4359 matches found
Elegant Themes (Divi 3.0 - 4.5.2, Extra 2.0 - 4.5.2, Divi Builder 2.0 - 4.5.2) - Authenticated Arbitrary File Upload
Description This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. Usage: php poc.php url username password filetoupload Once the file is...
Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download
The lack of authorisation checks in the handledownloads function, hooked to admininit could allow unauthenticated users to download arbitrary files from the blog using a path traversal payload. /wp-admin/admin-post.php?algwcpifdownloadfile=../../../../../wp-config.php...
JobCareer < 3.5 - Multiple Cross-Site Scripting (XSS)
An Unauthenticated Reflected & Authenticated Persistent XSS vulnerabilities were discovered in the JobCareer theme through 3.4 for WordPress. Unauthenticated Reflected XSS - Vulnerable parameters: jobtitle, specialisms, location Authenticated Persistent XSS on Employer Profile - «Complete Address...
Reality < 2.5.6 - Multiple Reflected Cross-Site Scripting (XSS)
An Unauthenticated & Authenticated Reflected XSS vulnerabilities was discovered in the Reality theme through 2.5.3 and 2.5.5 for WordPress. Unauthenticated Reflected XSS: http://reality.inwavethemes.com/properties/?status=&keyword=1%22--%3E&label=1%22--%3E%3Cimg%20src=x%20onerror=alertXSS%3E v...
Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload
This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL Content-Length: 774 Accept: / X-Requested-With: XMLHttpRequest User-Agent:...
Real Estate 7 < 3.0.4 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Real Estate 7 theme v3.0.2 and v3.0.3 for WordPress. 3.0.3 - https://example.com/?ctkeyword=%22%3E%3Cimg%20src%20onerror%3Dalert%28%2FXSS%2F%29%3E 3.0.4 -...
CarePlus <= 1.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)
An Unauthenticated Reflected XSS vulnerability was discovered in the CarePlus theme through 1.2 for WordPress. https://example.com/?s=%22%20autofocus%20onfocus=alertXSS;%20%22%3E...
JobSearch < 1.5.6 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the JobSearch plugin v1.5.5 for WordPress. https://example.com/?%22%3E%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E=%3E...
Careerfy < 4.4.0 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Careerfy Job Board theme v4.3.0 for WordPress. https://example.com/jobs-listing/?%22%3E%3C%2Fa%3E%3C%2Fli%3E%3C%2Ful%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E=%3E...
Elementor < 2.9.14 - Authenticated Stored Cross-Site Scripting
The template name is not properly sanitised when output back, leading to a stored XSS issue. Go to templates tab, click on "add new', and select page or section Then add XSS payload such as " on "name your template" field and hit create template...
JobSearch < 1.5.5 - Unauthenticated Reflected Cross-Site Scripting
An Unauthenticated Reflected XSS vulnerability was discovered in the JobSearch plugin v1.5.4 for WordPress. https://eyecix.com/plugins/jobsearch/?jobtype=%3Cimg%20src%3Dx%20onerror%3Dalert%28%60XSS%60%29%3E...
Careerfy < 4.3.0 - Unauthenticated Reflected Cross-Site Scripting
An Unauthenticated Reflected XSS vulnerability was discovered in the Careerfy Job Board theme v4.2.0 for WordPress. https://careerfy.net/careerbooster/jobs-listing/?jobtype=%3Cimg%20src=x%20onerror=alertXSS;%3E...
Email Subscribers & Newsletters < 4.5.1 - Cross-site Request Forgery in send_test_email()
An attacker could exploit this issue by convincing a user to click a specially crafted URL, which will send emails from the affected user’s WordPress email account. function run var targetUrl = "http://example.com/webpage"; var email = "[email protected]"; var subject = "PoC"; var content = "add...
Email Subscribers & Newsletters < 4.5.1 - Authenticated SQL injection in es_newsletters_settings_callback()
An authenticated high privilege attacker could exploit this issue an gain access to the DBMS. import requests import time import sys def loginurl, username, password: wplogin = "%s/wp-login.php" % url wpadmin = "%s/wp-admin/" % url s = requests.Session headers = 'Cookie':'wordpresstestcookie=WP...
All in One SEO Pack < 3.6.2 - Authenticated Stored Cross-Site Scripting
This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page. "Exploit Post", "content" = "\nTest2\n", "status"="pending"; $postdata = jsonencode$data; //Get...
Golo < 1.3.3 - Unauthenticated Reflected XSS
An Unauthenticated Reflected XSS vulnerability was discovered in the Golo theme v1.3.2 for WordPress. https://example.com/?s=%22%3E%3Cimg+src%3Dx+onerror%3DalertXSS%2F%2F%22%3E&posttype=place...
Email Verification for WooCommerce < 1.8.2 - Loose Comparison to Authentication Bypass
The plugin is affected by a loose comparison issue, which could allow any user to log in as administrator. An attacker can manipulate $GET'algwcevverifyemail' and set this payload: eyJpZCI6MSwiY29kZSI6MH0= Example: https://example.com/my-account/?algwcevverifyemail=eyJpZCI6MSwiY29kZSI6MH0= after...
Workup – Job Board < 2.1.6 - Unauthenticated Reflected XSS
Unauthenticated Reflected XSS vulnerability was discovered in the «Workup – Job Board WordPress Theme», tested version — v2.1.5...
Findus - Directory Listing < 1.1.15 - Authenticated Persistent XSS
Authenticated Persistent XSS vulnerability was discovered in the «Findus - Directory Listing WordPress Theme», tested version — v1.1.14. Injected payload will trigger in the admin dashboard, in the «My listings» page and on listing page itself. POST /submit-listing/ HTTP/1.1 Host: example.com...
Workio – Job Board < 1.0.3 - Unauthenticated Reflected XSS
Unauthenticated Reflected XSS vulnerability was discovered in the «Workio – Job Board WordPress Theme», tested version — v1.0.1. https://www.demoapus-wp1.com/workio/jobs-grid-v1/?filter-title=%22%3E%3Cimg%20src=x%20onerror=alertXSS%3E...
Kormosala – Job Board < 1.0.23 - Unauthenticated Reflected XSS
Unauthenticated Reflected XSS vulnerability was discovered in the «Kormosala – Job Board WordPress Theme», tested version — v1.0.22...
Prolisting - Directory Listing < 1.27 - Unauthenticated Reflected XSS
Unauthenticated Reflected XSS vulnerability was discovered in the «Prolisting - Directory Listing WordPress Theme», tested version — v1.2. https://demoapus.com/prolisting/listings/?searchdistance=%22%3E%3Cimg%20src=x%20onerror=alertXSS%3E...
Jetapo < 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
An Unauthenticated Reflected XSS vulnerability was discovered in the Jetapo theme through 1.0.0 for WordPress. https://jetapo.inwavethemes.com/jobs/?location=%22%20autofocus%20onfocus=alertXSS;%20%22%3E...
Findgo - Directory Listing < 1.3.32 - Unauthenticated Reflected and Authenticated Stored XSS
Multiple Cross-Site Scripting XSS vulnerabilities were discovered in the «Findgo - Directory Listing WordPress Theme», tested version — v1.3.30. PoC Unauthenticated Reflected XSS: https://demoapus.com/findgo/listings/?searchdistance=%22%3E%3Cimg%20src=x%20onerror=alertXSS%3E PoC Authenticated...
SendPress Newsletter < 1.20.7.13 - Authenticated Stored Cross-Site Scripting (XSS)
Multiple Stored Cross-Site Scripting within SendPress Newsletter Settings due to improper input sanitation. The vulnerable fields are: - From Name - From Email - Where to send Test Email https://www.dropbox.com/s/slnc6oj1ryssvuz/sendpress-xss.mp4?dl=0 Payloads - v alert1337/// - v 1.20.7.13: "...
WP-Live Chat by 3CX < 8.2.0 - Authenticated Stored Cross-Site Scripting
There is a Stored Cross-Site Scripting XSS in WP-Live Chat by 3CX v. 8.1.9 By 3CX within the Quick Response function. Due to the nature of this vulnerability, a malicious attack with access to a WordPress multisite and permissions to this plugin can craft a malformed JavaScript payload...
Form Maker by 10Web < 1.13.40 - Authenticated Reflected XSS
The 'Form Maker by 10Web' WordPress plugin is vulnerable to XSS in the 'blockedipsfm' page. A logged-in site administrator who follows a crafted link will trigger arbitrary JavaScript code to be run in their browser in the context of their privileged account on the WordPress site...
Newsletter < 6.7.7 - Authenticated Stored Cross-Site Scripting
An Authenticated Stored Cross-Site Scripting XSS was discovered within the Company Info "Motto" field. When creating a new newsletter using an empty template with the header module, the XSS would execute. This was later fixed in version: 6.7.7...
InJob < 3.4.1 - Authenticated Reflected Cross-Site Scripting (XSS)
An Authenticated subscriber+ Reflected XSS vulnerability was discovered in the InJob theme through 3.4.0 for WordPress. https://example.com/dashboard/?iwjtab=%22%3E%3Cimg%20src=x%20onerror=alertXSS;%3E...
SRS Simple Hits Counter <= 1.0.4 - Unauthenticated Blind SQL Injection
Alex Peña from Tenable discovered a blind SQL injection which could allow unauthenticated remote attackers to retrieve data from the DBMS. Note: The vendor attempted a fix in v1.0.4, which is incomplete. The PoC will be displayed once the issue has been remediated...
Travel Booking < 2.8.4 - Unauthenticated SQL Injection
Unauthenticated SQL Injection via the locationid parameter sqlmap --url="https://example.com/search-rental-full-map/?locationid=1" -dbs --random-agent --time-sec=8 03:13:37 INFO resuming back-end DBMS 'mysql' sqlmap resumed the following injection points from stored session: --- Parameter:...
Travel Booking < 2.8.4 - Unauthenticated Cross-Site Scripting (XSS)
Unauthenticated Reflected XSS via the childnumber parameter https://example.com/search-on-sidebar/?childnumber=%22%20autofocus%20%27--%3E--!%3E%3CInput/Autofocus//Onfocus=alertXSS//%3E...
Monalisa < 2.1.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
An Unauthenticated Reflected XSS vulnerability was discovered in the Monalisa theme through 2.1.2 for WordPress. https://example.com/reservation/?state=1%22--%3E%3Cimg%20src=x%20onerror=alertXSS;%3E...
Mailster Gravity Forms < 2.4.9 - Unauthenticated Stored Cross-Site Scripting (XSS)
Mailster 1 is a newsletter plugin for WordPress. It allows to create, send and track the newsletter campaigns. Compass Security identified a stored Cross-Site Scripting XSS vulnerability affecting the administration interface. Successful exploitation requires no authentication and can be performe...
JobSearch < 1.5.3 - Multiple Cross-Site Scripting Issues
An Unauthenticated Reflected & Multiple Authenticated Persistent XSS vulnerabilities was discovered in the JobSearch plugin through 1.5.1 and 1.5.2 for WordPress. Authenticated Persistent XSS on the Candidate and Employer Profile pages. An Authenticated Persistent XSS @ Job Page will trigger on t...
Careerfy < 4.1.0 - Multiple Cross-Site Scripting (XSS) Issues
An Unauthenticated Reflected & Multiple Authenticated Persistent XSS vulnerabilities was discovered in the Careerfy Job Board theme through 3.9.0 and 4.0.0 for WordPress. Authenticated Persistent XSS on the Candidate and Employer Profile pages. An Authenticated Persistent XSS @ Job Page will...
CareerUp < 2.3.1 - Unauthenticated Reflected Cross-Site Scripting
There are unauthenticated reflected Cross-Site Scripting XSS vulnerabilities in CareerUp theme, via the filter parameters. Edit WPScanTeam May 27th, 2020 - Vendor Contacted by Original Submitter. May 29th, 2020 - v2.3.0 Released. Unclear if issue fixed. June 18th, 2020 - Another submitter Vlad...
Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS
Multiple cross-site scripting vulnerabilities in Testimonials Widget 3.5.1 and lower allow remote attackers to inject arbitrary Javascript code or HTML via the below parameters: - Author - Job Title - Location - Company - Email - URL Successful exploitation of this vulnerability would allow...
Payment Form For Paypal Pro < 1.1.65 - Unauthenticated SQL Injection
The 'query' parameter allowed for any unauthenticated user to perform SQL queries with result output to a web page in JSON format. https://example.com/?cffaction=getdatafromdatabase&query=SELECT%20%20from%20wpposts...
ACF to REST API < 3.3.0 - Unauthenticated Arbitrary wp_options Disclosure
The plugin does not properly check for authorisation and allowed options to be retrieved from the wp-json/acf/v3/options/ endpoint. This could allow unauthenticated attacker to retrieve arbitrary values from the wpoptions table, such as a list of active plugins. List all active plugins of the blo...
Nexos - Real Estate < 1.8 - Unauthenticated Reflected XSS & SQL Injection
Unauthenticated Reflected XSS and SQL Injection vulnerabilities were discovered in the «Nexos - Real Estate WordPress Theme», tested version — v1.7. June 17th, 2020 - Confirmed & Escalated to Envato. June 19th, 2020 - v1.8 released. Fixing the issues. PoC Unauthenticated Reflected XSS:...
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd < 5.1.2 - Authenticated Stored Cross Site Scripting (XSS)
Authenticated stored cross-site scripting issues in some of the plugin settings, requiring high privileges. Affected fields are in the settings of the plugin and will be triggered when the common soon page is displayed either the preview or normal one: Logo: x' onerror='alert/XSS/ Headlines:...
WP-Pro-Quiz <= 0.37 - CSRF Leading to Arbitrary Quiz Deletion
Abusing this Cross-Site Request Forgery CSRF issue, an unauthenticated attacker could make a logged in admin delete any quiz on vulnerable website. The PoC will be displayed once the issue has been remediated...
All in One Support Button < 1.8.8 - Authenticated Stored Cross-Site Scripting
The lack of CSRF and Capability checks on AJAX calls, such as arcontactussavemenuitem, could allow low-privilege users to perform stored XSS attacks. The payloads will then be triggered in frontend pages. The Vendor attempted a fix with v1.8.1, by adding capability and some sanitisation checks...
Travel Booking < 2.8.2 - Unauthenticated Reflected XSS
Unauthenticated Reflected XSS vulnerability was discovered in the «Travel Booking WordPress Theme», tested version — v2.8.1. Edit WPScanTeam June 17th, 2020 - Confirmed & Escalated to Envato. June 18th, 2020 - v2.8.2 released, fixing the issue...
CityBook < 2.4.4 - Unauthenticated Reflected XSS
Unauthenticated Reflected XSS vulnerability was discovered in the «CityBook - Directory & Listing WordPress Theme», tested version — v2.4.3. Edit WPScanTeam June 17th, 2020 - Confirmed & Escalated to Envato June 18th, 2020 - v2.4.4 released, fixing the issue...
TownHub < 1.3.0 - Unauthenticated Reflected XSS
Unauthenticated Reflected XSS vulnerability was discovered in the «TownHub - Directory & Listing WordPress Theme», tested version — v1.2.9. Edit WPScanTeam June 17th, 2020 - Confirmed & Escalated to Envato June 18th, 2020 - v1.3.0 released, fixing the issue...
Testimonial Rotator < 3.0.3 - Authenticated Stored Cross-Site Scripting (XSS)
A Stored XSS vulnerability has been found in the 'Author Information' textarea in testimonials from the plugin, which could allow an authenticated medium-privileged user contributor+ to inject arbitrary JavaScript. The XSS will be triggered for anyone visiting public posts or testimonial page...
SportsPress < 2.7.2 - Authenticated Stored Cross-Site Scripting
Any user with the role of administrator or League Manager is able to store XSS payloads in the custom delimiter setting of events pages. This will then execute on all events pages on the website. Video PoC: https://youtu.be/J8QZ8S6CiS8...
Elementor Page Builder < 2.9.10 - Authenticated Stored XSS
The Elementor Page Builder plugin is susceptible to stored XSS. An author user can create custom links containing XSS payloads or apply custom attributes to widgets which results in XSS. javascript:alert1, JaVaScript:alert1, javas cript:alert1 @keyframes x...