4359 matches found
DiveBook <= 1.1.4 - Unauthenticated Reflected XSS
:A reflected Cross-Site Scripting vulnerability exists within the DiveBook log's filter functionality. Arbitrary URL parameters are reflected into the application's response, rendered by the browser as HTML or JavaScript. An attacker may abuse this functionality by sending a victim a crafted link...
DiveBook <= 1.1.4 - Unauthenticated SQL Injection
The filterdiver GET parameter, in pages where the DiveBook is embed, does not properly sanitise and validate user data, leading to an Unauthenticated SQL injection vulnerability. The PoC will be displayed once the issue has been remediated...
WP Hotel Booking <= 1.10.3 - Unauthenticated PHP Object Injection
The plugin unserialised the value in the thimpresshotelbooking1 cookie without sanitisation, which could lead to an unauthenticated PHP Object Injection. If the plugin is installed on WP 5.5.2, then there is a suitable gadget chain to obtain RCE, otherwise, another gadget chain will have to be us...
Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting
Stored Cross-Site Scripting vulnerabilities in Themify Portfolio Post 3. Publish/Send for review and visit created post/preview as editor/admin to trigger XSS...
Profile Builder & Profile Builder Pro < 3.3.3 - Authenticated Blind SQL Injection
The orderby parameter of the wp-admin/users.php?page=unconfirmedemails=email=asc page, which is available when the "Email confirmation" setting of the plugin is activated default is off, is not properly sanitised and validated before being concatenated in a SQL statement, leading to an SQL...
Canto <= 1.7.0 - Unauthenticated Blind SSRF
The plugin is affected by Blind SSRF issues via the domain parameter in three files: /includes/lib/tree.php, /includes/lib/detail.php and /includes/lib/get.php. All requests to the arbitrary domain/IP will be made with the HTTPS protocol The PoC will be displayed once the issue has been remediate...
Age Gate < 2.13.5 - Unauthenticated Open Redirect
The plugin takes the wphttpreferer parameter to redirect users after some actions as well as after invalid or missing nonces, leading to an Unauthenticated Open Redirect issue...
WPJobBoard < 5.7.0 - Unauthenticated Reflected XSS & XFS
Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the WPJobBoard plugin v5.6.4 for WordPress. Vulnerable parameters: query, location. Payloads: " " PoC Unauthenticated Reflected XSS:...
WPJobBoard < 5.7.0 - Unauthenticated SQL Injection
An Unauthenticated SQL Injection vulnerability was discovered in the WPJobBoard plugin v5.6.4 for WordPress. Vulnerable parameters: type, category. $ :: Payloads Boolean-based blind: /advanced-search/?query=4325&location=4325&type=7 AND 2392=SELECT CASE WHEN 2392=2392 THEN 2392 ELSE SELECT 8365...
WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection
The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user admin+. Edit WPScanTeam: September 8th, 2020 - Confirmed & Escalated to WP plugins team September 8th, 2020 - WP plugins team investigating November 25th, 2020 - No updates,...
Media Library Assistant < 2.90 - Authenticated Blind SQL Injection
The Media Library Assistant WordPress plugin was affected by an authenticated admin+ blind SQL injection vulnerability when there is at least one Custom Field Rule set in the plugin's options. There need to be at least one Custom Field Rule in the plugin Custom Fields settings...
Secure File Manager < 2.8.2 - Authenticated Remote Command Execution
The Secure File Manager uses the elFinder libraries in an insecure way, allowing authenticated users to execute arbitrary file management commands. v2.6 attempted to fix the issue by adding a CSRF nonce, however the nonce is displayed for all users in the Dashboard via the Secure File Manager men...
WooCommerce Anti-Fraud <= 3.2 - Unauthenticated Order Status Manipulation
The WooCommerce Anti-Fraud WordPress plugin was affected by an issue where an unauthenticated user could change the order status of any order, as there were no checks when changing the order status. The orderid was also predictable. On an individual level, if you have already received your order,...
Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections
Multiple authenticated SQL injections in the Anti-Spam by CleanTalk plugin 5.148 exist, however, it requires high privilege user admin+. Vulnerable functions: removeLogs and removeSpam at: lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php Sleep query: POST...
Contextual Related Posts < 2.9.4 - CSRF Nonce Validation Bypass
The plugin does not properly check for the CSRF nonce in the export and import features, which could allow attackers to make authenticated logged in administrators perform those actions via a CSRF attack. To bypass the nonce validation, just don't send the crpexportsettingsnonce or...
WP DB Error Manager <= 2.1.6 - Reflected Cross-Site Scripting (XSS)
Reflected XSS in the file "admin/partials/wp-db-error-manager-login-display.php" in parameter "email" query string https://example.com/wp-content/plugins/wp-database-error-manager/admin/partials/wp-db-error-manager-login-display.php?email=%22%3E%3Cimg%20src%20onerror=alert/XSS/%3E...
[0day] AIT CSV Import / Export <= 3.0.3 - Unauthenticated Arbitrary File Upload
The WPScan research team discovered an active exploitation attempt against a 0day vulnerability within the premium AIT CSV Import / Export WordPress plugin within our honeypot logs. The honeypot log showed a GET request to the following file:...
Good LMS < 2.1.5 - Unauthenticated SQL Injection
The Good LMS WordPress plugin was vulnerable to Unauthenticated SQL Injection in its 'id' parameter of the gdlrlmscancelbooking action. POST /wp-admin/admin-ajax.php HTTP/1.1 action=gdlrlmscancelbooking&id=SELECT 1337 FROM SELECTSLEEP10MrMV...
BA Book Everything < 1.3.25 - Unauthenticated Reflected XSS & XFS
An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the BA Book Everything plugin v1.3.24 for WordPress. Vulnerable parameters: datefrom, dateto. $ :: Payloads: " " ! :: PoC:...
Love Travel < 2.0 - Unauthenticated Reflected XSS & XFS
An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the Love Travel theme for WordPress, affected versions: 1.0-1.9. Vulnerable parameters: ndtravelarchiveformkeyword, ndtraveltypologyslug. The issue was fixed due to a code rewrite of the theme. $ :: Payloads: " "...
Love Travel 2.0-3.8 - Unauthenticated Reflected XSS & XFS
An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the Love Travel theme for WordPress, affected versions: 2.0-3.8. Vulnerable parameters: keyword, datefrom, dateto, pricefromto, nicdarkpricefrom, nicdarkpriceto The PoC will be displayed once the issue has been remediated...
Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Roles
Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges. $username, 'firstname-'. $formid =...
Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update
Due to the fact that Ultimate Member allowed the creation of new roles, this plugin also made it possible for site administrators to grant secondary Ultimate Member roles for all users upon a /wp-admin profile update. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ;...
Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta
An attacker could supply an array parameter for sensitive meta data such as the wpcapabilities user meta which defines a user’s role. During the registration process, submitted registration details were passed to the updateprofile function, and any respective metadata that was submitted, regardle...
Abandoned Cart Lite for WooCommerce < 5.8.3 - Unauthenticated SQL Injection
The plugin is affected by an unauthenticated SQL injection via the billingfirstname parameter of the savedata AJAX call. From the original researcher: ./sqlmap.py -u https://example.com/wp-admin/admin-ajax.php --cookie='cookies content here' --method='POST'...
Augmented Reality <= 1.2.0 - Unauthenticated PHP File Upload leading to RCE
The elFinder connector used allows upload of PHP files as the 'uploadAllow' options contains 'text/x-php'. This allows an unauthenticated user to upload PHP files, leading to a RCE vulnerability. The issue is similar to https://wpscan.com/vulnerability/10389 POST...
GDPR CCPA Compliance Support < 2.4 - Unauthenticated PHP Object Injection
The GDPR CCPA Compliance Support WordPress plugin was vulnerable to an Unauthenticated PHP Object Injection security vulnerability. The vulnerability could triggered within the "njtgdprallowpermissions" Base64 encoded cookie value...
AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection
The plugin does not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. https://drive.google.com/file/d/1UBTpW3RcPR7iqTi94ueyXLwWH8aFHuoe/view?usp=sharing Payload: aps-social id="1 and sleep3"...
SW Ajax WooCommerce Search < 1.2.8 - Unauthenticated Reflected XSS & XFS
An Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the SW Ajax WooCommerce Search plugin v1.2.6 for WordPress. The plugin comes with a number of commercial themes such as: OneMall, Revo, eMarket, Autusin, Market, MaxShop, ShoppyStore, Furnicom, EtroStore, HiTheme, StyleShop...
Greenmart < 2.5.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Due to an incomplete fix of CVE-2020-16140 see https://wpscan.com/vulnerability/10444, the reflected XSS attack is still possible on unauthenticated users, by extracting the searchnonce from the source of the homepage and adding it to the original payload. This is possible because WP nonces are...
Greenmart < 2.4.3 - Reflected Cross-Site Scripting (XSS)
The greenmartautocompletesearch AJAX action, available to both authenticated and unauthenticated users does not properly sanitise the callback parameter passed to it, resulting in a reflected Cross-Site Scripting issue. Edit WPScanTeam: The vendor 'fixed' the issue for authenticated users by addi...
Advanced Booking Calendar < 1.6.2 - Unauthenticated SQL Injection
The AJAX action abcbookinggetBookingResult, available to both authenticated and Unauthenticated users did not sanitise the calendarId parameter which was then concatenated to a SQL statement, leading an unauthenticated SQL injection issue. This could be used to retrieve information from the...
CM Download Manager < 2.8.0 - Authenticated Cross-Site Scripting
The plugin does not properly validate and sanitise the uploaded filename, which could result in a Cross-Site Scripting issue. Vulnerable page - 'cmdownload/add/' Vulnerable parameter - 'filename' in 'Content-Disposition' Header POST /cmdownload/add/ HTTP/1.1 Host: localhost:8081 User-Agent:...
Helios Solutions Brand Logo Slider <= 2.1 - Authenticated Arbitrary File Upload
An Authenticated user admin+ can bypass the security check of the plugin and upload arbitrary files via the Brand Logo. The PoC will be displayed once the issue has been remediated...
Loginizer < 1.6.4 - Unauthenticated SQL Injection
The Loginizer WordPress plugin was found to be affected by an Unauthenticated SQL Injection vulnerability found by the security researcher mslavco. The vulnerability was triggered within the brute force protection functionality, which was enabled by default when the plugin was first installed. Wh...
SuperStoreFinder Plugins - Unauthenticated Arbitrary File Upload
The SuperStoreFinder premium WordPress plugins did not properly check file uploads, depending on the plugin, only checking for the mime type and/or the first extension of the file name. An attacker could set the Content-Type header to "Content-Type: text/csv", as well as use a double extension to...
Comment Press < 2.7.2 - Unauthenticated Cross-Frame Scripting
An Unauthenticated Cross-Frame Scripting vulnerability was discovered in the Comment Press plugin v2.7.0 for WordPress. ! :: PoC Burp Suite: POST /wp-comments-post.php HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest...
Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion
While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, submitted by Vlad Vector, the Realia plugin was found to be the root cause. In fact, having this plugin installed which some themes require can allow unauthenticated attackers to delete arbitrary posts, by...
Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation
This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution RCE on a vulnerable site’s server. The following will create hello.php in the...
Quick Chat <= 4.14 - Authenticated Stored Cross-Site Scripting
An Authenticated Persistent XSS vulnerability is present in the the plugin options page /wp-admin/options-general.php?page=quick-chat/quick-chat.php, vulnerable fields: «Chat name prefix for guest users», «Advertisement code for your AdSense». The PoC will be displayed once the issue has been...
Quick Chat <= 4.14 - Unauthenticated Stored Cross-Site Scripting
An Unauthenticated Persistent XSS vulnerability was discovered in the Quick Chat plugin v4.14 for WordPress. The PoC will be displayed once the issue has been remediated...
LocalWeb All In One plugin < 1.6.5 - Unauthenticated Stored Cross-Site Scripting (XSS)
An Unauthenticated Stored XSS vulnerability was discovered in the LocalWeb All In One plugin v1.6.3 for WordPress. There is an older version of this plugin called Web Instant Messenger, latest version is v1.1.1. The specificity of this plugin is that it interacts with the remote host...
PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE
The plugin did not verify some of the uploaded feed images such as the ones from Podcast Artwork section, allowing high privilege accounts admin+ being able to upload arbitrary files, such as php, leading to RCE. https://drive.google.com/file/d/1fyf6blzeG3VX22BQX7hc1QJ20rCY5p43/view?usp=sharing -...
Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload
The plugin does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html...
Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings"
The plugin attempts to delete malicious files such as .php form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not remove...
Autoptimize < 2.7.8 - Race Condition leading to RCE
The plugin attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It ...
Dynamic Content for Elementor < 1.9.6 - Authenticated RCE
The PHP Raw Widget https://www.dynamic.ooo/widget/php-raw/ of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as editor to perform RCE attacks. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com...
HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion
The plugin does not validate and sanitise user input which is being concatenated to create a file path, passed to unlink, which leads to an arbitrary file deletion issue. For more details about this issue, please see the reference. File: hypercomments/hypercomments.php:112 $filename =...
WPBakery Page Builder < 6.4.1 - Authenticated Stored Cross-Site Scripting (XSS)
Wordfence discovered an Authenticated Stored Cross-Site Scripting XSS security vulnerability within the WPBakery Page Builder WordPress plugin. The vulnerability could allow a low privileged user, such as contributor, to inject malicious JavaScript into posts. "Exploit Post", "content" =...
Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection
The bulkaction, exportfull and savesliderdb functionalities of the plugin were vulnerable, allowing a high privileged user Admin, or medium one such as Contributor+ if "Role Options" is turn on for other users to perform a SQL Injection attacks. Vulnerable param: check Vulnerable function:...