4359 matches found
Welcart e-Commerce < 2.2.4 - Cross-Site Scripting (XSS)
The plugin did not sanitise or validate the orderid parameter before outputting in the page of the admin dashboard, leading to a reflected Cross-Site Scripting issue http://wp.lab/wordpress/wp-admin/admin.php?page=uscesorderlist&orderaction=edit&orderid=1"alert/XSS/...
Real Estate 7 < 3.1.1 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitise the ctcommunity parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated or authenticated user context...
Motor theme < 3.1.0 - Unauthenticated Local File Inclusion
Lack of authentication or validation in motorloadmore, motorgalleryloadmore, motorquickview and motorprojectquickview AJAX handlers of the theme allows an unauthenticated attacker access to arbitrary files in the server file system, and to execute arbitrary php scripts found on the server file...
Advanced AJAX Product Filters < 1.5.4.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The braapfgetchild AJAX action of the plugin, available to both unauthenticated and authenticated users does not sanitise the 'termid' POST parameter before outputting it in the page, leading to reflected Cross-Site Scripting issue. "' / POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
JoomSport < 5.1.8 - Unauthenticated PHP Object Injection
The joomsportmdload AJAX action of the plugin, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other...
WP Prayer < 1.6.7 - Arbitrary Plugin Settings Update via CSRF
The plugin did not properly check for CSRF in some of its module functions, allowing attacker to make logged in admin change all plugin's settings including the email settings for example. v1.6.6 fixed most of CSRF checks, but the one in model.emailsettings.php was improperly fixed bypass still...
WP Google Maps < 8.1.12 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue Note: The vendor attributed the issue in the changelog to the wrong reporter us, WPScan, as we reported it on behalf of th...
Recently < 3.0.5 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise or escape its default Thumbnail setting before outputting back in the page, leading to a stored Cross-Site Scripting issue POST /wp-admin/options-general.php?page=recently&tab=tools HTTP/1.1 Accept:...
Jannah < 5.4.4 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the options JSON parameter in its tiegetuserweather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting XSS vulnerability. via GET:...
Stripe Payment Gateway for WooCommerce < 3.6.0 - Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the page parameter before outputting back in an attribute, leading to a reflected Cross-Site Scripting issue alert/XSS/"' /...
WordPress Popular Posts < 5.3.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise or escape its Default Thumbnail setting before outputting back in the page, leading to a stored Cross-Site Scripting issue POST /wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools HTTP/1.1 Accept:...
Smart Slider 3 < 3.5.0.9 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may...
WP Hardening < 1.2.2 - Reflected XSS via URI
The plugin did not sanitise or escape the $SERVER'REQUESTURI' before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue. https://example.com/wp-admin/plugins.php?%22%3E%3Cscript%3Ealertdocument.domain%3C/script%3Cv=...
WP Hardening < 1.2.2 - Reflected XSS via historyvalue
The plugin did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=wphwpharden&historyvalue=alertdocument.domain//...
Comments Like Dislike < 1.1.4 - Add Like/Dislike Bypass
The plugin allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user even unauthenticated to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie...
GeoDirectory Location Manager < 2.1.0.10 - Multiple Unauthenticated SQL Injections
In the plugin, the AJAX action gdpopularlocationlist did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues. The prerequisite to exploiting this vulnerability is finding a page on the vulnerable si...
Quiz And Survey Master < 7.1.19 - Unauthenticated Stored Cross-Site Scripting (XSS)
When the "Disable collecting and storing IP addresses?" setting is not used, the plugin retrieves the IP address of the submitting user via various methods, such as $SERVER'REMOTEADDR' but also arbitrary headers which can be tampered with. The final IP is not sanitised or validated, before being...
Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak
The Jetpack Carousel module allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhgvcs that allowed the comments of non-published page/posts to be leaked. Please refer to th...
Quiz And Survey Master < 7.1.18 - Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise or escape its resultid parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link...
Stock in & out <= 1.0.4 - Authenticated SQL Injection
The plugin lacks proper sanitization before passing variables to an SQL request, making it vulnerable to SQL Injection attacks. Users with a role of contributor or higher can exploit this vulnerability...
GetPaid < 2.3.4 - Authenticated Stored XSS
In the plugin, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is...
MC4WP: Mailchimp for WordPress < 4.8.5 - Unauthorised Actions via CSRF
The plugin did not properly check for CSRF in some of its actions handled by the listenforactions method hooked as admininit, allowing attackers to make logged in users with the manageoptions capability do unwanted actions such as empty the logs, dismiss notice and so on...
MC4WP: Mailchimp for WordPress < 4.8.5 - Authenticated Arbitrary Redirect
The plugin did not properly check for CSRF in some of its actions handled by the listenforactions method hooked as admininit, allowing attackers to make logged in users with the manageoptions capability do unwanted actions and redirect them to an arbitrary website after...
All 404 Redirect to Homepage < 2.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin v1.21 attempted to fix a Stored Cross-Site scripting issue in its "Redirect All 404 page to" settings, however the fix is insufficient, still allowing the issue to be triggered. This could allow high privilege users even with the unfilteredhtml disabled to use malicious payloads in it,...
WordPress Bitcoin Payments - Blockonomics < 3.3 - Reflected Cross-Site Scripting (XSS)
The plugin does not properly sanitise its filter action when viewing Orders before outputting it back in an attribute, leading to a reflected Cross-Site Scripting vulnerability. v alert/XSS/...
Fancy Product Designer < 4.6.9 - Unauthenticated Arbitrary File Upload and RCE
The plugin allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution. The issue is being actively exploited, and no patch is available. Further details will be made available once pathed. The Custom Product Designer plugin for WordPress offers the ability for...
The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending
The plugin did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary reset password email to a registered user on behalf of the WordPress site. Such issue could be chained with an open redirect...
Yes/No Chart < 1.0.12 - Authenticated (contributor+) Blind SQL Injection
The plugin did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users contributor+ to perform Blind SQL Injection attacks To exploit, the site administrator must add a question set and a question first. This requirement is usually met for all...
The Plus Addons for Elementor < 4.1.12 - Reflected Cross-Site Scripting (XSS)
The theplusmorepost AJAX action of the plugin did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting exploitable on both unauthenticated and authenticated users POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
FooGallery < 2.0.35 - Authenticated Stored Cross-Site Scripting
In the plugin, the Custom CSS field of each gallery is not properly sanitised or validated before being being output in the page where the gallery is embed, leading to a stored Cross-Site Scripting issue. Create or edit a gallery and add the following payload in the Custom CSS field: Then, view t...
WP Config File Editor <= 1.7.1 - Authenticated Stored Cross-Site Scripting (XSS)
The WP Config File Editor WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS vulnerability. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesse...
The Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect
The plugin did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue. The vulnerable code leading to the open redirect is in the function "redirecttotpcustompasswordreset" in...
Admin Columns Free (< 4.3.2) & Pro (< 5.5.2) - Authenticated Stored Cross-Site Scripting (XSS) in Custom Field
The Admin Columns WordPress plugin allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns. When a "Custom...
Stock in & out <= 1.0.4 - Reflected Cross-Site Scripting (XSS)
The plugin has a search functionality, the lowest accessible level to it being contributor. The srch POST parameter is not validated, sanitised or escaped before using it in the echo statement, leading to a reflected XSS issue POST /wp-admin/admin.php?page=stockin HTTP/1.1 Content-Length: 66...
Sendit WP Newsletter <= 2.5.1 - Authenticated (admin+) SQL Injection
The page lists-management feature of the plugin, available to Administrator users does not sanitise, validate or escape the idlista POST parameter before using it in SQL statement, therefore leading to Blind SQL Injection. time curl -i -s -k -X $'POST' \ -H $'Upgrade-Insecure-Requests: 1' -H...
Xllentech English Islamic Calendar < 2.6.8 - Authenticated SQL Injection
When deleting a date in the plugin, the yearnumber and monthnumber POST parameters are not sanitised, escaped or validated before being used in a SQL statement, leading to SQL injection. POST /wp-admin/options-general.php?page=xllentechoptionstab4 HTTP/1.1 Content-Length: 220 Cache-Control:...
Side Menu < 3.1.5 - Authenticated (admin+) SQL Injection
The menu delete functionality of the plugin, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue GET...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Export
The exportdata function of the plugin had no capability or nonce checks making it possible for unauthenticated users to export a site's redirects. curl -X POST --url "URL/wp-admin/admin-post.php?page=301options&export=true"...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Import
The importdata function of the plugin had no capability or nonce checks making it possible for unauthenticated users to import a set of site redirects. curl -i -s -k -X $'POST' \ -H $'Host: URLHERE' -H $'Content-Length: 379' -H $'Cache-Control: max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H...
Multivendor Marketplace Solution for WooCommerce < 3.7.4 - Unauthenticated Arbitrary Product Comment
The plugin did not properly check for CSRF when saving a product comment, and took the user ID to link the comment to from user input. As a result, attackers can post arbitrary comment, as another user as well by manipulating the currentuserid parameter. POST / HTTP/1.1 Accept: application/json,...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Activation
In the plugin, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activateplugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Installation
A lack of capability checks and insufficient nonce check on the AJAX action in the plugin, made it possible for authenticated users to install arbitrary plugins on vulnerable sites. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch;...
Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin is affected by an Unauthenticated Stored Cross-Site Scripting XSS vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel. $ curl -i http://localhost:10008/ --user-agent "alert1" The payload will be executed o...
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Update and Retrieve Wildcard Value
In the plugin, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/getwildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects. $wpuser, 'pwd' = $wppass,...
Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)
This plugin gives us the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also b...
Gallery From Files <= 1.6.0 - Unauthenticated RCE
The upload feature of the plugin does not properly check for the allowed extensions, allowing them to be set in the request and attempting to remove the dangerous ones such as .php and .js, but forgetting about .php4, .html etc. As a result, unauthenticated users could upload arbitrary .php4 file...
SP Project & Document Manager < 4.22 - Authenticated Shell Upload
The plugin allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for...
Cookie Law Bar <= 1.2.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise its Bar Message setting, allowing high privilege users to set an XSS payload in it, which will be triggered in all frontend page of the blog. As admin, go the plugin settings /wp-admin/options-general.php?page=clb and set a payload such as alert/XSS/ in the B...
WP LMS < 1.1.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user including unauthenticated v1.1.3 fixed the XSS by escapin...
iFlyChat – WordPress Chat <= 4.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue Step1: Install and activate the plugin "iFlyChat – WordPress Chat-4.6.4" Step2: Enter the following payload in the "APP ID" field of the plugin...