4359 matches found
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update
The plugin does not have proper access control when updating a timeslot, allowing any user with the editposts capability contributor+ to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with...
OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion
The plugin does not enforce path validation, authorisation and CSRF checks in the omgfajaxemptydir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server. As an authenticated user, with a role as low as subscriber, viewing the admin the dashboard...
Simple School Staff Directory <= 1.1 - Admin+ Arbitrary File Upload
The plugin does not validate uploaded logo pictures to ensure that are indeed images, allowing high privilege users such as admin to upload arbitrary file like PHP, leading to RCE As admin, upload a PHP file via the Add Logo page of the plugin...
Fonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType combined with content, align, color, variant and fontID argument of a Gutenberg block. As a contributor, put the...
OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API
The plugin does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website. Access the URL below as unauthenticated...
Timetable and Event Schedule by MotoPress < 2.4.0 - Arbitrary User's Hashed Password/Email/Username Disclosure
The plugin outputs the Hashed Password, Username and Email Address along other less sensitive data of the user related to the Even Head of the Timeslot in the response when requesting the event Timeslot data with a user with the editposts capability. Combined with the other Unauthorised Event...
Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS
The plugin allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design like subutton's onclick attribute...
Limit Login Attempts < 4.0.50 - Unauthenticated Stored Cross-Site Scripting
The plugin does not escape the IP addresses which can be controlled by attacker via headers such as X-Forwarded-For of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue. POST /wp-login.php HTTP/1.1 Accept:...
Comment Link Remove and Other Comment Tools < 2.1.6 - Arbitrary Comment Deletion via CSRF
The plugin does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments POST /wp-admin/admin.php?page=comment-link-remove HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8...
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Deletion
The plugin does not have proper access control when deleting a timeslot, allowing any user with the editposts capability contributor+ to delete arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be performed via CSRF against a logged in wit...
Timetable and Event Schedule by MotoPress < 2.3.19 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s Create an event with the following payload in the description of a timeslot: The XSS will be execute...
Post Views Counter < 1.3.5 - Authenticated Stored XSS
The plugin does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfilteredhtml capability is disallowed Put the following payload in the Post Views Label settings of the plugin...
WP iCommerce <= 1.1.1 - Authenticated (contributor+) SQL Injection
The Orders functionality in the plugin has an orderid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors GET...
WP-Board <= 1.1 (beta) - Unauthenticated SQL Injection
The options.php file of the plugin accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it take...
WP Domain Redirect <= 1.0 - Authenticated SQL Injection
The Edit domain functionality in the plugin has an editid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. POST /wp-admin/admin.php?page=add&action=edit&id=1 HTTP/1.1 Content-Length: 102 Cache-Control: max-age=0...
GSEOR <= 1.3 - Authenticated SQL Injection
A pageid GET parameter of the plugin is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=gseor.php&search=1&pageid=1%20AND%20SELECT%206449%20FROM%20SELECTSLEEP5wwdQ HTTP/1.1 Cache-Control: max-age=0...
Responsive 3D Slider <= 1.2 - Authenticated SQL Injection
The Add new scene functionality in the plugin uses an id parameter which is not sanitised, escaped or validated before being inserted to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 secon...
WordPress Page Contact <= 1.0 - Authenticated (editor+) SQL Injection
The Orders functionality in the plugin has an orderid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors POST /wp-admin/admin.php?page=wpagecontact-plugin HTTP/1...
Display users <= 2.0.0 - Authenticated SQL Injection
The Edit Role functionality in the plugin had an id parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=display-users&tab=manage-role&action=edit&id=-4476+UNION+ALL+SELECT+NULL%2Cuser%28%29%2CNULL--+-...
Create WooCommerce Product Feeds For 40+ Merchants < 3.3.1.0 - Authenticated SQL Injection
The fetchproductajax functionality in the plugin uses a productid POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 162 Accept: / X-Requested-With: XMLHttpReque...
The Sorter <= 1.0 - Authenticated SQL Injection
The checkorder function of the plugin uses an areaid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=thesorterareas&areaid=1%20AND%20SELECT%207667%20FROM%20SELECTSLEEP5DWBj HTTP/1.1 Cache-Control:...
MicroCopy <= 1.1.0 - Authenticated SQL Injection
The edit functionality in the plugin makes a get request to fetch the related option. The id parameter used is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET...
Donate With QRCode < 1.4.5 - Stored Cross-Site Scripting
The plugin does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting XSS. Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user as low as subscriber, or unauthenticat...
Donate With QRCode <= 1.4.5 - Plugin's Setting Update via CSRF
The plugin does not have CSRF check in place when saving its settings, which could allow attackers to make a logged in admin update them...
ThinkTwit < 1.7.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape its "Consumer key" setting before outputting it its settings page, leading to a Stored Cross-Site Scripting issue. Put the following payload in the "Consumer key" setting of the plugin /wp-admin/options-general.php?page=thinktwit: - v alert/XSS/ - v 1.7.1 : "...
Print My Blog < 3.4.2 - Plugin Deactivation via CSRF
The plugin does not enforce nonce CSRF checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link...
Jock on air now < 5.6.3 - Authenticated Stored Cross-Site Scripting
The plugin does not properly sanitise and escape some Show parameters before outputting them in pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Vulnerable parameters: linkURL some validation is done and...
Jock on air now < 5.6.2 - Arbitrary Plugin's Settings Update via CSRF
The plugin does not have CSRF check in place when saving its settings, allowing attackers to make logged in admin change them to arbitrary values via a CSRF attack...
Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls
The plugin does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user such as subscriber to call them and 1 Get and search through title and content of Draft post, 2 Get title of a password-protected post as...
Jock on air now < 5.6.2 - Reflected Cross-Site Scripting
The plugin does not escape the $SERVER'PHPSELF' before outputting it back in an attribute in its settings, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php/"alert/XSS//?page=joansettings...
Gutenslider < 5.2.0 - Contributor+ Stored XSS
The plugin does not escape the minWidth attribute of a Gutenburg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks As a contributor or above, create/edit a post, put the below code while in Code Editor mode, and view/preview the post The...
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Missing Access Controls
The plugin performs incorrect checks before allowing any logged in user to perform some ajax based requests, allowing any user to modify, delete or add ultpoptions values. You can run this from a browser's javascript console:...
MF Gig Calendar <= 1.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue...
Fileviewer <= 2.2 - Arbitrary File Upload/Deletion via CSRF
The plugin does not have CSRF checks in place when performing actions such as upload and delete files. As a result, attackers could make a logged in administrator delete and upload arbitrary files via a CSRF attack To delete /phpinfo.php:...
Shopp eCommerce <= 1.4 - Unauthenticated Arbitrary File Upload
The shoppuploadfile AJAX action of the plugin, available to both unauthenticated and authenticated user does not have any security measure in place to prevent upload of malicious files, such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE...
SP Project & Document Manager < 4.26 - Reflected Cross-Site Scripting
The plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the /functions.php file which allows attackers to inject arbitrary web scripts https://example.com/wp-admin/admin.php?page=sp-client-document-manager&from=" style=animation-name:rotation...
Email Artillery <= 4.1 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise, validate or escape some user input before outputting back in pages leading to Reflected Cross-Site Scripting issues which will be executed in the context of a logged in admin...
WP Courses LMS < 2.0.44 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/admin.php?page=managestudents&courseid=1&studentid="alert/XSS/...
Afterpay Gateway for WooCommerce < 3.2.1 - Reflected Cross-Site Scripting
The plugin has sample files form the https://github.com/afterpay/sdk-php library, which do not escape some parameters before outputting them in attributes, leading to Reflected Cross-Site Scripting issues...
WP Courses LMS < 2.0.44 - Authenticated Stored XSS via Video Embed Code
The plugin does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfilteredhtml capability is disallowed, which could lead to Stored Cross-Site Scripting issues 1. On the dashboard, navigate to WP Courses Courses Add New Video...
WordPress Advanced Ticket System < 1.0.64 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitize or escape form values before saving to the database or when outputting, which allows high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Navigate to Tickets Add New add all information on the title, post,...
Email Artillery <= 4.1 - CSRF to Stored XSS
The plugin does not sanitise, validate or escape its settings, and is lacking any CSRF check before saving them. As a result, an attacker could make a logged in admin change them and put malicious JavaScript code as well, leading to Stored Cross-Site Scripting issues. alert/XSS/' /...
Email Artillery <= 4.1 - Multiple Authenticated SQL Injections
The plugin does not sanitise, validate or escape some user input before using it in SQL statements in the admin dashboard, leading to SQL Injections https://example.com/wp-admin/admin.php?page=etmbu-all-posts&s=yes&postid=1%20AND%20SELECT%2042%20FROM%20SELECTSLEEP5aa...
SEOPress 5.0.0 – 5.0.3 - Authenticated Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the /src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $outp...
Simple eCommerce <= 2.2.5 - Arbitrary File Upload
The plugin does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE...
Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
The plugin does not sanitise or escape the feedID POST parameter in its feedlocator AJAX action available to both authenticated and unauthenticated users before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will ...
CBX Bookmark & Favorite < 1.6.9 - Reflected Cross-Site Scripting
The plugin does not escape a page parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues alert/XSS/' / alert/XSS/' /...
Language Bar Flags <= 1.0.8 - CSRF to Stored XSS
The plugin does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in t...
Email Artillery <= 4.1 - Arbitrary File Upload
The plugin does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denyin...
Amazon Auto Links < 4.6.20 - Reflected Cross-Site Scripting
The plugin does not escape some parameters before outputting them back in attributes in an admin page, leading to Reflected Cross-Site Scripting issues alert/XSS-page/' / alert/XSS-tab/' /...