Lucene search
K
WpexploitRecent

4359 matches found

wpexploit
wpexploit
added 2020/12/09 12:0 a.m.65 views

DiveBook <= 1.1.4 - Unauthenticated Reflected XSS

:A reflected Cross-Site Scripting vulnerability exists within the DiveBook log's filter functionality. Arbitrary URL parameters are reflected into the application's response, rendered by the browser as HTML or JavaScript. An attacker may abuse this functionality by sending a victim a crafted link...

4.3CVSS0.4AI score0.00948EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/12/09 12:0 a.m.75 views

DiveBook <= 1.1.4 - Unauthenticated SQL Injection

The filterdiver GET parameter, in pages where the DiveBook is embed, does not properly sanitise and validate user data, leading to an Unauthenticated SQL injection vulnerability. The PoC will be displayed once the issue has been remediated...

5CVSS1AI score0.01422EPSS
Exploits1References1
wpexploit
wpexploit
added 2020/12/08 12:0 a.m.474 views

WP Hotel Booking <= 1.10.3 - Unauthenticated PHP Object Injection

The plugin unserialised the value in the thimpresshotelbooking1 cookie without sanitisation, which could lead to an unauthenticated PHP Object Injection. If the plugin is installed on WP 5.5.2, then there is a suitable gadget chain to obtain RCE, otherwise, another gadget chain will have to be us...

7.5CVSS0.4AI score0.14269EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/12/04 12:0 a.m.553 views

Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting

Stored Cross-Site Scripting vulnerabilities in Themify Portfolio Post 3. Publish/Send for review and visit created post/preview as editor/admin to trigger XSS...

5.6AI score0.00658EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/12/02 12:0 a.m.105 views

Profile Builder & Profile Builder Pro < 3.3.3 - Authenticated Blind SQL Injection

The orderby parameter of the wp-admin/users.php?page=unconfirmedemails=email=asc page, which is available when the "Email confirmation" setting of the plugin is activated default is off, is not properly sanitised and validated before being concatenated in a SQL statement, leading to an SQL...

0.4AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/30 12:0 a.m.93 views

Canto <= 1.7.0 - Unauthenticated Blind SSRF

The plugin is affected by Blind SSRF issues via the domain parameter in three files: /includes/lib/tree.php, /includes/lib/detail.php and /includes/lib/get.php. All requests to the arbitrary domain/IP will be made with the HTTPS protocol The PoC will be displayed once the issue has been remediate...

5CVSS0.9AI score0.26037EPSS
Exploits3References1
wpexploit
wpexploit
added 2020/11/27 12:0 a.m.59 views

Age Gate < 2.13.5 - Unauthenticated Open Redirect

The plugin takes the wphttpreferer parameter to redirect users after some actions as well as after invalid or missing nonces, leading to an Unauthenticated Open Redirect issue...

0.7AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/25 12:0 a.m.36 views

WPJobBoard < 5.7.0 - Unauthenticated Reflected XSS & XFS

Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the WPJobBoard plugin v5.6.4 for WordPress. Vulnerable parameters: query, location. Payloads: " " PoC Unauthenticated Reflected XSS:...

0.9AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/25 12:0 a.m.56 views

WPJobBoard < 5.7.0 - Unauthenticated SQL Injection

An Unauthenticated SQL Injection vulnerability was discovered in the WPJobBoard plugin v5.6.4 for WordPress. Vulnerable parameters: type, category. $ :: Payloads Boolean-based blind: /advanced-search/?query=4325&location=4325&type=7 AND 2392=SELECT CASE WHEN 2392=2392 THEN 2392 ELSE SELECT 8365...

0.8AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/25 12:0 a.m.717 views

WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection

The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user admin+. Edit WPScanTeam: September 8th, 2020 - Confirmed & Escalated to WP plugins team September 8th, 2020 - WP plugins team investigating November 25th, 2020 - No updates,...

0.2AI score0.01416EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/11/24 12:0 a.m.28 views

Media Library Assistant < 2.90 - Authenticated Blind SQL Injection

The Media Library Assistant WordPress plugin was affected by an authenticated admin+ blind SQL injection vulnerability when there is at least one Custom Field Rule set in the plugin's options. There need to be at least one Custom Field Rule in the plugin Custom Fields settings...

0.9AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/23 12:0 a.m.736 views

Secure File Manager < 2.8.2 - Authenticated Remote Command Execution

The Secure File Manager uses the elFinder libraries in an insecure way, allowing authenticated users to execute arbitrary file management commands. v2.6 attempted to fix the issue by adding a CSRF nonce, however the nonce is displayed for all users in the Dashboard via the Secure File Manager men...

6.5CVSS8.9AI score0.18028EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/11/22 12:0 a.m.31 views

WooCommerce Anti-Fraud <= 3.2 - Unauthenticated Order Status Manipulation

The WooCommerce Anti-Fraud WordPress plugin was affected by an issue where an unauthenticated user could change the order status of any order, as there were no checks when changing the order status. The orderid was also predictable. On an individual level, if you have already received your order,...

0.5AI score
Exploits0References2
wpexploit
wpexploit
added 2020/11/20 12:0 a.m.660 views

Anti-Spam by CleanTalk < 5.149 - Multiple Authenticated SQL Injections

Multiple authenticated SQL injections in the Anti-Spam by CleanTalk plugin 5.148 exist, however, it requires high privilege user admin+. Vulnerable functions: removeLogs and removeSpam at: lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php Sleep query: POST...

1.4AI score0.01444EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/11/19 12:0 a.m.14 views

Contextual Related Posts < 2.9.4 - CSRF Nonce Validation Bypass

The plugin does not properly check for the CSRF nonce in the export and import features, which could allow attackers to make authenticated logged in administrators perform those actions via a CSRF attack. To bypass the nonce validation, just don't send the crpexportsettingsnonce or...

1.5AI score
Exploits0References2
wpexploit
wpexploit
added 2020/11/14 12:0 a.m.19 views

WP DB Error Manager <= 2.1.6 - Reflected Cross-Site Scripting (XSS)

Reflected XSS in the file "admin/partials/wp-db-error-manager-login-display.php" in parameter "email" query string https://example.com/wp-content/plugins/wp-database-error-manager/admin/partials/wp-db-error-manager-login-display.php?email=%22%3E%3Cimg%20src%20onerror=alert/XSS/%3E...

1.6AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/13 12:0 a.m.48 views

[0day] AIT CSV Import / Export <= 3.0.3 - Unauthenticated Arbitrary File Upload

The WPScan research team discovered an active exploitation attempt against a 0day vulnerability within the premium AIT CSV Import / Export WordPress plugin within our honeypot logs. The honeypot log showed a GET request to the following file:...

7.1AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/12 12:0 a.m.84 views

Good LMS < 2.1.5 - Unauthenticated SQL Injection

The Good LMS WordPress plugin was vulnerable to Unauthenticated SQL Injection in its 'id' parameter of the gdlrlmscancelbooking action. POST /wp-admin/admin-ajax.php HTTP/1.1 action=gdlrlmscancelbooking&id=SELECT 1337 FROM SELECTSLEEP10MrMV...

7.5CVSS2.7AI score0.1064EPSS
Exploits2References2
wpexploit
wpexploit
added 2020/11/12 12:0 a.m.55 views

BA Book Everything < 1.3.25 - Unauthenticated Reflected XSS & XFS

An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the BA Book Everything plugin v1.3.24 for WordPress. Vulnerable parameters: datefrom, dateto. $ :: Payloads: " " ! :: PoC:...

1.3AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/12 12:0 a.m.19 views

Love Travel < 2.0 - Unauthenticated Reflected XSS & XFS

An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the Love Travel theme for WordPress, affected versions: 1.0-1.9. Vulnerable parameters: ndtravelarchiveformkeyword, ndtraveltypologyslug. The issue was fixed due to a code rewrite of the theme. $ :: Payloads: " "...

1.9AI score
Exploits0References2
wpexploit
wpexploit
added 2020/11/12 12:0 a.m.28 views

Love Travel 2.0-3.8 - Unauthenticated Reflected XSS & XFS

An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the Love Travel theme for WordPress, affected versions: 2.0-3.8. Vulnerable parameters: keyword, datefrom, dateto, pricefromto, nicdarkpricefrom, nicdarkpriceto The PoC will be displayed once the issue has been remediated...

1.6AI score
Exploits0References2
wpexploit
wpexploit
added 2020/11/09 12:0 a.m.63 views

Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Roles

Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges. $username, 'firstname-'. $formid =...

7.5CVSS1.6AI score0.02961EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/11/09 12:0 a.m.40 views

Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update

Due to the fact that Ultimate Member allowed the creation of new roles, this plugin also made it possible for site administrators to grant secondary Ultimate Member roles for all users upon a /wp-admin profile update. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ;...

6.5CVSS1.3AI score0.02032EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/11/09 12:0 a.m.42 views

Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta

An attacker could supply an array parameter for sensitive meta data such as the wpcapabilities user meta which defines a user’s role. During the registration process, submitted registration details were passed to the updateprofile function, and any respective metadata that was submitted, regardle...

7.5CVSS1.1AI score0.08975EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/11/08 12:0 a.m.26 views

Abandoned Cart Lite for WooCommerce < 5.8.3 - Unauthenticated SQL Injection

The plugin is affected by an unauthenticated SQL injection via the billingfirstname parameter of the savedata AJAX call. From the original researcher: ./sqlmap.py -u https://example.com/wp-admin/admin-ajax.php --cookie='cookies content here' --method='POST'...

2.2AI score
Exploits0References2
wpexploit
wpexploit
added 2020/11/05 12:0 a.m.18 views

Augmented Reality <= 1.2.0 - Unauthenticated PHP File Upload leading to RCE

The elFinder connector used allows upload of PHP files as the 'uploadAllow' options contains 'text/x-php'. This allows an unauthenticated user to upload PHP files, leading to a RCE vulnerability. The issue is similar to https://wpscan.com/vulnerability/10389 POST...

7.4AI score
Exploits0References1
wpexploit
wpexploit
added 2020/11/03 12:0 a.m.18 views

GDPR CCPA Compliance Support < 2.4 - Unauthenticated PHP Object Injection

The GDPR CCPA Compliance Support WordPress plugin was vulnerable to an Unauthenticated PHP Object Injection security vulnerability. The vulnerability could triggered within the "njtgdprallowpermissions" Base64 encoded cookie value...

2.3AI score
Exploits0References3
wpexploit
wpexploit
added 2020/11/02 12:0 a.m.710 views

AccessPress Social Icons < 1.8.1 - Authenticated SQL Injection

The plugin does not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. https://drive.google.com/file/d/1UBTpW3RcPR7iqTi94ueyXLwWH8aFHuoe/view?usp=sharing Payload: aps-social id="1 and sleep3"...

2.7AI score0.01255EPSS
Exploits1References2
wpexploit
wpexploit
added 2020/10/30 12:0 a.m.39 views

SW Ajax WooCommerce Search < 1.2.8 - Unauthenticated Reflected XSS & XFS

An Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the SW Ajax WooCommerce Search plugin v1.2.6 for WordPress. The plugin comes with a number of commercial themes such as: OneMall, Revo, eMarket, Autusin, Market, MaxShop, ShoppyStore, Furnicom, EtroStore, HiTheme, StyleShop...

6.7AI score
Exploits0References2
wpexploit
wpexploit
added 2020/10/29 12:0 a.m.29 views

Greenmart < 2.5.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Due to an incomplete fix of CVE-2020-16140 see https://wpscan.com/vulnerability/10444, the reflected XSS attack is still possible on unauthenticated users, by extracting the searchnonce from the source of the homepage and adding it to the original payload. This is possible because WP nonces are...

6.4AI score0.00923EPSS
Exploits3References1
wpexploit
wpexploit
added 2020/10/28 12:0 a.m.29 views

Greenmart < 2.4.3 - Reflected Cross-Site Scripting (XSS)

The greenmartautocompletesearch AJAX action, available to both authenticated and unauthenticated users does not properly sanitise the callback parameter passed to it, resulting in a reflected Cross-Site Scripting issue. Edit WPScanTeam: The vendor 'fixed' the issue for authenticated users by addi...

4.3CVSS1.3AI score0.00923EPSS
Exploits3References2
wpexploit
wpexploit
added 2020/10/22 12:0 a.m.30 views

Advanced Booking Calendar < 1.6.2 - Unauthenticated SQL Injection

The AJAX action abcbookinggetBookingResult, available to both authenticated and Unauthenticated users did not sanitise the calendarId parameter which was then concatenated to a SQL statement, leading an unauthenticated SQL injection issue. This could be used to retrieve information from the...

2AI score
Exploits0References1
wpexploit
wpexploit
added 2020/10/22 12:0 a.m.32 views

CM Download Manager < 2.8.0 - Authenticated Cross-Site Scripting

The plugin does not properly validate and sanitise the uploaded filename, which could result in a Cross-Site Scripting issue. Vulnerable page - 'cmdownload/add/' Vulnerable parameter - 'filename' in 'Content-Disposition' Header POST /cmdownload/add/ HTTP/1.1 Host: localhost:8081 User-Agent:...

4.3CVSS0.1AI score0.00999EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/10/21 12:0 a.m.51 views

Helios Solutions Brand Logo Slider <= 2.1 - Authenticated Arbitrary File Upload

An Authenticated user admin+ can bypass the security check of the plugin and upload arbitrary files via the Brand Logo. The PoC will be displayed once the issue has been remediated...

1AI score
Exploits0References1
wpexploit
wpexploit
added 2020/10/21 12:0 a.m.108 views

Loginizer < 1.6.4 - Unauthenticated SQL Injection

The Loginizer WordPress plugin was found to be affected by an Unauthenticated SQL Injection vulnerability found by the security researcher mslavco. The vulnerability was triggered within the brute force protection functionality, which was enabled by default when the plugin was first installed. Wh...

7.5CVSS0.5AI score0.53619EPSS
Exploits4References4
wpexploit
wpexploit
added 2020/10/21 12:0 a.m.79 views

SuperStoreFinder Plugins - Unauthenticated Arbitrary File Upload

The SuperStoreFinder premium WordPress plugins did not properly check file uploads, depending on the plugin, only checking for the mime type and/or the first extension of the file name. An attacker could set the Content-Type header to "Content-Type: text/csv", as well as use a double extension to...

7.5AI score
Exploits0References5
wpexploit
wpexploit
added 2020/10/15 12:0 a.m.50 views

Comment Press < 2.7.2 - Unauthenticated Cross-Frame Scripting

An Unauthenticated Cross-Frame Scripting vulnerability was discovered in the Comment Press plugin v2.7.0 for WordPress. ! :: PoC Burp Suite: POST /wp-comments-post.php HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest...

0.8AI score
Exploits0References2
wpexploit
wpexploit
added 2020/10/15 12:0 a.m.16 views

Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion

While investigating an IDOR issue on a premium theme, allowing arbitrary deletion of Ads, submitted by Vlad Vector, the Realia plugin was found to be the root cause. In fact, having this plugin installed which some themes require can allow unauthenticated attackers to delete arbitrary posts, by...

0.7AI score
Exploits0References1
wpexploit
wpexploit
added 2020/10/14 12:0 a.m.32 views

Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation

This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution RCE on a vulnerable site’s server. The following will create hello.php in the...

6.8CVSS1.4AI score0.00765EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/10/14 12:0 a.m.13 views

Quick Chat <= 4.14 - Authenticated Stored Cross-Site Scripting

An Authenticated Persistent XSS vulnerability is present in the the plugin options page /wp-admin/options-general.php?page=quick-chat/quick-chat.php, vulnerable fields: «Chat name prefix for guest users», «Advertisement code for your AdSense». The PoC will be displayed once the issue has been...

0.8AI score
Exploits0References1
wpexploit
wpexploit
added 2020/10/14 12:0 a.m.13 views

Quick Chat <= 4.14 - Unauthenticated Stored Cross-Site Scripting

An Unauthenticated Persistent XSS vulnerability was discovered in the Quick Chat plugin v4.14 for WordPress. The PoC will be displayed once the issue has been remediated...

0.9AI score
Exploits0References1
wpexploit
wpexploit
added 2020/10/12 12:0 a.m.26 views

LocalWeb All In One plugin < 1.6.5 - Unauthenticated Stored Cross-Site Scripting (XSS)

An Unauthenticated Stored XSS vulnerability was discovered in the LocalWeb All In One plugin v1.6.3 for WordPress. There is an older version of this plugin called Web Instant Messenger, latest version is v1.1.1. The specificity of this plugin is that it interacts with the remote host...

0.3AI score
Exploits0References1
wpexploit
wpexploit
added 2020/10/11 12:0 a.m.680 views

PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE

The plugin did not verify some of the uploaded feed images such as the ones from Podcast Artwork section, allowing high privilege accounts admin+ being able to upload arbitrary files, such as php, leading to RCE. https://drive.google.com/file/d/1fyf6blzeG3VX22BQX7hc1QJ20rCY5p43/view?usp=sharing -...

0.1AI score0.01647EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/10/09 12:0 a.m.47 views

Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload

The plugin does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html...

0.5AI score0.00617EPSS
Exploits2
wpexploit
wpexploit
added 2020/10/09 12:0 a.m.59 views

Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings"

The plugin attempts to delete malicious files such as .php form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not remove...

0.9AI score0.13139EPSS
Exploits7
wpexploit
wpexploit
added 2020/10/09 12:0 a.m.53 views

Autoptimize < 2.7.8 - Race Condition leading to RCE

The plugin attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It ...

0.5AI score0.13139EPSS
Exploits7
wpexploit
wpexploit
added 2020/10/08 12:0 a.m.30 views

Dynamic Content for Elementor < 1.9.6 - Authenticated RCE

The PHP Raw Widget https://www.dynamic.ooo/widget/php-raw/ of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as editor to perform RCE attacks. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com...

9CVSS8.9AI score0.05648EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/10/07 12:0 a.m.65 views

HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion

The plugin does not validate and sanitise user input which is being concatenated to create a file path, passed to unlink, which leads to an arbitrary file deletion issue. For more details about this issue, please see the reference. File: hypercomments/hypercomments.php:112 $filename =...

1.2AI score
Exploits0References1
wpexploit
wpexploit
added 2020/10/07 12:0 a.m.57 views

WPBakery Page Builder < 6.4.1 - Authenticated Stored Cross-Site Scripting (XSS)

Wordfence discovered an Authenticated Stored Cross-Site Scripting XSS security vulnerability within the WPBakery Page Builder WordPress plugin. The vulnerability could allow a low privileged user, such as contributor, to inject malicious JavaScript into posts. "Exploit Post", "content" =...

3.5CVSS0.3AI score0.00691EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/09/29 12:0 a.m.695 views

Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection

The bulkaction, exportfull and savesliderdb functionalities of the plugin were vulnerable, allowing a high privileged user Admin, or medium one such as Contributor+ if "Role Options" is turn on for other users to perform a SQL Injection attacks. Vulnerable param: check Vulnerable function:...

1.7AI score0.02586EPSS
Exploits2References1
Total number of security vulnerabilities4359