Lucene search
K
WpexploitRecent

4359 matches found

wpexploit
wpexploit
added 2021/04/06 12:0 a.m.761 views

WPBakery Page Builder Clipboard < 4.5.8 - Unauthorised Arbitrary License Options Update

An AJAX action registered by the plugin did not have capability checks, allowing low privilege users, such as subscribers, to update the license options key, email. When logged in as a user with Subcriber role or greater, submit a request to wp-admin/admin-ajax.php with action =...

4CVSS0.5AI score0.00938EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/04/05 12:0 a.m.841 views

Tutor LMS < 1.8.8 - Authenticated Local File Inclusion

The plugin is affected by a local file inclusion vulnerability through the maliciously constructed subpage parameter of the plugin's Tools, allowing high privilege users to include any local php file https://your.domain/wp-admin/admin.php?page=tutor-tools&subpage=..%2F..%2F..%2F..%2F..%2F..%2Find...

5.5CVSS2.8AI score0.00778EPSS
Exploits2
wpexploit
wpexploit
added 2021/04/05 12:0 a.m.93 views

Simple Membership < 4.0.4 - Authenticated SQL Injections

The plugin did not properly sanitise user input before using it in SQL queries in the admin backend, leading to authenticated admin+ SQL injections GET /wp/wp-admin/admin.php?status=&membershiplevel=&s=hhhh%27%20OR%20SLEEP%281%29%20OR%20firstname%20LIKE%20%27%25i%0A&page=simplewpmembership HTTP/1...

1AI score
Exploits1References1
wpexploit
wpexploit
added 2021/04/03 12:0 a.m.477 views

Pie Register < 3.7.0.1 - Reflected Cross-Site Scripting (XSS)

The plugin does not sanitise the invitaioncode GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=prnewregistrationform&showdashwidget=1&invitaioncode=PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=...

4.3CVSS1.8AI score0.01602EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/04/03 12:0 a.m.584 views

WPBakery Page Builder Clipboard < 4.5.6 - Subscriber+ Stored Cross-Site Scripting (XSS)

An AJAX action registered by the plugin did not have capability checks nor sanitization, allowing low privilege users subscriber+ to call it and set XSS payloads, which will be triggered in all backend pages. Version 4.5.6 fixed the XSS issue with sanitization of the parameters, but did not fix t...

0.4AI score0.00703EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/04/02 12:0 a.m.214 views

Business Hours Pro <= 5.5.0 - Unauthenticated Arbitrary File Upload to RCE

The plugin allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability. Note WPScanTeam: - The issue has been escalated to Envato on March 30th, 2021 and the plugin has been removed from the...

7.5CVSS1.6AI score0.03037EPSS
Exploits1References1
wpexploit
wpexploit
added 2021/04/01 12:0 a.m.844 views

Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them even when the unfiletedhtml is disabled Use a payload such as a" in the plugin settings for example, the Powered by Text input...

0.4AI score
Exploits0References1
wpexploit
wpexploit
added 2021/03/31 12:0 a.m.115 views

Goto - Tour & Travel < 2.0 - Unauthenticated Reflected XSS

The theme does not sanitise the keywords and startdate GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue. Payload:...

4.3CVSS1.2AI score0.02927EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/31 12:0 a.m.549 views

Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR

The plugin, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the propertyid parameter. GET...

4CVSS2.8AI score0.01114EPSS
Exploits2References3
wpexploit
wpexploit
added 2021/03/31 12:0 a.m.590 views

Realteo < 1.2.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)

The plugin, used by the Findeo Theme, did not properly sanitise the keywordsearch, searchradius. bedrooms and bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue...

4.3CVSS1.4AI score0.06298EPSS
Exploits2References3
wpexploit
wpexploit
added 2021/03/30 12:0 a.m.80 views

Controlled Admin Access < 1.5.6 - Improper Access Control to Privilege Escalation

The plugin did not properly restrict access when checking user with limited access, allowing them to query pages they should not be able to, which could lead to privilege escalation by creating a new administrator with full, unrestricted access to the blog. Created a temporary admin account via t...

2AI score
Exploits0References1
wpexploit
wpexploit
added 2021/03/30 12:0 a.m.121 views

Ivory Search < 4.6.1 - Reflected Cross Site Scripting (XSS)

The Search Forms page of the plugin did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack...

4.3CVSS0.3AI score0.01173EPSS
Exploits2References2
wpexploit
wpexploit
added 2021/03/30 12:0 a.m.564 views

Advanced Booking Calendar < 1.6.8 - Authenticated Reflected Cross-Site Scripting (XSS)

The plugin does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue https://plugins.trac.wordpress.org/browser/advanced-booking-calendar/tags/1.6.7/backend/settings.phpL550...

3.5CVSS0.5AI score0.0062EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/30 12:0 a.m.629 views

Cooked Pro < 1.7.5.6 - Unauthenticated Reflected Cross Site Scripting (XSS)

The plugin was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute. https://cooked.pro/demo/trial/5snjx6louabhdpg/profile/?t8osi%22%3e%3cscript%3ealert1%3c%2fscript%3edr7ag=1...

4.3CVSS1.6AI score0.01749EPSS
Exploits3References2
wpexploit
wpexploit
added 2021/03/30 12:0 a.m.527 views

Woocommerce Customers Manager < 26.6 - Authenticated Reflected Cross-Site Scripting (XSS)

The wccmcustomersids and wccmcustomersemails parameters are output in href attributes, after being sanitised with the sanitizetextfield function, which is not appropriate for such case, as payload such as ' injected-attribute=value will still be injected. This lead to a reflected XSS issue in the...

1.6AI score
Exploits0References2
wpexploit
wpexploit
added 2021/03/30 12:0 a.m.703 views

Woocommerce Customers Manager < 26.6 - Arbitrary Account Creation/Update via CSRF

The fixes for https://wpscan.com/vulnerability/126143e0-b0cc-4517-862e-3ac557db744f still allowed the issue to be performed via a CSRF attack. The uploadcsv AJAX action, available to authenticated users, did not have proper CRSF check, allowing attacker to make a logged in user with the...

1.5AI score
Exploits0References2
wpexploit
wpexploit
added 2021/03/29 12:0 a.m.106 views

Virtual Robots.txt < 1.10 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin did not sanitise the content of the robots.txt, allowing high privilege users admin+ to use XSS payloads, which will be output back in the settings page of the plugin. Put the following directive in the plugin settings "User Agents and Directives for this site" Disallow:...

0.4AI score0.01669EPSS
Exploits1References1
wpexploit
wpexploit
added 2021/03/28 12:0 a.m.616 views

Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS)

The plugin did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue Payloads: - Original reporter:...

3.5CVSS0.6AI score0.00691EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/27 12:0 a.m.99 views

Easy Form Builder <= 1.0 - Unauthorised AJAX calls

While confirming https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484, we noticed that all AJAX actions of the plugin, available to authenticated users, do not have any CSRF and authorisation checks in place, allowing low privilege users to call them and delete/edit arbitrary for...

1.2AI score
Exploits0
wpexploit
wpexploit
added 2021/03/26 12:0 a.m.94 views

Quiz And Survey Master < 7.1.14 - Authenticated SQL injection via Rest API

While confirming https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab, another SQLi issue was identified and reported. The qsmrestgetbankquestions function in the php/rest-api.php file did not property sanitise and escape the category parameter before using it in SQL statements...

0.6AI score
Exploits0References1
wpexploit
wpexploit
added 2021/03/26 12:0 a.m.149 views

N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE

The plugin suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5uniqidrand, however, in the case of misconfigured servers with Directory listing enabled,...

7.5CVSS0.8AI score0.02207EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/26 12:0 a.m.103 views

Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload

The EFBPverifyuploadfile AJAX action of the plugin, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE. The PoC will be displayed once the issue has been remediated...

6.5CVSS1.9AI score0.01906EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/26 12:0 a.m.728 views

Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode

The plugin did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised...

6.5CVSS0.3AI score0.01893EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/26 12:0 a.m.106 views

WP-Curricul Vitea Free <= 6.3 - Unauthenticated Arbitrary File Upload to RCE

The plugin suffers from an arbitrary file upload issue in page where the formCadastro is embed. The form allows unauthenticated user to register and submit files for their profile picture as well as resume, without any file extension restriction, leading to RCE. The PoC will be displayed once the...

7.5CVSS1.1AI score0.02426EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/26 12:0 a.m.124 views

Vertical News Scroller < 1.17 - Authenticated Reflected Cross-Site Scripting (XSS)

The plugin attempted to fix a reflected Cross-Site Scripting in v1.10, however the changes were insufficient, as sanitizetextfield was used, but output in an attribute without being escaped. For versions 1.17:...

1AI score
Exploits0
wpexploit
wpexploit
added 2021/03/26 12:0 a.m.845 views

AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

In the plugin, the file "resource/frontend/product/product-shortcode.php" responsible for the accessallyorderform shortcode is dumping serialize$SERVER, which contains all environment variables. The leakage occurs on all public facing pages containing the accessallyorderform shortcode, no login o...

5CVSS2AI score0.05404EPSS
Exploits2
wpexploit
wpexploit
added 2021/03/25 12:0 a.m.160 views

Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain

The runaction function of the plugin deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution. Step 1: Use the nonce...

6.8CVSS0.2AI score0.0352EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/25 12:0 a.m.84 views

Business Directory <= 1.2.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)

This theme does not sanitise its search input, leading to a Reflected XSS issue when output back in the search result page. Note WPScanTeam: The theme has been removed from the WordPress marketplace listing on March 22nd, 2021 The PoC will be displayed once the issue has been remediated...

0.8AI score
Exploits0References1
wpexploit
wpexploit
added 2021/03/25 12:0 a.m.156 views

Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion

The wpajaxsavefbesettings and wpajaxdeletefbesettings AJAX actions of the plugin were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved. CSRF to XSS alert0" / alert0" / alert0" / CSRF to Dele...

6.8CVSS8.8AI score0.00699EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/24 12:0 a.m.187 views

All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion

Thrive “Legacy” themes register a REST API endpoint to compress images using the Kraken image optimization engine. By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote...

6.4CVSS1AI score0.03946EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/24 12:0 a.m.81 views

MapifyLite < 4.0.0 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin does not sanitise the Image URL either in the settings or in a location, allowing editor+ users to use a malicious payload, leading to Stored Cross-Site Scripting issues. Notes WPScanTeam: - The vendor has been notified on March 24th, 2021 - The pro version is very likely to be...

Exploits0References1
wpexploit
wpexploit
added 2021/03/24 12:0 a.m.516 views

All Thrive Themes and Plugins - Unauthenticated Option Update

The plugins and themes register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty apikey parameter in vulnerable versions if Zapier was not enabled. Attackers coul...

5CVSS1.1AI score0.02076EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/23 12:0 a.m.120 views

Mapplic and Mapplic Lite - SSRF to Stored Cross-Site Scripting (XSS)

The Mapplic Lite alert/XSS/...

6.5AI score
Exploits0References2
wpexploit
wpexploit
added 2021/03/23 12:0 a.m.118 views

GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS)

The plugin was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page...

4.3CVSS1.8AI score0.0137EPSS
Exploits4References1
wpexploit
wpexploit
added 2021/03/23 12:0 a.m.147 views

Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation

An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. Even with the maximu...

10CVSS1.5AI score0.09733EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/21 12:0 a.m.965 views

WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE

We noticed 0-day in the plugin https://woocommerce.com/products/woocommerce-help-scout/ being actively exploited. This vulnerability affects at least versions 2.6-2.8 current latest published version and allows unauthenticated users to upload any files to the site which by default will end up in...

7.5CVSS0.1AI score0.07908EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/19 12:0 a.m.782 views

PhastPress < 1.111 - Open Redirect

There is an open redirect in the plugin that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/ that...

5.8CVSS0.5AI score0.03066EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/19 12:0 a.m.718 views

WordPress Related Posts <= 3.6.4 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin contains an authenticated admin+ stored XSS vulnerability in the title field on the settings page. By exploiting that an attacker will be able to execute JavaScript code in the user's browser. Put the following payload in the "Related Posts Title" settings of the plugin...

3.5CVSS0.3AI score0.00628EPSS
Exploits2
wpexploit
wpexploit
added 2021/03/17 12:0 a.m.527 views

WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts

By default, the plugin allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages. A subscriber, upon registering an account with a site with the WP Pagebuilder plugin, could immediately modify or delete...

4CVSS1.1AI score0.00689EPSS
Exploits2References2
wpexploit
wpexploit
added 2021/03/17 12:0 a.m.124 views

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Icon Box Widget

In the plugin, the icon box widget includes/widgets/icon-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript in...

3.5CVSS5.5AI score0.00746EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/17 12:0 a.m.133 views

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Accordion Widget

In the plugin, the accordion widget includes/widgets/accordion.php accepts a ‘titlehtmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScri...

3.5CVSS5.5AI score0.00746EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/17 12:0 a.m.172 views

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget

In the plugin, the image box widget includes/widgets/image-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript ...

3.5CVSS5.5AI score0.00746EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/17 12:0 a.m.324 views

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element

In the plugin, the column element includes/elements/column.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript in th...

3.5CVSS0.1AI score0.00746EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/17 12:0 a.m.185 views

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget

In the plugin, the divider widget includes/widgets/divider.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request with this parameter set to...

3.5CVSS0.00746EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/17 12:0 a.m.115 views

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Heading Widget

In the plugin, the heading widget includes/widgets/heading.php accepts a ‘headersize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request with this parameter set t...

3.5CVSS5.5AI score0.00746EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/16 12:0 a.m.390 views

WP Super Cache < 1.7.2 - Authenticated Remote Code Execution (RCE)

The plugin was affected by an authenticated admin+ RCE in the settings page due to input validation failure and weak $cachepath check in the WP Super Cache Settings - Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for...

9CVSS1.5AI score0.23844EPSS
Exploits3References3
wpexploit
wpexploit
added 2021/03/16 12:0 a.m.559 views

SEO Redirection < 6.4 - Authenticated Reflected Cross-Site Scripting (XSS)

The setting page of the plugin is vulnerable to reflected Cross-Site Scripting XSS as user input is not properly sanitised before being output in an attribute. Timeline WPScanTeam January 29th, 2021 - Report received & Confirmed & Escalated to WordPress plugins Team who confirmed to have received...

3.5CVSS5.3AI score0.00632EPSS
Exploits2
wpexploit
wpexploit
added 2021/03/15 12:0 a.m.109 views

Tutor LMS < 1.8.3 - SQL Injection via tutor_answering_quiz_question/get_answer_by_id

The tutoransweringquizquestion/getanswerbyid function pair from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. POST /courses/first-class/tutorquiz/test/ HTTP/1.1 Host: URL Content-Length: 413 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin...

4CVSS1.1AI score0.01253EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/15 12:0 a.m.106 views

Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_question_form

The tutorquizbuildergetquestionform AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. python3 sqlmap.py -r /tutorunion4.txt --dbms=mysql --technique=U -p questionid --dump Where tutorunion4.txt is POST /wp-admin/admin-ajax.php HTTP/1.1...

4CVSS1.2AI score0.01742EPSS
Exploits2References1
wpexploit
wpexploit
added 2021/03/15 12:0 a.m.113 views

Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_answers_by_question

The tutorquizbuildergetanswersbyquestion AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. python3 sqlmap.py -r /tutorunion.txt --dbms=mysql --technique=U -p questionid --dump Where tutorunion.txt is POST /wp-admin/admin-ajax.php HTTP/1.1...

4CVSS1.2AI score0.01742EPSS
Exploits2References1
Total number of security vulnerabilities4359