4359 matches found
Simple Post <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitize user input when an authenticated user Text value, then it does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. 1. Install WordPress 5.7.2 2. Install and activate Simple Post 3. Navigate to...
GTranslate < 2.8.65 - Reflected Cross-Site Scripting (XSS)
In the Pro and Enterprise versions of GTranslate alert123;...
NewsPlugin < 1.1.0 - CSRF to Stored Cross-Site Scripting
The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handlesavestyle function found in the /news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18. Note: v1.1.0 Added CSRF to the affected function, but see...
Grid Gallery < 1.2.5 - Authenticated Stored Cross Site Scripting (XSS)
The plugin does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability. Step 1: Install Grid Gallery - Photo Image Grid Gallery plugin in word press and activate the plugin. Step 2...
Charitable - Donation Plugin < 1.6.51 - Unauthenticated Stored Cross-Site Scripting
While fixing an Authenticated Stored Cross-Site Scripting issue https://wpscan.com/vulnerability/a5837621-ee6e-4876-9f65-82658fc0341f, the vendor identified another Cross-Site Scripting issue, which could be exploited by unauthenticated users and would be triggered in the context of a logged in...
Maintenance < 4.03 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them even when the unfilteredhtml capability is disallowed, which will be triggered in the frontend POST /wp-admin/admin.php?page=maintenance HTTP/1.1...
SendGrid <= 1.11.8 - Authenticated Authorization Bypass
The plugin is vulnerable to authorization bypass via the getajaxstatistics function found in the /lib/class-sendgrid-statistics.php file which allows authenticated users to export statistics for a WordPress multi-site main site in versions up to 1.11.8. This vulnerability only affects the main si...
Charitable – Donation Plugin < 1.6.51 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature. 1. Go to /wp-admin/edit.php?posttype=donation 2. Add new donation 3. In the first or last name forms, add the XSS payload 4. Save and the XSS payload will be executed...
NEX Forms < 7.8.8 - Authentication Bypass for Excel Reports
The plugin was vulnerable to Authentication Bypass for Excel Reports allowing unauthenticated attackers to download Excel reports. http://www.example.com/wp-admin/admin.php?page=nex-forms-dashboard&exportcsv=true...
KN Fix Your Title <= 1.0.1 - Authenticated Stored XSS
The plugin was vulnerable to Authenticated Stored XSS in the separator field. 1. Install WordPress 5.7.2 2. Install and activate KN Fix Your Title 3. Navigate to Fix Title under Settings Tab Click on I have done this and enter the XSS payload into the Separator input field. 4. Click Save Changes...
HM Multiple Roles < 1.3 - Arbitrary Role Change
The plugin does not have any access control to prevent low privilege users to set themselves as admin via their profile page As any authenticated user, go to your Profile page and Tick the Administrator Role checkbox. In v1.2, the checkboxes are disabled in the UI but can be tampered with by eith...
NEX Forms < 7.8.8 - Authentication Bypass for PDF Reports
The plugin was vulnerable to Authentication Bypass for PDF Reports allowing unauthenticated attackers to download PDF reports. http://www.example.com/wp-content/uploads/submissionreport.pdf...
Giveaway <= 1.2.2 - Authenticated SQL Injection
The plugin is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $postid on the options.php page. 1. Navigate in Wordpress panel to Settings - Giveaway 2. Intercept the request in Burp Suite 3. Click on "Select" button at the very to...
Wonder Video Embed < 1.8 - Contributor+ Stored XSS
The plugin does not escape parameters of its wonderpluginvideo shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. wonderpluginvideo iframe='youtube.com?v=dQw4w9WgXcQ" onload="alert1' videocss='animation-name:twentytwentyone-close-button-transition"...
My Site Audit <= 1.2.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when he unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue Create an audit with the...
Light Messages <= 1.0 - CSRF to Stored XSS
The plugin is lacking CSRF check when updating it's settings, and is not sanitising its Message Content in them even with the unfilteredhtml disallowed. As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the...
Profile Builder < 3.4.9 - Admin Access via Password Reset
The plugin has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example. The password reset key is checked against the...
Verse-O-Matic <= 4.1.1 - CSRF to Stored XSS
The plugin does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site...
Mimetic Books <= 0.2.13 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to Authenticated Stored Cross-Site Scripting XSS in the "Default Publisher ID" field on the plugin's settings page. 1. Install WordPress 5.7.2 2. Install and activate Mimetic Books 3. Navigate to Settings Mimetic Books API and enter the XSS payload into the Default...
Shantz WordPress QOTD <= 1.2.2 - Arbitrary Setting Update via CSRF
The plugin is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values...
Vik Rent Car < 1.1.10 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue Add or Edit a Characteristic...
Custom Login Redirect <= 1.0.0 - CSRF to Stored XSS
The plugin does not have CSRF check in place when saving its settings, and do not sanitise or escape user input before outputting them back in the page, leading to a Stored Cross-Site Scripting issue alert/XSS/' /...
Telugu Bible Verse Daily <= 1.0 - CSRF to Stored XSS
The plugin is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading...
RestroPress < 2.8.3.1 - Unauthorised AJAX Calls
The plugin did not check for CSRF as well as capability in some of its AJAX calls which should only be accessible by admin. As a result, any authenticated user can change arbitrary order status, as well as access arbitrary order details including PII such as phone number and address Change the...
PhoneTrack Meu Site Manager <= 0.1 - Authenticated Stored XSS
The plugin does not sanitise or escape its "phpid" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue. Put the following payload in the "phpid" field in the plugin's settings /wp-admin/options-general.php?page=phtmanager: "alert/XSS/...
Wonder PDF Embed < 1.7 - Contributor+ Stored XSS
The plugin does not escape parameters of its wonderpluginpdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. wonderpluginpdf src="a" onload="alert1"...
Photo Gallery < 1.5.79 - Stored XSS via Uploaded SVG in Zip
The plugin did not ensure that uploaded SVG files inside a Zipped archive added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly ie in the...
RestroPress < 2.8.3 - Cart Manipulation via CSRF
The plugin does not properly check for CSRF in some of its AJAX calls, allowing attackers to make users do unwanted actions, such as add arbitrary products to their cart, or empty it completely To clear the cart of the current user authenticated or not:...
Social Tape <= 1.0 - CSRF to Stored XSS
The plugin does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack alert/XSS/' /...
Photo Gallery < 1.5.75 - Stored Cross-Site Scripting via Uploaded SVG
The plugin did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly ie in the...
Photo Gallery < 1.5.75 - File Upload Path Traversal
The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector The below requests will put the xss.svg file into the /wp-content/uploads/ folder rather than...
VDZ Verification < 1.4 - Authenticated Stored XSS
The plugin does not sanitise its Meta Tag settings, allowing high privilege users such as admin to perform XSS attacks even when the unfilteredhtml capability is disallowed Put the following payload in any of the Meta Tag field in the plugin's Settings...
Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection
The plugin was reported to be affected by a critical Authenticated Blind SQL Injection vulnerability. http://www.example.com/wp-json/wc/store/products/collection-data?calculateattributecounts0taxonomy=a%252522%252529%252520or%252520sleep%25252810.1%252529%252523...
Form Maker < 1.13.60 - Authenticated Stored XSS
The plugin does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue Create or edit a form and add the following payload in the Form Title field "autofocus onmouseover=alert/XSS///...
Current Book <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. 1. Install WordPress 5.7.2 2. Install and activate Custom Book 3...
Video Posts Webcam Recorder < 3.2.4 - Authenticated Reflected XSS
The plugin has an authenticated reflected cross site scripting XSS vulnerability in one of the administrative functions for handling deletion of videos. .../wp-content/plugins/video-posts-webcam-recorder/posts/videowhisper/recordedvideos.php?delete=%3Cscript%3Ealert1%3C/script%3E...
WOWRestro < 1.1 - CSRF Bypass
The plugin does not properly check for CSRF in numerous of its AJAX actions, allowing attacker to make logged in users call them and perform unwanted actions, such as add/remove an item from their basket and empty it as well. To empty a user basket:...
Advanced Menu Manager < 3.0 - Unauthorised Menu Edition via CSRF
The plugin does not properly check for CSRF in its ammsaveexistingmenu function, allowing attackers to make logged in high privilege users edit menus via a CSRF attack...
Page View Counts < 2.4.9 - Contributor+ Stored XSS
The plugin does not escape the postid parameter of pvcstats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege user...
Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)
Description The theme does not sanitise the tdblockid parameter in its tdajaxblock AJAX action, leading to an unauthenticated Reflected Cross-site Scripting XSS vulnerability. Due to a nonce check, this issue is only exploitable on unauthenticated users for as long as the nonce used in the reques...
Advanced Menu Manager <= 3.0 - Unauthorised Menu Creation/Deletion
The plugin is lacking any capability and CSRF checks in its myactiondeletemenu and myactioncreatemenuajax AJAX actions, allowing any authenticated users such as subscriber to call them. Such attack could also be performed via a CSRF vector against any logged in user. - To delete a menu: POST...
WPFront Notification Bar < 2.0.0.07176 - Authenticated Stored XSS
The plugin does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue v alert/XSS/ v alert/XSS/...
VDZ CallBack < 1.14.6 - Authenticated Stored XSS
The plugin does not properly sanitise or escape some of its settings, allowing high privilege users such as admin to perform XSS attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Title setting of the plugin...
Astra Pro Addon < 3.5.2 - Unauthenticated SQL Injection
The plugin did not properly sanitise or escape some of the POST parameters from the astrapaginationinfinite and astrashoppaginationinfinite AJAX action available to both unauthenticated and authenticated user before using them in SQL statement, leading to an SQL Injection issues Via...
Marmoset Viewer < 1.9.3 - Reflected Cross Site Scripting
The plugin does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue. https://example.com/wp-content/plugins/marmoset-viewer/mviewer.php?id=http://%3C/script%3E%3Csvg/onload=alert1%3E WPScanTeam Reporter...
Haxcan <= 1.0.0 - Arbitrary File Access
The plugin does not properly ensure that the file to be accessed is within the blog, allowing high privilege users to read any file on the web server. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type:...
Popular Brand SVG Icons - Simple Icons < 2.7.8 - Contributor+ Stored XSS
The plugin does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in...
Calendar Event Multi View < 1.4.01 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page via php/edit.php, leading to a reflected Cross-Site Scripting issue...
Magic Post Thumbnail < 3.3.7 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its ids GET parameter before outputting it back in the bulk generation page, leading to a reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=magicpostthumbnail%2Finc%2Fadmin%2Fbulkgeneration.php&ids=alert/XSS/...
Haxcan <= 1.0.0 - CSRF Bypass
The plugin does not properly check for CSRF in its getajaxresponse AJAX action, allowing attacker to make logged in admin call them it via CSRF attack and add arbitrary files in quarantine for example. Add an arbitrary file to quarantine...