4359 matches found
JobSearch < 1.5.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
There is a Cross-Site Scripting vulnerability in the JobSearch plugin. https://eyecix.com/plugins/jobsearch/?searchtitle=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E&ajaxfilter=true&posted=all&sort-by=recent...
AdRotate < 5.8.4 - Authenticated SQL Injection
Authenticated SQL injection in the AdRotate 5.8.3.1 exists via param "id". However, this requires an admin privileged user. NOTE: The plugin author mistook this SQLi bug for XSS but the remedy remains OK. Param "id" is vulneable to SQL Injeciton. Example 1:...
Careerfy < 3.9.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)
There is a XSS vulnerability in Careerfy. https://careerfy.net/demo/jobs-listing/?searchtitle=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&location=&locradius=50§orcat=...
Blog2Social: Social Media Auto Post & Scheduler < 6.3.1 - Authenticated SQL Injection
SQL Injection in the Blog2Social plugin 6.3.0 for WordPress exists via Re-Share Posts feature. Please refer to the video below for steps to reproduce and demonstration of automatic exploit with sqlmap. - Mega.nz: https://mega.nz/file/mt1gFYTKe3XkA-zY0cCApTYlLZktRZ4Q4vchVhbPsNqQC6CKORo - Drive:...
Multi Scheduler <= 1.0.0 - Arbitrary Record Deletion via CSRF
The lack of CSRF check could allow attacker to delete arbitrary records from the plugin for example Professional ones via a CSRF attack. The issue is not patched, and has ben escalated to WP plugins team on May 29th, 2020 The PoC will be displayed once the issue has been remediated...
Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - Unprotected AJAX's leading to XSS
Nearly all of the AJAX action endpoints in this plugin failed to include permission checks allowing these actions to be executed by anyone authenticated on the site. The greatest impact was the pagelayersavecontent function that allowed pages to be modified and XSS to occur. $wpuser, 'pwd' =...
Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - CSRF leading to XSS
A flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection...
Final Tiles Gallery < 3.4.19 - Authenticated Stored Cross-Site Scripting (XSS)
Multiple cross-site scripting vulnerabilities in Final Tiles Gallery 3.4.18 and lower allow remote attackers to inject arbitrary web script or HTML via the Title and Caption fields of an image. Successful exploitation of this vulnerability would allow an authenticated high-privileged user author+...
Form Maker by 10Web < 1.13.36 - Authenticated SQL Injection
Authenticated admin+ SQL injection in the Form Maker by 10Web WordPress Plugin 1.13.35 exists via the /wordpress/wp-admin/admin.php?page=blockedipsfm=1" s parameter. Edit WPScanTeam: - Initial reported version 5.4.1 does not exist, confirmed to be 1.13.35 by researcher - May 25th, 2020 - details...
Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 - Unauthenticated File Upload Bypass
Due to the plugin not properly checking the file being uploaded via the dndcodedropzupload AJAX action, an attacker could bypass the checks in place and upload a PHP file. There was a working exploit provided along with this vulnerability. It also requires the Contact Form 7 plugin to be installe...
Official MailerLite Sign Up Forms < 1.4.4 - Unauthenticated SQL Injection
Most methods in the MailerLite plugin do not sanitize user input data which causes SQL injection. Also no single method checks for a nonce token which causes a CSRF issue everywhere. One example would be to inject the payload 1 union all select database,2,3,1,5 into the formid GET parameter of th...
Add-on SweetAlert Contact Form 7 < 1.0.8 - Authenticated Stored Cross-Site Scripting (XSS)
Stored XSS "post-auth" in "tittle" field of the "Error Alert" and "Success Alert" sections of the plugin's settings page due to poor sanitization of entered characters. When you enter the payload and save the changes, it is permanently embedded in the html code of the settings page, so all users...
ThirstyAffiliates < 3.9.3 - Authenticated Stored XSS
The ThirstyAffiliates Affiliate Link Manager WordPress plugin was vulnerable to authenticated stored Cross-Site Scripting XSS. An authenticated attacker, such as an author, could attach an image with malicious JavaScript as its title, which would be executed once viewed by an administrator user...
Ajax Load More < 5.3.2 - Authenticated SQL Injection
The Ajax Load More WordPress plugin was vulnerable to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep5=test. The attacker needs to be authenticated with the editthemeoptions capability, which only administrators have by default...
Team Members < 5.0.4 - Authenticated Stored Cross-Site Scripting (XSS)
Cross-site scripting vulnerabilities in Team Members version 5.0.3 and lower allow medium-privileged authenticated attacker contributor+ to inject arbitrary web script or HTML via the 'Description/biography' of a member. https://drive.google.com/file/d/1w5AmyBEOxAmtQ0T3uGKAB3o9w3ihNRAj/view Add a...
Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection
SQL injection in the Photo Gallery 10Web Photo Gallery plugin before 1.5.55 exists via the frontend/models/model.php bwgsearchx parameter. Impact All gallerytype is affected by this bug and any unauthenticated remote attacker can exploit the plugin. Sqlmap payload: sqlmap -u...
Easy Testimonials < 3.6 - Authenticated Stored Cross-Site Scripting (XSS)
Multiple cross-site scripting vulnerabilities in Easy Testimonials 3.5.2 and lower allow remote attackers to inject arbitrary web script or HTML via the Client Name, Position / Web Address / Other, Location Reviewed / Product Reviewed / Item Reviewed, Rating parameter. Successful exploitation of...
Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access
This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin. Steps to reproduce: 1. Log in as a subscriber on target WordPress site. 2. View the page source of /wp-admin and command+f to search for...
Page Builder by SiteOrigin < 2.10.16 - CSRF to Reflected Cross-Site Scripting (XSS)
Flaws in the live editor and actionbuildercontent functions of the plugin "allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to trick a site administrator into executing an action, like clicking a link...
Chopslider <= 3.4 - Unauthenticated Blind SQL Injection
The id parameter of the getscript/index.php page is not sanitised when used in a SQL statement, leading to an unauthenticated blind SQL Injection issue. Vendor was contacted by researcher, on March 3rd, 2020 but no reply was received. The PoC will be displayed once the issue has been remediated...
Elementor Pro < 2.9.4 - Authenticated Arbitrary File Upload
According to Jerome Bruandet, from NintechNet, the vulnerability, currently exploited by attackers, allows any logged-in user to upload and execute PHP scripts on the blog. Chloe Chamberland from Wordfence also confirmed the issue and added that "This vulnerability is being used in conjunction wi...
Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)
The iframe plugin before 4.5 does not sanitize a URL. iframe src="javascript:alertdocument.cookie" width="100%" height="500"...
wpForo < 1.7.0 - New Users Set as Admin via CSRF
The plugin did not have CSRF in place in a page, allowing attacker to make a logged in admin set all new users as admins directly https://example.com/wp-admin/admin.php?page=wpforo-usergroups&default=1...
Advanced Order Export For WooCommerce < 3.1.4 - Authenticated Cross-Site Scripting (XSS)
The Advanced Order Export plugin for WooCommerce versions 3.1.4 had a reflected XSS vulnerability due to lack of input sanitization on the woeposttype parameter. This allowed arbitrary HTML and JavaScript injection and execution in the context of the logged in user. On a WooCommerce installation...
wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via s Parameter
The plugin did not escape, validate or escape the 's' GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in admin https://example.com/wp-admin/admin.php?page=wpforo-phrases&s="alert/XSS/...
wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via langid Parameter
The plugin did not escape, validate or escape the 'langid' GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in admin...
LearnPress < 3.2.6.9 - Privilege Escalation to "LP Instructor"
The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The "LP Instructor" role grants the "unfilteredhtml" capability, allowing an escalated user to insert posts containing...
Real-Time Find and Replace < 4.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email...
Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE
The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move rename the png file to a...
MapPress Maps Pro < 2.53.9 - Remote Code Execution (RCE) due to Incorrect Access Control in AJAX Actions
The pro version of this plugin registers several AJAX actions that call functions which lack capability checks and nonce checks, specifically the ‘ajaxget’, ‘ajaxsave’, and ‘ajaxdelete’ functions in mappresstemplate.php. As such, it is possible for a logged-in attacker with minimal permissions,...
Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS
=== DESCRIPTION - REFLECTED XSS ======================================== Catch Breadcrumb 1.5.4 plugin for WordPress allow Reflected XSS via a search query when used with one of the theme from the same author: Alchemist & Alchemist PRO, Izabel & Izabel PRO, Chique & Chique PRO, Clean Enterprise &...
GTranslate < 2.8.52 - Unauthenticated Reflected Cross Site Scripting (XSS)
The GTranslate plugin before 2.8.52 for WordPress was vulnerable to an Unauthenticated Reflected XSS vulnerability via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option. The vulnerability was due to outputting the WordPress addqueryarg...
Rank Math 0.9~1.0.42.1 - Missing Access Controls to Disable Competitor Plugins
Missing access controls on the GET requests to deactivate competitors' plugins. This could allow any authenticated users such as subscribers to deactivate the SEO and Sitemap plugins from competitors. The attack could also be performed via CSRF...
Accordion < 2.2.9 - Unprotected AJAX Action to Stored/Reflected XSS
This flaw allowed any authenticated user with subscriber-level and above permissions the ability to import a new accordion and inject malicious Javascript as part of the accordion. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL Accept: / X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0...
Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion
The Media Library Assistant plugin before 2.82 for WordPress suffers from a Local File Inclusion vulnerability in mlagallery link=download. The LFI is restricted to the "wp-content" directory...
Tickera WordPress Event Ticketing < 3.4.6.9 - Unauthenticated Sensitive Data Exposure
Due to missing authorization controls in the "admininit" hooks, all personal data from registered users of an event could be exported into a downloadable PDF file by every unauthenticated user. The event ID could be read from the page source and/or easily enumerated in sequence. According to the...
Support Ticket System By Phoeniixx <= 2.7 - Unauthenticated Reflected XSS
Bad user input sanitisation leads to unauthenticated reflected XSS. Edit WPScanTeam: January 27th, 2020 - Report received & WP Plugin team notified January 31st, 2020 - WP plugin team acknowledgement & plugin closed. April 11th, 2020 - No updates, disclosing...
Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation
The plugin registers one AJAX action intended for installing addon plugins from WordPress.org. The callback method to this action does not have a capability nor nonce check. This enables any logged in user to post a request to the endpoint and install, activate or deactivate any plugin. Since the...
WP Lead Plus X < 0.99 - Unauthenticated Stored Cross-Site Scripting (XSS)
One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use "template" pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was...
WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)
WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and "squeeze" pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX action core37lpsavepage whi...
Vanguard <= 2.1 - Multiple Cross-Site Scripting (XSS)
The plugin does not sanitise, validate or escape some of its parameters before outputting the back in various place, leading to either Stored or Reflected Cross-Site Scripting issues Put the following payload in the In Products Search box: " POST /search HTTP/1.1 Accept:...
Car Rental System <= 1.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details. The XSS payload is then executed when an authenticated administrator user views the booking on the booking-list and cust-lookup pages. Inject XSS via most fields in the booking form...
Online Hotel Booking System Pro <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details.. The XSS payload is then executed when an authenticated administrator user views the booking on the Customer-booking page. Inject XSS via most fields in the booking form, which will...
WP Last Modified Info < 1.6.6 - Authenticated Stored XSS
When saving a new campaign, a user with administrator capabilities can store scripts in the plugin's options. The code can then be executed on every page or post on the website. An administrator can store scripts in the "Custom Message to Display on Posts" text input field. Reason for this was...
WP Advanced Search < 3.3.6 - Unauthenticated SQL Injection
Due to using string concatenation, allowing direct access to a vulnerable PHP file and missing best-practices for coding SQL operations, there exists an unauthenticated SQL injection in autocompletion-PHP5.5.php. After a month of trying to contact the Plugin author Twitter, email, we followed...
Contact Form 7 Datepicker <= 2.6.0 - Authenticated Stored Cross-Site Scripting (XSS)
Contact Form 7 Datepicker registers an AJAX action to save settings which calls a function that fails to perform a capability check or nonce check. As such, a logged-in attacker with minimal permissions such as a subscriber can send a crafted request which will store a malicious JavaScript in the...
Art-Picture-Gallery <= 1.2.9 - Unauthenticated Arbitrary File Upload
Edit WPScanTeam: March 26th, 2020 - Report Received & Vendor Contacted March 30th, 2020 - Escalated to WP Plugins team as no response from vendor March 31st, 2020 - WP Plugins team investigating & Plugin closed April 2nd, 2020 - Disclosure The PoC will be displayed once the issue has been remedia...
Woocommerce Subscriptions < 3.0.3 - CSRF to Cancel/Re-Activate Subscription
During a blog assessment, we identified a CSRF issue in the Woocommerce Subscriptions plugin, which could allow attackers to cancel and re-activate a logged in user's subscription. Even though the wpnonce parameter was needed in the request, its value was not verified, allowing an empty value to ...
WordPress SEO Plugin - Rank Math < 1.0.41 - Privilege Escalation via Unprotected REST API Endpoint
This plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permissioncallback used for capability checking. The endpoint called a function, updatemetadata which could be used to update the slug on existing posts, or could be used to delete or update metadata for...
WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint
The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which failed to include a permissioncallbac...