Innovs HR <= 1.0.3.4 - Employee Creation via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding them as employees. input type="hidden" name="maritalstatus" value="Single"...
Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure
Description The plugin contains a vulnerability that allows you to read and download PHP logs without authorization 1 Admin should click on "Save as TXT file" in http://yoursite/wordpress/wp-admin/admin.php?page=rrrlgvwr-monitor.php 2 Then someone else can go to...
Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. otwshortcodebutton...
Fancy Product Designer < 6.1.5 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by administrators. - Log in as an administrator, and visit /wp-admin/. - Add a Catalog Product in /wp-admin/admin.php?page=fancyproductdesigner - Sear...
Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover
Description The plugin does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. 1. ADMIN: Install Formidable Pro plugin 2. ADMIN: Install Formidable...
Login as User or Customer <= 3.8 - Admin Account Takeover
Description The plugin does not prevent users from logging in as any other user on the site. 1. As an admin, log in as some user. Note the user ID. 2. Run the following curl command, filling in the ADMINID and the USERID: curl -v https://example.com/wp-admin/admin-ajax.php -H 'Cookie:...
404 Solution < 2.35.8 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins. 1. navigate to logs "https://example.com/wp-admin/options-general.php?page=abj404solution&subpage=abj404logs"...
Seriously Simple Podcasting < 3.0.0 - Unauthenticated Administrator Email Disclosure
Description The plugin discloses the Podcast owner's email address which by default is the admin email address via an unauthenticated crafted request. This was fixed in 3.0.0 for new plugin installation, however when upgrading, users will have to unset the "Owner email address" in the Feed Detail...
Paid Memberships Pro < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure
Description The plugin does not prevent users with at least the contributor role from leaking other users' sensitive metadata. As a contributor, - Add shortcode to any post and specify/guess any user ID and meta key and save - Preview the post and see custom field value outputs from any user Examp...
Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
Description The plugin does not prevent unauthenticated visitors from running code on vulnerable sites. Run the following JS on any site using the theme: await fetch"/wp-json/bricks/v1/renderelement", "credentials": "include", "headers": "Content-Type": "application/json" , "body":...
Photos and Files Contest Gallery < 21.3.1 - Author+ Stored Cross Site Scripting
Description The plugin does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks. 1. Add a New gallery, and click on the "Add files" button to add content. 2. Now add a description for this content with the XSS paylo...
Enhanced Text Widget < 1.6.6 - Admin+ Stored XSS
Description The plugin does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in...
Ultimate Posts Widget < 2.3.1 - Admin+ Stored XSS
Description The plugin does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in...
Starbox < 3.5.0 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks http://132" onmouseover='alert1'...
Login Lockdown – Protect Login Form < 2.09 - Subscriber+ Options Leak
Description The plugin does not prevent logged-in users of any role e.g. subscribers from leaking its settings, which may include allowlisted IP addresses as well as a global unlock key, with which they could add their own IP address to the plugin's list. As a logged-in subscriber, visit the...
Event Tickets and Registration < 5.8.1 - Contributor+ Arbitrary Events Access
Description The plugin does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. e.g. draft, private, pending review, pw-protected, and trashed events. 1. ADMIN: Install Event Tickets 2. ADMIN: Install Event Tickets Plus...
Event Tickets Plus < 5.9.1 - Contributor+ Attendees Lists Disclosure
Description The plugin does not prevent users with at least the contributor role from leaking the attendees list on any post type regardless of status. e.g. draft, private, pending review, password-protected, and trashed posts. 1. ADMIN: Install Event Tickets 2. ADMIN: Install Event Tickets Plus ...
Shariff Wrapper < 4.6.10 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Put the following payload in the...
PageLayer < 1.8.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Enter the following payload in the...
JobSearch WP Job Board < 2.3.4 - Authentication Bypass
Description The plugin does not prevent attackers from logging in as any user with only the knowledge of that user's email address. Browse to the site, paste the following in your browser's console, replacing the email address with that site's administrator's email address:...
Smart Forms < 2.6.87 - Subscriber+ Arbitrary Entry Deletion
Description The plugin does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged ...
JobSearch WP Job Board < 2.3.4 - Arbitrary File Upload to RCE
Description The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server Navigate to the site, and paste the following in your browser's console: fetch'/wp-admin/admin-ajax.php', method: 'POST', headers:...
JetBackup < 2.0.9.9 - Directory Listing Exposing Backups
Description The plugin doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files. A partial fix was released in 2.0.9.6, removing the ability to list the directory but still allowing direct...
Spiffy Calendar < 4.9.9 - Broken Access Control
Description The plugin doesn't check the eventauthor parameter, and allows any user to alter it when creating an event, which can deceive users/admins about which Contributor+ user created it. Using a Contributor+ account and a proxy interceptor such as Burp Suite, create an event. Change the...
WPDashboardNotes < 1.0.11 - Unauthorised Deletion of Private Notes
Description The plugin is vulnerable to Insecure Direct Object References IDOR in postid= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises...
Website Builder by SeedProd < 6.15.22 - Unauthenticated Plugin Page Content Update
Description The plugin does not have authorisation in its seedprodlitenewlpage function, allowing unauthenticated attackers to update the contents of coming-soon, maintenance, login and 404 pages set up with the plugin to a blank state. As unauthenticated, open the following URL to put the...
Fancy Comments WordPress < 1.2.15 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin Put...
MapPress < 2.88.17 - Contributor+ Stored XSS via Map Settings
Description The plugin is vulnerable to Stored Cross-Site Scripting via the width and height parameters, allowing users with contributor access and above to perform Stored XSS attacks. - Go to the plugin's page /wp-admin/admin.php?page=mappressmaps - Add New Map and search any location you want. - Add XSS...
Cookie Information < 2.0.23 - Subscriber+ Arbitrary Options Update
Description The plugin is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler, allowing any authenticated user, such as a subscriber, to update arbitrary site options. Run the below command in the developer console of the web browser while being on th...
Persian Fonts <= 1.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Navigate to:...
Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending
Description The plugin does not have authorisation and CSRF checks in its testerror AJAX action, allowing any authenticated user, such as a subscriber, to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF. As a subscriber, open...
User Activity Tracking and Log < 4.1.4 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. 1. Add X-Forwarded-For: 11.11.11.11 to any request which will be in activity log. For example in creation of new post. 2. View the activity log and see that the...
Allow SVG < 1.2.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to see the XSS...
Travelpayouts < 1.1.13 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF attack Make a logged in admin open a page containing the HTML code below, this will make them update the plugin's...
coreActivity < 1.8.1 - Unauthenticated Stored XSS
Description The plugin does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored XSS attack against high privilege users such as admin As unauthenticated: curl 'https://example.com/alertXSS' The XSS will be triggered when an...
wp-dashboard-notes < 1.0.11 - Contributor+ Arbitrary Private Notes Update via IDOR
Description The plugin does not validate that the user has access to the postid parameter in its wpdnupdatenote AJAX action. This allows users with a role of contributor and above to update notes created by other users. 1. Create a note as an admin. View the source of the page to get the Note ID...
illi Link Party! <= 1.0 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Make an admin open the following HTML: See that the support the plugin option is toggled on/off...
Add SVG Support for Media Uploader | inventivo <= 1.0.5 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to see the XSS...
WP-Reply Notify <= 1.1 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Make an admin open an HTML page containing the following: document.forms0.submit;...
Advanced Page Visit Counter <= 8.0.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Visit the "Settings" interface...
illi Link Party! <= 1.0 - Unauthenticated Arbitrary Link Deletion
Description The plugin lacks proper access controls, allowing unauthenticated visitors to delete links. http://example.com/?page=illi3/includes/functions.php&action=deletesubmission&id=INSERTID Replace "INSERTID" with an ID of a link and hit enter. The link will be deleted...
illi Link Party! <= 1.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks. 1. Go to "Settings Link Party!". 2. Under "Add a New Party", enter the payload for either the "Party Name" or "Party Description":...
Advanced Schedule Posts <= 2.1.8 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins...
SVG Uploads Support <= 2.1.1 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to see the XSS...
Marketing Twitter Bot <= 1.11 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack Have an admin open an HTML page containing the following: ' document.forms0.submit;...
Travelpayouts < 1.1.14 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below:...
WolfNet IDX for WordPress <= 1.19.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. In the settings of the plugin, ente...
illi Link Party! <= 1.0 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks. 1. Add a new link party and add its shortcode to a new post. 2. In a new private window, navigate to the post where you added the shortcode. 3...
Ultimate Noindex Nofollow Tool <= 1.1.2 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack Have an admin open an HTML file containing the following: document.forms0.submit;...