illi Link Party! <= 1.0 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks. 1. Add a new link party and add its shortcode to a new post. 2. In a new private window, navigate to the post where you added the shortcode. 3...
Ultimate Noindex Nofollow Tool <= 1.1.2 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Have an admin open an HTML file containing the following: document.forms0.submit;...
Popup Box Pro < 20.9.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Create/edit a new popup and add the following payload in the Custom Content: alert1; Save,...
Popup Box Pro < 7.9.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Create/edit a new popup and add the following payload in the Custom Content: alert1; Save,...
Splashscreen <= 0.20 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. document.forms0.submit;...
GigPress <= 2.3.29 - Admin+ Stored Cross Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to "GigPress Settings" 2. Enter...
Chart.js for WordPress <= 2023.2 - Editor+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to "Charts Settings". 2. For th...
lasTunes <= 3.6.1 - Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. ' ' document.forms0...
Chart.js for WordPress <= 2023.2 - Editor+ Stored Cross-Site Scripting in New Chart
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to Charts New Chart HTML 3...
Smart Manager < 8.28.0 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. The vulnerability can be demonstrated using the following POST request: POST...
Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass
Description The plugin is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in the functions 'handleauthrequest' and 'hadleloginrequest'. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an...
MapPress Maps for WordPress < 2.88.15 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, create/edit a map with the below payload as title and attach it to a post can be...
popup-builder < 4.2.6 - Admin+ SSRF & File Read
Description The plugin does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attacks in multisite WordPress configurations. 1. Create a multisite WordPress setup, e.g. using Docker containers, and set up a second "site" wit...
MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure
Description The plugin does not ensure that the post to be retrieved via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts. The fix made in 2.88.15 is not sufficient as it still allowed any authenticated user, such as a subscriber, to read arbitrary...
Analytics Insights for Google Analytics 4 < 6.3 - Open Redirect
Description The plugin is vulnerable to an Open Redirect due to insufficient validation of the redirect in the oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action...
EazyDocs < 2.4.0 - Subscriber+ Arbitrary Posts Deletion and Document Management
Description The plugin re-introduced CVE-2023-6029 https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/ in 2.3.8, allowing any authenticated user, such as a subscriber, to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9....
FastDup – Fastest WordPress Migration & Duplicator < 2.2 - Directory Listing to Account Takeover and Sensitive Data Exposure
Description The plugin does not prevent directory listing in sensitive directories containing export files. 1. Run the backup function: http://yoursite/wordpress/wp-admin/admin.php?page=njt-fastdup/ 2. During backup creation, you can intercept the following paths: wordpress/wp-content/plugins/fastdup/lo...
Ultimate Maps by Supsystic < 1.2.16 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Go to the Marker Categories settings of the plugin...
POST SMTP Mailer < 2.8.8 - Authorization Bypass via type connect-app API
Description The plugin is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to...
Hubbub Lite < 1.32.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. As admin, enable the 'Floating Sidebar...
WP Customer Area < 8.2.1 - Subscriber+ Account Address Update
Description The plugin does not properly validate user capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address. You may get the nonce from your save address form. fetch"https://example.com/wp-admin/admin-ajax.php", "headers": "content-type":...
WP Customer Area < 8.2.1 - Subscriber+ Account Address Leak
Description The plugin does not properly validate user capabilities in some of its AJAX actions, allowing any user to retrieve other users' account address. Run the below command in the developer console of the browser when logged in to the blog as a subscriber and on your own edit account...
EventON (Free < 2.2.7, Premium < 4.5.5) - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to the EventON Lite settings an...
EventON (Free < 2.2.9, Premium < 4.5.9) - Unauthenticated Virtual Event Settings Update
Description The plugins do not have authorisation and CSRF checks in some AJAX actions, allowing unauthenticated users to update virtual event settings, such as meeting URL, moderator, access details, etc. To set the Meeting URL to https://attacker.com/ on the Virtual Event with ID 240: curl -X POST --da...
Voting Record <= 2.0 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. Have an admin open an HTML page containing the following: alert1' document.forms0.submit;...
EventON (Free < 2.2.8, Premium < 4.5.6) - Unauthenticated Arbitrary Post Metadata Update
Description The plugins do not have authorisation in an AJAX action, and do not ensure that the post to be updated belongs to the plugin, allowing unauthenticated users to update arbitrary post metadata. Note: Such an issue could lead to Unauthenticated Stored XSS due to the lack of sanitisation in...
Voting Record <= 2.0 - Subscriber+ Stored XSS
Description The plugin is missing sanitisation as well as escaping, which could allow any authenticated user, such as a subscriber, to perform Stored XSS attacks. Have a subscriber open an HTML file containing the following: ' ' document.forms0.submit; See the XSS when logged in as an admin and...
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Virtual Event Password Disclosure
Description The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set, for example for Zoom. curl -X POST --data "eid=240"...
EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Email Address Disclosure
Description The plugins do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the email addresses of any user on the blog. To get the administrator user emails: curl -X POST --data 'userrole=administrator'...
EventON (Free < 2.2.8, Premium < 4.5.5) - Reflected XSS
Description The plugins do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged-in admin open a page with the code below...
Community by PeepSo < 6.3.1.2 - Reflected XSS
Description The plugin does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged-in admin open When the register your copy noti...
Contact Form 7 Connector < 1.2.3 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators. http://vulnerable-site.tld/wp-admin/admin.php?page=ari-cf7connector-log&format=html&log=...
Community by PeepSo < 6.3.1.2 - User Post Creation via CSRF
Description The plugin does not have a CSRF check when creating a user post visible on their wall in their profile page, which could allow attackers to make logged-in users perform such an action via a CSRF attack. 1. Log in as a normal user. 2. Save the content below as an HTML file...
PageLayer < 1.8.0 - Author+ Stored XSS
Description The plugin doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multisite WordPress configurations. - As a user with Author+ capabilities, create a new pos...
Product Enquiry for WooCommerce < 3.2 - Reflected XSS
Description The plugin does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged-in admin open a page with the code below alert/XSS/'...
Restrict Usernames Emails Characters Plugin < 3.1.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1. Access the "Restrict Usernames Emails Characters" settings 2. For the field "The name of...
WP STAGING WordPress Backup Plugin – Migration Backup Restore < 3.2.0 - Unauthorized Sensitive Data Exposure
Description The plugin allows access to cache files during the cloning process, which provides unauthorized access to sensitive data. 1. When an admin creates a staging site, an attacker can capture a .cache file which reveals sensitive information including: DBname, DBtables, DBcolumns. 2. These fil...
Woostify Sites Library < 1.4.8 - Subscriber+ Arbitrary Options Update to DoS
Description The plugin does not have authorisation in an AJAX action, allowing any authenticated user, such as a subscriber, to update arbitrary blog options and set them to 'activated', which could lead to DoS when using a specific option name. Log in as a subscriber, open...
EventON < 4.4.1 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged-in admin open a page containing one of the code snippets below: 2.6.x the cmonth a...
Relevanssi (Free < 4.22.0, Premium < 2.25.0) - Unauthenticated Private/Draft Post Disclosure
Description The plugin allows any unauthenticated user to read draft and private posts via a crafted request: https://example.com/?post_status=draft https://example.com/?post_status=private...
WP Plugin Lister <= 2.1.0 - Settings Update to Stored XSS via CSRF
Description The plugin does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. Make an admin open an HTML page containing the following code: ' ' document.forms0.submit...
Biteship for WooCommerce < 2.2.25 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the biteshiperror and biteshipmessage parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged-in admin open one of the URLs belo...
Wp-Adv-Quiz <= 1.0.4 - Admin+ Stored XSS in Quiz Overview
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Under "WP Adv Quiz - WP Adv Quiz"...
WP Social Bookmark Menu <= 1.2 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. document.forms0.submit;...
WordPress Users <= 1.4 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Create an HTML file with the following and open it when logged in as an Editor or above: document.forms0.submit;...
Easy SVG Allow <= 1.0 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. Upload an SVG with the following code: alert"xss"; Access the uploaded file directly to trigger the XSS...
TJ Shortcodes <= 0.1.3 - Contributor+ Stored XSS via Shortcodes
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. junkie-button...
Wp-Adv-Quiz < 1.0.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1. Add a new quiz. 2. Under the created quiz, click on "Questions". 3. Add a question and...
Site Notes <= 2.0.0 - Admin Note Deletion via CSRF
Description The plugin does not have CSRF checks in some of its functionalities, which could allow attackers to make logged-in users perform unwanted actions, such as deleting administration notes, via CSRF attacks. Have an administrator open the following HTML file:...
MapPress Maps for WordPress < 2.88.14 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the Point of Interest Title and Description options in a map, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks. As a contributor, add/edit a Map and search any location you want. Add XSS Payload on Location's...