4359 matches found
Side Menu Lite < 2.2.1 - Authenticated SQL Injection
The plugin does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack...
Post Grid < 2.1.8 - Reflected Cross-Site Scripting (XSS)
The slider import search feature and tab parameter of the plugin settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues https://example.com/wp-admin/edit.php?posttype=postgrid&page=post-grid-settings&tab="alert1...
W3 Total Cache < 2.1.5 - Reflected XSS in Extensions Page (JS Context)
The plugin was affected by a reflected Cross-Site Scripting XSS issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This...
Any Hostname <= 1.0.6 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS payloads in it As admin, put the following payload in the "Allowed host" setting of the plugin /wp-admin/options-general.phpany-hostname:...
Yada Wiki < 3.4.1 - Contributor+ Stored XSS
The plugin did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue - Create a wiki page. If there is already a page, you can skip. The page can be a draft. - Add this shortcode to a post/page, view it and move the mouse over the...
Bookshelf <= 2.0.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue Add the following payload in the "Paypal email address" setting of the plugin /wp-admin/admin.php?page=bookshelf-settings:...
Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS)
The plugin does not sanitize the id parameter of its awesomeweatherrefresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting XSS Vulnerability. Note WPScanTeam: The issue was reported to the WP plugins team on May 4th, 2021, then June 7th, 2021 due to lack of update...
ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation
The user profile update functionality of the plugin allowed arbitrary user meta to be supplied, including wpcapabilities, during a profile update which made it possible for users to escalate their privileges to that of an an administrator. 'Hax0r3', 'regemail' = '[email protected]', 'regpassword'...
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
The plugin was affected by an IDOR issue, allowing users with the uploadimage capability by default author and above to change and delete the profile pictures of other users including those with higher roles. Use a proxy such as Burp Suite to capture the request made when change your own profile...
ProfilePress < 3.1.8 - Authenticated Stored XSS
The plugin did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site...
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component
There is functionality in the plugin to add file uploads to user registrations and profile updates that had no file type checking in place making it possible for arbitrary files to be uploaded. fh = open'shell.php', 'wb' fh.writeb'\xFF\xD8\xFF\xE0' + b'' fh.close 'Hax0r', 'regemail' =...
Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Unauthenticated RFI and SSRF
The theme and plugin have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF Server Side Request Forgery and RFI Remote File Inclusion vulnerabilities on...
Steam Group Viewer <= 2.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Steam Group Address" settings before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue Enter the following payload in the "Steam Group Adrdess" setting of the plugin: "alert/XSS/...
Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not escape the Summary field of Announcements when outputting it in an attribute, which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege...
W3 Total Cache < 2.1.4 - Reflected XSS in Extensions Page (Attribute Context)
The plugin was vulnerable to a reflected Cross-Site Scripting XSS security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a...
Event Espresso Core < 4.10.7.p - Reflected Cross-Site Scripting (XSS)
The adminpages/messages/templates/eemsgadminoverview.template.php file of the plugin did not escape user input before outputting back in an attribute in the page, leading to a reflected Cross-Site Scripting issue...
ZoomSounds < 6.05 - Unauthenticated Arbitrary File Upload
The plugin contained a PHP file, allowing unauthenticated users to upload an arbitrary file anywhere on the web server. Note WPScanTeam: It's unclear which version fixed the issue exactly, however we were able to confirm the issue on version as high as v5.96 and that the related file has been...
WP Image Zoom < 1.47 - Local File Inclusion
The plugin did not validate its tab parameter before using it in the includeonce function, leading to a local file inclusion issue in the admin dashboard PoC: https://example.com/wp-admin/admin.php?page=zoooomsettings&tab=whatever This URL shows includeonce error, which indicates that the paramet...
Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection
The plugin did not sanitise, escape or validate the dateanswers POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks v 1.5.3 POST /wp-admin/admin-ajax.php?action=pollinsertvalues HTTP/1.1 Accept: /...
myStickymenu < 2.5.2 - Authenticated Stored XSS
The plugin does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog when the Welcome bar is active Put...
Simple Sort&Search <= 0.0.3 - Ccontributor+ Stored XSS
The plugin does not make sure that the indexurl parameter of the shortcodes "categorysims", "ordersims", "orderbysims", "periodsims", and "tagsims" use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor As a contributor, add one of the...
Glass <= 1.3.2 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. Add the following...
Sign-up Sheets < 1.0.14 - Authenticated CSV Injection
The plugin does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue Go to the Sign-up Sheets-- Add New. Enter the following CSV Injection payload in the field "Title", "Details" and "Task" click on save button. =cmd|' /C...
Export Users With Meta < 0.6.5 - Authenticated SQL Injection
The plugin did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. POST /wp-admin/users.php?page=uewmsettings HTTP/1.1 Accept:...
Prismatic < 2.8 - Contributor+ Stored XSS
The plugin does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher...
Sign-up Sheets < 1.0.14 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in the admin dashboard As admin, add a new...
Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning
The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution RCE of the system due to log poisoning and therefore potentially a full compromise of the underlying structure RCE through chaining LFI with log poisoning 1. Path Traversal / Local File...
Salon Booking System < 6.3.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting XSS vulnerability. The Payload will then be triggered when an admin visits the...
Browser Screenshots < 1.7.6 - Contributor+ Stored XSS
The plugin allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the imageclass parameter of the browser-shot shortcode was not escaped. Add the following shortcode in a page, then view the page either published or as preview to trigger th...
Prismatic < 2.8 - Reflected Cross-Site Scripting (XSS)
The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator...
WP YouTube Lyte < 1.7.16 - Authenticated Stored XSS
The plugin did not sanitise or escape its lyteytapikey and lytenotification settings before outputting them back in the page, allowing high privilege users to set XSS payload on them and leading to stored Cross-Site Scripting issues. PoC 1 | Authenticated Persistent XSS | Your YouTube API key: PO...
WP JobSearch < 1.7.4 - Authenticated Stored XSS
The plugin did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue Vulnerable parameters: &jobsearchfieldeducationtitle=,...
Filebird 4.7.3 - Unauthenticated SQL Injection
The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the getcol function and it allows SQL injection. The Rest...
Backup by 10Web <= 1.0.20 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue http://example.com/wp-admin/admin.php?page=buwdrestore&tab=general%22%3E%3Cimg%20src=x%20onerror=alertdocument.domain;%20m0ze...
W3 Total Cache < 2.1.3 - Authenticated Stored XSS
The plugin did not sanitise or escape some of its CDN settings, allowing high privilege users to use JavaScript in them, which will be output in the page, leading to an authenticated Stored Cross-Site Scripting issue Vulnerable parameters: &cdncnames= 1, cdncnames= 2, cdncnames= 3. CDN Type:...
Request a Quote < 2.3.4 - Authenticated Stored XSS
The plugin did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the 'All Quotes" table. Note: By default, admins and editors are allowed to use JavaScript in posts and page, unless the...
WP Reset < 1.90 - Authenticated Stored XSS
The plugin did not sanitise or escape its extradata parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue PoC | Authenticated Persistent XSS | Enter snapshot name or brief description:...
RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings before saving and outputing them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfilteredhtml capability is disallowed. Vulnerable parameters: &ytnetw=, &ytnetwspan=, &ytfeedbacknetw=...
Smooth Scroll Page Up/Down Buttons <= 1.4 - Authenticated Stored XSS via psb_positioning
The plugin does not properly sanitise and validate its psbpositioning settings, allowing high privilege users such as admin to set an XSS payload in it, which will be executed in all pages of the blog -- Payloads: $ m0ze"...
10Web Map Builder for Google Maps < 1.0.70 - Authenticated Stored XSS
The plugin does not validate or escape its MAP API Key, Center Address, Center Lat, Center Lng and Zoom Level settings in the admin dashboard, allowing high privilege users such as admin to use JavaScript payload in them, leading to Stored Cross-Site Scripting issues even when the unfilteredhtml...
FoodBakery < 2.2 - Reflected Cross-Site Scripting (XSS)
The plugin, used in the theme did not properly sanitize the foodbakeryradius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting XSS vulnerability...
wpForo Forum < 1.9.7 - Open Redirect
The plugin did not validate the redirectto parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website under their control and being a replica of the legitimat...
Woocommerce Stock Manager < 2.6.0 - CSRF to Arbitrary File Upload
The plugin is vulnerable to CSRF leading to Arbitrary File Upload due to missing nonce and file validation in the /admin/views/import-export.php file. File will upload to: /wp-content/plugins/woocommerce-stock-manager/admin/views/upload/PoC.php history.pushState'', '', '/' function submitRequest...
BCS BatchLine Book Importer < 1.5.8 - Unauthenticated Product Import
The plugin did not correctly check for permission in its wc/v3/bcsbertlinebookimport REST route, allowing unauthenticated to import arbitrary products or update existing ones POST /wp-json/wc/v3/bcsbertlinebookimport HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflat...
Jannah < 5.4.5 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action, leading to a Reflected Cross-site Scripting XSS vulnerability. POST /demo/wp-admin/admin-ajax.php HTTP/1.1 Host: jannah.tielabs.com User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:89.0...
WP SVG Images < 3.4 - Authenticated (author+) Stored XSS via SVG
The plugin did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to editors and admin, with an option to...
Vik Rent Car < 1.1.7 - CSRF to Stored XSS
In the plugin, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also ...
Async JavaScript < 2.21.06.29 - Authenticated (admin+) Stored XSS
The plugin does not validate or escape its Username and API Key from the Wizard tab of its settings, allowing high privilege users such as admin to set JavaScript payload in them, even when the unfilteredhtml capability is disallowed, leading to Stored Cross-Site Scripting issues Set the payload...
WP DoNotTrack <= 0.8.8 - Authenticated (admin+) Stored XSS
The plugin does not validate or escape its Blacklist and Whitelist settings, allowing high privilege users such as admin to set JavaScript payload in them, even when the unfilteredhtml capability is disallowed, leading to Stored Cross-Site Scripting issues Add the payload below in the Blacklist o...
Easy Cookie Policy <= 1.6.2 - Broken Access Control to Stored Cross-Site Scripting
The plugin is lacking any capability and CSRF check when saving it's settings, allowing any authenticated users such as subscriber to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in al...