Open Graph for Facebook, Google+ and Twitter Card Tags <= 2.2.4.1 - Unauthenticated Cross-Site Scripting (XSS)
The Open Graph and Twitter Card Tags WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability...
iThemes Security <= 7.0.2 - Authenticated SQL Injection
The iThemes Security better-wp-security plugin before 7.0.3 for WordPress allows SQL Injection by attackers with Admin privileges via the logs page. Vulnerability description: iThemes Security appears to be vulnerable to time-based SQL-Injection. Parameter orderby is vulnerable because backend...
Open Graph for Facebook, Google+ and Twitter Card Tags <= 2.2.4 - Authenticated Reflected XSS
There is a reflected XSS vulnerability caused by "Open Graph for Facebook, Google+ and Twitter Card Tags" in the wdfbogerror parameter on a GET request when editing a post. This can be exploited by tricking an authenticated WordPress administrator into clicking a malicious link. This vulnerability...
wpForo Forum <= 1.4.11 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Versions 1.4.11 and below of the wpForo Forum WordPress plugin were found to be vulnerable to reflected cross-site scripting (XSS). The vulnerability was due to the plugin using the $_SERVER['REQUEST_URI'] PHP variable to create a URL string that was later output within HTML without any output encoding...
wpForo Forum <= 1.4.9 - Unauthenticated SQL Injection
The wpForo Forum WordPress plugin was affected by an unauthenticated SQL injection vulnerability. http://www.example.com/index.php/community/?wpfd=0&wpfob=relevancy&wpfo=desc%2c(select*from(select(sleep(20)))a)&wpfs=fff&wpfin=entire-posts...
Loginizer 1.3.8-1.3.9 - Unauthenticated Stored Cross-Site Scripting (XSS)
Versions 1.3.8 to 1.3.9 of the Loginizer WordPress plugin were found to be vulnerable to stored cross-site scripting (XSS). The vulnerability was due to the plugin's logging functionality using the $_SERVER['REQUEST_URI'] PHP variable to create a URL string that was logged to the database without any input...
ProfileGrid – User Profiles, Groups and Communities <= 2.8.5 - Authenticated Code Execution
The plugin ProfileGrid – User Profiles, Groups and Communities, versions prior to 2.8.6, is vulnerable to arbitrary code execution. An authenticated user with a role as low as Subscriber can execute arbitrary PHP code on websites using the plugin. Send an authenticated POST request to...
WF Cookie Consent <= 1.1.3 - Authenticated Persistent Cross-Site Scripting (XSS)
The WF Cookie Consent WordPress plugin was affected by an authenticated persistent cross-site scripting (XSS) vulnerability. (1) Access the WordPress control panel. (2) Navigate to 'Pages'. (3) Add a new page and insert the script you wish to inject into the page title. (4) Now navigate to...
WP with Spritz 1.0 - Unauthenticated File Inclusion
The WP with Spritz WordPress plugin was affected by an Unauthenticated File Inclusion security vulnerability. http://www.example.com/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd...
UK Cookie Consent <= 2.3.9 - Authenticated Stored Cross-Site Scripting (XSS)
A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows arbitrary HTML/script code to be executed in a victim's web browser. Tested on version 2.3.9; older versions may also be affected. (1) Access the WordPress control panel. (2)...
Responsive Cookie Consent <= 1.7 - Authenticated Stored Cross-Site Scripting (XSS)
A persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows arbitrary HTML/script code to be executed in the victim's browser when they visit the web site. Tested on versions 1.5, 1.6 and 1.7; older versions may also be affected. (1)...
Outdated VRView Library Used, Leading to Reflected XSS
The vrview <= 1.1.3 and wp-vr-view <= 1.6 plugins are using an outdated version of the VRView library (2.0.2), which is affected by a reflected cross-site scripting issue. The PoC will be displayed once the issue has been remediated...
WP Background Takeover <= 4.1.4 - Directory Traversal
Allows an attacker to read arbitrary files via the download.php file: http://target.com/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php...
WP Security Audit Log Plugin <= 3.1.1 - Sensitive Information Disclosure
No protection on wp-content/uploads/wp-security-audit-log/, which is indexed by Google and allows attackers to find user information (e.g. bad login attempts). Google dork: inurl:/wp-content/uploads/wp-security-audit-log/...
Super Socializer <= 7.10.6 - Authentication Bypass
You can log in to the site as any user if you know that user's email address. // Steps: // Fill in these 3 variables: var url = 'http://my-site.com/wordpress/', // website URL, closing slash required; email = '[email protected]', // the admin email address to exploit; nonce = 'e86377d05a'; // View the...
File Manager <= 5.0.0 - Information Disclosure
The Giribaz File Manager plugin logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to that log file, which is not protected and then contains database credentials, salts, etc. These files...
Category Order and Taxonomy Terms Order <= 1.5.2.2 - Authenticated PHP Object Injection
Usage of unserialize() on user input in the order-saving request leads to a PHP object injection vulnerability. Send a POST request to "URL/wp-admin/admin-ajax.php" with parameters "action=update-taxonomy-order&order=SERIALIZED-OBJECT"...
Custom Permalinks <= 1.1 - Authenticated SQL Injection
Missing validation of user-controllable input during the Bulk Action in the Custom Permalinks backend page leads to an SQL injection vulnerability. Send an authenticated POST request to "URL/wp-admin/admin.php?page=custom-permalinks-post-permalinks" with parameters "action=delete&permalinks=1 PAYLOAD -- "...
WP Fastest Cache <= 0.8.7.4 - Blind SQL Injection
Improper escaping of user input when deleting the cache of specific pages leads to an SQL injection vulnerability: esc_sql() was applied to the input, but the result was used unquoted in the constructed SQL query, so a payload that contains no quotes passes through untouched. Send a GET request to "URL/wp-admin/admin-ajax.php?action=wpfc_clear_cache_column&id=1 PAYLOAD"...
Custom Permalinks <= 1.1 - Cross-Site Scripting (XSS)
User controllable input in the admin page of Custom Permalinks gets output without any escaping. URL/wp-admin/admin.php?page=custom-permalinks-post-permalinks&s=alert1...
Photo Gallery by WD <= 1.3.66 - Cross-Site Scripting (XSS)
User input is first escaped with esc_html() and then URL-decoded. Because the escaping runs before the decode, a double-URL-encoded payload passes the escaper unchanged and is decoded into live markup afterwards, allowing reflected XSS...
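The Photo Gallery by WD ordering bug above, reproduced as an added example (this is not the plugin's code; the esc_html() stand-in and the render_* functions are assumed names, and the payload is constructed):

```php
<?php
// Added example: why "escape, then urldecode" fails. esc_html() is a stand-in
// for the WordPress function of the same name, defined only when this runs
// outside WordPress. PHP 8 assumed (str_contains).
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable order: the escaper only ever sees '%'-sequences, which need no
// escaping, and the decode that follows turns them back into live markup.
function render_vulnerable(string $param): string
{
    return urldecode(esc_html($param));
}

// Fixed order: decode first (if the value really is encoded twice), then
// escape as the very last step before output.
function render_fixed(string $param): string
{
    return esc_html(urldecode($param));
}

// PHP decodes the query string once when it fills $_GET, so the attacker sends
// the payload double-encoded (%253C...). This constructed value is what the
// plugin sees in $_GET after that first decode.
$seen_by_plugin = '%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E';

foreach (['vulnerable' => 'render_vulnerable', 'fixed' => 'render_fixed'] as $label => $fn) {
    $html = $fn($seen_by_plugin);
    printf("%-10s raw tag present: %-3s %s\n", $label, str_contains($html, '<img') ? 'yes' : 'no', $html);
}
```

In practice the extra urldecode() is usually unnecessary, since PHP has already decoded the query string once; removing it is the simplest fix, and escaping must then be the last operation before the value reaches the page.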
Swape Theme - Authentication Bypass and Stored XSS
Similar to https://wpvulndb.com/vulnerabilities/8061, but with no authentication required. The theme suffers from a privilege escalation vulnerability: any user can trigger it due to weak permission checking. An attacker can update options, such as changing the users' default role, registratio...
Email Subscribers & Newsletters < 3.4.8 - Unauthenticated Subscriber Download
The Email Subscribers & Newsletters – Simple and Effective Email Marketing WordPress plugin was affected by an unauthenticated subscriber download vulnerability. POST /?es=export ... option=view_all_subscribers...
BuddyBoss Media <= 3.2.3 - Stored XSS
The album description does not perform input / output validation. According to the researcher: No reply from vendor. Issue not patched. Vulnerability can be exploited by any user. Form not vulnerable to CSRF. '"alert"test";...
Smooth Slider <= 2.8.6 - Authenticated SQL Injection
During the security analysis, ThunderScan discovered SQL injection vulnerability in Smooth Slider WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings...
Service Finder Booking < 3.2 - Unauthenticated Local File Disclosure
The premium Service Finder Booking WordPress plugin was vulnerable to a local file disclosure vulnerability that allows unauthenticated users to download arbitrary files from the server. http://victim.com/wp-content/plugins/sf-booking/lib/downloads.php?file=/index.php...
buddypress-xprofile-custom-fields-type 2.6.3 - Authenticated Arbitrary File Deletion
Required access: any registered BuddyPress user. $_POST['field_' . $field_id . '_hiddenfile'] is not escaped. $_POST['field_' . $field_id . '_deleteimg'] is not escaped. Code file: wp-content/plugins/buddypress-xprofile-custom-fields-type/bp-xprofile-custom-fields-type.php, lines 452, 472, 496, 513,...
Church Admin 0.33.2.1 - Unauthenticated Directory Traversal
The "key" parameter of download.php from plugins/church-admin/display/download.php is not sanitized and is vulnerable to a directory traversal type of attack. http:///wp-content/plugins/church-admin/display/download.php?key=../../../../../../../etc/passwd...
woocommerce-csvimport 3.3.6 – Authenticated Arbitrary File Deletion
Required access: any registered user. $_POST['filename'] is not escaped or validated. Code file: wp-content/plugins/woocommerce-csvimport/export/include/classes/woocsvExport.php, line 64: public function deleteexportfile() { if (isset($_POST['filename'])) @unlink($_POST['filename']); wp_die(0); } Result: wp-config.php file deleted...
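A hardened resolver for the file-name parameters seen in the WP with Spritz, WP Background Takeover, Service Finder Booking, Church Admin and woocommerce-csvimport entries above, written here as an added example (not any plugin's code; resolve_in_base() and delete_export() are assumed names, the directory tree is constructed in the temp dir, and PHP 8 is assumed):

```php
<?php
// Added example: resolving a caller-supplied file name inside a fixed base
// directory, then using the resolved path for download or deletion.

/**
 * Return the canonical path of $user_path inside $base, or null if it escapes
 * $base, does not exist, or is malformed. Nested names like "2024/export.csv"
 * are allowed; "../" and symlinks are resolved before the containment check.
 */
function resolve_in_base(string $base, string $user_path): ?string
{
    $real_base = realpath($base);
    if ($real_base === false || $user_path === '') {
        return null;
    }
    // A NUL byte truncates the name at the filesystem layer, and an absolute
    // path (Unix or drive-letter) is never something the plugin produced.
    if (str_contains($user_path, "\0") || preg_match('#^([a-zA-Z]:)?[\\\\/]#', $user_path)) {
        return null;
    }
    // realpath() collapses "." / ".." and follows symlinks, so the check below
    // is made on the file the OS would actually open.
    $candidate = realpath($real_base . DIRECTORY_SEPARATOR . $user_path);
    if ($candidate === false) {
        return null;
    }
    return str_starts_with($candidate, $real_base . DIRECTORY_SEPARATOR) ? $candidate : null;
}

/**
 * Shape of the woocommerce-csvimport handler, hardened: an authorization
 * decision comes first (in WordPress: current_user_can() plus a nonce check),
 * and unlink() only ever sees a path that resolve_in_base() accepted.
 */
function delete_export(string $base, string $filename, bool $is_authorized): bool
{
    if (!$is_authorized) {
        return false;
    }
    $path = resolve_in_base($base, $filename);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed demo tree: <tmp>/wp-config.php and <tmp>/uploads/exports/orders.csv
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal-demo-' . getmypid();
$base = $root . '/uploads/exports';
mkdir($base, 0700, true);
file_put_contents($base . '/orders.csv', "id,total\n1,9.99\n");
file_put_contents($root . '/wp-config.php', "// constructed stand-in, not a real config\n");

$probes = [
    'orders.csv',                       // legitimate
    '../../wp-config.php',              // WP Background Takeover / Spritz style
    '../../../../../../../etc/passwd',  // Church Admin style
    '/etc/passwd',                      // absolute
    "orders.csv\0.txt",                 // NUL truncation
];
foreach ($probes as $p) {
    printf("%-34s -> %s\n", addcslashes($p, "\0"), resolve_in_base($base, $p) ?? 'REJECTED');
}

// Deletion: traversal refused, unauthorized refused, legitimate export removed.
foreach ([['../../wp-config.php', true], ['orders.csv', false], ['orders.csv', true]] as [$name, $auth]) {
    $ok = delete_export($base, $name, $auth);
    printf("delete %-22s auth=%-5s -> %s\n", $name, var_export($auth, true), $ok ? 'deleted' : 'refused');
}

// Remove the constructed tree.
@unlink($root . '/wp-config.php');
@rmdir($base);
@rmdir($root . '/uploads');
@rmdir($root);
```

The order of checks matters: the authorization decision is made before any filesystem access, and the containment test runs on the realpath() result rather than on the raw string, so "../" sequences, double slashes and symlinks are all judged by where they actually lead.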
AccessPress Anonymous Post Pro < 3.2.0 - Unauthenticated Arbitrary File Upload
Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows the attacker to upload anything they want, bypassing the filters. POST...
Multiple Mediaburst/Clockwork Plugins - Cross-Site Scripting (XSS)
Reflected XSS via the GET parameter "to". Vulnerable plugins: 1. Clockwork Free and Paid SMS Notifications, URL: https://wordpress.org/plugins/mediaburst-email-to-sms/, version 2.0.3, by Clockwork; 2. Two-Factor Authentication - Clockwork SMS, URL:...
RegistrationMagic - Custom Registration Forms <= 3.8.0.4 - Authenticated Reflected XSS
The RegistrationMagic – Custom Registration Forms and User Login WordPress plugin <= 3.8.0.4 was affected by an authenticated reflected XSS vulnerability. GET...
RegistrationMagic - Custom Registration Forms <= 3.8.0.4 - Authenticated SQL Injection
The RegistrationMagic – Custom Registration Forms and User Login WordPress plugin <= 3.8.0.4 was affected by an authenticated SQL injection vulnerability. GET...
Smart Marketing SMS and Newsletters Forms <= 1.1.1 - Unauthenticated Cross-Site Scripting (XSS)
The Smart Marketing SMS and Newsletters Forms WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability. POST /wordpress/wp-content/plugins/smart-marketing-for-wp/admin/partials/custom/egoi-for-wp-formegoi.php HTTP/1.1 Host: 127.0.0.1 Content-Type:...
InLinks 1.0 - Authenticated SQL Injection
SQL injection in the POST parameter "keyword". Affected file: inlinks/inlinks.php. Affected lines: 58 $Keyword = trim($_POST['keyword']); 59 $URL = trim($_POST['url']); 60 $Rel = trim($_POST['rel']); 61 $Target = trim($_POST['target']); 62 $tablename = $wpdb->prefix . "URLKeywordsMapping"; 63 $SelectKeywordURLMappingDetails ...
Emag Marketplace Connector 1.0 - Unauthenticated Cross-Site Scripting (XSS)
The Emag Marketplace Connector WordPress plugin was affected by an Unauthenticated Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post= "/alert"XSS"...
WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution
WP Support Plus Responsive Ticket System Choose a file ending with .phtml: After doing this, an uploaded file can be accessed at, say: http://example.com/wp-content/uploads/wpsp/1510248571filename.phtml...
UserPro <= 4.9.17 - Authentication Bypass
The UserPro plugin allows bypassing login authentication for the user 'admin'. If the site does not use the standard username 'admin', it is not affected. 1 - Google dork: inurl:/plugins/userpro 2 - Browse to a site that has the UserPro plugin installed. 3 - Append ?up_auto_log=true to the...
Ultimate Instagram Feed <= 1.3.1 - Authenticated Cross-Site Scripting (XSS)
In regards to https://wpvulndb.com/vulnerabilities/8947, the XSS vulnerability remains in 1.3 and 1.3.1, as the author passes $_GET['access_token'] to sanitize_text_field(). However, the value is inserted into an attribute of an element, and sanitize_text_field() does not filter quotes (single or double)...
Ultimate Instagram Feed <= 1.3 - Authenticated Cross-Site Scripting (XSS)
Author: OmarK. The vulnerability lies in the "access_token" parameter and causes a reflected XSS vulnerability. The issue is in the file ultimate-instagram-feed/admin/partials/uif-access-token-display.php, line 19; the vulnerable code is the following: echo $_GET['access_token']; There is an echo of th...
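Added example for the REQUEST_URI reflection in the wpForo and Loginizer entries and the attribute-context XSS in the two Ultimate Instagram Feed entries (not the plugins' code; the *_form and *_token_field functions are assumed, the esc_url(), esc_attr() and sanitize_text_field() stand-ins only approximate the WordPress functions, the attacker inputs are constructed, and PHP 8 is assumed):

```php
<?php
// Added example: escaping output for the context it lands in. The three
// helpers below are stand-ins for the WordPress functions of the same name,
// defined only when the script runs outside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Core esc_url() also normalises and allowlists schemes; the property that
    // matters here is that its output is safe inside an HTML attribute.
    function esc_url(string $url): string
    {
        if (preg_match('#^\s*javascript:#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Core strips tags and collapses whitespace but leaves quotes alone, which
    // is exactly the gap the Ultimate Instagram Feed entry describes.
    function sanitize_text_field(string $text): string
    {
        return trim(preg_replace('/\s+/', ' ', strip_tags($text)));
    }
}

// wpForo / Loginizer pattern: the current URL is rebuilt from REQUEST_URI and
// written straight into markup.
function vulnerable_form(string $request_uri): string
{
    return '<form action="' . $request_uri . '" method="post">';
}
function fixed_form(string $request_uri): string
{
    return '<form action="' . esc_url($request_uri) . '" method="post">';
}

// Ultimate Instagram Feed pattern: an input sanitiser is used where an
// attribute escaper is needed, so a quote still terminates the attribute.
function vulnerable_token_field(string $token): string
{
    return '<input type="text" value="' . sanitize_text_field($token) . '">';
}
function fixed_token_field(string $token): string
{
    return '<input type="text" value="' . esc_attr($token) . '">';
}

// Constructed attacker inputs. REQUEST_URI is the raw request target, so a
// hand-crafted request can carry unencoded '<' and '"' in it.
$uri   = '/community/?q="><script>alert(document.domain)</script>';
$token = 'abc" onfocus="alert(1)" autofocus="';

$cases = [
    'vulnerable form'  => vulnerable_form($uri),
    'fixed form'       => fixed_form($uri),
    'vulnerable token' => vulnerable_token_field($token),
    'fixed token'      => fixed_token_field($token),
];
foreach ($cases as $label => $html) {
    // If the attacker's '<script' or '" onfocus' survives verbatim, the input
    // is being interpreted as markup in that context.
    $injected = str_contains($html, '<script') || str_contains($html, '" onfocus');
    printf("%-16s %-8s %s\n", $label, $injected ? 'INJECTED' : 'safe', $html);
}
```

The distinction the two Ultimate Instagram Feed entries turn on is that sanitize_text_field() is for storing data, while esc_attr() is for emitting it into an attribute; only the latter neutralises the quote that closes the attribute.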
JTRT Responsive Tables <= 4.1 – Authenticated SQL Injection
Required access: single registered user. $_POST['tableId'] is not escaped. File / code: /wp-content/plugins/jtrt-responsive-tables/admin/class-jtrt-responsive-tables-admin.php, line 183: $getTableId = $_POST['tableId']; ... $retrievedata = $wpdb->get_results("SELECT * FROM $jtrttablesname WHERE jttableIDD = "...
Active Directory Integration <= 1.1.8 - Authenticated SQL Injection
Required access: administrator. The target needs LDAP configured and active. Request path: /wp-content/plugins/active-directory-integration/syncback.php, line 135: $result = $ADI->bulksyncback($_GET['userid']); $_GET['userid'] is not escaped. Method path:...
Simple Events Calendar <= 1.3.5 - Authenticated SQL Injection
Required access: administrator. $_POST['eventid'] is not escaped. File / code: /wp-content/plugins/simple-events-calendar/simple-events-calendar.php, line 467: $editevent = $_POST['eventid']; $update = $wpdb->get_results("SELECT * FROM $tablename WHERE id = $editevent", "ARRAY_A");...
Events <= 2.3.4 - Authenticated SQL Injection
Required access: administrator. $_GET['editevent'] is only HTML-escaped with esc_attr(), which is not SQL escaping, and is then used unquoted in the query. File / code: /wp-content/plugins/wp-events/wp-events.php, lines 450 - 468: if (isset($_GET['editevent'])) $eventeditid = esc_attr($_GET['editevent']); ... $editevent = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}events WHERE id =...
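The numeric-context problem shared by the WP Fastest Cache (esc_sql), JTRT Responsive Tables, Simple Events Calendar and Events (esc_attr) entries above, as an added example that is not any plugin's code. It uses an in-memory SQLite database through PDO instead of MySQL and $wpdb, the esc_sql()/esc_attr() stand-ins are only defined when the WordPress originals are absent, and the events table and the payload are constructed.

```php
<?php
// Added example: why esc_sql() / esc_attr() do nothing for an unquoted numeric
// value, and what the prepared-statement fix looks like.
if (!function_exists('esc_sql')) {
    // Core esc_sql() is mysqli_real_escape_string(): it escapes quotes,
    // backslashes and NUL, nothing else.
    function esc_sql(string $value): string
    {
        return addslashes($value);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO events VALUES (1, 'Public launch'), (2, 'Board meeting (internal)')");

// WP Fastest Cache shape: escaped, then concatenated unquoted.
function lookup_esc_sql(PDO $db, string $id): array
{
    $sql = 'SELECT id, title FROM events WHERE id = ' . esc_sql($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Events plugin shape: HTML-escaped, which is the wrong layer entirely.
function lookup_esc_attr(PDO $db, string $id): array
{
    $sql = 'SELECT id, title FROM events WHERE id = ' . esc_attr($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix: bind a typed parameter. In WordPress the equivalent is
// $wpdb->get_results($wpdb->prepare('SELECT ... WHERE id = %d', $id)).
function lookup_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title FROM events WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: no quotes, no angle brackets, so neither escaper
// changes a single byte. The time-based variants in the entries above work
// the same way, with SLEEP() where this one has a tautology.
$payload = '1 OR 1=1';
printf("esc_sql  leaves payload as: %s\n", esc_sql($payload));
printf("esc_attr leaves payload as: %s\n", esc_attr($payload));

foreach (['lookup_esc_sql', 'lookup_esc_attr', 'lookup_prepared'] as $fn) {
    $rows = $fn($db, $payload);
    printf("%-16s rows: %d  %s\n", $fn, count($rows), implode(' | ', array_column($rows, 'title')));
}
```

The two vulnerable lookups return every row because the tautology is spliced into the WHERE clause as SQL; the prepared lookup casts the value to an integer and binds it, so the same input selects only id 1.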
Like Button Rating < 2.5.4 - Unauthenticated Arbitrary Blog Settings Change
In the init action, this plugin checked whether $_POST['likebtn_import_config'] is empty. If it is not empty, it base64-decodes the string, parses it as JSON, and starts changing options, with no capability or nonce check. This could allow attackers to change blog settings such as the Site Title. The form below will set the "Site...
Shortcodes Ultimate <= 5.0.0 - Authenticated Contributor Code Execution
The Shortcodes Ultimate plugin does not sanitize the "filter" argument to the "su_meta", "su_user", and "su_post" shortcodes, allowing the filter to be set to the "system" function, which runs arbitrary code. This is being exploited in the wild; I discovered this through analysis of ModSecurity audit...
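Added example for the Shortcodes Ultimate entry (not the plugin's code; the attribute shape, the su_meta_* function names and the SU_ALLOWED_FILTERS list are assumed): a shortcode handler that passes a user-named function to call_user_func(), beside one that only honours an allowlist. str_rot13 stands in for system so the demo runs harmlessly.

```php
<?php
// Added example: a "filter" attribute that names a PHP function.

// Vulnerable: any callable name is accepted. With filter="system" the meta
// value becomes a shell command line run on the server.
function su_meta_vulnerable(array $atts, string $meta_value): string
{
    $filter = $atts['filter'] ?? '';
    if ($filter !== '' && is_callable($filter)) {
        $meta_value = (string) call_user_func($filter, $meta_value);
    }
    return $meta_value;
}

// Fixed: an explicit allowlist of display filters. Anything else, callable
// or not, is ignored rather than executed.
const SU_ALLOWED_FILTERS = ['strtoupper', 'strtolower', 'ucwords', 'trim'];

function su_meta_fixed(array $atts, string $meta_value): string
{
    $filter = $atts['filter'] ?? '';
    if ($filter !== '' && in_array($filter, SU_ALLOWED_FILTERS, true)) {
        $meta_value = (string) call_user_func($filter, $meta_value);
    }
    return $meta_value;
}

// Constructed meta value: what an attacker would store if the filter were
// system(). It is only ever passed to harmless functions here.
$meta = 'id; cat /etc/passwd';

foreach (['str_rot13', 'system', 'strtoupper'] as $filter) {
    printf("filter=%-10s vulnerable accepts: %-3s fixed accepts: %s\n",
        $filter,
        is_callable($filter) ? 'yes' : 'no',
        in_array($filter, SU_ALLOWED_FILTERS, true) ? 'yes' : 'no');
}

// str_rot13 is not a display filter, yet the vulnerable handler runs it,
// exactly as it would run system(). The fixed handler leaves the value alone
// and applies only allowlisted filters.
echo su_meta_vulnerable(['filter' => 'str_rot13'], $meta), "\n";
echo su_meta_fixed(['filter' => 'str_rot13'], $meta), "\n";
echo su_meta_fixed(['filter' => 'strtoupper'], $meta), "\n";
```

The check is in_array() with strict comparison against a fixed list, not is_callable(): is_callable() answers "does this function exist", which is true for system(), exec() and every other dangerous built-in.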
Multiple Plugins - jQueryFileTree - Unauthenticated Path Traversal
Since no authentication or authorisation checks are made for direct access to jqueryFileTree.php, the vulnerability allows browsing the file system on the host from an unauthenticated context. Even though no file content can be exfiltrated this way, "hidden" files e.g. in the web...
pootle button <= 1.1.1 - Authenticated Cross-Site Scripting (XSS)
The pootle button WordPress plugin was affected by an authenticated cross-site scripting (XSS) vulnerability. http://example.com/wp-admin/admin-ajax.php?action=pbtndialog&assetsurl=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E...
Invite Anyone <= 1.3.18 - Unauthenticated PHP Object Injection
The plugin invite-anyone insecurely trusts serialized data submitted in HTTP requests, which opens the site to a PHP object injection exploit vector. Similar to previous attacks, you send a cookie named "invite-anyone" with serialized data for your target object...
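Added example for the Category Order and Taxonomy Terms Order and Invite Anyone entries (not the plugins' code; LogWriter is a constructed gadget class, the load_order_* functions are assumed names, and the payload is constructed): what unserialize() on request data lets an attacker do, and two ways to close it.

```php
<?php
// Added example: PHP object injection through unserialize(), and the fixes.
// Assumes PHP 8; the allowed_classes option exists since PHP 7.0.

class LogWriter
{
    public string $path = '';
    public string $data = '';

    // Any class with a side-effecting magic method is a gadget: the attacker
    // never calls this, PHP does, when the injected object is destroyed.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data, FILE_APPEND);
        }
    }
}

// Vulnerable: the shape of the "order" parameter / cookie handling above.
function load_order_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Fix 1: keep unserialize() but refuse to instantiate any class. Objects
// come back as __PHP_Incomplete_Class and no magic method ever runs.
function load_order_no_objects(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Fix 2: the order data is just a list of term IDs, so do not accept
// serialized PHP at all; take JSON and coerce each element.
function load_order_json(string $raw): array
{
    $decoded = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    return array_map('intval', is_array($decoded) ? $decoded : []);
}

// Constructed payload: a LogWriter whose destructor writes attacker content
// to an attacker-chosen path. Here the path is inside the temp dir; on a
// real site it would be a .php file under the web root.
$target  = sys_get_temp_dir() . '/object-injection-demo-' . getmypid() . '.txt';
$data    = 'attacker-controlled content';
$payload = sprintf('O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($data), $data);

$obj = load_order_no_objects($payload);
printf("allowed_classes=false gives: %s\n", get_class($obj));
unset($obj);
printf("after hardened unserialize, file exists: %s\n", file_exists($target) ? 'yes' : 'no');

$obj = load_order_vulnerable($payload);
unset($obj);   // __destruct() fires here and writes $target
printf("after plain unserialize, file exists: %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

print_r(load_order_json('[3,"1",2]'));
```

allowed_classes => false is the minimal patch when the wire format cannot change; switching the parameter to JSON (or a plain comma-separated list of integers) removes the deserialization surface entirely, which is the better fix for data that is only ever a list of IDs.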