4359 matches found
WPGraphQL < 1.3.6 - Denial of Service
The plugin suffers from a Denial of Service vulnerability by Field Duplication. It is possible to create an expensive query by duplicating the number of fields, while simultaneously sending these requests in batches using GraphQL's Batching capability. v1.3.6 added a setting to disable batch...
Store Locator Plus <= 5.5.15 - Unauthenticated Stored Cross-Site Scripting (XSS)
There are several endpoints in the plugin that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages. The PoC will be displayed once the issue has been remediated...
Store Locator Plus <= 5.5.14 - Authenticated Privilege Escalation
There is functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. Partially unpatched because they added CSRF protection that technically blocks low-level users from using the endpoint, howeve...
Goto < 2.1 - Unauthenticated Blind SQL Injection
The theme did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue sqlmap --url="https://example.com/tour-list/?keywords=13&startdate=13" --random-agent -dbs --level=3 --threads=4...
Car Seller - Auto Classifieds Script <= 2.1.0 - Unauthenticated SQL Injection
The requestlistrequest AJAX call of the plugin, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the orderid POST parameter before using it in a SQL statement, leading to a SQL Injection issue. curl 'https://example.com/wp-admin/admin-ajax.php' ...
Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue https://example.com/wp-admin/options-general.php?page=moove-redirect-settings&tab=" onMouseOver="alert1;...
Software License Manager < 4.4.6 - CSRF to Stored XSS
The plugin did not have CSRF check on its settings page, nor sanitisation when outputting user input back. Attackers could make a logged in administrator change the plugin's settings, and put XSS payload in them. alert/XSS-1/' / alert/XSS-2/' / alert/XSS-3/' / alert/XSS-4/' /...
Select All Categories and Taxonomies < 1.3.2 - Reflected Cross-Site Scripting (XSS)
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue https://example.com/wp-admin/options-general.php?page=moove-taxonomy-settings&tab=" onMouseOver="alert1;...
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via CSRF
The "cppluginsdobuttonjoblatercallback" AJAX action, from multiple plugins of the WP-Buy vendor, was lacking CSRF check, allowing attackers to make a logged in administrator install and active arbitrary plugins including specific version from the WordPress repository which could lead to more...
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User
Low privileged users could use the AJAX action "cppluginsdobuttonjoblatercallback" from multiple plugins of the WP-Buy vendor, to install any plugin including a specific version from the WordPress repository, which helps attackers install vulnerable plugins and could lead to more critical...
Woocommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfilteredhtml is disabled Enable taxes...
RSS for Yandex Turbo < 1.30 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise the user inputs from its Счетчики settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues As admin, Navigate to Setting Яндекс.Турбо Счетчики and enter a payload such as " onmouseover="alert1 into all t...
iThemes Security Free (< 7.9.1) & Pro (< 6.8.4) - Hide Backend Bypass
Both the iThemes Security free and pro versions were affected. - Patched in Version iThemes Security: 7.9.1 - Patched in Version iThemes Security Pro: 6.8.4 The bug allowed attackers to bypass the "Hide Backend" feature, that, when enabled, hides the WordPress wp-login.php and wp-admin pages...
Accordion < 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue. v 2.2.29 https://example.com/wp-admin/edit.php?posttype=accordions&page=settings&tab=a%22%3E%3Csvg%2Fonload%3Dalert%28123%29%3B%2F%2F%3E%3C%22 v...
Redirection for Contact Form 7 < 2.3.4 - Unauthenticated Arbitrary Nonce Generation
In the plugin, unauthenticated users can use the wpcf7rgetnonce AJAX action to retrieve a valid nonce for any WordPress action/function. 'wpcf7rgetnonce', 'param' = 'ANY ACTION HERE' ; $output = curlexec$ch; curlclose$ch; printr$output; ?...
Kaswara Modern VC Addons (0-day) - Unauthenticated Arbitrary File Upload
The plugin allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fontsicon directory with no checks for malicious files such as PHP. The vendor has been unresponsive to both the reporter and Envato,...
Redirection for Contact Form 7 < 2.3.4 - Authenticated PHP Object Injection
In the plugin, any authenticated user, such as a subscriber, could use the importfromdebug AJAX action to inject PHP objects. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // OBJI $ch = curlinit; curlsetopt$ch, CURLOPTURL, $wpur...
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
In the plugin, any authenticated user, such as a subscriber, could use the deleteactionpost AJAX action to delete any post on a target site. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // Set redirect url $ch = curlinit;...
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
In the plugin, low level users, such as subscribers, could use the importfromdebug AJAX action to install any plugin from the WordPress repository. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output = curlexec$ch; curlclose$ch; // Install some plugins $ch =...
Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue /wp-admin/admin.php?page=contact-form-supsystic&tab="onmouseover=alert1//...
Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to Reflected Cross-Site Scripting XSS issues via the galleryid, tag, albumid and themeid GET parameters passed to the bwgfrontenddata AJAX action available to both unauthenticated and authenticated users...
Ultimate Maps by Supsystic < 1.2.5 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue /wp-admin/admin.php?page=ultimate-maps-supsystic&tab="onmouseover=alert1//...
Popup by Supsystic < 1.10.5 - Reflected Cross-Site scripting (XSS)
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue /wp-admin/admin.php?page=popup-wp-supsystic&tab="onmouseover=alert1//...
WordPress Download Manager < 3.1.18 - Unauthorised Download Duplication
The duplicate method, hooked to the admininit action did not have any CSRF and authorisation checks, allowing unauthorised users such as unauthenticated ones to duplicate arbitrary downloads As an unauthenticated or authenticated user, open the following URL to duplicate the Download with id 717...
All 404 Redirect to Homepage < 1.21 - Authenticated Reflected Cross-Site Scripting (XSS)
The tab parameter of the settings page of the plugin was vulnerable to an authenticated reflected Cross-Site Scripting XSS issue as user input was not properly sanitised before being output in an attribute...
Easy Digital Downloads < 2.10.3 - Unauthorised Stripe Disconnect via CSRF
The plugin did not property check for CSRF when disconnecting Stripe, allowing attackers to make logged in users with the manageoptions capability disconnect the Stripe gateway via a CSRF attack. https://example.com/wp-admin/admin-post.php?page=edd-settings&edds-stripe-disconnect=1...
SEO Redirection < 6.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the Redirect From and Redirect To fields when creating a new redirect in the dashboard, allowing high privilege users even with the unfilteredhtml disabled to set XSS payloads Create a new Custom redirect /wp-admin/options-general.php?page=seo-redirection.php and set a...
Outdated php-mod/curl Library - Unauthenticated Reflected Cross-Site Scripting (XSS)
The original submission stated that the HT Slider Range for Amazon affiliates plugin for WordPress had a reflected XSS vulnerability. After investigation WPScanTeam, the cause was found to be test files from the php-mod/curl library, which was missing appropriate response headers before outputtin...
WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
Description The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the "edit" context was used. This requires at least contributor privileges. 1. As one user, create a new password protected post. Ensure...
WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8
Description A user with the ability to upload files like an Author can exploit an XML parsing issue in the Media Library leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity XXE vulnerability affecting PHP versions 8 and above. Thi...
User Rights Access Manager < 1.0.4 - Improper Access Controls
The plugin did not properly restrict access to some paths, still allowing a restricted user to access them, and edit the Blog Options, create/edit posts and so on for example To reproduce it, install the plugin, create a new admin user and take all his privileges using the mentioned plugin block...
Fitness Calculators < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS)
The plugin add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored...
Business Directory Plugin < 5.11.2 - Arbitrary Payment History Update
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status from pending to completed to example Add a listing, don't complete payment status will be pending paymentcreatedatdate...
WP Login Security and History <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as well -- Payloads: $ " $ " -- PoC 1 | Authenticated...
WP Super Cache < 1.7.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise its wpcachelocation parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. -- Payloads: $ ";' onmouseover=alertdocument.cookie; style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; $ ";'...
Content Copy Protection & Prevent Image Save <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them. -- PoC 1 | Authenticated Persistent XSS & XFS | Image saving disabled message text: ! POST...
Business Directory Plugin < 5.11.2 - Authenticated Stored Cross-Site Scripting
The plugin suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin. Log on as an admin, create or edit a Form Field wp-admin/admin.php?page=wpbdpadminformfields and set the Field Label input...
Business Directory Plugin < 5.11.2 - Arbitrary Listing Export
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc The state is base64 encoded and will need to be adapted to the...
Business Directory Plugin < 5.11.1 - Arbitrary Add/Edit/Delete Form Field to Stored XSS
The plugin suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. Note WPScanTeam: The CSRF has ben fixed and proper capability checks have also been adde...
College Publisher Import <= 0.1 - Arbitrary File Upload to RCE
The plugin does not check for the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of CSRF check, the issue could also be exploited via a CSRF attack. The issue has been escalated to WordPress on April 12th, 2021 Th...
Business Directory Plugin < 5.11.1 - Authenticated PHP4 Upload to RCE
The plugin did not properly check for imported files, forbidding certain extension via a blacklist approach, allowing administrator to import an archive with a .php4 inside for example, leading to RCE Create a php4 file with PHP code in it, zip it and import it via the plugin import feature...
Business Directory Plugin < 5.11 - Arbitrary File Upload to RCE
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE. Note WPScanTeam: CSRF check and some file validation were added in v5.11, however a blacklist...
Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)
The plugin settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege...
Event Banner <= 1.3 - Arbitrary File Upload to RCE
The plugin does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation chec...
Classyfrieds <= 3.8 - Authenticated Arbitrary File Upload to RCE
The plugin does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE. POST /addalisting/ HTTP/1.1...
Larsens Calender <= 1.2 - Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or encode the Title of the calendar entries when outputting them in the admin dashboard, leading to Stored XSS issue. Due to the lack of CSRF check, this can be exploited by a CSRF attack, making logged in administrators create malicious entries The PoC will be...
WorkScout Core < 1.3.4 - Authenticated Stored XSS & XFS
The plugin, used by the WorkScout Theme did not sanitise the chat messages sent via the workscoutsendmessagechat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues Payloads: " " POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencode...
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)
The plugin did not escape user input when blocking requests such as matching a spam word, outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue. From an IP not in the Allow List...
Imagements <= 1.2.5 - Unauthenticated Arbitrary File Upload to RCE
The Imagements WordPress plugin, versions = 1.2.5, allowed images to be uploaded in comments, however, only checked for the Content-Type HTTP header for validation, which can be tampered with. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type head...
OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error
The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration...