Lucene search
K
WpexploitRecent

4359 matches found

wpexploit
wpexploit
added 2020/06/03 12:0 a.m.21 views

JobSearch < 1.5.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)

There is a Cross-Site Scripting vulnerability in the JobSearch plugin. https://eyecix.com/plugins/jobsearch/?searchtitle=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E&ajaxfilter=true&posted=all&sort-by=recent...

1.1AI score
Exploits0References1
wpexploit
wpexploit
added 2020/06/03 12:0 a.m.763 views

AdRotate < 5.8.4 - Authenticated SQL Injection

Authenticated SQL injection in the AdRotate 5.8.3.1 exists via param "id". However, this requires an admin privileged user. NOTE: The plugin author mistook this SQLi bug for XSS but the remedy remains OK. Param "id" is vulneable to SQL Injeciton. Example 1:...

1.6AI score0.01231EPSS
Exploits2References2
wpexploit
wpexploit
added 2020/06/03 12:0 a.m.16 views

Careerfy < 3.9.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)

There is a XSS vulnerability in Careerfy. https://careerfy.net/demo/jobs-listing/?searchtitle=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&location=&locradius=50&sectorcat=...

1.4AI score
Exploits0References1
wpexploit
wpexploit
added 2020/05/29 12:0 a.m.762 views

Blog2Social: Social Media Auto Post & Scheduler < 6.3.1 - Authenticated SQL Injection

SQL Injection in the Blog2Social plugin 6.3.0 for WordPress exists via Re-Share Posts feature. Please refer to the video below for steps to reproduce and demonstration of automatic exploit with sqlmap. - Mega.nz: https://mega.nz/file/mt1gFYTKe3XkA-zY0cCApTYlLZktRZ4Q4vchVhbPsNqQC6CKORo - Drive:...

0.7AI score0.01505EPSS
Exploits2
wpexploit
wpexploit
added 2020/05/29 12:0 a.m.22 views

Multi Scheduler <= 1.0.0 - Arbitrary Record Deletion via CSRF

The lack of CSRF check could allow attacker to delete arbitrary records from the plugin for example Professional ones via a CSRF attack. The issue is not patched, and has ben escalated to WP plugins team on May 29th, 2020 The PoC will be displayed once the issue has been remediated...

4.3CVSS6.4AI score0.01193EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/05/28 12:0 a.m.50 views

Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - Unprotected AJAX's leading to XSS

Nearly all of the AJAX action endpoints in this plugin failed to include permission checks allowing these actions to be executed by anyone authenticated on the site. The greatest impact was the pagelayersavecontent function that allowed pages to be modified and XSS to occur. $wpuser, 'pwd' =...

6.5CVSS0.4AI score0.01089EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/05/28 12:0 a.m.37 views

Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - CSRF leading to XSS

A flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection...

6.8CVSS0.5AI score0.00773EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/05/28 12:0 a.m.67 views

Final Tiles Gallery < 3.4.19 - Authenticated Stored Cross-Site Scripting (XSS)

Multiple cross-site scripting vulnerabilities in Final Tiles Gallery 3.4.18 and lower allow remote attackers to inject arbitrary web script or HTML via the Title and Caption fields of an image. Successful exploitation of this vulnerability would allow an authenticated high-privileged user author+...

3.5CVSS5.5AI score0.00892EPSS
Exploits2
wpexploit
wpexploit
added 2020/05/26 12:0 a.m.21 views

Form Maker by 10Web < 1.13.36 - Authenticated SQL Injection

Authenticated admin+ SQL injection in the Form Maker by 10Web WordPress Plugin 1.13.35 exists via the /wordpress/wp-admin/admin.php?page=blockedipsfm=1" s parameter. Edit WPScanTeam: - Initial reported version 5.4.1 does not exist, confirmed to be 1.13.35 by researcher - May 25th, 2020 - details...

1.3AI score
Exploits0References1
wpexploit
wpexploit
added 2020/05/26 12:0 a.m.96 views

Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 - Unauthenticated File Upload Bypass

Due to the plugin not properly checking the file being uploaded via the dndcodedropzupload AJAX action, an attacker could bypass the checks in place and upload a PHP file. There was a working exploit provided along with this vulnerability. It also requires the Contact Form 7 plugin to be installe...

7.5CVSS0.4AI score0.78751EPSS
Exploits7References4
wpexploit
wpexploit
added 2020/05/25 12:0 a.m.63 views

Official MailerLite Sign Up Forms < 1.4.4 - Unauthenticated SQL Injection

Most methods in the MailerLite plugin do not sanitize user input data which causes SQL injection. Also no single method checks for a nonce token which causes a CSRF issue everywhere. One example would be to inject the payload 1 union all select database,2,3,1,5 into the formid GET parameter of th...

0.8AI score
Exploits0References1
wpexploit
wpexploit
added 2020/05/25 12:0 a.m.25 views

Add-on SweetAlert Contact Form 7 < 1.0.8 - Authenticated Stored Cross-Site Scripting (XSS)

Stored XSS "post-auth" in "tittle" field of the "Error Alert" and "Success Alert" sections of the plugin's settings page due to poor sanitization of entered characters. When you enter the payload and save the changes, it is permanently embedded in the html code of the settings page, so all users...

6.4AI score
Exploits0
wpexploit
wpexploit
added 2020/05/22 12:0 a.m.569 views

ThirstyAffiliates < 3.9.3 - Authenticated Stored XSS

The ThirstyAffiliates Affiliate Link Manager WordPress plugin was vulnerable to authenticated stored Cross-Site Scripting XSS. An authenticated attacker, such as an author, could attach an image with malicious JavaScript as its title, which would be executed once viewed by an administrator user...

3AI score0.00653EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/05/18 12:0 a.m.816 views

Ajax Load More < 5.3.2 - Authenticated SQL Injection

The Ajax Load More WordPress plugin was vulnerable to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep5=test. The attacker needs to be authenticated with the editthemeoptions capability, which only administrators have by default...

7.6AI score0.01205EPSS
Exploits1References2
wpexploit
wpexploit
added 2020/05/16 12:0 a.m.646 views

Team Members < 5.0.4 - Authenticated Stored Cross-Site Scripting (XSS)

Cross-site scripting vulnerabilities in Team Members version 5.0.3 and lower allow medium-privileged authenticated attacker contributor+ to inject arbitrary web script or HTML via the 'Description/biography' of a member. https://drive.google.com/file/d/1w5AmyBEOxAmtQ0T3uGKAB3o9w3ihNRAj/view Add a...

1.1AI score0.00656EPSS
Exploits2
wpexploit
wpexploit
added 2020/05/15 12:0 a.m.865 views

Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection

SQL injection in the Photo Gallery 10Web Photo Gallery plugin before 1.5.55 exists via the frontend/models/model.php bwgsearchx parameter. Impact All gallerytype is affected by this bug and any unauthenticated remote attacker can exploit the plugin. Sqlmap payload: sqlmap -u...

2.7AI score0.05418EPSS
Exploits1References1
wpexploit
wpexploit
added 2020/05/13 12:0 a.m.36 views

Easy Testimonials < 3.6 - Authenticated Stored Cross-Site Scripting (XSS)

Multiple cross-site scripting vulnerabilities in Easy Testimonials 3.5.2 and lower allow remote attackers to inject arbitrary web script or HTML via the Client Name, Position / Web Address / Other, Location Reviewed / Product Reviewed / Item Reviewed, Rating parameter. Successful exploitation of...

3.5CVSS0.2AI score0.00892EPSS
Exploits2
wpexploit
wpexploit
added 2020/05/13 12:0 a.m.25 views

Site Kit by Google < 1.8.0 - Privilege Escalation to gain Search Console Access

This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin. Steps to reproduce: 1. Log in as a subscriber on target WordPress site. 2. View the page source of /wp-admin and command+f to search for...

0.7AI score
Exploits0References1
wpexploit
wpexploit
added 2020/05/11 12:0 a.m.68 views

Page Builder by SiteOrigin < 2.10.16 - CSRF to Reflected Cross-Site Scripting (XSS)

Flaws in the live editor and actionbuildercontent functions of the plugin "allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to trick a site administrator into executing an action, like clicking a link...

6.8CVSS0.4AI score0.00809EPSS
Exploits3References1
wpexploit
wpexploit
added 2020/05/09 12:0 a.m.88 views

Chopslider <= 3.4 - Unauthenticated Blind SQL Injection

The id parameter of the getscript/index.php page is not sanitised when used in a SQL statement, leading to an unauthenticated blind SQL Injection issue. Vendor was contacted by researcher, on March 3rd, 2020 but no reply was received. The PoC will be displayed once the issue has been remediated...

7.5CVSS0.6AI score0.95657EPSS
Exploits8References1
wpexploit
wpexploit
added 2020/05/07 12:0 a.m.56 views

Elementor Pro < 2.9.4 - Authenticated Arbitrary File Upload

According to Jerome Bruandet, from NintechNet, the vulnerability, currently exploited by attackers, allows any logged-in user to upload and execute PHP scripts on the blog. Chloe Chamberland from Wordfence also confirmed the issue and added that "This vulnerability is being used in conjunction wi...

6.5CVSS0.1AI score0.08565EPSS
Exploits1References2
wpexploit
wpexploit
added 2020/05/07 12:0 a.m.21 views

Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)

The iframe plugin before 4.5 does not sanitize a URL. iframe src="javascript:alertdocument.cookie" width="100%" height="500"...

4.3CVSS0.9AI score0.02006EPSS
Exploits1
wpexploit
wpexploit
added 2020/05/04 12:0 a.m.34 views

wpForo < 1.7.0 - New Users Set as Admin via CSRF

The plugin did not have CSRF in place in a page, allowing attacker to make a logged in admin set all new users as admins directly https://example.com/wp-admin/admin.php?page=wpforo-usergroups&default=1...

6.8CVSS3.5AI score0.0071EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/05/04 12:0 a.m.35 views

Advanced Order Export For WooCommerce < 3.1.4 - Authenticated Cross-Site Scripting (XSS)

The Advanced Order Export plugin for WooCommerce versions 3.1.4 had a reflected XSS vulnerability due to lack of input sanitization on the woeposttype parameter. This allowed arbitrary HTML and JavaScript injection and execution in the context of the logged in user. On a WooCommerce installation...

4.3CVSS6.1AI score0.01955EPSS
Exploits4References2
wpexploit
wpexploit
added 2020/05/04 12:0 a.m.19 views

wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via s Parameter

The plugin did not escape, validate or escape the 's' GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in admin https://example.com/wp-admin/admin.php?page=wpforo-phrases&s="alert/XSS/...

3.5CVSS1.1AI score0.00709EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/05/04 12:0 a.m.29 views

wpForo < 1.7.0 - Reflected Cross-Site Scripting (XSS) via langid Parameter

The plugin did not escape, validate or escape the 'langid' GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in admin...

4.3CVSS1AI score0.00934EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/04/28 12:0 a.m.31 views

LearnPress < 3.2.6.9 - Privilege Escalation to "LP Instructor"

The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The "LP Instructor" role grants the "unfilteredhtml" capability, allowing an escalated user to insert posts containing...

1.7AI score0.03209EPSS
Exploits5References1
wpexploit
wpexploit
added 2020/04/27 12:0 a.m.27 views

Real-Time Find and Replace < 4.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email...

6.8CVSS0.1AI score0.00809EPSS
Exploits2References2
wpexploit
wpexploit
added 2020/04/27 12:0 a.m.19 views

Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE

The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move rename the png file to a...

0.1AI score
Exploits0References3
wpexploit
wpexploit
added 2020/04/23 12:0 a.m.24 views

MapPress Maps Pro < 2.53.9 - Remote Code Execution (RCE) due to Incorrect Access Control in AJAX Actions

The pro version of this plugin registers several AJAX actions that call functions which lack capability checks and nonce checks, specifically the ‘ajaxget’, ‘ajaxsave’, and ‘ajaxdelete’ functions in mappresstemplate.php. As such, it is possible for a logged-in attacker with minimal permissions,...

6.5CVSS0.9AI score0.05606EPSS
Exploits3References1
wpexploit
wpexploit
added 2020/04/22 12:0 a.m.30 views

Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS

=== DESCRIPTION - REFLECTED XSS ======================================== Catch Breadcrumb 1.5.4 plugin for WordPress allow Reflected XSS via a search query when used with one of the theme from the same author: Alchemist & Alchemist PRO, Izabel & Izabel PRO, Chique & Chique PRO, Clean Enterprise &...

4.3CVSS6.2AI score0.03611EPSS
Exploits2References2
wpexploit
wpexploit
added 2020/04/20 12:0 a.m.73 views

GTranslate < 2.8.52 - Unauthenticated Reflected Cross Site Scripting (XSS)

The GTranslate plugin before 2.8.52 for WordPress was vulnerable to an Unauthenticated Reflected XSS vulnerability via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option. The vulnerability was due to outputting the WordPress addqueryarg...

4.3CVSS0.1AI score0.04457EPSS
Exploits1References1
wpexploit
wpexploit
added 2020/04/18 12:0 a.m.12 views

Rank Math 0.9~1.0.42.1 - Missing Access Controls to Disable Competitor Plugins

Missing access controls on the GET requests to deactivate competitors' plugins. This could allow any authenticated users such as subscribers to deactivate the SEO and Sitemap plugins from competitors. The attack could also be performed via CSRF...

5.2AI score
Exploits0References1
wpexploit
wpexploit
added 2020/04/14 12:0 a.m.55 views

Accordion < 2.2.9 - Unprotected AJAX Action to Stored/Reflected XSS

This flaw allowed any authenticated user with subscriber-level and above permissions the ability to import a new accordion and inject malicious Javascript as part of the accordion. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: URL Accept: / X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0...

3.5CVSS0.5AI score0.00766EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/04/13 12:0 a.m.21 views

Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion

The Media Library Assistant plugin before 2.82 for WordPress suffers from a Local File Inclusion vulnerability in mlagallery link=download. The LFI is restricted to the "wp-content" directory...

5CVSS2AI score0.04917EPSS
Exploits4References3
wpexploit
wpexploit
added 2020/04/11 12:0 a.m.19 views

Tickera WordPress Event Ticketing < 3.4.6.9 - Unauthenticated Sensitive Data Exposure

Due to missing authorization controls in the "admininit" hooks, all personal data from registered users of an event could be exported into a downloadable PDF file by every unauthenticated user. The event ID could be read from the page source and/or easily enumerated in sequence. According to the...

0.3AI score
Exploits0
wpexploit
wpexploit
added 2020/04/11 12:0 a.m.10 views

Support Ticket System By Phoeniixx <= 2.7 - Unauthenticated Reflected XSS

Bad user input sanitisation leads to unauthenticated reflected XSS. Edit WPScanTeam: January 27th, 2020 - Report received & WP Plugin team notified January 31st, 2020 - WP plugin team acknowledgement & plugin closed. April 11th, 2020 - No updates, disclosing...

0.9AI score
Exploits0
wpexploit
wpexploit
added 2020/04/08 12:0 a.m.49 views

Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation

The plugin registers one AJAX action intended for installing addon plugins from WordPress.org. The callback method to this action does not have a capability nor nonce check. This enables any logged in user to post a request to the endpoint and install, activate or deactivate any plugin. Since the...

0.7AI score
Exploits0References1
wpexploit
wpexploit
added 2020/04/07 12:0 a.m.28 views

WP Lead Plus X < 0.99 - Unauthenticated Stored Cross-Site Scripting (XSS)

One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use "template" pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was...

4.3CVSS6.3AI score0.01876EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/04/07 12:0 a.m.29 views

WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)

WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and "squeeze" pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX action core37lpsavepage whi...

3.5CVSS5.4AI score0.00784EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/04/06 12:0 a.m.74 views

Vanguard <= 2.1 - Multiple Cross-Site Scripting (XSS)

The plugin does not sanitise, validate or escape some of its parameters before outputting the back in various place, leading to either Stored or Reflected Cross-Site Scripting issues Put the following payload in the In Products Search box: " POST /search HTTP/1.1 Accept:...

4.3CVSS0.5AI score0.01167EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/04/05 12:0 a.m.26 views

Car Rental System <= 1.3 - Unauthenticated Stored Cross-Site Scripting (XSS)

An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details. The XSS payload is then executed when an authenticated administrator user views the booking on the booking-list and cust-lookup pages. Inject XSS via most fields in the booking form...

4.3CVSS0.9AI score0.01167EPSS
Exploits2References2
wpexploit
wpexploit
added 2020/04/04 12:0 a.m.31 views

Online Hotel Booking System Pro <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details.. The XSS payload is then executed when an authenticated administrator user views the booking on the Customer-booking page. Inject XSS via most fields in the booking form, which will...

4.3CVSS0.7AI score0.01167EPSS
Exploits2References2
wpexploit
wpexploit
added 2020/04/03 12:0 a.m.21 views

WP Last Modified Info < 1.6.6 - Authenticated Stored XSS

When saving a new campaign, a user with administrator capabilities can store scripts in the plugin's options. The code can then be executed on every page or post on the website. An administrator can store scripts in the "Custom Message to Display on Posts" text input field. Reason for this was...

Exploits0References1
wpexploit
wpexploit
added 2020/04/02 12:0 a.m.1092 views

WP Advanced Search < 3.3.6 - Unauthenticated SQL Injection

Due to using string concatenation, allowing direct access to a vulnerable PHP file and missing best-practices for coding SQL operations, there exists an unauthenticated SQL injection in autocompletion-PHP5.5.php. After a month of trying to contact the Plugin author Twitter, email, we followed...

0.7AI score
Exploits0
wpexploit
wpexploit
added 2020/04/02 12:0 a.m.42 views

Contact Form 7 Datepicker <= 2.6.0 - Authenticated Stored Cross-Site Scripting (XSS)

Contact Form 7 Datepicker registers an AJAX action to save settings which calls a function that fails to perform a capability check or nonce check. As such, a logged-in attacker with minimal permissions such as a subscriber can send a crafted request which will store a malicious JavaScript in the...

3.5CVSS0.5AI score0.00712EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/04/02 12:0 a.m.68 views

Art-Picture-Gallery <= 1.2.9 - Unauthenticated Arbitrary File Upload

Edit WPScanTeam: March 26th, 2020 - Report Received & Vendor Contacted March 30th, 2020 - Escalated to WP Plugins team as no response from vendor March 31st, 2020 - WP Plugins team investigating & Plugin closed April 2nd, 2020 - Disclosure The PoC will be displayed once the issue has been remedia...

7.5CVSS0.6AI score0.97107EPSS
Exploits15
wpexploit
wpexploit
added 2020/04/02 12:0 a.m.23 views

Woocommerce Subscriptions < 3.0.3 - CSRF to Cancel/Re-Activate Subscription

During a blog assessment, we identified a CSRF issue in the Woocommerce Subscriptions plugin, which could allow attackers to cancel and re-activate a logged in user's subscription. Even though the wpnonce parameter was needed in the request, its value was not verified, allowing an empty value to ...

1.4AI score
Exploits0References1
wpexploit
wpexploit
added 2020/03/31 12:0 a.m.238 views

WordPress SEO Plugin - Rank Math < 1.0.41 - Privilege Escalation via Unprotected REST API Endpoint

This plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permissioncallback used for capability checking. The endpoint called a function, updatemetadata which could be used to update the slug on existing posts, or could be used to delete or update metadata for...

7.5CVSS0.6AI score0.09106EPSS
Exploits2References1
wpexploit
wpexploit
added 2020/03/31 12:0 a.m.86 views

WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint

The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which failed to include a permissioncallbac...

5.8CVSS6.5AI score0.02072EPSS
Exploits2References1
Total number of security vulnerabilities4359