrationprofilepicurl value when submitted directly via the userregistrationupdateprofiledetails AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed 1. Login a...
CM Tooltip Glossary < 3.9.21 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some glossarytooltip shortcode attributes, which could allow users a role as low as Contributor to perform Stored Cross-Site Scripting attacks glossarytooltip dashicon='" style="animation-name:twentytwentyone-close-button-transition"...
uListing < 2.0.9 - Arbitrary Blog Option Update via CSRF
The plugin does not have CSRF check in the uListingimportlayout function, nor perform any validation on the option/post meta key to update to ensure it belongs to the plugin. As a result, attackers could make a logged in admin change any of the blog option such as siteurl, blogname etc as well as...
UsersWP < 1.2.2.29 - Reflected Cross-Site Scripting
The plugin sanitises user input via sanitizetextfield but do not escape it before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues On the reset page made by the plugin: https://example.com/reset/?key=a&login=%22accesskey=X%20onclick=alert1%20b=%22...
My Chatbot <= 1.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its tab parameter in the Settings page before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/options-general.php?page=my-chatbot&tab=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E...
PublishPress Editorial Calendar < 3.5.1 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=pp-content-overview&orderby="alert/XSS-orderby/&order="alert/XSS-order/...
Better Find and Replace < 1.2.9 - Reflected Cross-Site Scripting
The plugin does not escape the 's' GET parameter before outputting back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=cs-all-masking-rules&s=alert/XSS/...
Bitcoin / AltCoin Payment Gateway for WooCommerce < 1.6.1 - Reflected Cross-Site Scripting
The plugin does not escape the 's' GET parameter before outputting back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=cs-woo-altcoin-all-coins&s="alert/XSS/...
Enfold Theme < 4.8.4 - Reflected Cross-Site Scripting (XSS)
The Enfold theme was vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder. The issue appears when pagination comes in place while navigating on a WordPress site with Enfold theme active. When that occurs,...
ELEX WooCommerce Google Shopping < 1.2.4 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the search GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue, which will be executed in a logged in admin context https://example.com/wp-admin/admin.php?page=elex-product-feed-manage&search="alert/XSS/...
Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Go to the plugin Settings Messages Taxonomies...