4359 matches found
Data Tables Generator by Supsystic < 1.10.1 - Authenticated Stored Cross-Site Scripting (XSS)
The "Editor" tab under the "Tables" section is vulnerable to stored XSS. It is possible to store XSS in all input fields as the code does not sanitise any of the user input. Open a Table, go to the editor and enter a payload below in a cell, then save the Table...
Wyzi < 2.4.3 - Reflected Cross-Site Scripting (XSS)
The Wyzi Theme was affected by reflected XSS vulnerabilities in the business search feature https://example.com/business/?keyword=%22%3E%3Cimg%20src=x%20onerror=alert/XSS/%3Easd&wyz-loc-filter-txt=&loc-filter-txt=&loc-filter-lat=&loc-filter-lng=&category=&radius=0...
Paid Membership Pro < 2.5.3 - Unauthorised Order Information Disclosure
The pmprogetorderjson AJAX action, available to authenticated user did not check for authorisation, allowing any authenticated users to retrieve arbitrary order information such as customer names, email addresses, and order numbers via the orderid parameter...
Like Button Rating < 2.6.32 - Unauthenticated Full-Read SSRF
The LikeBtn WordPress plugin was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery SSRF. On line 7493 in likebtnlikebutton.php a hook is set to allow unauthenticated ajax calls which will call the function likebtnprx. As the name suggests, this function works as a proxy and can ...
wpDataTables < 3.4.1 - Unauthenticated SQL Injection
In the default configuration, a simple table can be published in a page that does not require authentication. The table can be searched, and is vulnerable to SQL Injection via the order parameter. An unauthenticated user visiting the page where the table is published can perform a SQL injection...
Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request coul...
Popup Builder < 3.74 - Authenticated Reflected Cross-Site Scripting (XSS)
The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. http://example.com/wp-admin/edit.php?posttype=popupbuilder&page=sgpbSubscribers&sgpb-subscribers-date=%22%3E%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E Video:...
MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple
The plugin had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address. The plugin must have a valid purchase code for the request to work curl -X GET --header 'Content-Type: application/json' --header 'Accept:...
WP Editor < 1.2.7 - Authenticated SQL injection
The plugin did not sanitise or validate its setting fields leading to an authenticated admin+ blind SQL injection issue via an arbitrary parameter when making a request to save the settings. https://drive.google.com/file/d/1KT4lHePmYuX36jvA4AEQ1MVDwJBlZOO/view?usp=sharing payload:...
Ivory Search < 4.5.11 - Authenticated Reflected Cross-Site Scripting (XSS)
The setting page of Ivory Search 4.5.10 is vulnerable to reflected XSS when a logged in administrator visit a malicious link or page, as it does not sanitise or escape the GET post parameter before outputting it in a tag attribute As an admin user, open:...
Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
The plugin did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. https://drive.google.com/file/d/1lLEXDyPp4LcKoCOqYS7A-0YgpIQD-ND/view?usp=sharing...
Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
The plugin did not sanitise the mecpostid POST parameter in the mecfesform AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. If the Frontend Event Submission form is embed in a public page, then it could lead to any authenticated user, like subscribers to...
Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
The plugin did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. The issue could also be exploited via a CRSF attack, as such check was also missing...
Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the miccomment field Notes on time when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. Edit WPScanTeam January 22nd, 2021...
Super Forms < 4.9.703 - Unauthenticated PHP File Upload to RCE
The plugin uses the jQuery File Upload library, but does not properly ensure that PHP files are forbidden. Note: Exploitation of the issue is not as easy as the original advisory in the references states. If a form from the plugin with an upload field is present on the blog, and is used to upload...
Contact Form 7 Database Addon < 1.2.5.6 - CSV Injection
The plugin was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Attackers can possibly exploit this issue to execute arbitrary commands on the victim's system, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected...
Doneren met Mollie < 2.8.5 - Unauthorised CSV Export leading to Sensitive Data Disclosure
The plugin did not check for user capability in the dmmexportdonations function, allowing any authenticated user to export a CSV file containing all donors personal information. GET /wp-admin/admin-post.php?action=dmmexport...
Digital Climate Strike WP <= 1.0.0 - Redirect to Malicious Website due to Compromised JS Asset
The plugin loads a JavaScript asset from a remote website which seems to have been compromised. The widget.js file, loaded from https://assets.digitalclimatestrike.net/widget.js, redirects users to gladdiatordotio and is being flagged as malicious. I've reported this to the plugin authors but hav...
Contact Form 7 Database Addon < 1.2.5.4 - Authenticated SQL Injections
The plugin did not properly sanitise the formids from the contactform POST array parameter before using them in a SQL statement in the processbulkaction function. This could allow high privilege users, such as admin to perform SQL Injection against the DBMS via the bulk actions: delete, read and...
Stockdio Historical Chart < 2.8.1 - Reflected Cross-Site Scripting (XSS)
The plugin was affected by a Reflected Cross-Site Scripting issue via the postMessage event. Use the following code on another website var popup = window.open'https://VULNERABLE.PAGE/'; var msg = ; msg.method = "alertdocument.domain"; function postpopup.postMessagemsg,'' setIntervalpost,1000;...
Advanced Custom Field Pro < 5.9.1 - Reflected Cross-Site Scripting (XSS)
The plugin did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page. The PoC will be displayed on April 16, 2021, to give users the time to update...
Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)
The Underconstruction plugin admin configuration is vulnerable to stored XSS issues which will be triggered in the main page of the site, even when the unfilteredhtml is disabled. Edit WPScanTeam A fix was attempted in v3.80, but was insufficient. In the meantime, more fields were found to be...
e-signature < 1.5.6.8 - Unauthenticated Arbitrary File Upload leading to RCE
The AJAX sifuploadfile allowed the authorised extensions to be provided in the request, which result in unauthenticated arbitrary file upload and lead to RCE /wp-admin/admin-ajax.php?action=sifuploadfile...
WP Shieldon 1.6.3 - Unauthenticated Cross-Site Scripting (XSS)
The WP Shieldon WordPress plugin, versions 1.6.3 and below, were vulnerable to Unauthenticated Reflected Cross-Site Scripting XSS when the CAPTCHA page is shown. This was due to $SERVER'REQUESTURI' being echoed to a page without any encoding. http://www.example.com/?alert1...
301 Redirects - Easy Redirect Manager < 2.51 - Authenticated SQL Injection
The plugin does not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. The PoC video provided mentioned 2.53 as vulnerable, however v2.45 was installed and used. The issue has been verified to have been fixed in 2.51 POST...
Easy Contact Form Pro < 1.1.1.9 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise the text fields such as Email Subject, Email Recipient, etc when creating or editing a form, leading to an authenticated author+ stored cross-site scripting issue. This could allow medium privilege accounts such as author and editor to perform XSS attacks...
Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
The plugin does not validate the sjbfile parameter when viewing a resume, allowing authenticated user with the downloadresume capability such as HR users to download arbitrary files from the web-server via a path traversal attack The sjbfile parameter to use may depends on the configuration of th...
Elementor Contact Form DB < 1.6 - Unauthenticated & Unauthorised Form Submissions Export
The sbelemcfddownloadcsv function, registered as an admininit hook does not have capability and CSRF checks, allowing unauthenticated attackers to download arbitrary form submissions as a CSV. The data will include PII such as email addresses. A CSRF check was added, but no capability one, so the...
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting
Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfilteredhtml capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be maliciou...
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation
Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. As part of the registration form, administrators can choose which role to set as the default for users upon registration. This field is hidden from view for...
Custom Global Variables <= 1.0.5 - Stored Cross-Site Scripting (XSS)
The plugin does not sanitise the 'name' field of the variable added in its settings, leading to a Stored Cross-Site Scripting issue. Attackers could also used the lack of CSRF nonce and check to make a logged in administrator add the payload and make them perform further unwanted actions. The PoC...
Modal Survey < 2.0.1.8.2 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin did not sanitise the msuid parameter from the survey participants page in the admin Dashboard, leading to a reflected Cross-Site Scripting issue https://example.com/wp-admin/admin.php?page=modalsurveyparticipants&msuid=%27%3E%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E...
Modal Survey < 2.0.1.8.2 - Authenticated PHP Object Injection
The Unserialize function is used multiple times in the code, for example when importing custom surveys. This could allow a malicious administrator to import a crafted JSON to trigger a PHP Object Injection vulnerability "name":"Open Text Answer Sample", "id":"924478511", "options":"", "global":"0...
Modal Survey < 2.0.1.8.2 - Unauthenticated Arbitrary Survey Update, Deletion and Creation
The plugin AJAX calls including unauthenticated ones did not have capabilities and CSRF checks, allowing unauthenticated users to update, delete or create arbitrary surveys. curl --url https://exmple.com/wp-admin/admin-ajax.php --data "action=ajaxsurvey&sspcmd=delete&surveyid=110251535" curl --ur...
WP24 Domain Check < 1.6.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin version 1.6.2 and possibly below, was vulnerable to Stored Cross-Site Scripting XSS in the plugin's fieldnameDomain settings parameter. The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability. In the plugin's advanced settings...
WP Paginate < 2.1.4 - Authenticated Stored Cross-Site Scripting (XSS)
The WP Paginate WordPress plugin, version 2.1.3 and possibly below, was vulnerable to Stored Cross-Site Scripting XSS in the plugin's preset settings parameter. The form did require a valid CSRF nonce, limiting the exploitability of the vulnerability. POST...
Contact Form Submissions <= 1.6.4 - Authenticated Double Query SQL injection
The plugin is affected by a double query SQL injection, which could allow high privileged users to access data from the DBMS. Edit WPScanTeam October 26th, 2020 - Confirmed & Escalated to WP October 27th, 2020 - WP Investigating January 3rd, 2021 - No updates, disclosing The PoC will be displayed...
Contact Form Submissions <= 1.6.4 - Authenticated SQL Injection
The wpcf7contactform GET parameter is vulnerable to SQL injection when submitting a filter request as a high privilege user admin+ Edit WPScanTeam September 28th, 2020 - Escalated to WP & WP Investigating October 26th, 2020 - Received another submission related a SQL injection in the same paramet...
WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR
"The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the orderid parameter in a fetchorderstatus action." https://example.com/wp-admin/admin-ajax.php?action=fetchorderstatus&orderid=XX...
LiteSpeed Cache < 3.6.1 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise invalid IPs given in its Toolbox page before displaying them in an error message. Submit a payload such as in the Admin IPs section of the Toolbox /wp-admin/admin.php?page=litespeed-toolbox...
WP Postratings < 1.86.1 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise the postratingsimage parameter from its options page wp-admin/admin.php?page=wp-postratings/postratings-options.php. Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfilteredhtml...
Envira Gallery Lite < 1.8.3.3 - Authenticated Stored Cross-Site Scripting
The plugin does not properly sanitise the images metadata namely title before outputting them in the generated gallery. This allows privileged accounts such as editor+ to perform XSS attacks even without the unfilteredhtml capability against users visiting the gallery in the frontend. As an...
Simple Social Buttons < 3.2.1 - Unauthenticated Reflected Cross-Site Scripting
The version 3.2.0 attempted to fix a reflected Cross-Site Scripting issue, by adding a CSRF check, which does not fully remediate it as unauthenticated users will all have the same nonce generated and valid for 12h to 24h, or 2 WP ticks. Only unauthenticated users can be attacked with this issue...
Simple Social Buttons < 3.2.0 - Reflected Cross-Site Scripting
Simple Social Buttons version 3.1.1 has a reflected Cross-Site Scripting vulnerability in the POST parameter "sharecounts". Both unauthenticated and authenticated attacks are possible Edit WPScanTeam The original report stated the issue as being fixed in 3.2.0, however a CSRF nonce has been added...
Contact Form 7 < 5.3.2 - Unrestricted File Upload
The popular WordPress plugin, Contact Form 7 was found to be vulnerable to Unrestricted File Upload. Append a unicode special character from U+0000 null to U+001F us to a filename and upload it via the ContactForm7 upload feature...
Redux Framework < 4.1.21 - CSRF Nonce Validation Bypass
The plugin did not properly validate some nonces, only checking them if their value was set. As a result, CSRF attacks could still be performed by not submitting the nonce in the request, bypassing the protection they are supposed to provide. Just don't send the parameters: $POST'nonce' or...
Total Upkeep by BoldGrid < 1.14.10 - Sensitive Data Disclosure (Server IP Address, UID etc)
The plugin does not restrict access to a file containing sensitive information, such as the real server IP address, UID and so on, which may help attackers in further attacks. GET /wp-content/plugins/boldgrid-backup/cli/env-info.php ..., "phpuname":"Linux wordpress-server X.X.X-XX-generic XX-Ubun...
Limit Login Attempts Reloaded < 2.16.0 - Authenticated Reflected Cross-Site Scripting
The plugin does not properly sanitise user input in its options page, which could allow attackers to perform XSS attacks against logged in administrator by making them open a malicious URL The issue was partially fixed in 2.15.1, and fully remediated in 2.16.0...
Total Upkeep by BoldGrid < 1.14.10 - Unauthenticated Backup Download
The plugin does not restrict access to a file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them. The filepath in /wp-content/plugins/boldgrid-backup/cron/restore-info.json will reveal the internal path of the backup...
Directories Pro < 1.3.46 - Authenticated Self-Reflected Cross-Site Scripting
The plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection. Iimport a CSV file containing the following in the header: 'term" autofocus onfocus=alert'Complex\u0020XSS';alertdocument.cookie;//'"...