Lucene search
K
WpexploitRecent

4359 matches found

wpexploit
wpexploit
•added 2021/03/15 12:0 a.m.•134 views

Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation

Several AJAX endpoints in the plugin were unprotected, allowing students to modify course information and elevate their privileges among many other actions. Only one PoC provided for privilege escalation. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output =...

6.5CVSS1.3AI score0.01439EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/03/15 12:0 a.m.•173 views

Tutor LMS < 1.7.7 - SQL Injection via tutor_place_rating

The tutorplacerating AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students. python3 sqlmap.py -r /tutor2.txt --dbms=mysql --technique=B -p courseid --dump Where tutor2.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL...

4CVSS1.1AI score0.01253EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/03/15 12:0 a.m.•106 views

Tutor LMS < 1.7.7 - SQL Injection via tutor_mark_answer_as_correct

The tutormarkanswerascorrect AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students. python3 sqlmap.py -r /tutortime.txt --dbms=mysql --technique=T -p answerid --dump Where tutortime.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...

4CVSS1AI score0.01253EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/03/15 12:0 a.m.•536 views

Related Posts for WordPress < 2.0.4 - Authenticated Reflected Cross-Site Scripting (XSS)

Unvalidated input and lack of output encoding within the plugin lead to a Reflected Cross-Site Scripting XSS vulnerability within the 'lang' GET parameter while editing a post, triggered when users with the capability of editing posts access a malicious URL...

3.5CVSS0.5AI score0.00632EPSS
Exploits2
wpexploit
wpexploit
•added 2021/03/14 12:0 a.m.•520 views

Social Slider Widget < 1.8.5 - Authenticated Reflected Cross-Site Scripting (XSS)

The plugin allowed Authenticated Reflected XSS in the plugin settings page as the ‘tokenerror’ parameter can be controlled by users and it is directly echoed without being sanitized /wp-admin/admin.php?page=settings-wisw&tokenerror=alert/XSS/;...

3.5CVSS1.9AI score0.00679EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/03/13 12:0 a.m.•739 views

VM Backups <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)

The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue. The PoC will be displayed once the issue has been remediated...

4.3CVSS1.8AI score0.00377EPSS
Exploits1
wpexploit
wpexploit
•added 2021/03/13 12:0 a.m.•773 views

VM Backups <= 1.0 - CSRF to Database Backup Download

The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current theme. The files will be created in the uploads directory by default, with a timestamp in their filenames, without any access restriction,...

4.3CVSS4.6AI score0.00411EPSS
Exploits1
wpexploit
wpexploit
•added 2021/03/11 12:0 a.m.•539 views

JH 404 Logger <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

The plugin doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard. curl 'https://example.com/non-existing-page"' -e '"'...

3.5CVSS1AI score0.02044EPSS
Exploits2
wpexploit
wpexploit
•added 2021/03/10 12:0 a.m.•718 views

Database Backups <= 1.2.2.6 - CSRF to Backup Download

The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups. When generating a backup, the file is created in the /wp-content/uploads/database-backups directory, with ...

5.8CVSS0.3AI score0.03218EPSS
Exploits5
wpexploit
wpexploit
•added 2021/03/08 12:0 a.m.•130 views

SuperStoreFinder & SuperInteractiveMaps - Unauthenticated SQL Injections

The ssf-social-action.php and sim-wp-data.php files from the respective superstorefinder-wp = 5.0.12 AND time-based blind query SLEEP Payload: action=select&ssfwpid=1 AND SELECT 7900 FROM SELECTSLEEP5gxXh Type: UNION query Title: Generic UNION query NULL - 7 columns Payload: action=select&ssfwpid...

0.6AI score
Exploits0References3
wpexploit
wpexploit
•added 2021/03/08 12:0 a.m.•495 views

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

The plugin was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user including admin by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even ...

7.5CVSS0.2AI score0.14462EPSS
Exploits3References2
wpexploit
wpexploit
•added 2021/03/03 12:0 a.m.•115 views

User Profile Picture < 2.5.0 - Sensitive Information Disclosure

The REST API endpoint getusers in the plugin returned more information than was required for its functionality to users with the uploadfiles capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information. Usage: php poc.php author...

7.5AI score0.04788EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/03/03 12:0 a.m.•573 views

Advanced Order Export For WooCommerce < 3.1.8 - Reflected Cross-Site Scripting (XSS)

This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. wp-admin/admin.php?page=wc-order-export&tab=alert/XSS/...

4.3CVSS0.6AI score0.10348EPSS
Exploits5
wpexploit
wpexploit
•added 2021/03/01 12:0 a.m.•129 views

WP GDPR Compliance < 1.5.6 - Unauthenticated Stored Cross-Site Scripting (XSS)

The GDPR Compliance action=wpgdprcprocessaction&security=cccf5a60ec&data="type":"accessrequest","email":"[email protected]","consent":true...

1.7AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/27 12:0 a.m.•110 views

Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Reflected Cross-Site Scripting (XSS)

The includes/mc-getlists.php file decoded JSON data fetched from the URL provided and then displayed the HTML from the response without any HTML escaping, leading to a reflected cross-site scripting issue where the payload is on a different server controlled by the attacker for example. The issue...

6.3AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/27 12:0 a.m.•87 views

Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)

The includes/mc-getlists.php file used the 'apiKey' POST parameter to create an https URL from it without sanitisation and called it with cURL, leading to a SSRF issue. The issue is exploitable via direct access to the affected file, and ucmmmcapi AJAX call available to both authenticated and...

0.3AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/24 12:0 a.m.•430 views

NextGEN Gallery Pro < 3.1.11 - Reflected Cross-Site Scripting (XSS)

In the eCommerce module of NextGEN Gallery Pro, there is an action to call getcartitems via photocratiajax , after that the settingsshippingaddressname is able to inject malicious javascript. On a page where a NextGEN Pro gallery is embed:...

1AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/24 12:0 a.m.•640 views

Woocommerce Customers Manager < 26.5 - Arbitrary Account Creation/Update by Low Privilege Users

The uploadcsv AJAX action, available to authenticated users, did not have proper capability checks. allowing any authenticated users, such as a subscriber, to call it and import arbitrary users. They could either update their own account, to make themselves administrator, or create new...

1.9AI score
Exploits0References2
wpexploit
wpexploit
•added 2021/02/23 12:0 a.m.•175 views

Photo Gallery by 10web < 1.5.69 - Reflected Cross-Site Scripting (XSS)

The plugin did not properly sanitise the bwgsearchX GET parameter, available in a frontend gallery when the Show Search Box setting is enabled disabled by default, leading to a reflected Cross-Site Scripting issue Append the below payload in a page with an embedded gallery and the Show Search Box...

0.3AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/22 12:0 a.m.•234 views

QuadMenu < 2.0.7 - Unauthenticated RCE via compiler_save

The compilersave AJAX action, available to both authenticated and unauthenticated users did not check the extension of the imported file, and had the nonce used for CSRF check displayed in the homepage. This could allow unauthenticated users to create an arbitrary PHP file on the blog, leading to...

1.4AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/19 12:0 a.m.•277 views

Testimonial Rotator <= 3.0.3 - Authenticated Stored Cross-Site Scripting

Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users Contributor to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation Edit WPScanTeam: The https://wordpress.org/plugins/themify-portfolio-post/ plugin...

0.3AI score0.00687EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/02/18 12:0 a.m.•1027 views

Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload

The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users admin+ to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is...

7.3AI score0.84112EPSS
Exploits9
wpexploit
wpexploit
•added 2021/02/17 12:0 a.m.•235 views

Better Search < 2.5.3 - CSRF Nonce Bypass in Import/Export

The plugin did not properly check the CSRF nonces when exporting and importing settings, allowing attackers to make a logged in user with the manageoptions capability export and import arbitrary settings by not providing the nonce parameter in the request POST...

1.1AI score
Exploits0References2
wpexploit
wpexploit
•added 2021/02/17 12:0 a.m.•198 views

Process Steps Template Designer < 1.3 - CSRF to Stored Cross-Site Scripting (XSS)

The plugin did not properly check its CSRF nonce in the FontAwesomeField.save method, which could allow attackers to make logged in users capable of editing posts change the Step Icon of arbitrary Process Steps. Due to the lack of sanitisation of the submitted Step icon value, it could also lead ...

1.1AI score
Exploits0References2
wpexploit
wpexploit
•added 2021/02/17 12:0 a.m.•232 views

Custom Banners < 3.3 - CSRF Nonce Bypass in saveCustomFields

The plugin did not properly check the CSRF nonce in the saveCustomFields method, which could allow attackers to make a logged in user with the editpost capability to save custom fields in a post. Numerous sanitisation fixes were also added to v3.3 Send a request without the my-custom-fieldswpnonc...

2.4AI score
Exploits0References3
wpexploit
wpexploit
•added 2021/02/16 12:0 a.m.•206 views

Ninja Forms < 3.4.34 - Administrator Open Redirect

The wpajaxnfoauthconnect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. http://mysite.com/wp-admin/admin-ajax.php?clientid=1&redirect=https://google.com&action=nfoauthconnect...

2AI score0.01643EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/02/16 12:0 a.m.•170 views

Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure

The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the clientsecret key needed to...

0.1AI score0.01439EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/02/16 12:0 a.m.•179 views

Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure

Low-level users, such as subscribers, were able to trigger the action, wpajaxnfoauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clientid for an already established OAuth connection. Usage: php poc.php subscriber password $wpuser, 'pwd' = $wppas...

0.9AI score0.00889EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/02/16 12:0 a.m.•186 views

Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection

The wpajaxnfoauthdisconnect from the plugin had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection...

1.4AI score0.00458EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/02/14 12:0 a.m.•642 views

Zebra_Form Library <= 2.9.8 - Reflected Cross-Site Scripting (XSS)

The ZebraForm PHP library v2.9.8 latest and below, used by some WordPress plugins, is affected by reflected Cross-Site Scripting issues in its process.php file. There is currently no patch available and the removal of this library is recommended. Via $GET'form': &control=upload" method="post"...

0.3AI score
Exploits0References2
wpexploit
wpexploit
•added 2021/02/13 12:0 a.m.•348 views

Theme Editor < 2.6 - Authenticated Arbitrary File Download

The plugin did not validate the GET file parameter before passing it to the downloadfile function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd Edit WPScanTeam: The AJAX action wpajaxmkthemeeditorfileopen could also be used to achieve the same thing a...

0.01066EPSS
Exploits1
wpexploit
wpexploit
•added 2021/02/12 12:0 a.m.•438 views

Post SMTP Mailer/Email Log < 2.0.21 - CSRF Nonce Bypass

A user could bypass the nonce check associated with Export mail to CSV handleCsvExport function Submit a request w/o the post-smtp-log-nonce parameter...

0.3AI score
Exploits0References2
wpexploit
wpexploit
•added 2021/02/10 12:0 a.m.•194 views

Map Block for Google Maps < 1.32 - Unauthorised Google API Key change

The gmwmapblocksavekey AJAX action, available to both authenticated and unauthenticated users did not have any check in place to prevent unauthorised change of the Google API key...

0.8AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/10 12:0 a.m.•243 views

Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload

"A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further...

1.2AI score0.08196EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/02/10 12:0 a.m.•267 views

Responsive Menu < 4.0.4 - CSRF to Settings Update

"Attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site." function submitRequest var xhr = new...

1.4AI score0.00796EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/02/10 12:0 a.m.•211 views

Responsive Menu < 4.0.4 - CSRF to Arbitrary File Upload

"Attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site." function submitRequest var xhr = new XMLHttpRequest;...

2.1AI score0.01249EPSS
Exploits2References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•169 views

Ultimate Maps by Supsystic < 1.1.17 - Authenticated SQL Injections

The GET parameters sidx and sord were used in a SQL statement without being sanitised when searching for maps in the dashboard, leading to an authenticated SQL Injection issues...

1.5AI score
Exploits0References2
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•150 views

Contact Form by Supsystic < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)

The label field Form name was vulnerable to stored Cross-Site Scripting issue. When creating or editing a form, use the following payload as a Form name label field: "alert1!--', which will be executed when viewing the "Show All Forms" section, as well as when opening the Contact Details of a use...

Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•143 views

Contact Form by Supsystic < 1.7.11 - Authenticated SQL Injections

The GET parameters sidx and sord were used in a SQL statement without being sanitised when searching for Forms in the dashboard, leading to an authenticated SQL Injection issues...

1.2AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•172 views

Pricing Table by Supsystic < 1.8.9 - Authenticated SQL Injections

The GET parameter sidx and sord are used in a SQL statement without being sanitised when searching for pricing tables in the dashboard, leading to an authenticated SQL Injection issues...

0.6AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•156 views

Digital Publications by Supsystic < 1.6.12 - Authenticated Path Traversal

The "Folder" tab under "Publications" is vulnerable to path traversal and exposes limited information, for example, the user can gain information regarding images stored in outside of the WordPress blog, ie, home directories. Enter the following payload into the "Folder" input field of a...

0.6AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•179 views

Membership by Supsystic <= 1.5.0 - Authenticated SQL Injection

The GET parameter "sidx" and "search are used in a SQL statement without being sanitised when searching for badges in the dashboard, leading to authenticated SQL Injection issues. v1.4.8 attempted a fix, which was found to not be sufficient The PoC will be displayed once the issue has been...

1AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•169 views

Digital Publications by Supsystic <= 1.6.11 - Authenticated Stored Cross-Site Scripting (XSS)

When creating or editing a publication, all values such as Area Width, Publication Width are vulnerable to stored XSS. It is possible to store code in all input fields as the code does not sanitize any user input. v1.6.11 attempted to fix the issue by using sanitizetextfield, however the output i...

0.3AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•159 views

Backup by Supsystic <= 2.3.9 - Authenticated Arbitrary File Download and Deletion

The plugin does not check for path traversal attacks, allowing administrator to download and delete any file from the web server. Due to the lack of CSRF check on the file deletion, unauthenticated attacker could make a logged in administrator delete files from the web server as well The PoC will...

2.2AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•53 views

Extra Charges To Payment Gateway For WooCommerce <= 2.0.2.1 - Unauthorised Arbitrary Plugin Settings Change to Stored XSS

The addformfields method, hooked to the adminhead action is lacking any CSRF and capability checks, allowing low privilege users to arbitrary update those settings, and set XSS payloads in them as well, which could lead to privilege escalation. Unauthenticated users could also make a logged in us...

0.6AI score
Exploits0References2
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•163 views

Newsletter by Supsystic <= 1.5.6 - Authenticated SQL Injection

The GET parameter "sidx" is used in a SQL statement without being sanitised when searching for subscribers in the dashboard, leading to an authenticated SQL Injection issue. The PoC will be displayed once the issue has been remediated...

0.8AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•218 views

Welcart e-Commerce < 2.1.1 - Authenticated SQL Injection

The Welcart e-Commerce WordPress plugin, less than version 2.1.1 and possibly below, was vulnerable to authenticated SQLI Injection in the searchordercolumn0 POST parameter of the "/wp-admin/admin.php?page=uscesorderlist" page. Refer to references...

2.9AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•295 views

WP Amour < 1.5.7 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin did not sanitise and escape its setting fields, leading to Stored Cross-Site Scripting issues. Furthermore, the lack of CSRF checks could also allow attackers to trigger the XSS via CSRF attacks against a logged in administrator alert/XSS-Field/' / alert/XSS-Error/' /...

0.9AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•180 views

Pricing Table by Supsystic < 1.9.0 - Authenticated Stored Cross-Site Scripting

The label and datahtml POST parameter are not properly sanitised and escaped before being saved and output back in the page, leading to stored Cross-Site Scripting issues v alert1alert1 instead of the one above v 1.9.0, the edit HTML feature was removed client side but a crafted request could sti...

6.4AI score
Exploits0References1
wpexploit
wpexploit
•added 2021/02/08 12:0 a.m.•179 views

Data Tables Generator by Supsystic < 1.10.0 - Authenticated SQL Injection

The POST parameter "datasearchtextlike" was used in a SQL statement without being sanitised when searching for Tables in the dashboard, leading to an authenticated SQL Injection issue. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com User-Agent: YOLO Accept: / Accept-Language:...

8.2AI score
Exploits0References1
Total number of security vulnerabilities4359