4359 matches found
Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation
Several AJAX endpoints in the plugin were unprotected, allowing students to modify course information and elevate their privileges among many other actions. Only one PoC provided for privilege escalation. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $output =...
Tutor LMS < 1.7.7 - SQL Injection via tutor_place_rating
The tutorplacerating AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students. python3 sqlmap.py -r /tutor2.txt --dbms=mysql --technique=B -p courseid --dump Where tutor2.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL...
Tutor LMS < 1.7.7 - SQL Injection via tutor_mark_answer_as_correct
The tutormarkanswerascorrect AJAX action from the plugin was vulnerable to blind and time based SQL injections that could be exploited by students. python3 sqlmap.py -r /tutortime.txt --dbms=mysql --technique=T -p answerid --dump Where tutortime.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...
Related Posts for WordPress < 2.0.4 - Authenticated Reflected Cross-Site Scripting (XSS)
Unvalidated input and lack of output encoding within the plugin lead to a Reflected Cross-Site Scripting XSS vulnerability within the 'lang' GET parameter while editing a post, triggered when users with the capability of editing posts access a malicious URL...
Social Slider Widget < 1.8.5 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin allowed Authenticated Reflected XSS in the plugin settings page as the ‘tokenerror’ parameter can be controlled by users and it is directly echoed without being sanitized /wp-admin/admin.php?page=settings-wisw&tokenerror=alert/XSS/;...
VM Backups <= 1.0 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue. The PoC will be displayed once the issue has been remediated...
VM Backups <= 1.0 - CSRF to Database Backup Download
The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current theme. The files will be created in the uploads directory by default, with a timestamp in their filenames, without any access restriction,...
JH 404 Logger <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard. curl 'https://example.com/non-existing-page"' -e '"'...
Database Backups <= 1.2.2.6 - CSRF to Backup Download
The plugin does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups. When generating a backup, the file is created in the /wp-content/uploads/database-backups directory, with ...
SuperStoreFinder & SuperInteractiveMaps - Unauthenticated SQL Injections
The ssf-social-action.php and sim-wp-data.php files from the respective superstorefinder-wp = 5.0.12 AND time-based blind query SLEEP Payload: action=select&ssfwpid=1 AND SELECT 7900 FROM SELECTSLEEP5gxXh Type: UNION query Title: Generic UNION query NULL - 7 columns Payload: action=select&ssfwpid...
The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass
The plugin was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user including admin by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even ...
User Profile Picture < 2.5.0 - Sensitive Information Disclosure
The REST API endpoint getusers in the plugin returned more information than was required for its functionality to users with the uploadfiles capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information. Usage: php poc.php author...
Advanced Order Export For WooCommerce < 3.1.8 - Reflected Cross-Site Scripting (XSS)
This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. wp-admin/admin.php?page=wc-order-export&tab=alert/XSS/...
WP GDPR Compliance < 1.5.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
The GDPR Compliance action=wpgdprcprocessaction&security=cccf5a60ec&data="type":"accessrequest","email":"[email protected]","consent":true...
Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Reflected Cross-Site Scripting (XSS)
The includes/mc-getlists.php file decoded JSON data fetched from the URL provided and then displayed the HTML from the response without any HTML escaping, leading to a reflected cross-site scripting issue where the payload is on a different server controlled by the attacker for example. The issue...
Under Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)
The includes/mc-getlists.php file used the 'apiKey' POST parameter to create an https URL from it without sanitisation and called it with cURL, leading to a SSRF issue. The issue is exploitable via direct access to the affected file, and ucmmmcapi AJAX call available to both authenticated and...
NextGEN Gallery Pro < 3.1.11 - Reflected Cross-Site Scripting (XSS)
In the eCommerce module of NextGEN Gallery Pro, there is an action to call getcartitems via photocratiajax , after that the settingsshippingaddressname is able to inject malicious javascript. On a page where a NextGEN Pro gallery is embed:...
Woocommerce Customers Manager < 26.5 - Arbitrary Account Creation/Update by Low Privilege Users
The uploadcsv AJAX action, available to authenticated users, did not have proper capability checks. allowing any authenticated users, such as a subscriber, to call it and import arbitrary users. They could either update their own account, to make themselves administrator, or create new...
Photo Gallery by 10web < 1.5.69 - Reflected Cross-Site Scripting (XSS)
The plugin did not properly sanitise the bwgsearchX GET parameter, available in a frontend gallery when the Show Search Box setting is enabled disabled by default, leading to a reflected Cross-Site Scripting issue Append the below payload in a page with an embedded gallery and the Show Search Box...
QuadMenu < 2.0.7 - Unauthenticated RCE via compiler_save
The compilersave AJAX action, available to both authenticated and unauthenticated users did not check the extension of the imported file, and had the nonce used for CSRF check displayed in the homepage. This could allow unauthenticated users to create an arbitrary PHP file on the blog, leading to...
Testimonial Rotator <= 3.0.3 - Authenticated Stored Cross-Site Scripting
Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users Contributor to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation Edit WPScanTeam: The https://wordpress.org/plugins/themify-portfolio-post/ plugin...
Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users admin+ to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is...
Better Search < 2.5.3 - CSRF Nonce Bypass in Import/Export
The plugin did not properly check the CSRF nonces when exporting and importing settings, allowing attackers to make a logged in user with the manageoptions capability export and import arbitrary settings by not providing the nonce parameter in the request POST...
Process Steps Template Designer < 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin did not properly check its CSRF nonce in the FontAwesomeField.save method, which could allow attackers to make logged in users capable of editing posts change the Step Icon of arbitrary Process Steps. Due to the lack of sanitisation of the submitted Step icon value, it could also lead ...
Custom Banners < 3.3 - CSRF Nonce Bypass in saveCustomFields
The plugin did not properly check the CSRF nonce in the saveCustomFields method, which could allow attackers to make a logged in user with the editpost capability to save custom fields in a post. Numerous sanitisation fixes were also added to v3.3 Send a request without the my-custom-fieldswpnonc...
Ninja Forms < 3.4.34 - Administrator Open Redirect
The wpajaxnfoauthconnect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place. http://mysite.com/wp-admin/admin-ajax.php?clientid=1&redirect=https://google.com&action=nfoauthconnect...
Ninja Forms < 3.4.34 - Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the clientsecret key needed to...
Ninja Forms < 3.4.34.1 - Authenticated OAuth Connection Key Disclosure
Low-level users, such as subscribers, were able to trigger the action, wpajaxnfoauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clientid for an already established OAuth connection. Usage: php poc.php subscriber password $wpuser, 'pwd' = $wppas...
Ninja Forms < 3.4.34 - CSRF to OAuth Service Disconnection
The wpajaxnfoauthdisconnect from the plugin had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection...
Zebra_Form Library <= 2.9.8 - Reflected Cross-Site Scripting (XSS)
The ZebraForm PHP library v2.9.8 latest and below, used by some WordPress plugins, is affected by reflected Cross-Site Scripting issues in its process.php file. There is currently no patch available and the removal of this library is recommended. Via $GET'form': &control=upload" method="post"...
Theme Editor < 2.6 - Authenticated Arbitrary File Download
The plugin did not validate the GET file parameter before passing it to the downloadfile function, allowing administrators to download arbitrary files on the web server, such as /etc/passwd Edit WPScanTeam: The AJAX action wpajaxmkthemeeditorfileopen could also be used to achieve the same thing a...
Post SMTP Mailer/Email Log < 2.0.21 - CSRF Nonce Bypass
A user could bypass the nonce check associated with Export mail to CSV handleCsvExport function Submit a request w/o the post-smtp-log-nonce parameter...
Map Block for Google Maps < 1.32 - Unauthorised Google API Key change
The gmwmapblocksavekey AJAX action, available to both authenticated and unauthenticated users did not have any check in place to prevent unauthorised change of the Google API key...
Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload
"A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further...
Responsive Menu < 4.0.4 - CSRF to Settings Update
"Attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site." function submitRequest var xhr = new...
Responsive Menu < 4.0.4 - CSRF to Arbitrary File Upload
"Attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site." function submitRequest var xhr = new XMLHttpRequest;...
Ultimate Maps by Supsystic < 1.1.17 - Authenticated SQL Injections
The GET parameters sidx and sord were used in a SQL statement without being sanitised when searching for maps in the dashboard, leading to an authenticated SQL Injection issues...
Contact Form by Supsystic < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)
The label field Form name was vulnerable to stored Cross-Site Scripting issue. When creating or editing a form, use the following payload as a Form name label field: "alert1!--', which will be executed when viewing the "Show All Forms" section, as well as when opening the Contact Details of a use...
Contact Form by Supsystic < 1.7.11 - Authenticated SQL Injections
The GET parameters sidx and sord were used in a SQL statement without being sanitised when searching for Forms in the dashboard, leading to an authenticated SQL Injection issues...
Pricing Table by Supsystic < 1.8.9 - Authenticated SQL Injections
The GET parameter sidx and sord are used in a SQL statement without being sanitised when searching for pricing tables in the dashboard, leading to an authenticated SQL Injection issues...
Digital Publications by Supsystic < 1.6.12 - Authenticated Path Traversal
The "Folder" tab under "Publications" is vulnerable to path traversal and exposes limited information, for example, the user can gain information regarding images stored in outside of the WordPress blog, ie, home directories. Enter the following payload into the "Folder" input field of a...
Membership by Supsystic <= 1.5.0 - Authenticated SQL Injection
The GET parameter "sidx" and "search are used in a SQL statement without being sanitised when searching for badges in the dashboard, leading to authenticated SQL Injection issues. v1.4.8 attempted a fix, which was found to not be sufficient The PoC will be displayed once the issue has been...
Digital Publications by Supsystic <= 1.6.11 - Authenticated Stored Cross-Site Scripting (XSS)
When creating or editing a publication, all values such as Area Width, Publication Width are vulnerable to stored XSS. It is possible to store code in all input fields as the code does not sanitize any user input. v1.6.11 attempted to fix the issue by using sanitizetextfield, however the output i...
Backup by Supsystic <= 2.3.9 - Authenticated Arbitrary File Download and Deletion
The plugin does not check for path traversal attacks, allowing administrator to download and delete any file from the web server. Due to the lack of CSRF check on the file deletion, unauthenticated attacker could make a logged in administrator delete files from the web server as well The PoC will...
Extra Charges To Payment Gateway For WooCommerce <= 2.0.2.1 - Unauthorised Arbitrary Plugin Settings Change to Stored XSS
The addformfields method, hooked to the adminhead action is lacking any CSRF and capability checks, allowing low privilege users to arbitrary update those settings, and set XSS payloads in them as well, which could lead to privilege escalation. Unauthenticated users could also make a logged in us...
Newsletter by Supsystic <= 1.5.6 - Authenticated SQL Injection
The GET parameter "sidx" is used in a SQL statement without being sanitised when searching for subscribers in the dashboard, leading to an authenticated SQL Injection issue. The PoC will be displayed once the issue has been remediated...
Welcart e-Commerce < 2.1.1 - Authenticated SQL Injection
The Welcart e-Commerce WordPress plugin, less than version 2.1.1 and possibly below, was vulnerable to authenticated SQLI Injection in the searchordercolumn0 POST parameter of the "/wp-admin/admin.php?page=uscesorderlist" page. Refer to references...
WP Amour < 1.5.7 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise and escape its setting fields, leading to Stored Cross-Site Scripting issues. Furthermore, the lack of CSRF checks could also allow attackers to trigger the XSS via CSRF attacks against a logged in administrator alert/XSS-Field/' / alert/XSS-Error/' /...
Pricing Table by Supsystic < 1.9.0 - Authenticated Stored Cross-Site Scripting
The label and datahtml POST parameter are not properly sanitised and escaped before being saved and output back in the page, leading to stored Cross-Site Scripting issues v alert1alert1 instead of the one above v 1.9.0, the edit HTML feature was removed client side but a crafted request could sti...
Data Tables Generator by Supsystic < 1.10.0 - Authenticated SQL Injection
The POST parameter "datasearchtextlike" was used in a SQL statement without being sanitised when searching for Tables in the dashboard, leading to an authenticated SQL Injection issue. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com User-Agent: YOLO Accept: / Accept-Language:...