4359 matches found
Ninja Forms < 3.4.27.1 - CSRF leading to Arbitrary Plugin Installation
The plugin is affected by a Cross-Site Request Forgery CSRF which could allow attackers to make a logged administrator install an arbitrary plugin from the WordPress repository. http://example.com/wp-admin/admin-ajax.php?action=nfservicesinstall&plugin=wpscan&installpath=wpscan/wpscan.php...
XCloner Backup and Restore 4.2.1 - 4.2.12 - Unprotected AJAX Action
"This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on a vulnerable site’s server. Alternatively, an attacker could create an exploit cha...
Coditor <= 1.1 - Arbitrary File Edition, Deletion and Internal Directory Listing in wp-content
The coditorprocessajax AJAX call is missing any CSRF and authorisation checks, allowing low privilege users subscriber+ to read and edit any files in the wp-content folder, as well as list its content. The PoC will be displayed once the issue has been remediated...
JobMonster < 4.6.6.1 - Directory Listing in Upload Folder
The JobMonster Theme was vulnerable to Directory Listing in the /wp-content/uploads/jobmonster/ folder, as it did not include a default PHP file, or .htaccess file. This could expose personal data such as people's resumes. Although Directory Listing can be prevented by securely configuring the we...
Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.5.5 - Unauthenticated Remote Code Execution
The Drag and Drop Multiple File Upload – Contact Form 7 WordPress plugin was vulnerable to Remote Code Execution via file upload. The plugin used a blacklist of dangerous file extensions that it did not allow to be uploaded, however, the extensions .phar and .phpt were not within the blacklist,...
Affiliate Manager < 2.7.8 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly validate and sanitise data passed to the affiliate-register form, allowing unauthenticated user to set XSS payloads in some of its fields. The payloads will then be triggered when privileged users, such as admin, will view the created affiliate in the backend. As an...
10Web Social Post Feed < 1.1.27 - Authenticated SQL Injection
Authenticated SQL injection in the 10Web Social Post Feed WordPress Plugin 1.1.26 via the /wordpress/wp-admin/admin.php?page=infoffwd searchvalue parameter. https://drive.google.com/file/d/1Hndhdy3leYTzutx-DJvu1B-tW5Y5teBB/view...
Email Subscribers & Newsletters < 4.5.6 - Unauthenticated email forgery/spoofing
It allows a remote unauthenticated attacker to send forged emails to all recipients from the available lists of contacts or subscribers, with complete control over the content and subject of the email. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com Content-Type:...
ActiveCampaign < 8.0.2 - Cross-Site Request Forgery in Settings
The ActiveCampaign 8.0.1 plugin is lacking CSRF check on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account. When a logged-in administrator accesses an HTML page embedded below content, the plugin's setting will be changed...
Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS
Multiple stored cross-site scripting vulnerabilities in Constant Contact Forms for WordPress 1.8.7 and lower allow high-privileged user Editor+ to inject arbitrary Javascript code or HTML in posts where the malicious form is embed. High-privileged user Editor+ can exploit XSS via Add New Form's...
Advanced Database Cleaner < 3.0.2 - Authenticated SQL injection
The plugin did not properly sanitise user input given, allowing high privilege users admin+ to perform SQL injection attacks. https://drive.google.com/file/d/1ljyMPfcwLXP2VS8lbAKNR9SzNfX1sm3W/view?usp=sharing...
File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE
Seravo noticed multiple cases where WordPress sites were breached using 0-day in wp-file-manager confirmed with v6.8, which was the latest version available in wordpress.org. File lib/php/connector.minimal.php can be by default opened directly, and this file loads...
Ceceppa Multilingua <= 1.5.17 - Authenticated Reflected Cross-Site Scripting
The tab GET parameter in the plugin's settings is vulnerable to reflected XSS attacks. The PoC will be displayed once the issue has been remediated...
Recall Products <= 0.8 - Authenticated SQL Injection
The Manufacturer POST parameter is vulnerable to SQL injection when submitting a deletion request. The PoC will be displayed once the issue has been remediated...
WP Floating Menu < 1.4.1 - Authenticated Reflected Cross-Site Scripting
The id GET parameter used by WP Floating menu does not correctly sanitise user input before reflecting the parameter back to the user, resulting in a reflected XSS vulnerability. Other sanitisation have been added to prevent other XSS issues as well as potential SQL injections...
Bulk Change <= 1.0 - Authenticated Reflected Cross-Site Scripting
The Bulk Change page under Tools Bulk Posts Change has an 's' GET parameter echoed to a text input tag value without being sanitised, leading to a cross-site scripting issue. /wp-admin/tools.php?page=bulk-change%2Fbulk-change.php&perpage=10&dosearch=Search+...&changeposttype&bctpaction&s="alertXS...
Subscribe Sidebar <= 1.3.1 - Authenticated Reflected Cross-Site Scripting
The 'status' GET parameter in subscribesidebar.php, which is displayed in the plugin's option page, is vulnerable to reflected XSS attacks. /wp-admin/options-general.php?page=subscribesidebar.php&status=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E...
Chamber Dashboard Business Directory < 3.3.1 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise user input when creating or editing a business in the dashboard, allowing high privilege users Editor+ to set XSS payloads in various fields. Login as an editor or admin, then add/edit a business and set the phone number as " The payload will then be executed in the...
Real Estate 7 < 3.0.5 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Real Estate 7 theme v3.0.4 for WordPress. Vulnerable parameters: ctsqftfrom, ctsqftto, ctlotsizefrom, ctlotsizeto, ctmls. Edit WPScanTeam: The issue has been hot-fixed in 3.0.4. So the fixed in has been set to 3.0.5 the next...
Quiz and Survey Master < 7.0.2 - Unauthenticated Arbitrary File Upload
Because the plugin doesn't validate the name of the uploaded file, an unauthenticated user could upload a PHP script with a double extension, e.g., script.php.jpg, and execute it on HTTP servers running a configuration such as Apache + PHP FastCGI. Edit WPScanTeam: This appears to be due to an...
Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload
The aoccssimport AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. https://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing POST /wp-admin/admin-ajax.php HTTP/1...
RSVPMaker < 7.8.2 - Unauthenticated SQL Injection
The plugin does not sanitise user input before using it in a SQL statement in the signedupajax AJAX action. Note: Even though the reported SQL Injection was fixed in v7.8.2, other additional sanitisation was implemented in v7.8.3 to 7.8.6. sqlmap -u "https://localhost/?action=signedup&eventcount=...
WooCommerce - NAB Transact < 2.1.2 - Payment Bypass
The plugin does not validate the origin of payment processor status requests, allowing orders to be marked as fully paid by issuing a specially crafted GET request during the ordering workflow. When presented with a payment screen, instead of submitting payment information, issue the following GE...
WP Customer Reviews < 3.4.3 - Multiple Unauthenticated and Low Priv Authenticated Stored XSS
Multiple stored cross-site scripting vulnerabilities in WP Customer Reviews 3.4.2 and lower allow remote attackers to inject arbitrary JavaScript code or HTML. If WP Customer Reviews is enabled on a page, an unauthenticated attacker can exploit XSS via review form's parameters: - Reviewer Name -...
Elegant Testimonial <= 1.1.6 - Multiple Authenticated Stored Cross-Site Scripting
The name, company and text fields used while adding a testimonial to a page was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites...
Change WordPress Login Logo < 1.1.5 - Authenticated Stored Cross-Site Scripting
The height, and width fields used to update the custom logo was found to be vulnerable to stored XSS, as they did not sanitize user input properly before publishing the changes. It is triggered when a user loads the login page. Set the following payload as Height or Width in the plugin's settings...
Click to Top < 1.2.8 - Authenticated Stored Cross-Site Scripting
The Type scroll text field in the plugin settings page was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the changes. It is triggered when a user loads any page on the website. All WordPress websites using Click to top WordPress Plugin...
Internal Links Manager < 2.1.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS)
Due to lack of user input filtering and validation, the "Add New Link" and "All Links" features are vulnerable to cross-site scripting. The following fields are vulnerable: Internal Title title, Link Title titleattr. Issues were reported to vendor and WP plugins team by reporter. Edit WPScanTeam:...
Home Villas <= 2.2 - Multiple Cross-Site Scripting Issues
An Unauthenticated Reflected & Authenticated Persistent XSS vulnerabilities were discovered in the Home Villas theme through 2.2 for WordPress. Edit WPScanTeam: July 27th, 2020 - Confirmed & Escalated to Envato July 28th, 2020 - Envato Investigating August 17th, 2020 - No updates, disclosing...
Responsive Lightbox2 < 1.0.3 - Authenticated Stored Cross-Site Scripting
The ‘hyperlink’ field in used while linking an image from a URL was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using...
Geo Magazine <= 2.0 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Geo Magazine theme through 2.0 for WordPress. Edit WPScanTeam: July 27th, 2020 - Confirmed & Escalated to Envato July 28th, 2020 - Envato Investigating August 17th, 2020 - No updates, disclosing The PoC will be displayed once th...
Sell Photo <= 1.0.5 - Authenticated Stored Cross-Site Scripting
The Button Text/Image field in Settings page of Sell Photos Plugin was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. It is triggered when a users loads a page where the plugin is used, and when an admin opens settings page of the plugin. The PoC will be...
Colorbox Lightbox <= 1.1.2 - Authenticated Stored Cross-Site Scripting
The ‘hyperlink’ field in used while linking an image from a URL was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using...
Fancy Lightbox < 1.0.2 - Authenticated Stored Cross-Site Scripting
The ‘hyperlink’ field in used while linking a remote resource Image, Video or web page from a URL was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used...
Easy Media Download < 1.1.5 - Authenticated Stored Cross-Site Scripting
The ‘Button Text’ field in used while posting a file download was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using Easy...
NextGEN Gallery Sell Photo <= 1.0.4 - Authenticated Stored Cross-Site Scripting
The Button Text/Image field in Settings page of Sell Photos Plugin was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. It is triggered when a users loads a page where the plugin is used, and when an admin opens settings page of the plugin. The PoC will be...
Sell Media < 2.4.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
A Cross-site scripting XSS vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter aka $searchterm or the Search field. https://example.com/sell-media-search/?keyword="alert/XSS/...
Quiz and Survey Master < 7.0.1 - Unauthenticated Arbitrary File Deletion
This flaw allows users to delete arbitrary files like a site’s wp-config.php file which could effectively take a site offline and allow an attacker to take over the vulnerable site. history.pushState'', '', '/'...
Quiz and Survey Master < 7.0.1 - Arbitrary File Upload
This flaw made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution. Set-up quiz that accepts file uploads, then upload file and change content-type to one set as approved. history.pushState'', '', '/' function submitRequest var xhr = new...
Nova Lite < 1.3.9 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The theme did not properly sanitise the search query, leading to an unauthenticated reflected Cross-Site Scripting issue /?s=%3Cimg%20src%20onerror=alert/XSS/%3E...
Ultimate Member < 2.1.7 - Unauthenticated Open Redirect
The Ultimate Member WordPress plugin was vulnerable to an Unauthenticated Open Redirect vulnerability, affecting the registration and login pages where the "redirectto" GET parameter was used. https://www.example.com/register/?redirectto=https://www.evil.com/...
Add From Server <= 3.3.3 - Authenticated Path Traversal to Arbitrary File Access
An authenticated attacker with low permission can read arbitrary files on server using Path Traversal. The plugin author states that this is by design and that the plugin should not be used. Please refer to the references. http://example.com/wp-admin/upload.php?page=add-from-server&adirectory=/...
File Manager < 6.5 - Backup File Directory Listing
The File Manager WordPress plugin could expose backup files if the web server had Directory Listing enabled. The File Manager WordPress plugin, version 6.4 and lower, failed to restrict external access to the fmbackups directory with a .htaccess file. This resulted in the ability for...
Cardoza WordPress Poll <= 36 - Authenticated SQL Injection
The Cardoza WordPress Poll plugin was vulnerable to authenticated SQL Injection in the "pollid" POST parameter when submitting a poll deletion request. action=deletepoll&pollid=SELECT 2822 FROM SELECTSLEEP5gsJu...
RSS Feed Widget < 2.8.1 - Authenticated Cross-Site Scripting (XSS)
The RSS Feed Widget WordPress plugin version 2.8.0 and below was vulnerable to Authenticated Cross-Site Scripting XSS within the "t" GET parameter. http://www.example.com/wp-admin/admin.php?page=rfwoptions&t=1"alert"xss"...
Admin Menu <= 1.1 - Authenticated Cross-Site Scripting (XSS)
The Admin Menu WordPress plugin, versions 1.1 and below, were vulnerable to Authenticated Cross-Site Scripting XSS within the "role" GET parameter. http://www.example.com/wp-admin/admin.php?page=admin-menu-pro&role=alertString.fromCharCode88,83,83...
Ultimate Appointment Booking & Scheduling < 1.1.10 - Authenticated Cross-Site Scripting (XSS)
The Ultimate Appointment Booking & Scheduling WordPress plugin, versions 1.1.9 and older, were vulnerable to Authenticated Cross-Site Scripting XSS within multiple parameters...
Konzept < 2.5 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Konzept theme through 2.3 for WordPress. /?s=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%60XSS%60%3B%3E...
FoodBakery < 2.0 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the FoodBakery theme through 1.9 for WordPress. Note: The issue was hot patched in 1.9. As a result, there are two 1.9 versions out there, one vulnerable and one with the patch...
The Official WordPress Facebook Chat Plugin < 1.6 - Authenticated Options Change to Chat Takeover
This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. Obtain PageID from a test Facebook Page found under page - about - pageID. Use this...