CM Pop-Up banners < 1.4.11 - Authenticated Stored XSS
When saving a new campaign, a user with the edit_pages capability can store scripts in the campaign’s pop-up content. The code is then executed on every page of the website. A user with the edit_pages capability can store any script in the pop-up's content. The content is serialized and then save...
Xenon Theme <= 1.3 - Unauthenticated Cross-Site Scripting (XSS)
The premium Xenon WordPress theme was found to be vulnerable to Unauthenticated Cross-Site Scripting (XSS) in the "q" parameter of the /data/typeahead-generate.php page. The affected version of the theme was 1.3 and below; however, the vendor fixed the vulnerability but did not bump the version...
Product Lister for Walmart <= 1.0.0 - Unauthenticated RCE via Outdated PHPUnit
The plugin uses an outdated PHPUnit library, which is known to be affected by an unauthenticated RCE issue. February 28th, 2020 - Ticket sent to vendor via https://support.cedcommerce.com/open.php. March 6th, 2020 - Update requested from vendor; also realised that the ticket was closed w/o reason giv...
Multiple plugins - Unauthenticated Dompdf Local File Inclusion (LFI)
Multiple plugins were found to be vulnerable to the Dompdf unauthenticated Local File Inclusion (LFI) vulnerability (CVE-2014-2383)...
Grimag < 1.1.1 - Open Redirection
The Grimag WordPress theme was affected by an Open Redirection security vulnerability. /wp-content/themes/Grimag/go.php?https://example.com...
Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints
These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX actions 23 that could reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files, and activate plugins, among many other actions. Al...
Custom Post Type UI < 1.7.4 - CSRF to Stored XSS
The Custom Post Type UI WordPress plugin was vulnerable to Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) within the "Import Post Types" functionality in the "Tools" tab. This functionality allows users to import "Post Types" from other websites, or from backup, as JSON. This...
Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation
"The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users" providing subscriber-level users and above with the ability to escalate their privileges. POST /wp-admin/admin-ajax.php?importpage=wordpresshfusercsv&step=3...
Brizy - Page Builder < 1.0.114 - Unauthenticated Site Settings Update
Edit WPScanTeam: The plugin fails to restrict access to the site settings page, allowing unauthenticated users to change them, such as the site title and description, as well as put an XSS payload in the footer, leading to Unauthenticated Stored XSS issues. As we saw probes in the wild checking for the issue...
WP Advanced Search < 3.3.4 - Unauthenticated Database Access and Remote Code Execution (RCE)
Arbitrary database queries can be executed in an unauthenticated context of the "WP-Advanced-Search Plugin". E.g. a new administrative account could be added to the WordPress instance, a malicious plugin deployed and therefore Remote Code Execution (RCE) would be possible in the end. PoC: Update th...
Booked < 2.2.6 - Broken Authentication to Export Users Data in CSV
The plugin allows users to book appointments by providing their PII such as email, name, phone number and a personal message. The vulnerability allows anyone, as an unauthenticated user, to dump all records of users and their appointment details in CSV. The user also gets registered as a WP User after...
Export Users to CSV <= 1.4.2 - CSV Injection
An attacker can register themselves as a subscriber on a WordPress website and provide a malicious formula payload in the user account details field. When an authenticated admin uses the Export Users to CSV plugin to export the details of all the users into a CSV file and opens it, the payload ge...
Pricing Table by Supsystic < 1.8.2 - Unauthenticated Stored XSS
No permission check on the ImportJSONTable endpoint allows malicious JavaScript to be injected by unauthenticated users...
Pricing Table by Supsystic < 1.8.1 - Cross-Site Request Forgery to XSS and Setting Changes
CSRF can be exploited against any of the functionalities in the Pricing Table by Supsystic WordPress plugin in vulnerable versions. One example:...
Hero Maps Premium < 2.2.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The hmapsprem WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability...
Pricing Table by Supsystic < 1.8.2 - Insecure Permissions on AJAX Actions
An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or...
Ultimate Membership Pro < 8.7 - Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation
While confirming that the issues from https://wpvulndb.com/vulnerabilities/10086 have been remediated, two CSRF issues were identified, allowing attackers to make a logged-in administrator delete arbitrary accounts, as well as create a new administrator account. Other CSRF issues may be present but haven't bee...
Ultimate Membership Pro < 8.6.2 - Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy
Version 8.6.1 attempted to fix multiple critical issues, mainly a lack of authorisation checks allowing low-privilege users to call the admin functions of the plugin, leading to PII disclosure and login bypasses. However, the fixes were not sufficient: - An indeedIsAdmin check was added to all AJA...
CardGate < 3.1.16 - Unauthorised Payments Hijacking and Order Status Spoofing
Lack of origin authentication (CWE-346) in the IPN callback processing function allows even an unauthorized attacker to remotely replace critical plugin settings (merchant id, secret key, etc.) with values known to them, and therefore bypass the payment process, e.g. spoof the order status by manually sending an IPN callback reques...
Chained Quiz < 1.1.9.1 - Authenticated Stored XSS
The WordPress plugin Chained Quiz, latest version 1.1.9 and before, suffers from a Stored XSS vulnerability in the sendername, adminsubject and usersubject POST parameters when an admin completes the plugin settings; as a result, the severity is very low. POST /wp-admin/admin.php?page=chainedquizoptions...
Duplicator 1.3.24 & 1.3.26 - Unauthenticated Arbitrary File Download
The issue is being actively exploited, and allows attackers to download arbitrary files, such as the wp-config.php file. According to the vendor, the vulnerability was only in two versions v1.3.24 and v1.3.26, the vulnerability wasn't present in versions 1.3.22 and before...
ThemeREX Addons - Remote Code Execution
"This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts." Note WPScanTeam: There are major version inconsistencies in the trxaddons shipped with the affected themes. As a result, a...
wpCentral < 1.5.1 - Improper Access Control to Privilege Escalation
The flaw allowed anybody to escalate their privileges to those of an administrator, as long as subscriber-level registration was enabled on a given WordPress site with the vulnerable plugin installed. 1. Log in as Subscriber. 2. Scrape the page /wp-admin/index.php for the connection key. i.e. vie...
Fruitful Theme < 3.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The Fruitful WordPress theme, version 3.8 and possibly below, was affected by an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was patched in version 3.8.1 of the theme, although the changelog file only mentions: "Bug fix: Fixed issues on comment form". Add a...
ThemeGrill Demo Importer < 1.6.3 - Auth Bypass & Database Wipe
There is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator. Edit WPScanTeam: v1.6.2 was released with an insufficient fix, allowing attackers to still exploit the issue using a CSR...
Profile Builder and Profile Builder Pro < 3.1.1 - User Registration With Administrator Role
The plugin is affected by a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain the Administrator role using the plugin's forms. The vulnerability only exists in the Plugin's own generated Registration Form or Profile Edit Form. This mean...
Participants Database < 1.9.5.6 - Authenticated Time Based SQL Injection
Authenticated time-based SQL injection via the ascdesc, listfiltercount, and sortBy parameters. From the original advisory (see references): POST /wp-admin/admin.php?page=participants-database HTTP/1.1 Host: redacted....cause User-Agent: Mozilla/5.0 X11; Linux x8664; rv:68.0 Gecko/20100101...
Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities
Multiple critical vulnerabilities found in Ultimate Membership Pro could lead to authenticated (using a low-privilege account, such as subscriber) Remote Code Execution on a default installation, as well as PII disclosure such as emails, IP addresses, hashed passwords, usernames, User-Agent and so o...
WP Fastest Cache < 0.9.0.3 - Cross-Site Request Forgery (CSRF) Arbitrary File Deletion
The plugin did not have a CSRF nonce check on the "wpfcdeletecurrentpagecache" action, allowing CSRF attacks against authenticated users to delete arbitrary files, including the wp-config.php file. document.form.submit;...
Merge + Minify + Refresh < 1.10.7 - Authenticated Arbitrary File Delete
The plugin relied on the is_admin() check, without checking the user's capabilities, when deleting arbitrary files. The functionality was also vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to delete arbitrary files by tricking authenticated users into visiting a page they...
Tutor LMS < 1.5.3 - Cross-Site Request Forgery (CSRF)
The Tutor LMS WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) attacks. As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF attack to approve an attacker-controlled instructor account can be performed by having the admin visit...
Htaccess by BestWebSoft < 1.8.2 - CSRF to edit .htaccess
The Htaccess by BestWebSoft WordPress plugin was affected by a CSRF to edit .htaccess security vulnerability...
Auth0 < 3.11.3 - Unauthenticated Reflected XSS via wle Parameter
XSS via a wle parameter associated with wp-login.php. WP/wp-login.php?wle=%22%20onEvent%3DX186697040Y2Z%20...
Registration Magic < 4.6.0.3 - Authenticated SQL Injection via Form_id
The RegistrationMagic – Custom Registration Forms and User Login WordPress plugin was affected by an Authenticated SQL Injection via Form_id security vulnerability. https://example.com/wp-admin/admin.php?page=rmanalyticsshowform&rmformid=selectfromselectsleep20a&rmtr=30...
Elementor Page Builder < 2.8.5 - Authenticated Reflected XSS
The Elementor Website Builder WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. /wp-admin/admin.php?page=elementor-system-info&lndan%22%3e%3cscript%0csrc%3d//0x7f000001%3e%3c/script%3e=1...
Portfolio Filter Gallery < 1.1.3 - CSRF & Reflected XSS
Lack of CSRF checks on the Filters page could allow attackers to add/edit/update/delete categories and delete all categories, as well as perform reflected XSS attacks. v1.0.8 fixed the reflected XSS; however, there is still no CSRF check on the delete and deleteallcategory actions. v1.1.0 released, no additional fix...
Code Snippets < 2.14.0 - CSRF to RCE
This "flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site." function submitRequest var xhr = new XMLHttpRequest; xhr.open"POST", "http://waftesting.vhx.cloud:8080/wp-admin/admin.php?page=import-snippets", true;...
CarSpot < 2.2.3 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'CarSpot – Dealership Wordpress Classified Theme', tested version — v2.2.0: - Authenticated Persistent XSS - Registration Form/User Profile - Authenticated Persistent XSS - Ad Post - IDOR leading to arbitrary deletion of ads Edit WPScanTeam: January...
WP DS FAQ Plus < 1.4.2 - Stored Cross-Site Scripting (XSS)
Weak security checks in the Question form. https://www.youtube.com/watch?v=UPYitCT9xtk...
wpCentral < 1.4.8 - Privilege Escalation
There’s a vulnerability that allows anyone who is logged in with any user role to escalate their privilege, or alter/upload any file, or adjust any plugin and interact with the site in many other ways. In wpcentral.php, AJAX actions are registered. However, it's only checking whether or not the...
Contact Form Clean and Simple < 4.7.1 - Authenticated Stored XSS
The Contact Form Clean and Simple WordPress plugin was vulnerable to Authenticated stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options. This code will then be executed on every page with the contact form on the front-end. By checking the...
AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution
Prior to version 3.3.2, this plugin allowed arbitrary PHP code execution through the loginerror function. This exploit is out in the wild now and actively being exploited. curl -Ls http://www.example.com/login/?loginerror=%3C?%20$a%20=%20getcwd;%20echo%20$a;%20?%3E...
Contextual Adminbar Color < 0.3 - Authenticated Stored Cross-Site Scripting Issue
The variable $message is not escaped: $message = sanitize_text_field( $current_settings['message'] ); Then, it's printed in a value attribute: value="" Edit WPScanTeam: Put the payload below in the custom message field in the plugin's settings page (Tools > Adminbar Settings): " onfocus=alert(2)...
Batch-Move Posts <= 1.5 - Broken Authentication leading to Unauthenticated Stored XSS
An attacker can add a Cross-Site Scripting XSS payload remotely without any authentication. The Payload gets triggered when an Admin visits the settings page of the plugin. Edit WPScanTeam: The plugin is still affected and has been closed. Vulnerable code is from lines 68 to 84. The code gets the...
Marketo Forms and Tracking <= 1.0.2 - CSRF to XSS
Lack of CSRF checks and sanitisation on the plugin's settings page could allow XSS attacks via CSRF. document.getElementById('csrf').submit();...
WP Database Reset < 3.15 - Privilege Escalation
This flaw "allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request." Login as a subscriber then send the following request:...
Chained Quiz < 1.1.8.2 - Unauthenticated Reflected XSS
The WordPress plugin Chained Quiz before 1.1.8.2 suffers from a Reflected XSS vulnerability in the 'totalquestions' POST parameter when a user completes a quiz. The code in question accepts the 'totalquestions' parameter without escaping the special characters: models/quiz.php $output =...
Resim Ara <= 3.0 - Unauthenticated Reflected XSS
The WordPress plugin team was notified on January 17th, 2020. Note: There were inconsistencies between the versions from the readme.txt (3.0), the plugin file (1.0) as well as the tags (1.0 to 3.0)...
Reality < 2.5.3 - Unauthenticated Reflected XSS
Reflected XSS was discovered in the «Reality | Estate Multipurpose WordPress Theme», tested version — v2.5.1. Edit WPScanTeam: January 16th, 2020 - Report Received & Envato Contacted. January 17th, 2020 - Envato Investigating. February 6th, 2020 - Envato Contacted Again for Updates. February 7th, 202...
WP Database Reset < 3.15 - Unauthenticated Database Reset
This flaw "allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state." URL/wp-admin/admin-post.php?db-reset-tables%5B%5D=comments&db-reset-code=11111&db-reset-code-confirm=11111 Where you can set db-reset-tables%5B%5D to any database table you wan...