4359 matches found
Qards - Server Side Request Forgery (SSRF)
Google Dork: inurl:"plugins/qards" Qards provides an easy option to drag and edit every part and element of your site in the front-end; you will never have to write any code to change the layout or any part of the site the traditional WordPress way. The vulnerable script...
Qards - Stored Cross-Site Scripting (XSS)
Google Dork: inurl:"plugins/qards" Qards provides an easy option to drag and edit every part and element of your site in the front-end; you will never have to write any code to change the layout or any part of the site the traditional WordPress way. The vulnerable script...
MarketPress <= 3.2.6 - PHP Object Injection
The MarketPress plugin (installed to a directory named wordpress-ecommerce) in versions 3.2.6 and prior is vulnerable to a PHP Object Injection attack via the cart cookie value stored by this plugin. Send an object to the site using the mpglobalcart cookie value and it will be...
Content Timeline <= 4.4.2 - Multiple Blind SQL Injection
Multiple blind SQL injections in the premium 'Content Timeline' plugin: one unauthenticated and two authenticated injections. The author was contacted twice without any response. History: 09-16-2017 Contacted the author; 09-16-2017 Requested CVE-ID; 09-18-2017 CVE-ID received; 09-18-2017 Contacted the...
Student Result or Employee Database <= 1.6.3 - Auth Bypass
The Student Result or Employee Database WordPress plugin was affected by an Auth Bypass security vulnerability. curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/5.0' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer:...
Pinfinity Theme <= 1.9.2 - Reflected Cross-site Scripting (XSS)
The pinfinity WordPress theme was affected by a Reflected Cross-site Scripting XSS security vulnerability. https://website.com/wp/?s=alert1...
WPHRM <= 1.0 - Authenticated SQL Injection
The vulnerability allows employee users to inject SQL commands. http://localhost/PATH/?hr-dashboard=user&page=message&tab=viewmessage&from=inbox&id=SQL-23+union+select 1,2,3,4,5,SELECT+GROUPCONCATtablename+SEPARATOR+0x3c62723e+FROM+INFORMATIONSCHEMA.TABLES+WHERE+TABLESCHEMA=DATABASE,7,8--%20-...
MailChimp for WordPress <= 4.1.6 - Authenticated Cross-Site Scripting (XSS)
Use of the output of add_query_arg() without escaping in various places in the WordPress backend leads to a reflected XSS vulnerability. URL/wp-admin/admin.php?page=mailchimp-for-wp-integrations&"alert1...
Caldera Forms <= 1.5.4 - Authenticated Cross-Site Scripting (XSS)
Version 1.5.4 and earlier of Caldera Forms is vulnerable to a reflected cross-site scripting vulnerability in the "edit" parameter, which is not properly escaped before being printed in an HTML attribute. An attacker can use this to craft URLs that, when clicked, result in malicious JavaScript...
Participants Database <= 1.7.5.9 - Cross-Site Scripting
A cross-site scripting (XSS) vulnerability in the WordPress Participants Database plugin 1.7.59 allows attackers to inject arbitrary JavaScript via the Name parameter. curl -k -F action=signup -F subsource=participants-database -F shortcodepage=/?pageid=1 -F thankspage=/?pageid=1 -F instanceindex=2 -...
SQL Shortcode <= 1.1 - Authenticated SQL Execution
It's not actually an SQL injection; it's just executing SQL with an account as low-privileged as a subscriber. The plugin description says it all. This great article https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html will help with understanding how to exploit shortcodes and...
Multiple Plugins - Unauthenticated RCE via PHPUnit
There was an Unauthenticated Remote Code Execution (RCE) vulnerability in PHPUnit, a widely used testing framework for PHP. This vulnerability has been seen exploited in the wild. curl -X POST --data ""...
WP Like Post <= 1.5.2 - Authenticated SQL Injection
It's possible to inject SQL via several points (the Client-IP header, for example) when using the gslplikepost shortcode. A low-privileged account is necessary for this; subscriber is enough. Found by: Paul Dannewitz. Other vulnerabilities submitted to wpvulndb:...
Embed Images in Comments <= 0.5 - Unauthenticated Stored XSS
Unescaped src and href attribute replacements allow breaking out of the generated replacement tags. A comment containing the following "image" http://codeseekah.com/1.jpg"onload="alert1".jpg will generate an alert box...
I Recommend This <= 3.8.1 - Authenticated SQL Injection
Plugin description: "This plugin allows your visitors to simply like/recommend your posts instead of comment on it." Active installs according to https://wordpress.org/plugins/i-recommend-this/: 40.000+ It's possible to inject SQL into the dotrecommends shortcode, if the check for IP addresses is...
Link-Library <= 5.9.13.26 – Authenticated SQL Injection
Required user access: admin user. $_GET['linkid'] is not escaped. http://localhost:8080/wp-admin/admin.php?page=link-library&genthumbsingle=1&linkid=1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,CONCATuserlogin,char58,userpass,17,18,19,20,21,22,23,24,25,26+FROM+wpusers+WHERE+ID=1...
Easy Modal <= 2.0.17 - Authenticated SQL Injection
This can only be exploited by a user who already has access to the admin with a valid nonce. During the security analysis, ThunderScan discovered SQL injection vulnerabilities in the Easy Modal WordPress Plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while bei...
Podlove Podcast Publisher <= 2.5.3 - Authenticated SQL Injection
During the security analysis, ThunderScan discovered an SQL injection vulnerability in the Podlove Podcast Publisher WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugi...
Pressforward <= 5.2.3 - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise $_SERVER['QUERY_STRING'] before outputting it back in the page, leading to a reflected Cross-Site Scripting issue. The issue was initially reported in v4.3.0 but was never fixed, and still affects v5.2.3...
WP Support Plus Responsive Ticket System < 8.0.0 - Privilege Escalation
You can log in as anyone without knowing the password because of incorrect usage of wp_set_auth_cookie(). Username:...
WP Live Chat Support < 7.1.05 - Cross-Site Scripting (XSS)
WP Live Chat Support is vulnerable to XSS payloads sent through the chat...
Ultimate Affiliate Pro WordPress Plugin <= v3.6 - Authenticated Stored XSS
Multiple stored XSS vulnerabilities were found while logged in as a low-privileged user. Authenticated Stored XSS: logged in as an affiliate (a low-privileged user), under Profile Edit Account, write the payload in the 'Last Name' input area: jaVasCript:/-///'/"/// /oNMouseoVer=alertdocument.domain Other fields may be...
FormCraft - Premium WordPress Form Builder <= v3.2.31 - Authenticated Stored XSS
WordPress FormCraft Premium WordPress Form Builder versions 3.2.31 and below suffer from a persistent Cross-Site Scripting (XSS) vulnerability. Authenticated Stored XSS: the New Form Heading "Heading Text" input field is vulnerable. The payload will execute when the form is displayed...
WordPress Plugin IBPS Online Exam <= 1.0 - Authenticated SQL Injection / Cross-Site Scripting
Exploit Author: 8bitsec Contact Author: https://twitter.com/8bitsec Stored XSS on exam input text fields and Blind SQL Injection on the 'examappUserResult' page 'id' parameter. Authenticated Stored XSS: logged in as a student, write the payload in the input text fields while attempting an exam. The payloa...
Arabic Font - CSRF & Stored XSS
Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user...
Task Manager Pro <= 1.3.1 - Authenticated Cross-Site Scripting (XSS)
Multiple authenticated XSS vulnerabilities were found while logged in as a low-privileged user. Authenticated Stored XSS: logged in as a follower (the lowest privileged user), write the payload in the 'Add a comment' section. Authenticated Reflected XSS on the task-edit, task-details and project-details pages:...
WordPress Task Manager Pro <= 1.3.1 - Authenticated SQL Injection
Blind SQL Injection on the task-details page 'task' parameter. Logged in as a follower: https://localhost/wp/wp-admin/admin.php?page=task-details&task=6+and+sleep1+and+1%3D1...
WP Statistics <= 12.0.9 - Authenticated Cross-Site Scripting (XSS)
The WP Statistics WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability. http://mywordpress.com/wp-admin/admin.php?page=wpsreferrerspage&rangeend=123123"alert1a a="...
DSubscribers <= 1.2 - Authenticated SQL Injection
The DSubscribers WordPress plugin was affected by an Authenticated SQL Injection security vulnerability. Proof of Concept: 1. Log in with an admin user. 2. Attack URL: http://target/wp-admin/admin.php?page=dsubscribers&action=edit&dsubscribers=0 UNION SELECT 1,2,CONCATuserlogin,char58,userpass FROM...
WP Statistics <= 12.0.8.1 - Authenticated Reflected Cross-Site Scripting (XSS)
Version 12.0.8.1 and below of the WP Statistics WordPress Plugin was found to be vulnerable to Authenticated Reflected Cross-Site Scripting XSS. The 'ip' GET parameter on the 'wpsvisitorspage' page is output to a page without first being validated, sanitised or output encoded. This leads to...
Ultimate Product Catalogue <= 4.2.2 - Authenticated SQL Injection
Required user access: subscriber upwards. $_POST['CatID'] is not escaped. File / Code: Path: /wp-content/plugins/ultimate-product-catalogue/Functions/ProcessAjax.php...
Email Before Download < 4.0 - SMTP Header Injection
Email Before Download https://wordpress.org/plugins/email-before-download/ before version 4.0 was vulnerable to an SMTP header injection which allows abuse of a vulnerable website to send spam or phishing emails. In email-before-download.php, the "emailFrom" variable comes directly from the...
All-in-One WP Migration <= 6.45 - Reflected Cross-Site Scripting (XSS)
All-in-One WP Migration is vulnerable to Reflected Cross-Site Scripting on the secretkey parameter. http://example.com/wp-admin/admin-ajax.php?action=ai1wmstatus&secretkey="!--...
Viral Optins - Arbitrary File Upload
The affected versions, and whether the issue has been remediated, are unclear because the vendor website no longer exists. Upload!...
Simple Slideshow Manager <= 2.3 – Multiple Vulnerabilities
The Simple Slideshow Manager WordPress plugin was affected by multiple security vulnerabilities. 3.1 Cross-Site Scripting. Vulnerable Function: echo. Vulnerable Variable: $_GET['name']. Vulnerable URL: http://www.vulnerablesite.com/wp-admin/admin.php?page=Acurax-Slideshow-AddImages&name="alert42 3.2 Cross-Site...
WP No External Links <= 3.5.18 – Authenticated Cross-Site Scripting (XSS)
The wp-noexternallinks WordPress plugin was affected by a security vulnerability. Cross-Site Scripting. Vulnerable Function: echo. Vulnerable Variables: $_REQUEST['date1'], $_REQUEST['date2']. Vulnerable URLs:...
Tribulant Newsletters <= 4.6.4.2 – Multiple Vulnerabilities
The Newsletters WordPress plugin was affected by multiple security vulnerabilities. 3.1 File disclosure. Vulnerable URL: http://vulnerablesite.com/wp-admin/admin.php?page=newslettershistory&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWIN DOWS%5cwin.ini 3.2 Cross-Site...
All In One Schema.org Rich Snippets <= 1.4.4 - Authenticated Cross-Site Scripting (XSS)
The Schema – All In One Schema Rich Snippets WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability. http://vulnerablesite.com/wp-admin/admin.php?page=richsnippetdashboard&bsfforcesend=true&bsfsendlabel=alert1...
AffiliateWP <= 2.0.9 - Authenticated Cross-Site Scripting (XSS)
The AffiliateWP WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability. http://vulnerablesite.com//wp-admin/admin.php?page=affiliate-wp-referrals&filterfrom=%27%3C%2Fscript%3E%3Cscript%3Ealert%2842%29%3C%2Fscript%3E...
User Access Manager <= 2.0.8 - Authenticated Reflected Cross-Site Scripting (XSS)
Not patched in 2.0.0 despite what the advisory states. http://www.example.com/wp-admin/admin.php?page=uamusergroup&uamaction=editusergroup&userGroupId=1%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%3C%22...
Delightful Downloads <= 1.6.6 - Unauthenticated Path Traversal
Since no authentication or authorisation checks are made for direct access to jqueryFileTree.php, the vulnerability allows browsing the file system on a host from an unauthenticated context. Even though no file content can be exfiltrated this way, "hidden" files, e.g. in the web...
WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
Description: An attacker may be able to set the 'From' email header in password reset emails. curl -H "Host: www.evil.com" --data "userlogin=admin&redirectto=&wp-submit=Get+New+Password" http://example.com/wp-login.php?action=lostpassword...
Clean Login <= 1.7.12 - Change Redirect URL CSRF
The Clean Login WordPress plugin was affected by a Change Redirect URL CSRF security vulnerability...
Calendar by WD <= 1.5.51 - Authenticated SQL injection
http://www.defensecode.com/advisories/DC-2017-01-017WordPressSpiderEventCalendarPluginAdvisory.pdf Vulnerable POST URL: http://www.vulnerablesite.com/wpadmin/admin.php?page=SpiderCalendar&task=showmanageevent&calendarid=1 Vulnerable POST Body:...
WordPress Facebook <= 1.0.13 - Authenticated SQL Injection
http://www.defensecode.com/advisories/DC-2017-04-011WordPressFacebookPluginAdvisory.pdf Vulnerable POST URL: http://vulnerablesite.com/wp-admin/admin.php?page=SpiderFacebookmanage Vulnerable POST Body: searcheventsbytitle=&pagenumber=1&serchornot=&ascordesc=1&orderby=type AND SELECT FROM...
Photo Gallery by WD <= 1.3.35 - Authenticated SQL Injection
http://www.defensecode.com/advisories/DC-2017-02-011WordPressWebDoradoGalleryPluginAdvisory.pdf http://www.vulnerablesite.com/wp-admin/admin-ajax.php?action=addAlbumsGalleries&albumid=0%20AND%20SELECT%20%20FROM%20SELECTSLEEP5VvZV&width=700&height=550&bwgitemsperpage=20&bwgnonce=b939983df9&TBifram...
Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF
Description: The Avada WordPress theme was affected by a Stored Cross-Site Scripting (XSS) & CSRF security vulnerability. http://cdn.wphutte.com/Avada/5.1.4/xss.html http://cdn.wphutte.com/Avada/5.1.4/csrf.html...
Row Seats Core <= 2.66 - Unauthenticated PHP Object Injection
The plugin row-seats insecurely trusts serialized data submitted over HTTP requests. This opens the site up to a PHP object injection vulnerability as a potential exploit vector. This vulnerability was patched in version 2.68; the information is being released now as the disclosure period has expired. Attac...
Referrer Detector <= 4.2.1.0 - Unauthenticated PHP Object Injection
The plugin referrer-detector insecurely trusts serialized data submitted over HTTP requests. This opens the site up to a PHP object injection vulnerability as a potential exploit vector. The original researcher notified the WordPress Plugins team. The attack is exploitable over HTTP requests to sites with...
Gravitate QA Tracker <= 1.2.1 - Unauthenticated PHP Object Injection
The plugin gravitate-qa-tracker insecurely trusts serialized data submitted over HTTP requests. This opens the site up to a PHP object injection vulnerability as a potential exploit vector. The attack is exploitable over HTTP requests to sites with the gravitate-qa-tracker plugin. The original researcher...