4359 matches found
JNews < 8.0.6 - Reflected Cross-Site Scripting (XSS)
The theme did not sanitise the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory, leading to a Reflected Cross-Site Scripting XSS issue. POST /?ajax-request=jnews HTTP/1.1 Accept: text/html, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip,...
Easy Preloader <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise its setting fields, leading to authenticated admin+ Stored Cross-Site scripting issues Step 1: Install the plugin "Easy Preloader" Step 2: Enter the payload below in the text field "Choose overlay color" or any other text fields in the plugin's settings...
WP Statistics < 13.0.8 - Unauthenticated SQL Injection
The plugin relied on using the WordPress escsql function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones...
Video Embed <= 1.0 - Authenticated (subscriber+) SQL Injection
The id GET parameter of one of the plugin's page available via forced browsing is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection. Note: The URL /wp-admin/admin.php?page=edit-video-embed&id=1 is...
FlightLog <= 3.0.2 - Authenticated (editor+) SQL Injection
The plugin does not sanitise, validate or escape various POST parameters before using them a SQL statement, leading to SQL injections exploitable by editor and administrator users 1. to and from parameters Editor Level Tools - Flightlog - add a record POST...
Related Posts for WordPress < 2.0.5 - Authenticated Stored XSS & XFS
The plugin does not sanitise its headingtext and css settings, allowing high privilege users admin to set XSS payloads in them, leading to Stored Cross-Site Scripting issues. Payloads: $ m0ze"div x PoC 1 | Authenticated Persistent XSS & XFS | Heading text: ! POST /wp-admin/options.php HTTP/2 Host...
LifterLMS < 4.21.2 - Access Other Student Grades/Answers via IDOR
The plugin was affected by an IDOR issue, allowing students to see other student answers and grades - Add 2 users with Student role for the scenario . - Create A course With a quiz I picked True or Flase question for my quiz - Set Enrol on Free for the ease of scenario - Enrol into the Course wit...
WP Prayer < 1.6.2 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to reque...
Car Repair Services < 4.0 - Unauthenticated Reflected XSS & XFS
The theme did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue https://smartdata.tonytemplates.com/car-repair-service-v4/car1/estimateresult/result?s=&serviceestimatekey=...
Funnel Builder by CartFlows < 1.6.13 - Authenticated Stored XSS via FB Pixel ID and Google Analytics ID
The plugin did not sanitise its facebookpixelid and googleanalyticsid settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used. -- Payloads: $ 'm0ze'; alertdocument.cooki...
Instant Images WordPress Plugin < 4.4.0.1 - Authenticated Stored XSS & XFS
The plugin did not properly validate and sanitise its unsplashdownloadw and unsplashdownloadh parameter settings /wp-admin/upload.php?page=instant-images, only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue. -- Payloads: $ "div x -- PoC 1 |...
Smooth Scroll Page Up/Down Buttons < 1.4 - Authenticated Stored XSS
The plugin did not properly sanitise and validate its settings, such as psbdistance, psbbuttonsize, psbspeed, only validating them client side. This could allow high privilege users such as admin to set XSS payloads in them -- Payloads: $ " autofocus=autofocus onfocus=alertdocument.cookie; " $ "...
Database Backup for WordPress < 2.4 - Authenticated Persistent Cross-Site Scripting (XSS)
The plugin did not escape the backuprecipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue. POST /wp-admin/tools.php?page=wp-db-backup HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Content-Type:...
Bello < 1.6.0 - Authenticated Cross-Site Scripting (XSS) and XFS
The theme did not properly sanitise its postexcerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue -- Payloads: $ $ -- PoC | Authenticated XFS | My Listings: ! POST...
Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities
The theme did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector. -- PoC 1 | Authenticated IDOR | Permanent post/page deletion: !...
Bello < 1.6.0 - Unauthenticated Blind SQL Injection
The theme did not sanitise the btbblistingfieldpricerangeto, btbblistingfieldnowopen, btbblistingfieldmylng, listinglistview and btbblistingfieldmylat parameters before using them in a SQL statement, leading to SQL Injection issues -- Payload: $ -4034 OR 4877=4877 AND 2369=2369 -- PoC 1 |...
Mediumish <= 1.0.47 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The search feature of the theme does not properly sanitise it's 's' GET parameter before output it back the page, leading to the Cross-SIte Scripting issue. The vendor has been unresponsive to any form of contact https://example.com/?posttype=post&s=%22%3E%3Cscript%3Ealert/XSS/%3C/script%3E...
Listeo < 1.6.11 - Multiple XSS & XFS vulnerabilities
The theme did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues - Unauthenticated Reflected XSS | Search query, vulnerable parameters: keywordsearch and locationsearch - Authenticated Persistent XSS & XFS |...
Bello < 1.6.0 - Unauthenticated Reflected XSS & XFS
The theme did not properly sanitise and escape its listinglistview, btbblistingfieldmylat, btbblistingfieldmylng, btbblistingfielddistancevalue, btbblistingfieldmylatdefault, btbblistingfieldkeyword, btbblistingfieldlocationautocomplete, btbblistingfieldpricerangefrom and...
WP Super Cache < 1.7.3 - Authenticated Remote Code Execution
The parameters $cachepath, $wpcachedebugip, $wpsupercachefrontpagetext, $cachescheduledtime, $cacheddirectpages used in the plugin settings result in RCE because they allow input of "$" and "\n". This is due to an incomplete fix of CVE-2021-24209. You can run the command directly to...
External Media < 1.0.34 - Authenticated Arbitrary File Upload
The wpajaxupload-remote-file AJAX action of the plugin was vulnerable to arbitrary file uploads via any authenticated users. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // Upload File $ch = curlinit; curlsetopt$ch, CURLOPTURL,...
Weekly Schedule < 3.4.3 - Authenticated Stored XSS
The "Schedule Name" input in the plugin general options did not properly sanitize input, allowing a user to inject javascript code using the Go to Weekly Schedule - General Options /wp-admin/admin.php?page=weekly-schedule - Schedule Name - Fill the field with a payload such as alertxss...
Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title
The plugin did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will view the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117 Creat...
LifterLMS < 4.21.1 - Authenticated Stored XSS in Edit Profile
The 'State' field of the Edit profile page of the plugin is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users such as students to elevate their privilege via an XSS attack when an admin...
ReDi Restaurant Reservations < 21.0426 - Unauthenticated Stored Cross-Site Scripting (XSS)
The ReDi Restaurant Reservations plugin provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The form to ma...
Simple Giveaways < 2.36.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS https://example.com/giveaway/mygiveaways/?share=%3Cscript%3Ealertdocument.domain%3C/script%3E...
All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize
The plugin enables authenticated users with "aioseotoolssettings" privilege most of the time admin to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool Import/Export". However, the plugin attempts to...
ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 - Unauthorised AJAX call
Some AJAX actions did not have proper CSRF and authorisation checks, allowing unauthorised call either via unauthenticated/low privilege users or CSRF, which could allow attackers to reset or change the settings of the plugin for example Reset arbitrary option in the plugin v 1.0.5 POST...
Ultimate Member < 2.1.20 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the...
Leads-5050 Visitor Insights < 1.1.0 - Unauthorised License Change
The leads5050setlicense AJAX action is available to authenticated users, but is missing any capability and CSRF checks. This could allow any low privilege users subscriber+ to set an arbitrary license in the plugins settings POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Accept: application/jso...
DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
The dsgvoaiowritelog AJAX action of the plugin did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard wp-admin/admin.php?page=dsgvoaiofree-show-log. This could allow unauthenticated attackers to gain unauthorised access by...
Leads-5050 Visitor Insights < 1.0.4 - Unauthenticated License Change
The leads5050setlicense AJAX action was available to unauthenticated users allowing them to set an arbitrary license in the plugins settings POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip,...
Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues Adds the following payloads in the API Key settings /wp-admin/options-general.php?page=aocritcss "alert/XSS/ --...
PickPlugins Product Slider for WooCommerce < 1.13.22 - Reflected Cross-Site Scripting (XSS)
The slider import search feature of the plugin settings did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue https://example.com/wp-admin/edit.php?posttype=wcps&page=importlayouts&keyword="onmouseover=alert1;//...
Simple Admin Language Change < 2.0.2 - Arbitrary User Locale Change
The plugin did not have proper capability and CSRF checks in its changeuserlocale AJAX action, and was also affected by an IDOR issue, allowing any authenticated user to change the locale of another user. v2.0.1 fixed the authorisation and IDOR but still had an incorrect CSRF logic which was fixe...
Parcel Tracker eCourier < 1.0.2 - Plugin's Settings Update via CSRF
The plugin did not properly check for CSRF, allowing attackers to make a logged in administrator update the plugin's settings...
Target First Plugin 2.0 - Unauthenticated Stored XSS via Licence Key
The Target First WordPress Plugin, also previously known as Watcheezy, suffered from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the "weeWzKey" parameter that will be save as the "weeID" option. The input value...
Ship To Ecourier < 1.0.2 - Plugin's Settings Update via CSRF
The plugin did not properly check for CSRF, allowing attackers to make a logged in administrator update the plugin's settings...
Hana Flv Player <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting XSS vulnerability within the "Default Skin" field. Step1: Install and activate the plugin. Step2: Go to the plugin setting. Step3: Enter the following payload in the field "Default Skin" xss"alert1input type='text'...
WP Customer Reviews < 3.5.6 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them which will then be triggered in pages where reviews are enabled 1. Login to WordPress as an Administrator 2. Install and Activate plugin "WP Customer Reviews" 3. Clic...
Goto < 2.1 - Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitize the formvalue JSON POST parameter in its tlfilter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting XSS vulnerability. POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate...
Hotjar Connecticator <= 1.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was vulnerable to Stored Cross-Site Scripting XSS in the "hotjar script" textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users. Step 1: Install and activate the plugin "Hotjar...
Activity Log < 2.7.0 - Authenticated SQL Injection
The plugin was vulnerable to SQL Injection in the order column of the past events table. time curl 'http://www.example.com/wp-admin/admin.php?page=activitylogpage&orderby=histtime%20AND%20SLEEP%280%29' -H 'Cookie: ...'...
Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated admin+ Stored XSS issues. Notes WPScanTeam - The original reporter mentioned the issue being fixed in 2.10.2, but we could still trigger i...
Download Manager < 3.1.22 - Plugin Settings Change via CSRF
The wpdmsettings AJAX action, used the section POST parameter to call the associated settings handler methods dynamically. However, the pluginUpdate section=plugin-update and Privacy section=privacy were missing CSRF checks. Furthermore, the Privacy function did not ensure that the options to be...
Download Manager < 3.1.23 - Unauthorised Asset Manager Usage
The majority of the AJAX actions related to the Asset Manager use the same nonce action ie the NONCEKEY constant, and are lacking any authorisation checks. Given that the nonce is available in other pages, accessible by low priviledge users such as author, or even subscribers depending on the...
Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE
The wpdmadminuploadfile AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden. As an author or any account with the uploadfiles capability, attach a .php4 file to a download...
AcyMailing < 7.5.0 - Open Redirect
When subscribing using AcyMailing, the "redirect" parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim. When using acymailing to subscribe to a newsletter, you make a POST...
404 SEO Redirection <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
Description The plugin is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues The PoC will be displayed once the iss...
404 SEO Redirection <= 1.3 - Reflected Cross-Site Scripting (XSS)
Description The tab parameter of the settings page of the plugin is vulnerable to a reflected Cross-Site Scripting XSS issue as user input is not properly sanitised or escaped before being output in an attribute. The PoC will be displayed once the issue has been remediated...