Woomotiv < 3.5.0 - Review Count Reset via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'ajaxcancelreview' function. This makes it possible for unauthenticated attackers to reset the site's review count via a forged request granted they can trick a site administrato...
WPB Show Core < 2.6 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Click SendPress in the Admin menu...
WPB Show Core < 2.7 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting. Open an HTML file containing the following: alert/XSS/' / var form1 = document.getElementById'hack'; form1.submit...
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Form Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Click SendPress which is available ...
BackWPup < 4.0.4 - Unauthenticated Backup Download
Description The plugin does not prevent visitors from leaking key information about ongoing backups, allowing unauthenticated attackers to download backups of a site's database. 1 Ensure that Apache is configured with the ability to list directory content. 2 When this is done, you can see the...
WPB Show Core < 2.7 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users...
Font Farsi <= 1.6.6 - Admin+ Stored XSS in Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to...
Inline Related Posts < 3.5.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Put the following payload in the CSS margin-top settings: 0 em" onmouseover=alert/XSS/// Th...
Gutenberg Blocks by Kadence Blocks < 3.2.26 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor or above, edit a post in...
Gutenberg Blocks by Kadence Blocks < 3.2.26 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor or above, edit a post in...
Malware Scanner < 4.7.3 and Web Application Firewall < 2.1.2 - Unauthenticated Privilege Escalation
Description The plugin does not prevent unauthenticated users from resetting any account's password, allowing them to takeover sites by resetting one of its administrators' password. curl --url 'http://vulnerable-site.tld/wp-login.php' --data...
WooCommerce Cart Abandonment Recovery < 1.2.27 - Templates/Abandoned Orders Deletion via CSRF
Description The plugin does not have a CSRF check in its bulk actions, which could allow attackers to make logged in admins delete arbitrary email templates as well as delete and unsubscribe users from abandoned orders via CSRF attacks. Make a logged in admin open one of the URLs below - To make th...
WP Statistics < 14.5.1 - Unauthenticated Stored Cross-Site Scripting
Description The plugin does not properly escape visited URLs which are reflected on the plugin's dashboard. Visit one same page multiple times so it makes it to the most visited pages, adding the following "utmid" parameter to it:...
WooCommerce < 8.4.0 - Reflected Cross-Site Scripting
Description The plugin does not properly sanitize user input provided by the add_query_arg function when echoed back into a JavaScript code context. http://vulnerable-site.tld/wp-admin/edit-comments.php?%27;alert1//...
Contact Form 7 < 5.9.2 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators...
Page Builder Gutenberg Blocks < 3.1.7 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Create/Edit a Post, add an "Icon" block and...
WooCommerce Product Filter < 1.4.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. As an admin, create a filter...
WooCommerce Product Filter < 1.4.4 - Filter Deletion via CSRF
Description The plugin does not have a CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via a CSRF attack, granted they know the related filter slugs. Make a logged in admin open the URL below to make them delete the filter with the slug test1...
Hubbub Lite < 1.33.1 - Unauthenticated Password Protected Posts Access
Description The plugin does not ensure that users have access to a password protected post before displaying its content in a meta tag. When the "Disable Open Graph Meta Tags" setting of the plugin is disabled, view the source of a password protected post and note its content being disclosed in the...
WooCommerce Product Filter < 1.4.4 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open the URL below; the filter with the slug test1 needs to exist...
My Calendar < 3.4.24 - Authenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks, depending on the permissions set by the admin. 1. Use any role as long as it is permitted to Add Events. 2. Add a n...
Pz-LinkCard < 2.5.3 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open a page containing the code below ' /...
Pz-LinkCard < 2.5.3 - Contributor+ SSRF
Description The plugin does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks. Set up a listener on a localhost/LAN host such as nc -l 127.0.0.1 9000, then as a contributor, put the followi...
Pz-LinkCard < 2.5.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Put the following payload in the "Class ID to be Added for PC" setting of the plugin...
Backup and Restore WordPress < 1.50 - Unauthenticated Sensitive Data Exposure
Description The plugin does not protect some log files containing sensitive information such as site configuration, allowing unauthenticated users to access such data. 1 There is a lot of sensitive data and, most importantly, you can download these logs to your machine and read them. These files...
Testimonial Slider < 2.3.7 - Author+ Settings Update
Description The plugin does not properly ensure that a user has the necessary capabilities to edit certain sensitive plugin settings, making it possible for users with at least the Author role to edit them. 1 Go to a page where one of the sliders is already in use and intercept the nonce tss 2...
CM Download and File Manager < 2.9.1 - Download Edit via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins edit downloads via a CSRF attack. Make an admin open an HTML file containing the following:...
CM Download Manager < 2.9.0 - Download Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins delete downloads via a CSRF attack. Make an admin open the URL below https://example.com/cmdownload/del/id/...
CM Download and File Manager < 2.9.0 - Download Unpublish via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins unpublish downloads via a CSRF attack. Make an admin open the URL below https://example.com/cmdownload/unpublish/id/...
Schema Pro < 2.7.16 - Contributor+ Custom Field Access
Description The plugin does not validate post access, allowing a contributor user to access custom fields on any post regardless of post type or status via a shortcode. As a contributor, add/edit a post and embed aiosrsprocustomfield postid="ANYPOSTID" fieldkey="ANYMETAKEY" and specify/guess any po...
LiteSpeed Cache < 5.7.0.1 - Unauthenticated Stored XSS
Description The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nameservers' and 'msg' parameters due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user...
Simple Ajax Chat < 20240223 - Unauthenticated Stored XSS
Description The plugin does not prevent visitors from using malicious names when using the chat, which will be reflected unsanitised to other users. await fetch"http://vulnerable-site.tld/wp-content/plugins/simple-ajax-chat/simple-ajax-chat-core.php?sacSendChat=yes", "credentials": "include",...
System Dashboard < 2.8.10 - XSS via Header Injection
Description The plugin does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks. X-Forwarded-For: 11.11.11.11alert1...
Booking Calendar < 1.3.83 - CSRF appointment scheduling
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying. input type="s...
Travelpayouts < 1.1.17 - Open Redirect
Description The plugin is vulnerable to Open Redirect due to insufficient validation on the travelpayoutsredirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action...
Payment Gateway for Telcell < 2.0.4 - Unauthenticated Open Redirect
Description The plugin does not validate the apiurl parameter before redirecting the user to its value, leading to an Open Redirect issue. https://localhost/wp-admin/admin.php?page=wc-settings&action=redirecttelcellform&apiurl=https://www.google.com...
Profile Box Shortcode And Widget < 1.2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. When creating a new widget, insert the...
Grid Shortcodes < 1.1.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. GDCrow GDCcolumn size='"...
Team Members < 5.3.2 - Author+ Stored XSS
Description The plugin does not validate and escape some of its Team options attributes before outputting them back in a page/post where the related shortcode is embedded, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks. 1. Create/edit a team and...
Responsive Pricing Table < 5.1.11 - Author+ Stored XSS
Description The plugin does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the related shortcode is embedded, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks. - Create a new Pricing Table...
Ultimate Member 2.1.3 - 2.8.2 - Unauthenticated SQL Injection
Description The plugin does not sanitize and escape the sorting parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks when the "Enable custom table for usermeta" option is enabled. Requirement: "Enable custom table for usermeta" option to be...
Widget for Social Page Feeds < 6.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Create a new Facebook like widget. ...
Jobs for WordPress < 2.7.4 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. 1. As a Contributor, navigate to "Add new position" 2. On the page to create a post, in the "Working Hours" add: 3. When a...
Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. otwshortcodetabslayout tabs="2"...
Scalable Vector Graphics (SVG) <= 3.4 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to see the XSS...
Advanced Social Feeds Widget & Shortcode <= 1.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. When creating a new widget, insert the...
Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset
Description The plugin does not have an authorisation check when resetting its database, allowing any authenticated user, such as a subscriber, to perform this action. Log in as a subscriber, access the Diagnostic tab of the plugin /wp-admin/admin.php?page=enjoyinstagrampluginoptions&tab=diagnostic and click...
Enjoy Social Feed <= 6.2.2 - Unauthenticated Arbitrary Instagram Account Unlinking
Description The plugin does not have authorisation and CSRF checks in various functions hooked to admin_init, allowing unauthenticated users to call them and, for example, unlink arbitrary users' Instagram accounts. As an unauthenticated user, open the following URL to unlink the Instagram account of the user with ID ...
Backup Bolt < 1.4.0 - Sensitive Data Exposure
Description The plugin is vulnerable to Information Exposure via the unprotected access of debug logs. This makes it possible for unauthenticated attackers to retrieve the debug log which may contain information like system errors which could contain sensitive information. Access the error log at...