LearnDash < 3.1.2 - Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field.
Reflected Cross-Site Scripting (XSS) issue on the [ld_profile] search field. First reported to LearnDash on January 14, 2020; the 3.1.2 update fixing it was released the same day. This report is based on an email LearnDash sent out to their users on January 14, 2020. From the Original Researcher Jinson...
ListingPro < 2.5.4 - Unauthenticated Reflected Cross-Site Scripting
Reflected XSS was discovered in the «ListingPro - WordPress Directory Theme», tested version — v2.5.3 Edit - WPScanTeam: January 13th, 2020 - Report Received & Envato Contacted January 13th, 2020 - Envato Investigating January 15th, 2020 - Theme updated, v2.5.4, fixing the issue ----- Info: -----...
Real Estate 7 < 2.9.5 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'Real Estate 7 WordPress', tested version — v2.9.4: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - Authenticated Persistent Self-XSS - IDOR - Information Exposure Edit WPScanTeam: January 12th - Report Received & Envato Contacted...
Backup and Staging by WP Time Capsule < 1.21.16 - Authentication Bypass
It is possible to log in as an administrator on the site due to logical mistakes in the code. The issue resides in wptc-cron-functions.php line 12, where it parses the request. This parserequest function calls the function decodeserverrequestwptc, which checks if the raw POST payload contains a certa...
InfiniteWP Client < 1.9.4.5 - Authentication Bypass
As per agreement between the researcher and developer, details will be released on January 14th. It is possible to log in as any administrator on the site due to logical mistakes in the code. The issue resides in the function iwpmmbsetrequest, which is located in the init.php file. This checks if t...
Travel Booking < 2.7.8.6 - Reflected & Persistent XSS Issues
Reflected & Persistent XSS vulnerabilities were discovered in the 'Travel Booking WordPress Theme', tested version — v2.7.8.5 Edit WPScanTeam: January 11th, 2020 - Report received & Envato contacted January 12th, 2020 - Report updated with Reflected XSS, Envato notified again. January 12th, 2020 -...
Computer Repair Shop < 2.0 - Authenticated Stored XSS
Computer Repair Shop is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options. Fixed in version 2.0. The plugin's options provided a basic HTML validation, which could be bypassed by copying + pasting malicious code into the...
Houzez < 1.8.4 - Unauthenticated Cross-Site Scripting (XSS)
Two Reflected XSS vulnerabilities were discovered in the «Houzez - Real Estate WordPress Theme», tested version — v1.8.3.1 Edit WPScanTeam: January 11th, 2020 - Report received & Envato Contacted January 12th, 2020 - Envato Investigating January 27th, 2020 - v1.8.4 released, fixing the issue. -Demo...
Video on Admin Dashboard < 1.1.4 - Authenticated Stored XSS
Video on Admin Dashboard is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options. A user can insert a simple script in the Widget Title text field, e.g. "alert'XSS';. Every user role specified by the plugin will now be targeted...
EasyBook < 1.2.2 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'EasyBook – Directory & Listing WordPress Theme', tested version — v1.2.1: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - IDOR December 27th, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January ??th, 2020 -...
TownHub < 1.0.6 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'TownHub - Directory & Listing WordPress Theme', tested version — v1.0.2: - Unauthenticated XSS - Authenticated Persistent XSS - IDOR Edit WPScanTeam: December 27th, 2019 - Envato Contacted January 5th, 2020 - Envato Investigating January 6th, 2020 -...
CityBook < 2.3.4 - Multiple Vulnerabilities
Multiple vulnerabilities were discovered in the 'CityBook - Directory & Listing WordPress Theme', tested version — v2.3.3: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - IDOR Edit WPScanTeam: December 27th, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January...
Minimal Coming Soon & Maintenance Mode < 2.15 - CSRF to Stored XSS and Setting Changes
This plugin had no nonce checks on any of the settings to verify that a request came from a legitimate source, such as a logged-in administrative user. This allowed CSRF leading to stored XSS, in addition to significant setting changes. alert1" /...
Minimal Coming Soon & Maintenance Mode < 2.15 - Insecure Permissions: Enable and Disable Maintenance Mode
There was a flaw that allowed any authenticated user with subscriber permissions or above to enable and disable maintenance mode on a vulnerable site by sending a simple request. Log in as a user with subscriber or above permissions and send the following request to enable maintenance...
Minimal Coming Soon & Maintenance Mode < 2.17 - Insecure permissions: Export Settings/Theme Change
There was a flaw that would allow any user logged in as a subscriber or above to export the plugin settings as a .txt file or modify the theme of the maintenance page on a vulnerable site. Log in with subscriber or above permissions and send the following request to export the plugin settings:...
Ultimate FAQ < 1.8.30 - Unauthenticated Reflected XSS
The HTML code generated by the FAQ shortcode does not sanitise the DisplayFAQ GET parameter, leading to an unauthenticated reflected Cross-Site Scripting issue on pages where such shortcode is used. Append the following payload on a page where a FAQ is embedded: ?DisplayFAQ=...
WP Simple Spreadsheet Fetcher For Google < 0.3.7 - Arbitrary API Key update via CSRF
The lack of Cross-Site Request Forgery (CSRF) checks on the plugin's settings page could allow CSRF attacks to set an arbitrary API key...
WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
Description: A JavaScript payload such as "javascript:alert1" in a URL could cause a Cross-Site Scripting (XSS) vulnerability. According to the commit message (see references): "wp_kses_bad_protocol makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this work...
WooCommerce Conversion Tracking < 2.0.5 - CSRF to XSS
The settings page of the plugin is lacking CSRF checks as well as input sanitisation, leading to stored XSS. ' /...
Donorbox 7.1~7.1.1 - Stored Cross-Site Scripting via Shortcode
In Donorbox WordPress plugin, one can perform an XSS attack via the included shortcode by inserting arbitrary HTML attributes. This vulnerability was introduced in v7.1 and fixed in v7.1.2. donate url='/?" autofocus onfocus="alertwindow" abitraryAttributeToValidateShortcodeParsing="'...
WP Accessibility < 1.7.0 - Minor Authenticated Stored XSS in custom CSS
A minor authenticated stored XSS vulnerability was found in the "Styles for Skiplinks when they have focus" section of the WP Accessibility plugin. 1. Navigate to the Settings page of the plugin https://example.com/wp-admin/options-general.php?page=wp-accessibility/wp-accessibility.php 2. Select th...
bbPress Members Only <= 1.2.1 - CSRF on Optional Settings page
The plugin does not prevent Cross-Site Request Forgery attacks on its 'Optional Settings' page...
bbPress Login Register Links On Forum Topic Pages <= 2.7.5 - CSRF to Stored XSS
Lack of CSRF checks in the plugin's settings allows arbitrary changes to the settings, which can also lead to stored XSS issues. The payload below will result in a stored XSS in the 'Style Customize' page. " /...
Featured Image from URL <= 2.7.7 - Missing Access Controls on REST routes
The REST routes are missing permission callbacks, allowing unauthenticated/unauthorised users to call them. Affected endpoints: - wp-json/featured-image-from-url/v2/enablefakeapi - wp-json/featured-image-from-url/v2/disablefakeapi - wp-json/featured-image-from-url/v2/nonefakeapi -...
Rencontre <= 3.2.2 - Multiple CSRF
The plugin is affected by multiple CSRF issues, allowing arbitrary changes of the plugin's settings. November 3rd, 2019 - WordPress Plugin Team Notified November 5th, 2019 - WP Plugins Team acknowledged the issue. December 2nd, 2019 - v3.2.2 released, none of the CSRF have been fixed as th...
301 Redirects - Easy Redirect Manager <= 2.40 - Authenticated Arbitrary Redirect Injection and Modification, XSS, and CSRF
The weaknesses allow any authenticated user, even subscribers, to modify, delete, and inject redirect rules that could potentially result in a loss of site availability, in addition to XSS and CSRF. " /...
WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
Description: The function wp_targeted_link_rel can be used in a particular way to result in a Stored Cross-Site Scripting (XSS) vulnerability. This is a PoC for a Stored XSS...
Superlist <= 2.9.2 - Stored Cross-Site Scripting (XSS)
Persistent XSS was discovered in the 'Superlist - Directory WordPress Theme', the version tested was v2.9.2. Edit WPScanTeam: December 2nd, 2019 - Envato Contacted December 2nd, 2019 - Envato Investigating December 12th, 2019 - No updates, disclosing The PoC will be displayed once the issue has...
ListingPro < 2.0.14.5 - Reflected & Persistent Cross-Site Scripting
Reflected & Persistent XSS was discovered in the 'ListingPro - WordPress Directory Theme'. Current version is 2.0.14.2 August 9th 2019. Edit WPScanTeam: November 29th, 2019 - Envato Informed November 29th, 2019 - Envato Investigating December 4th, 2019 - v2.0.14.3 Released, fixing the reflected X...
WP Maintenance <= 5.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
No nonce protection on form submissions leading to CSRF and no input/output sanitization allowing for XSS when CSRF is exploited. input type="hidden" name="wpmaintenancesocialop...
Sassy Social Share <= 3.3.3 - Cross-Site Scripting (XSS)
AJAX endpoints which return JSON data have no Content-Type header set and use the default text/html. Any JSON that contains HTML will be rendered as such. The PoC URL uses the unauthenticated action "heateorssssharingcount": http://WORDPRESSDOMAINHERE/wp-admin/admin-ajax.php?action=heateorssssharingcount&urls=...
Quiz And Survey Master < 6.3.5 - Authenticated Reflected XSS
The 'Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress' WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. https://domain.tld/wp-admin/admin.php?page=mlwquizoptions&quizid=...
Safe SVG < 1.9.6 - XSS Protection Bypass
By using entities in the payload, XSS can bypass the protection of the Safe SVG plugin. Video PoC for v1.9.5: https://www.youtube.com/watch?v=hnQA2hc-4k...
Tidio Live Chat <= 4.1.0 - CSRF to Stored XSS
A CSRF vulnerability in the Tidio Live Chat WordPress Plugin. var xhr = new XMLHttpRequest(); xhr.open("POST", "https://wordpress.local/wp-admin/admin-ajax.php?action=tidiochatsavekeys", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");...
WP Google Review Slider <= 6.1 - Authenticated SQL Injection
The tid parameter is vulnerable to SQLi. Note WPScanTeam: v6.1 has been patched directly in the tags https://plugins.trac.wordpress.org/browser/wp-google-places-review-slider/tags/6.1/admin/partials/templatesposts.phpL58. However, the issue can be verified with v6.0; sqlmap identified the following...
About Author <= 1.3.9 - Authenticated Stored Cross-Site Scripting (XSS)
The WordPress About Author plugin, version 1.3.9 or lower, is affected by an authenticated Stored Cross-Site Scripting (XSS) vulnerability. Stored Cross-Site Scripting (XSS): - Using a WordPress user, access /wp-admin/post-new.php?posttype=aboutauthor (About Author > Add new) - Insert in...
JobMonster < 4.5.2.9 - Unauthenticated Reflected Cross-Site Scripting
In the theme JobMonster there is an XSS vulnerability, as the input for the search form is provided through unsanitized GET requests. Note WPScanTeam: It's unclear which exact version fixed the issue, but the lowest we were able to test and confirm remediation was 4.5.2.9...
Groundhogg <= 1.3.11.3 - Authenticated SQL Injection
The WordPress Groundhogg plugin, with a version lower than 1.3.11.3, is affected by an Authenticated SQL Injection vulnerability. Exploit Title: Wordpress Groundhogg /wp-admin/admin.php?page=ghbulkjobs&action=ghexportcontacts&optinstatus%5B0%5D=selectfromselectsleep20a&optinstatus%5B1%5D=0 - The respon...
Groundhogg <= 2.0.8.1 - Authenticated Reflected XSS
The WordPress Groundhogg plugin, with a version lower than 2.0.8.1, is affected by an authenticated Reflected Cross-Site Scripting (XSS) vulnerability. Exploit Title: Wordpress Groundhogg /wp-admin/admin.php?page=ghbulkjobs&action=ghexportcontactsalert1 - The response will contain: bulkaction:...
Sliced Invoices <= 3.8.2 - Multiple Vulnerabilities
- Unauthenticated information disclosure, allowing attackers to access arbitrary invoices and quotes containing PII - Authenticated SQL injection and information disclosure - Additional issues, such as lack of CSRF and Authorisation checks on AJAX methods used to search invoices. -...
WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
Description: This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WP_Query. http://wordpress.local/?static=1&order=asc...
Popup-Maker < 1.8.12 - Multiple Vulnerabilities
An attacker can partially control the arguments of do_action during the initialization of PUM_Site. Because of this, an attacker can call any method which has an action starting with popmake or pum. This will lead to successful execution of functions which do not require arguments...
All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Page Exposure
The All In One WP Security & Firewall plugin suffers from open redirect and exposure of the actual URL of the "hidden login page" feature. Edit WPScanTeam October 3rd, 2019 - Email sent to dev via https://wpsolutions-hq.com/contact/ October 8th - Dev ACK & investigating it October 8th - v4.4.2...
Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS)
By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify metadata of an existing chart and inject an XSS payload to be stored and later executed when an admin goes to edit the chart. curl -i -s -k -X $'POST' \ -H...
Visualizer < 3.3.1 - Blind Server-Side Request Forgery (SSRF)
This plugin suffers from a blind SSRF vulnerability in the /wp-json/visualizer/v1/upload-data endpoint. curl -i -s -X $'POST' \ -H $'Host: 192.168.158.128:8000' \ --data-binary $'{"url":"http://db:3306"}' \ $'http://192.168.158.128:8000/wp-json/visualizer/v1/upload-data' See the references for...
Zoner < 4.2 - Persistent XSS & IDOR
----- Persistent XSS: ----- The 'Address' input field on the 'Local information' block is vulnerable, so a payload can be used to steal admin cookies or perform redirects, etc. ----- IDOR: ----- POST request https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=deletepropertyactid=XXX=YYY...
Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export
The lack of proper authorisation when exporting data from the plugin could allow unauthenticated users to get information about the posts and pages of the blog, including their author's username and email. The plugin is still affected and has been closed. curl...
InJob < 3.3.8 - Reflected & Persistent XSS
Multiple XSS vulnerabilities have been found in the 'InJob | Multi-purpose for recruitment WordPress Theme' theme v3.3.6. Edit WPScanTeam: September 16th, 2019 - Envato Contacted September 16th, 2019 - v3.3.7 released. XSS still present October 11th, 2019 - Envato contacted again for updates...
Poll, Survey, Form & Quiz Maker by OpinionStage < 19.6.25 - Unauthenticated Cross-Site Scripting (XSS)
This vulnerability has been seen actively exploited in the wild. http://www.example.com/wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email="alert1...
Checklist <= 1.1.5 - Unauthenticated Reflected XSS
The fill parameter of the images/checklist-icon.php file is affected by a reflected XSS issue: wp-content/plugins/checklist/images/checklist-icon.php?&fill="alert"XSS"...