4359 matches found
ShareThis Dashboard for Google Analytics < 2.5.2 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the 'gaaction' parameter in the stats view before outputting it back in an attribute when the plugin is connected to a Google Analytics account, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in...
Business Hours Indicator < 2.3.5 - Authenticated Stored XSS
The plugin does not sanitise or escape its 'Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue Put the following payload in the "Now closed message" setting and save them: alert/XSS/ Then refresh the setting...
VDZ Google Analytics or Google Tag Manager / GTM < 1.6.0 - Authenticated Stored XSS
The plugin does not escape its Google Analytics ID settings, allowing high privilege users such as admin to perform XSS attacks even when the unfilteredhtml capability is disallowed. The issue was introduced in v1.5.0, fixed in 1.5.4, then re-introduced in 1.5.5 and fixed in 1.6.0 Put the followi...
WP Dialog <= 1.2.5.5 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Put the following payload in the Welcome message stcontent parameter of the...
JiangQie Official Website Mini Program < 1.1.1 - Authenticated SQL Injection
The plugin does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues https://example.com/wp-admin/admin.php?page=jiangqieowfreefeedback&action=detail&id=1+AND+%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29a%29 Could also make a logged i...
WordPress Download Manager < 3.1.25 - Authenticated Directory Traversal
Authenticated Directory Traversal in WordPress Download Manager Add New. Name the post, and intercept the request when you Submit for Review no file needs to be uploaded. In the filepagetemplate parameter, swap out page-template-1col-flat.php for “\../../../../../wp-config.php” Then preview the...
Alojapro Widget < 1.1.16 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following code in the Custom CSS settings of the plugin setTimeout"alert'1'",3000...
Splash Header < 1.20.8 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. Put the following payload in the "Note title" and "Note message" settings of the plugin: "alert/XSS-Title/ and alert/XSS-Msg/ Th...
FluentSMTP < 2.0.1 - Authenticated Stored XSS
The plugin does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cross site scripting XSS vulnerability. Only users with roles capable of managin...
Post Index <= 0.7.5 - CSRF to Stored XSS
The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the /php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5. CSRF PoC alert1;" / iframe src="x" width="1" height="1"...
Poll Maker < 3.2.9 - Reflected Cross-Site Scripting
The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the /admin/partials/settings/poll-maker-settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8...
Admin Custom Login < 3.2.8 - CSRF to Stored XSS
The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the /includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7. input...
SEO Backlinks <= 4.0.1 - CSRF to Stored XSS
The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the locconfig function found in the /seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1. CSRF PoC alert1" / alert1" / function csrfSubmit let submit...
uListing < 2.0.6 - Authenticated IDOR
An Authenticated User IDOR vulnerability was discovered in the plugin. Important: userid and listingid values are dependent on each other, that is, if the author ID == 4, the data can only be modified for those ADs and pages that relate to this particular ID. You can find out the author of the...
Favicon by RealFaviconGenerator < 1.3.22 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting XSS which is executed in the context of a logged administrator. Timeline WPScanTeam: June 28th, 2021 - Details sent to vendor July 9th, 2021 - Escalat...
uListing < 2.0.6 - Settings Update via CSRF
A Settings Update via CSRF vulnerability was discovered in the plugin. Missing WPNonce security tokens https://codex.wordpress.org/WordPressNonces . PoC 1 | CSRF | Main Settings Update: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: admin cookies User-Agent: Mozilla/5.0...
uListing < 2.0.6 - Unauthenticated Privilege Escalation
An Unauthenticated Privilege Escalation vulnerability was discovered in the uListing plugin through v2.0.5 for WordPress. User registration must be allowed on the target website. PoC | Unauthenticated Privilege Escalation | Request: POST /wp-admin/admin-ajax.php?action=stmlistingregister HTTP/2...
Blue Admin <= 21.06.01 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. Add the following...
Side Menu Lite < 2.2.6 - Authenticated SQL Injection
The plugin does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to an SQL Injection issue POST /wp-admin/admin.php?page=side-menu-lite&tab=list HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8...
uListing < 2.0.6 - Reflected Cross-Site Scripting
An Authenticated Reflected XSS vulnerability was discovered in the plugin. Vulnerable parameters: id, user, expireddate, createddate, updateddate. WPNonce is present in the original requests, but doesn't pass the correct check, as a result of which it doesn't work. PoC 1 | Authenticated Reflected...
uListing < 2.0.6 - Multiple CSRF
The plugin is lacking proper CSRF checks in multiple protected actions within wp-admin pages, leaving them vulnerable to CSRF attacks. PoC | CSRF | Add/Edit Pricing Plans: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: agent or admin cookies User-Agent: Mozilla/5.0 Content-Type:...
uListing < 2.0.6 - Modify User Roles via CSRF
An Add/Edit User Roles via CSRF vulnerability was discovered in the plugin. Missing WPNonce security tokens https://codex.wordpress.org/WordPressNonces . PoC | CSRF | Add/Edit User Roles: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: cookies User-Agent: Mozilla/5.0 Content-Type:...
WPFront Scroll Top < 2.0.6.07225 - Authenticated Stored XSS
The plugin does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfilteredhtml capability is disallowed. Put the one of the payload below in the Image ALT setting of the plugin: The XSS will...
WP SMS < 5.4.13 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise the "wpgroupname" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue WPScanTeam: During the verification of the fixes with the vendor, other payloads and injection points were identified, reported an...
uListing < 2.0.4 - Unauthenticated SQL Injection
An Unauthenticated SQL Injection vulnerability was discovered in the plugin. Vulnerable parameters: custom. SQL Injection types: Error-based, Boolean-based Blind, Time-based Blind. PoC 1 | Unauthenticated SQL Injection | Tables: sqlmap...
Simple Banner < 2.10.4 - Authenticated Stored XSS
The plugin does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfilteredhtml capability is disallowed. Put the following payload in the Simple Banner Text setting of the plugin: The XSS will be triggered ...
Slider Hero < 8.2.7 - Contributor+ SQL Injection
The plugin does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection. As a contributor, add the following shortcode in a post and preview it to execute the SQLi hero-butto...
Paid Member Subscriptions < 2.4.2 - Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to a Reflected Cross-Site Scripting XSS on the edit member page. No CSRF nonce was required. http://www.example.com/wp-admin/admin.php?page=pms-members-page&subpage=editmember&memberid=1%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E...
Contact Form 7 Captcha < 0.0.9 - CSRF to Stored XSS
The plugin does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manageoptions change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. All cf7sr parameters are...
Qyrr < 0.7 - Authenticated (contributor+) Stored XSS
The plugin does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the datauritometa AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce available to users with a role ...
Simple Social Media Share Buttons < 3.2.3 - Contributor+ Stored XSS
The plugin did not escape the align and likebuttonsize parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. SSB align='" onmouseover="alert/align///' likebuttonsize='4" onmouseover="alert/likebuttonsize///' SSB...
HD Quiz < 1.8.4 - Authenticated Stored XSS
The plugin does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues Create or edit a Quiz, and put the following payload as an Answers of a "Multiple Choice: Text" Question: " autofocus...
GiveWP < 2.12.0 - Authenticated Stored XSS
The plugin did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them. Put the following payload in any Donation Level Text field of a Donation Form ie...
M-vSlider <= 2.1.3 - Authenticated (admin+) SQL Injection
The update functionality in the rsliderpage uses an rsid POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users having Administrator role. POST /wp-admin/admin.php?page=rsliderpage&updated=true HTTP/1.1 Host:...
Broken Link Manager <= 0.6.5 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an authenticated SQL injection issue GET...
Edit Comments <= 0.3 - Unauthenticated SQL Injection
The plugin does not sanitise, validate or escape the jaleditcomments GET parameter before using it in a SQL statement, leading to a SQL injection issue Post a comment on a page, then open https://example.com//?jaleditcomments=7%20AND%20SELECT%209114%20FROM SELECTSLEEP5wjzD...
Timeline Calendar <= 1.2 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin GET...
Edit Comments <= 0.3 - Reflected Cross-Site Scripting
The plugin does not sanitise, validate or escape the jaleditcomments GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue Post a comment on a page, then open https://example.com//?jaleditcomments=?jaleditcomments="alert/XSS/...
AceIDE <= 2.6.2 - Authenticated (admin+) Arbitrary File Access
The plugin does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory...
Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection
The daacdeletebookingcallback function, hooked to the daacdeletebooking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and...
Simple Events Calendar <= 1.4.0 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the eventid POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue POST /wp-admin/admin.php?page=simple-events&tab=existingevents HTTP/1.1 Content-Length: 33 Cache-Control: max-age=0...
Paytm - Donation Plugin <= 1.3.2 - Authenticated (admin+) SQL Injection
The plugin does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue GET /wp-admin/admin.php?page=wppaytmdonation&action=delete&id=1%20AND%20SELECT%205581%20FROM%20SELECTSLEEP5Pjwy HTTP/1....
Email Subscriber <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The kentoemailsubscriberajax AJAX action of the plugin, does not properly sanitise, validate and escape the submitted subscribeemail and subscribename POST parameters, inserting them in the DB and then outputting them back in the Subscriber list...
Project Status <= 1.6 - Reflected Cross-Site Scripting (XSS)
The pspinduplicatepostsaveasnewpost function of the plugin does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue Open the below URL as any authenticated user...
Embed Youtube Video <= 1.0 - Authenticated SQL Injection
The editid GET parameter of the plugin is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=embed-youtube-video-add&editid=-6425+UNION+ALL+SELECT+NULL%2Cuser%28%29%2CNULL%2CNULL%2CNULL-- HTTP/1.1 Cache-Control: max-age=...
Easy Testimonial Manager <= 1.2.0 - Authenticated SQL Injection
An id GET parameter of the plugin is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection GET /wp-admin/admin.php?page=easytestimonialupdate&id=page=easytestimonialupdate&id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,user,NULL,NULL-- HTTP/1.1...
Comment Highlighter <= 0.13 - Authenticated SQL Injection
A c GET parameter of the plugin is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET...
Alipay <= 3.7.2 - Authenticated SQL Injection
A proid GET parameter of the plugin is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection. GET /wp-admin/options-general.php?page=wsalipay&action=edit&proid=-5818%20UNION%20ALL%20SELECT...
WordPress Membership SwiftCloud.io <= 1.0 - Authenticated SQL Injection
An id GET parameter of the plugin is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=swiftbookaddemailtemplate&id=0%20UNION%20ALL%20SELECT%20NULL,NULL,user,NULL,NULL-- HTTP/1.1 Cache-Control: max-age=0...
Cashtomer <= 1.0.0 - Authenticated SQL Injection
An editid GET parameter of the plugin is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=add-social-point&id=facebookshare&editid=-9677%20UNION%20ALL%20SELECT%20NULL,NULL,user,NULL,NULL-- HTTP/1.1...