4359 matches found
CRM: Contact Management Simplified – UkuuPeople <= 1.6.3 - Unauthorised Favourite Addition/Deletion
The plugin does not properly check for CSRF in its ukuuaddtofav AJAX action, allowing attacker to make logged in users call them them and add or delete arbitrary favourite post. To delete a favourite To Add a favourite...
Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE
The plugin did not validate its cachingexcludeurls and cachingincludequerystrings settings before outputting them in a PHP file, which could lead to RCE PoC | Authenticated RCE | Caching Exclude URLs / Cached query strings: POST /wp-admin/admin.php?page=sbp-settings HTTP/2 Host: example.com Cooki...
Filter Gallery < 0.0.7 - Unauthorised AJAX Calls
The plugin had a logic flaw in the CSRF checks of its AJAX calls, allowing them to be passed by not providing the related parameter in the request. This could allow attacker to make logged in users do unwanted actions. Furthermore, the AJAX calls are also lacking capability checks, allowing any...
Forms < 1.12.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting XSS vulnerability within the Forms "Add new" field. Step 1: Install and activate the plugin. Step 2: Go to the Forms-- Add New. St...
Workreap < 2.2.2 - Multiple CSRF + IDOR Vulnerabilities
Several AJAX actions available in the theme lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logged in user to submit a POST request to the vulnerable site, potentially modifying or deleting arbitrary object...
Community Event < 1.4.8 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator...
Workreap < 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
The theme's AJAX actions workreapawardtempfileuploader and workreaptempfileuploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were...
Workreap < 2.2.2 - Missing Authorization Checks in Ajax Actions
The theme had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site. log in as arbitrary freelancer...
WP Google Map < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfilteredhtml capability is disallowed Create a new map. Add an XSS payload to the title. Click "Show as map title". Add t...
Leaflet Map < 3.0.0 - Contributor+ Stored XSS
The plugin does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to exploit stored XSS issues Most of the shortcode attributes are not escaped, so these are just one of them: leaflet-map...
Cooked < 1.7.9.1- Unauthenticated Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to Unauthenticated Reflected Cross-Site Scripting XSS. For clarification, this vulnerability is separate to the similar vulnerability CVE-2021-24233. The PoC will be displayed once the issue has been remediated...
Leaflet Map < 3.0.0 - Arbitrary Settings Update via CSRF Leading to Stored XSS
The plugin does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or usin...
SEO Wizard <= 4.0.2 - Unauthorised robots.txt & .htaccess Edit via CSRF
The plugin does not properly check for CSRF in its wswedithtaccessfile, wswcreaterobotstext and wswupdatecontentrobots AJAX actions, allowing attackers to make logged in admin write arbitrary data to the robots.txt and .htaccess files...
WooCommerce Custom Registration Form <= 1.0.4 - Arbitrary Field Deletion and Form Modification via CSRF
The plugin does not properly check for CSRF in its delfield and savealldata AJAX actions, allowing attacker to make logged in user call them via a CSRF attack To delete a field from the Registration Form: To change the whole Registration Form: input type=...
Woocommerce Tabs Plugin, Add Custom Product Tabs <= 1.0.1 - Arbitrary Tab Deletion/Edition via CSRF
The plugin does not properly check for CSRF in its tabsession, tabsessiondel, tabsessionedit and ptabsubmit AJAX actions, allowing attacker to make logged in user call them via a CSRF attack To delete a tab:...
MZ Mindbody API < 2.8.3 - Unauthorised AJAX Calls
The plugin did not properly check for CSRF and authorisation in various AJAX actions, allowing attacker to make users call them and perform unwanted actions, as well as allow low privilege users to call them As a low privilege user such as subscriber...
Fontsampler < 0.4.13 - CSRF to Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not properly check for CSRF and authorisation in its ajaxgetmockfontsampler AJAX action, which could lead to an authenticated reflected XSS issue as user input was then output without being sanitised first. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language:...
Strong Testimonials < 2.51.3 - Unauthorised AJAX Call
The plugin did not propely check for CSRF and authorisation in all the wpmtstaddfieldfunction functions, allowing unauthorised call of the associated AJAX actions either via low privilege users or CSRF attack https://example.com/wp-admin/admin-ajax.php?action=wpmtstgetcatcount...
Title Field Validation <= 1.1 - Unauthorised AJAX Calls
The plugin does not properly check for CSRF in its findposttype, savevalidation, editvalidation, updatevalidation and deletevalidation AJAX actions. Additionally, the actions were also missing any capability checks. As a result, any authenticated user such as subscriber could call them to create,...
YITH Request a Quote for WooCommerce < 1.6.4 - Unauthorised AJAX call via CSRF
The ajax method did not properly check for CSRF, allowing attackers to make users call the ajaxadditem, ajaxremoveitem or ajaxvariationexist actions, which will tamper with their session quote. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
BuddyPress Customer.io Analytics Integration <= 1.1.6 - Arbitrary Plugin Settings Update via CSRF
The plugin does not properly perform the CSRF check when saving its settings, allowing attackers to make logged in admin change them to arbitrary values...
Cognitive Content Analyzer < 2.3 - Unauthorised AJAX call via CSRF
The plugin did not properly check for CSRF in its blobinatoranalyze AJAX action, allowing attacker to make a logged in administrator call the blobinatorprocesstext method with arbitrary parameters and update the related post with the results. POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Accep...
MailOptin < 1.2.35.2 - Unauthorised AJAX Call
The fetchcustomfields and fetchtags function did not have proper CSRF check and authorisation, allowing unauthorised users to call the related AJAX action via either low privilege account or CSRF attack POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
SEO Wizard <= 4.0.2 - Unauthorised AJAX Calls
The plugin does not properly check for CSRF in its ajaxsaveglobalsettings and ajaxsavepostsettings AJAX actions, as well as other AJAX actions. Furthermore, capability checks were also missing, resulting in any authenticated users as low as subscriber being able to call those actions and modify t...
Newspaper < 11 - Reflected Cross-Site Scripting (XSS)
Description The theme does not sanitise the tdatts.modulescategory parameter in its tdajaxsearch AJAX action, leading to a Reflected Cross-Site Scripting XSS vulnerability. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type...
WP SMS < 5.4.9.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape some of its parameter before outputting them back in the pages, leading to reflected Cross-Site Scripting issues which will be executed in the context of a logged in admin. alert/XSS/' / alert/XSS/' / alert/XSS/' /...
Adapta RGPD < 1.3.3 - Unauthorised Consent via CSRF
The acceptcookieconsent AJAX action did not properly check for CSRF, allowing attackers to make users consent via a CSRF attack. https://example.com/wp-admin/admin-ajax.php?action=acceptcookieconsent...
TaxoPress < 3.0.7.2 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript payload in them even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. Add or edit a Taximony...
Profile Builder < 3.4.8 - Authenticated Stored XSS
The plugin does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue As admin, put the following...
Multiple Plugins from AYS Pro - Reflected Cross-Site Scripting (XSS)
The plugins did not properly sanitise and escape some GET parameters before outputting them back in attributes, leading to reflected Cross-Site Scripting issues which will be executed in the context of a logged in administrator...
Super Progressive Web Apps < 2.1.13 - Authenticated (High Privileged) Arbitrary File Upload to RCE
When the Apple Touch Icons & Splash Screen add-on is active, its superpwasplashscreenuploader AJAX action, did not properly check for authorisation and the content of the uploaded archive file. This allows high privilege users admin+ to upload an archive with a PHP file, leading to RCE. v2.1.12...
Handsome Testimonials & Reviews < 2.1.1 - Authenticated (Subscriber+) SQL Injection
The hndtstactioninstancecallback AJAX call of the plugin, available to any authenticated users, does not sanitise, validate or escape the hndtstpreviewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue. curl -i -s -k -X $'POST' \ -H...
WP Offload SES Lite < 1.4.5 - Stored Cross-Site Scripting (XSS)
The plugin did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for exampl...
Portfolio Responsive Gallery < 1.1.8 - Authenticated Blind SQL Injections
The getportfolios and getportfolioattributes functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to...
Image Slider by Ays - Responsive Slider and Carousel < 2.5.0 - Authenticated Blind SQL Injection
The getsliders function in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL...
Popup Like box - Page Plugin < 3.5.3 - Authenticated Blind SQL Injections
The getfblikeboxes function in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQ...
FAQ Builder < 1.3.6 - Authenticated Blind SQL Injections
The getfaqs function in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL...
Poll Maker < 3.2.1 - Authenticated Blind SQL Injections
The getpollcategories, getpolls and getreports functions in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard SQLMAP: python sqlmap.py -r r.txt -p orderby...
Quiz Maker < 6.2.0.9 - Multiple Authenticated Blind SQL Injections
The plugin did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard When we WPScanTeam confirmed the issues, more SQL Injections were identified, reported and fixed by the vendor but have not...
Super Progressive Web Apps < 2.1.12 - Authenticated (Low Privileged) Arbitrary File Upload to RCE
When the Apple Touch Icons & Splash Screen add-on is active, its superpwasplashscreenuploader AJAX action, does not properly check for CSRF, authorisation and the content of the uploaded archive file. This allows attackers to upload an archive with a PHP file, leading to RCE by either using a low...
Photo Gallery by Ays - Responsive Image Gallery < 4.4.4 - Authenticated Blind SQL Injections
The getgallerycategories and getgalleries functions in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard SQLMAP: python sqlmap.py -r r.txt -p orderby --leve...
RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF
The Import feature of the plugin /wp-admin/tools.php?page=rsvpmakerexportscreen takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack. Go to the...
Popup box < 2.3.4 - Authenticated Blind SQL Injections
The getayspopupboxes and getpopupcategories functions of the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard Exploit All of them with same technique. SQLMAP:...
Secure Copy Content Protection and Content Locking < 2.6.7 - Authenticated Blind SQL Injections
The getreports function in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL...
Survey Maker < 1.5.6 - Authenticated Blind SQL Injections
The getresults and getitems functions in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the getresults DB calls, leading to SQL injection issues in the admin dashboard Note WPScanTeam: Other SQLi were identified when confirming the...
Event Geek <= 2.5.2 - Stored Cross-site Scripting (XSS)
The plugin does not sanitise or escape its "Use your own theme" setting before outputting it in the page, leading to an authenticated admin+ stored Cross-Site Scripting issue As admin, put the following payload in the "Use your own theme enter URL:" option...
Migrate Users <= 1.0.1 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack. Add the following paylo...
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in Image Uploader Component
The cover photo and profile photo upload functionalities of the plugin were vulnerable to arbitrary file uploads due to the use of exifimagetype for filetype checking. 'Hax0r2', 'regemail' = '[email protected]', 'regpassword' = 'password', 'regpasswordpresent' = 'true', 'regfirstname' = 'Hax0r2',...
ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation
The user registration functionality of the plugin allowed arbitrary user meta to be supplied, including wpcapabilities, during registration which made it possible for users to register as an administrator. 'Hax0r', 'regemail' = '[email protected]', 'regpassword' = 'password', 'regpasswordpresent' =...
DrawBlog <= 0.90 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue As admin, put the following payload in the "Checkbox reminder" setting of the plugin: "alert/XSS/...