Reality < 2.4.0 - Multiple Persistent XSS
----- Persistent XSS on any property page: ----- Vulnerable input fields: 1 - Description & Price - 'PRICE POSTFIX TEXT' and 'SECOND PRICE POSTFIX TEXT'; 2 - Additional Information - 'TITLE' and 'VALUE'; 3 - Location & Map - 'ADDRESS'. Payload Sample: ----- Persistent XSS on user profile page:...
Nexos - Real Estate < 1.6.1 - SQL Injection & Persistent XSS
----- SQL Injection: ----- Vulnerable 'id' parameter is https://listing-themes.com/nexos-wp/wp-admin/admin.php?page=ownlistingaddlisting=8 ----- Persistent XSS: ----- You need a new user account, then go to any property listing on the website and use «ENQUIRY FORM» on the right sidebar...
Selio - Real Estate Directory <= 1.1 - SQL Injection & Persistent XSS
----- SQL Injection: ----- Vulnerable 'id' parameter is https://listing-themes.com/selio-wp/wp-admin/admin.php?page=ownlistingaddlisting=21 ----- Persistent XSS: ----- You need a new user account, then go to any property listing on the website and use 'ENQUIRY FORM' on the right sidebar. Or you...
Qwiz Online Quizzes And Flashcards <= 3.36 - Unauthenticated Reflected Cross Site Scripting
The qname, iqwiz, sessionid and username parameters passed to the registrationcomplete.php file are affected by XSS issues. Plugin has been closed while the issue is being fixed. /wp-content/plugins/qwiz-online-quizzes-and-flashcards/registrationcomplete.php?&qname=alert"XSS"...
Ellipsis Human Presence Technology <= 2.0.8 - Unauthenticated Reflected Cross Site Scripting (XSS)
The 'page' GET parameter of the inc/protected-forms-table.php file was affected by a reflected XSS vulnerability. http://www.example.com/wp-content/plugins/ellipsis-human-presence-technology/inc/protected-forms-table.php?&page="%20alert"XSS"...
Advanced Access Manager < 5.9.9 - Arbitrary File Access/Download
Advanced Access Manager before Version 5.9.9 allows reading arbitrary files without checking whether a user is allowed to read the given file. This way one can download the wp-config.php file and get access to the database, which is publicly reachable on many servers...
WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
Description According to the WordPress release notes: "Props to Soroush Dalili @irsdl from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting XSS attacks." Thanks to @irsdl's Hacker1 disclosure: JS - Numerical Entities JS - Hex Entities...
ECPay Logistics for WooCommerce <= 1.2.181030 - Unauthenticated Reflected XSS
The CVSStoreName, CVSAddress, CVSTelephone and CVSStoreID from the getChangeResponse.php are affected by reflected XSS issues. The PoC will be displayed once the issue has been remediated...
API Bearer Auth <= 20181229 - Unauthenticated Reflected XSS
The server GET parameter of the swagger/swagger-config.yaml.php file is affected by a reflected XSS issue. /wp-content/plugins/api-bearer-auth/swagger/swagger-config.yaml.php?&server=alert"XSS"...
Portrait-Archiv.com Photostore <= 3.1 - Unauthenticated Reflected XSS
The 'pDetails' GET parameter from the js/imageDetails.php was vulnerable to an unauthenticated reflected XSS attack. http://www.example.com/wp-content/plugins/portrait-archiv-shop/js/imageDetails.php?pDetails=;;alert"XSS"...
UserPro <= 4.9.34 - Unauthenticated Reflected XSS
Edit WPscanTeam: August 26th, 2019 - Envato notified; September 2nd, 2019 - v4.9.34 released, still vulnerable; September 24th, 2019 - v4.9.35 and 4.9.35.1 released, fixing the issue...
Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion
The adminInit function of the admin/includes/class.actions.snippets.php file, registered on the admin_init hook, did not have any CSRF or capability checks for its close action, allowing unauthenticated users to delete arbitrary posts from the blog...
Rencontre < 3.2 - Authenticated Stored XSS via textmail & textanniv Parameters
An authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows arbitrary HTML/script code to be executed in the victim's browser when they visit the web site. Affected Version Version: alert'XSS'// Encoded-Payload:...
Rencontre < 3.2.2 - Authenticated Stored XSS via facebook parameter & SQL Injection
An authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows arbitrary HTML/script code to be executed in the victim's browser when they visit the web site. Affected Version Version: alert'XSS'// Encoded-Payload:...
Real Estate 7 < 2.9.1 - Stored XSS & IDOR
The 'Real Estate 7' premium WordPress theme is vulnerable to persistent XSS injection that allows an attacker to inject JavaScript or HTML code into the website front-end. There is also an Insecure Direct Object Reference issue, allowing unauthorized users to edit listings they should not have...
Simple Membership <= 3.8.4 - Cross-Site Request Forgery (CSRF)
CSRF issue in the Bulk Operation menu tab https://youtu.be/HkTD8DhhwhM https://gofile.io/?c=zWYnLM - CSRF html files...
Custom Simple RSS <= 2.0.6 - CSRF
CSRF issue in the Custom Simple Rss Plugin https://youtu.be/R0VrTpjaRg https://gofile.io/?c=jmVseA - CSRF html file...
WP Code Highlight.js < 0.6.3 - CSRF to Stored XSS
Lack of CSRF checks could allow attackers to make a logged-in admin create XSS payloads. document.getElementById'hljs'.submit;...
All-in-One WP Migration <= 6.97 - Authenticated Cross-Site Scripting (XSS)
An attacker would already have to be able to either compromise the database or gain access to a user account with high enough privileges to view the backup history, so some damage has already been done, but such an attacker could then also insert some XSS in order to compromise other admin users...
Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution
The Ad Inserter – Ad Manager & AdSense Ads WordPress plugin was affected by an Authenticated Remote Code Execution security vulnerability. The nonce aicheck in the final request can be obtained by querying the homepage with the AIWPDEBUGGING cookie set to 2. Then, use an account with a role as lo...
One Click SSL <= 1.4.6 - Multiple Issues
Lack of CSRF and authorisation checks in the settings page, as well as AJAX methods such as ajaxenablessl, ajaxscan and so on could allow unauthorised settings change as well as call of the AJAX methods by a low privileged user. Additionally, it could also allow arbitrary site options update due ...
School Management < 57.0 - CSRF and Stored XSS
CSRF and Stored XSS (Cross Site Scripting). Edit WPScanTeam: June 17th - Issue reported to Envato; June 17th - Envato Support confirmed they are investigating the issue; June 28th - New version released, fixing the XSS but not the CSRF. Envato notified; July 5th - Demo fixed, new version to be released...
Hybrid Composer <= 1.4.6 - Unauthenticated Options Update
This plugin has a function to update WordPress options via Ajax, and it is registered with the following: addaction'wpajaxnoprivhcajaxsaveoption', 'hcajaxsaveoption'; This means it does not require authentication and is exploitable by anyone on the internet. I've already spoken to the plugin author about...
Gallery Photoblocks < 1.1.43 - Authenticated Reflected XSS
The Gallery PhotoBlocks WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. When logged in with an account with administrator capabilities: https:///wp-admin/admin.php?page=photoblocks-edit&id="...
Appointment Hour Booking <= 1.1.45 - Stored Cross-Site Scripting (XSS)
It is possible for an unauthenticated user to inject malicious JavaScript into a booking form, which will then be executed when an authenticated user views the booking in the WordPress admin interface. POST /booking-form/ HTTP/1.1 Host: test.local User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X...
WP Slimstat <= 4.8.3 - CSRF to Stored XSS and Setting Updates
Lack of CSRF check and sanitisation in the updatesettings function can lead to settings update, as well as Stored XSS issues /wp-admin/admin.php?page=slimconfig&tab=1" method="POST" ' /...
WP Custom Body Class <= 0.7.0 - CSRF to Stored XSS and Settings Update
Lack of CSRF check and sanitisation when updating the plugin's settings could lead to unauthorised settings update as well as stored XSS issues. XSS fixed in 0.7.0; CSRF still there - vendor contacted; CSRF fixed in 0.7.1. /wp-admin/options-general.php?page=custombodyclass" method="POST" ' /...
Gallery Photoblocks < 1.1.41 - Unauthenticated Reflected XSS
Also Full Path Disclosure, depending on the configuration of the server: https:///wp-content/plugins/photoblocks-grid-gallery/admin/partials/photoblocks-edit.php?id="...
Zoner - Real Estate <= 4.1 - Reflected & Stored XSS
Weak security measures, such as poor filtering of input field data, have been discovered in the 'Zoner - Real Estate WordPress Theme'. PoC Stored XSS Injection: Register on the demo website and go to the https://zoner.fruitfulcode.com/author/yourlogin/?profile-page=myprofile page. Inside any text field type "...
Appointment Booking Calendar < 1.3.19 - Unauthenticated Stored XSS
Lack of authorisation check in the cpabcappointmentssaveedition function can lead to stored XSS via the editionarea parameter when cfwppedit is set to 'js' or 'css' /wp-admin/admin-ajax.php" method="POST" "/ /wp-admin/admin-ajax.php" method="POST" "/ The payload will be triggered in all pages wit...
Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS
Reflected XSS in the base64 encoded fwurl parameter when the plugin has been used for 30 days and shows a donation notice https:///wp-admin/options-general.php?page=smae&smaeaction=remind&fwurl=Iyc7YWxlcnQoL1hTUy8pOy8v...
Insert or Embed Articulate Content into WordPress <= 4.2999 - Authenticated Arbitrary Folder Deletion and Rename
The lack of CSRF, Authorisation and Path Traversal checks in the wpajaxdeldir and wpajaxrenamedir AJAX methods in functions.php makes it possible for an authenticated user with a role as low as subscriber to delete and rename arbitrary folders. CSRF attacks against such authenticated users are also...
Server Status by Hostname/IP <= 4.6 - Authenticated SQL Injection
The last time it was checked the plugin was still affected and had been closed. http://www.example.com/wp-admin/admin.php?page=all-servers&id=2+UNION+SELECT+1%2C2%2C3%2C%40%40version+&action=edit...
Newsletter Lite < 4.6.19 - Multiple Issues
- Lack of CSRF, Authorisation and sanitisation checks in the ajaxloadneweditor function, registered as an AJAX method, can lead to an authenticated reflected XSS issue. - Authenticated Directory Traversal leading to RCE XSS: As an authenticated user with a role as low as a Subscriber, open...
WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection
An endpoint of the API, which is exposed when the 'use cache plugin' setting is enabled (it is disabled by default), is vulnerable to an unauthenticated blind SQLi issue. time curl -X POST 'http://host/wp-json/wpstatistics/v1/hit' --data...
Essential Real Estate <= 1.7.1 - XSS
Multiple XSS across the plugin. Example: https:///wp-admin/edit.php?poststatus=all&posttype=userpackage&packageuser="&filteraction=Filter&paged=1 https:///wp-admin/edit.php?poststatus=all&posttype=property&propertyauthor="&propertyidentity&filteraction=Filter&paged=1...
Watu Quizz <= 3.1.2.5 - Reflected XSS via question-form.html.php
The Watu Quiz WordPress plugin was affected by a Reflected XSS via question-form.html.php security vulnerability. /wp-admin/admin.php?page=watuquestion&question=1&action=edit&quiz=1"...
Block WP Login <= 1.3.0 - CSRF and Unauthorised Settings Update
Lack of CSRF and authorisation checks in the bwplconfigureslug function, registered as an admin_init action, could allow an attacker, via CSRF or unauthenticated through admin-ajax.php, to change the plugin settings located at /wp-admin/options-permalink.php and disable the protection offered. v1.3.1...
WebP Express <= 0.14.4 - Authenticated Stored XSS
Edit - WPScanTeam: The reported issue has been fixed in 0.14.5. Other sanitisation checks have been implemented in newer versions such as 0.14.6 and 0.14.8 while the plugin was closed, so the 'fixed in' version is set to 0.14.8. Video POC:...
Live Chat Unlimited <= 2.8.3 - Stored Cross-Site Scripting (XSS)
Weak security measures, such as poor filtering of input field data, have been discovered in 'Live Chat Unlimited'. Go to the demo website https://screets.com/try/lcx/night-bird/ and open the chat window by clicking on the «Open/close» link, then click on «Online mode» to go online. Use your payload inside inpu...
LiveChat <= 3.7.2 - Unauthenticated Option Update/Reset and Stored XSS
The lack of proper CSRF and Authorisation checks could allow an unauthenticated attacker to update or reset the plugin's settings. Furthermore, when updating the livechatemail option, no sanitisation is performed, leading to a Stored XSS issue in the plugin's settings page. CSRF and XSS fixed in...
iLive <= 1.0.4 - Stored Cross-Site Scripting (XSS)
Info: Weak security measures, such as poor filtering of textarea data, have been discovered in the 'iLive - Intelligent WordPress Live Chat Support Plugin'. The current version of this premium WordPress plugin is 1.0.4. Demo Website: https://codecanyon.net/item/ilive-wordpress-live-chat-support-plugin/20496563...
Ultimate Member < 2.0.52 - CSRF and Stored XSS issues
A CSRF vulnerability in adding/editing user roles in Ultimate Member 2.0.49. It also leads to stored XSS. Edit WPScanTeam: July 9th, 2019 - v2.0.50 released and still affected. Escalated to WP Plugins Team; July 9th, 2019 - v2.0.51 released, fixing the CSRF but not the XSS; July 11th, 2019 - Escalat...
Custom 404 Pro < 3.2.9 - Authenticated Reflected XSS
The Custom 404 Pro WordPress plugin was affected by an Authenticated Reflected XSS security vulnerability. Version...
CP Contact Form with Paypal <= 1.3.01 - Multiple XSS
The CP Contact Form with PayPal WordPress plugin was affected by a Multiple XSS security vulnerability. Version &r=1 fixed in 1.2.98...
Seo By Rank Math <= 1.0.27 - Authenticated Settings Reset
Allows any authenticated user with a role as low as subscriber to reset the plugin's settings. https://plugins.trac.wordpress.org/browser/seo-by-rank-math/tags/1.0.27/includes/admin/class-options.phpL91...
WP-Members <= 3.2.7 - Cross-Site Request Forgery (CSRF)
No CSRF protection on Add New Fields. Fields can also be edited and deleted the same way. 1. Download csrfwp-members.html; 2. Change the URL in the HTML file (FORM ACTION); 3. Submit the request. Video POC: https://drive.google.com/file/d/1TuJK0NjxznjTDmoJF5wbGu2vMAXXikw/view?usp=sharing HTML FILE:...
Support Board - Chat And Help Desk | Support & Chat <= 1.2.8 Stored XSS
Info: Weak security measures, such as poor filtering of textarea data, have been discovered in «Support Board - Chat And Help Desk | Support & Chat». Demo Website: https://codecanyon.net/item/support-board-chat-and-help-desk/20752085 Backend: https://board.support/desk-demo/?login=true Login / Password...
Slick Popup <= 1.7.1 - Privilege Escalation
Subscriber users are able to create an administrator account with hardcoded login credentials. The hardcoded username is "slickpopupteam" and its password is OmakPass13...
FV Flowplayer Video Player <= 7.3.13.727 - Unauthenticated Stored XSS
The vulnerable function is exposed to unauthenticated users over the wpajaxnoprivfvwpflowplayeremailsignup AJAX hook. It saves anything the user provides in the email POST parameter. Send a POST request to wp-admin/admin-ajax.php with the body content: "action=fvwpflowplayeremailsignup&list=1&[email protected]"...