4359 matches found
Appointment Hour Booking < 1.3.16 - Authenticated Stored Cross-Site Scripting
The plugin does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Create a new Calendar Appointment Hour Booking Add new Put the following payload in the Form Settings...
Media File Renamer - Auto & Manual Rename < 5.2.7 - Media Title/Filename/Locking State Update via CSRF
The plugin does not have CSRF in place, which could allow attacker to make a logged in admin change arbitrary uploaded media title, filename, as well as locking state via a CSRF attack Notes: - We were unable to reproduce the issue from an attacker point of view, the endpoints are expecting JSON...
Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections
The plugin does not escape multiple POST parameters such as statuscode, department, userid, conversationid, conversationstatuscode, and recipientid before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. The login-cookie parameter is needed,...
Easy Social Icons < 3.1.3 - Reflected Cross-Site Scripting
The plugin does not escape user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues Affected parameters: width, height, margin, attrid, attrclass alert/XSS/' /...
GeoDirectory < 2.1.1.3 - Authenticated (admin+) Stored Cross-Site Scripting (XSS)
The GeoDirectory plugin was vulnerable to Authenticated admin+ Stored Cross-Site Scripting XSS. POST /wp-admin/admin.php?page=gd-settings&tab=general§ion=location HTTP/1.1 ..SNIP.. Content-Disposition: form-data; name="defaultlocationlatitude" prompt/XSS/ ..SNIP...
Meow Gallery < 4.1.9 - Contributor+ SQL Injection
The plugin does not sanitise, validate or escape the ids attribute of its gallery shortcode available for users as low as Contributor before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that...
Meow Gallery < 4.2.0 - Unauthorised Arbitrary Options Update via REST API
The plugin does not properly check for capability in its REST API, allowing - Any authenticated user with the uploadfile capability such as author+ to call them in versions before 4.1.9 - Any unauthenticated user to call them except the restallsettings endpoint, in 4.1.9 One endpoint in...
XO Event Calendar < 2.3.7 - Reflected Cross-Site Scripting
The plugin does not escape the selected-name parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/edit.php?posttype=xoevent&page=xo-event-holiday-settings&selected-name="alert/XSS/...
WooCommerce Dynamic Pricing & Discounts < 2.4.2 - Unauthenticated Settings Export
The plugin does not have authorisation check on its export feature, allowing unauthenticated users to export them. https://example.com/?rpwcdpdexportsettings=1...
Software License Manager < 4.5.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape its License Key Prefix setting before outputting it in the Add/Edit Licenses page, leading to an Authenticated Stored Cross-Site Scripting issue Go the plugin’s settings and add "alert/XSS/ as a License Key Prefix Then go the the Add/Edit Licenses page to...
CF Geo Plugin < 7.13.12 - Reflected Cross-Site Scripting
The plugin does not escape the some parameter before outputting them back in admin pages, leading to a Reflected Cross-Site Scripting issue POST /wp-admin/admin.php?page=cf-geoplugin-activate HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language...
qTranslate X <= 3.4.6.8 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, allowing high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Affected POST Parameters: - Settings Languages Languages:...
underConstruction < 1.19 - Reflected Cross-Site Scripting
The plugin does not escape the PHPSELF before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php/"alert/XSS//?page=under-construction...
User Activity Log < 1.4.7 - Reflected Cross-Site Scripting
The plugin does not escape the txtsearch parameter before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=useractionlog&txtsearch=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F...
WP Statistic < 13.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape various user input before outputting it back in pages, which could lead to Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=wpsreferrerspage&referr="alert/XSS/...
CoolClock < 4.3.5 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some shortcode attributes, allowing users with a role as low as Contributor toperform Stored Cross-Site Scripting attacks As a user with a role as low as contributor, put the following shortcode in a post/page and view/preview it to trigger the XSS which is specific to...
User Activity Log < 1.4.7 - Reflected Cross Site Scripting via Query String
The plugin does not escape the $SERVER'QUERYSTRING' before outputting it back in attributes, which could lead to Reflected Cross-Site Scripting in web browsers which do not encode URL characters. With a web browser which does not encode characters or use burp suite and decode the URL via the...
Countdown Block < 1.1.2 - Missing Authorisation in AJAX action
The plugin does not have authorisation in the ebwriteblockcss AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users. v1.1.1 attempt to fix the issue was incomplete, still allowing it to be exploited via a CSRF attack on an admin due to a...
Easy Social Icons < 3.0.9 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'PHPSELF' input before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php/alert/XSS//?page=cnsssocialiconpage...
TranslatePress < 2.0.9 - Authenticated Stored Cross-Site Scripting
The plugin does not implement a proper sanitisation on the translated strings. The 'trpsanitizestring' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues. As admin...
Cookie Notice & Compliance for GDPR / CCPA < 2.1.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfilteredhtml capability is disallowed. Put the following payload in the Button text setti...
Docket Cache < 21.08.02 - Reflected Cross-Site Scripting
The plugin does not escape some filter parameters when the OPCache Viewer is enabled before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=docket-cache-opcviewer&idx=opcviewer&s=a&sf="alert/XSS-sf/&sm="alert/XSS-sm/...
Multiple Plugins from miniorange - Reflected Cross-Site Scripting via appId
The plugins do not escape the appId parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=mooauthsettings&tab=config&appId="alert/XSS/...
Premium Addons for Elementor < 4.5.2 - Subscriber+ Arbitrary Blog Option Update
The plugin does not have any CSRF and authorisation checks in the padismissadminnotice AJAX action, available to any authenticated users, and do not validate the option key to ensure the option to update belongs to the plugin. As a result, any authenticated user, such as subscriber can update...
Duplicate Page < 4.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. The attempt to fix the issue in 4.4.2 is insufficient and...
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Contributor+ Stored Cross-Site Scripting
The plugin allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's block. PoC can be entered with code editor the example below uses Taxonomy block; all blocks are vulnerable:...
Woffice < 4.0.2 - Unauthenticated Disclosure of Notification Titles
The theme lacks authentication checks before returning the titles of notifications between the site's users. Any request to the wofficeNotificationGet ajax endpoint will return titles of notifications sent between users. Example:...
Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting
Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to a Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vxdebug GET parameter...
PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Contributor+ Stored Cross-Site Scripting
The plugin, with Saved Templates Addon enabled, allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's shortcode. Create a page as any user with the following shortcode block: gutenbergpostblocks id='a"...
PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Private Content Disclosure
The plugin, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID. If the post 1234, created by other users, is set as private, save gutenbergpostblocks id="1234...
Contact Form 7 Zoho < 1.1.8 - Reflected Cross-Site Scripting
The plugin does not escape some of its filters before outputting them back in the admin dashboard, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=vxcfzoho&tab=logs&startdate="alert/XSS-startdate/&enddate="alert/XSS-enddate/...
WP Map Block < 1.2.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape some attributes of the WP Map Block, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks - As a contributor, add a WP Map Block to a post/page - Click "Show more settings" - Scroll the sidebar and click "Map Marker" -...
Multiple Plugins - Reflected Cross-Site Scripting via PHPRelativePath Library
The plugins are using the PHPRelativePath library, which contain an example file affected a Reflected Cross-Site Scripting POST /wp-content/plugins/mpl-publisher/vendor/grandt/relativepath/RelativePath.Example1.php HTTP/1.1 Accept:...
Responsive Poll < 1.5.9 - Reflected Cross-Site Scripting
The TotalSoftPoll1Vote AJAX action available to both unauthenticated and unauthenticated users outputs the invalid nonce without escaping it first, leading to a Reflected Cross-Site Scripting issue. The issue was fixed in 1.5.5, however additional sanitisation and escaping was done in 1.5.5 to...
Block and Stop Bad Bots < 6.62 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issues POST /wp-admin/admin.php?page=sbbmy-custom-submenu-page HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8...
MX Time Zone Clocks < 3.4.1 - Contributor+ Cross-Site Scripting
The plugin does not escape the timezone attribute of the mxmtzctimezoneclocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks mxmtzctimezoneclocks timezone='"+alertXSS-timezone+"'...
Contact Form Entries < 1.2.1 - Reflected Cross-Site Scripting
The plugin does not escape some of its filters before outputting them back in the admin dashboard, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=vxcfleads&tab=entries&startdate="alert/XSS-startdate/&enddate="alert/XSS-enddate/...
TextME SMS < 1.8.9 - Authenticated Stored XSS
The plugin does not escape its settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Account Username or Password settings of the plugin: " style=animation-name:rotation...
Coupon Affiliates for WooCommerce < 4.11.0.2 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter in its Referral Visits dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Live Scores for SportsPress < 1.9.1 - Authenticated Local File Inclusion
The plugin does not validate or sanitise the tab parameter in the admin dashboard before using it in an include statement, leading to an Authenticated Local File Inclusion https://example.com/wp-admin/admin.php?page=live-scores-for-sportspress&tab=../../index This will include the homepage of the...
Recipe Card Blocks < 2.8.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not properly sanitise or escape some of the properties of the Recipe Card Block such as ingredientsLayout, iconSet, steps, ingredients, recipeTitle, or settings, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. As a...
Live Scores for SportsPress < 1.9.1 - Reflected Cross-Site Scripting
The plugin does not sanitise the lsfsmatchdate parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/edit.php?posttype=spevent&page=lsfs-live-matches&lsfsmatchdate="alert/XSS/...
SMTP Mail < 1.2 - Reflected Cross-Site Scripting (XSS)
The plugin does not escape its page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue alert/XSS/' /...
Recipe Card Blocks < 2.8.1 - Reflected Cross-Site Scripting
The plugin does not escape the message parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/index.php?slactivation=false&message=%3Cscript%3Ealertorigin%3C%2Fscript%3E...
SMTP Mail < 1.2.2 - Authenticated SQL Injections
The plugin does not properly validate or escape the order and orderby parameters before using them in SQL statements, leading to SQL Injections in the admin dashboard...
Contact List < 2.9.42 - Reflected Cross-Site Scripting
The plugin does not escape the cardheight parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/edit.php?posttype=contact&page=contact-list-printable&cardheight="alert/XSS/...
Booster for WooCommerce < 5.4.4 - Authentication Bypass
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the processemailverification function due to a random token generation weakness in the resetandmailactivationlink function found in the...
Podlove Podcast Publisher < 3.5.6 - Unauthenticated SQL Injection
The plugin contains a 'Social & Donations' module not activated by default, which adds the rest route '/services/contributor/?P\d+, takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi. With the 'Social & Donations' module of the plugin activated. Permali...
WP Video Lightbox < 1.9.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks videolightboxvimeo5 videoid='"onmouseover=alert/XSS/ b="' width="640" height="480" anchor="Click here to open vimeo video" videolightboxvimeo5...
Gallery Blocks with Lightbox < 2.2.1- Authenticated Stored Cross-Site Scripting
A stored cross-site scripting vulnerability has been discovered in : Simply Gallery Blocks with Lightbox Version – 2.2.0 & below . The vulnerability exists in the Lightbox functionality where a user with low privileges is allowed to execute arbitrary script code within the context of the...