4359 matches found
WPBakery Page Builder Clipboard < 4.5.8 - Unauthorised Arbitrary License Options Update
An AJAX action registered by the plugin did not have capability checks, allowing low privilege users, such as subscribers, to update the license options key, email. When logged in as a user with Subcriber role or greater, submit a request to wp-admin/admin-ajax.php with action =...
Tutor LMS < 1.8.8 - Authenticated Local File Inclusion
The plugin is affected by a local file inclusion vulnerability through the maliciously constructed subpage parameter of the plugin's Tools, allowing high privilege users to include any local php file https://your.domain/wp-admin/admin.php?page=tutor-tools&subpage=..%2F..%2F..%2F..%2F..%2F..%2Find...
Simple Membership < 4.0.4 - Authenticated SQL Injections
The plugin did not properly sanitise user input before using it in SQL queries in the admin backend, leading to authenticated admin+ SQL injections GET /wp/wp-admin/admin.php?status=&membershiplevel=&s=hhhh%27%20OR%20SLEEP%281%29%20OR%20firstname%20LIKE%20%27%25i%0A&page=simplewpmembership HTTP/1...
Pie Register < 3.7.0.1 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise the invitaioncode GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting issue. https://example.com/wp-admin/admin.php?page=prnewregistrationform&showdashwidget=1&invitaioncode=PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=...
WPBakery Page Builder Clipboard < 4.5.6 - Subscriber+ Stored Cross-Site Scripting (XSS)
An AJAX action registered by the plugin did not have capability checks nor sanitization, allowing low privilege users subscriber+ to call it and set XSS payloads, which will be triggered in all backend pages. Version 4.5.6 fixed the XSS issue with sanitization of the parameters, but did not fix t...
Business Hours Pro <= 5.5.0 - Unauthenticated Arbitrary File Upload to RCE
The plugin allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability. Note WPScanTeam: - The issue has been escalated to Envato on March 30th, 2021 and the plugin has been removed from the...
Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them even when the unfiletedhtml is disabled Use a payload such as a" in the plugin settings for example, the Powered by Text input...
Goto - Tour & Travel < 2.0 - Unauthenticated Reflected XSS
The theme does not sanitise the keywords and startdate GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue. Payload:...
Realteo < 1.2.4 - Arbitrary Property Deletion via IDOR
The plugin, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the propertyid parameter. GET...
Realteo < 1.2.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The plugin, used by the Findeo Theme, did not properly sanitise the keywordsearch, searchradius. bedrooms and bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue...
Controlled Admin Access < 1.5.6 - Improper Access Control to Privilege Escalation
The plugin did not properly restrict access when checking user with limited access, allowing them to query pages they should not be able to, which could lead to privilege escalation by creating a new administrator with full, unrestricted access to the blog. Created a temporary admin account via t...
Ivory Search < 4.6.1 - Reflected Cross Site Scripting (XSS)
The Search Forms page of the plugin did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack...
Advanced Booking Calendar < 1.6.8 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue https://plugins.trac.wordpress.org/browser/advanced-booking-calendar/tags/1.6.7/backend/settings.phpL550...
Cooked Pro < 1.7.5.6 - Unauthenticated Reflected Cross Site Scripting (XSS)
The plugin was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute. https://cooked.pro/demo/trial/5snjx6louabhdpg/profile/?t8osi%22%3e%3cscript%3ealert1%3c%2fscript%3edr7ag=1...
Woocommerce Customers Manager < 26.6 - Authenticated Reflected Cross-Site Scripting (XSS)
The wccmcustomersids and wccmcustomersemails parameters are output in href attributes, after being sanitised with the sanitizetextfield function, which is not appropriate for such case, as payload such as ' injected-attribute=value will still be injected. This lead to a reflected XSS issue in the...
Woocommerce Customers Manager < 26.6 - Arbitrary Account Creation/Update via CSRF
The fixes for https://wpscan.com/vulnerability/126143e0-b0cc-4517-862e-3ac557db744f still allowed the issue to be performed via a CSRF attack. The uploadcsv AJAX action, available to authenticated users, did not have proper CRSF check, allowing attacker to make a logged in user with the...
Virtual Robots.txt < 1.10 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the content of the robots.txt, allowing high privilege users admin+ to use XSS payloads, which will be output back in the settings page of the plugin. Put the following directive in the plugin settings "User Agents and Directives for this site" Disallow:...
Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue Payloads: - Original reporter:...
Easy Form Builder <= 1.0 - Unauthorised AJAX calls
While confirming https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484, we noticed that all AJAX actions of the plugin, available to authenticated users, do not have any CSRF and authorisation checks in place, allowing low privilege users to call them and delete/edit arbitrary for...
Quiz And Survey Master < 7.1.14 - Authenticated SQL injection via Rest API
While confirming https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab, another SQLi issue was identified and reported. The qsmrestgetbankquestions function in the php/rest-api.php file did not property sanitise and escape the category parameter before using it in SQL statements...
N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE
The plugin suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5uniqidrand, however, in the case of misconfigured servers with Directory listing enabled,...
Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload
The EFBPverifyuploadfile AJAX action of the plugin, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE. The PoC will be displayed once the issue has been remediated...
Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode
The plugin did not sanitise the resultid GET parameter on pages with the qsmresult shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised...
WP-Curricul Vitea Free <= 6.3 - Unauthenticated Arbitrary File Upload to RCE
The plugin suffers from an arbitrary file upload issue in page where the formCadastro is embed. The form allows unauthenticated user to register and submit files for their profile picture as well as resume, without any file extension restriction, leading to RCE. The PoC will be displayed once the...
Vertical News Scroller < 1.17 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin attempted to fix a reflected Cross-Site Scripting in v1.10, however the changes were insufficient, as sanitizetextfield was used, but output in an attribute without being escaped. For versions 1.17:...
AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage
In the plugin, the file "resource/frontend/product/product-shortcode.php" responsible for the accessallyorderform shortcode is dumping serialize$SERVER, which contains all environment variables. The leakage occurs on all public facing pages containing the accessallyorderform shortcode, no login o...
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
The runaction function of the plugin deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution. Step 1: Use the nonce...
Business Directory <= 1.2.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
This theme does not sanitise its search input, leading to a Reflected XSS issue when output back in the search result page. Note WPScanTeam: The theme has been removed from the WordPress marketplace listing on March 22nd, 2021 The PoC will be displayed once the issue has been remediated...
Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion
The wpajaxsavefbesettings and wpajaxdeletefbesettings AJAX actions of the plugin were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved. CSRF to XSS alert0" / alert0" / alert0" / CSRF to Dele...
All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion
Thrive “Legacy” themes register a REST API endpoint to compress images using the Kraken image optimization engine. By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote...
MapifyLite < 4.0.0 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the Image URL either in the settings or in a location, allowing editor+ users to use a malicious payload, leading to Stored Cross-Site Scripting issues. Notes WPScanTeam: - The vendor has been notified on March 24th, 2021 - The pro version is very likely to be...
All Thrive Themes and Plugins - Unauthenticated Option Update
The plugins and themes register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty apikey parameter in vulnerable versions if Zapier was not enabled. Attackers coul...
Mapplic and Mapplic Lite - SSRF to Stored Cross-Site Scripting (XSS)
The Mapplic Lite alert/XSS/...
GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS)
The plugin was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors page...
Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation
An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. Even with the maximu...
WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE
We noticed 0-day in the plugin https://woocommerce.com/products/woocommerce-help-scout/ being actively exploited. This vulnerability affects at least versions 2.6-2.8 current latest published version and allows unauthenticated users to upload any files to the site which by default will end up in...
PhastPress < 1.111 - Open Redirect
There is an open redirect in the plugin that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/ that...
WordPress Related Posts <= 3.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin contains an authenticated admin+ stored XSS vulnerability in the title field on the settings page. By exploiting that an attacker will be able to execute JavaScript code in the user's browser. Put the following payload in the "Related Posts Title" settings of the plugin...
WP Page Builder < 1.2.4 - Insecure default configuration Allows Subscribers Editing Access to Posts
By default, the plugin allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages. A subscriber, upon registering an account with a site with the WP Pagebuilder plugin, could immediately modify or delete...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Icon Box Widget
In the plugin, the icon box widget includes/widgets/icon-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript in...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Accordion Widget
In the plugin, the accordion widget includes/widgets/accordion.php accepts a ‘titlehtmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScri...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget
In the plugin, the image box widget includes/widgets/image-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript ...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element
In the plugin, the column element includes/elements/column.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request containing JavaScript in th...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget
In the plugin, the divider widget includes/widgets/divider.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request with this parameter set to...
Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Heading Widget
In the plugin, the heading widget includes/widgets/heading.php accepts a ‘headersize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘savebuilder’ request with this parameter set t...
WP Super Cache < 1.7.2 - Authenticated Remote Code Execution (RCE)
The plugin was affected by an authenticated admin+ RCE in the settings page due to input validation failure and weak $cachepath check in the WP Super Cache Settings - Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for...
SEO Redirection < 6.4 - Authenticated Reflected Cross-Site Scripting (XSS)
The setting page of the plugin is vulnerable to reflected Cross-Site Scripting XSS as user input is not properly sanitised before being output in an attribute. Timeline WPScanTeam January 29th, 2021 - Report received & Confirmed & Escalated to WordPress plugins Team who confirmed to have received...
Tutor LMS < 1.8.3 - SQL Injection via tutor_answering_quiz_question/get_answer_by_id
The tutoransweringquizquestion/getanswerbyid function pair from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. POST /courses/first-class/tutorquiz/test/ HTTP/1.1 Host: URL Content-Length: 413 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin...
Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_question_form
The tutorquizbuildergetquestionform AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. python3 sqlmap.py -r /tutorunion4.txt --dbms=mysql --technique=U -p questionid --dump Where tutorunion4.txt is POST /wp-admin/admin-ajax.php HTTP/1.1...
Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_answers_by_question
The tutorquizbuildergetanswersbyquestion AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students. python3 sqlmap.py -r /tutorunion.txt --dbms=mysql --technique=U -p questionid --dump Where tutorunion.txt is POST /wp-admin/admin-ajax.php HTTP/1.1...