NextGEN Gallery geo <= 1.0 - Unauthenticated PHP Object Injection
The plugin nextgen-gallery-geo insecurely trusts serialized data submitted over AJAX requests. This exposes the site to a PHP object injection vulnerability, a potential exploit vector. The original researcher notified the WordPress Plugins team. The attack is exploitable over AJAX calls to sites with the...
SiteBuilder Dynamic Components <= 1.0 - Unauthenticated PHP Object Injection
The plugin sitebuilder-dynamic-components insecurely trusts serialized data submitted over AJAX requests. This exposes the site to a PHP object injection vulnerability, a potential exploit vector. The attack is exploitable over AJAX calls to sites with the sitebuilder-dynamic-components Plugin...
My Geo Posts Free <= 1.2 - Unauthenticated PHP Object Injection
The plugin my-geo-posts-free insecurely trusts serialized data submitted over HTTP requests. This exposes the site to a PHP object injection vulnerability, a potential exploit vector. The attack is exploitable over HTTP requests to sites with the my-geo-posts-free Plugin. The original researcher notifi...
AJAX Random Posts <= 0.3.3 - Unauthenticated PHP Object Injection
The plugin ajax-random-posts insecurely trusts serialized data submitted over HTTP requests. This exposes the site to a PHP object injection vulnerability, a potential exploit vector. The original researcher notified the WordPress Plugins team. The attack is exploitable over AJAX calls on sites with the...
Answer My Question 1.3 - Cross-Site Scripting (XSS)
The answer-my-question WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability. Host: 10.194.0.44 URL: http://10.194.0.44/wp-content/plugins/answer-my-question/modal.php Parameter: Hidden Field id Payload: "alert1...
AccessPress Social Icons < 1.6.8 - Authenticated SQL Injections
During the security analysis, ThunderScan discovered SQL injection vulnerabilities in AccessPress Social Icons WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plug...
Multiple BestWebSoft Plugins - Authenticated Cross-Site Scripting (XSS)
http://www.example.com/wp-admin/admin.php?page=bwspanel&category=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%2842%29%3C%2Fscript%3E...
Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)
The Slideshow Gallery WordPress plugin was affected by multiple Authenticated Cross-Site Scripting (XSS) security vulnerabilities. http://vulnerablesite.com/wp-admin/admin.php?page=slideshowgalleries&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E...
WordPress Ad Widget <= 2.11.0 - Authenticated Local File Inclusion (LFI)
The WordPress Ad Widget plugin was affected by an Authenticated Local File Inclusion (LFI) security vulnerability. http://www.example.com/wp-content/plugins/ad-widget/views/modal/index.php?step=php://filter/convert.base64-encode/resource=../wp-config...
Profile Builder < 2.5.8 - Authenticated Stored Cross-Site Scripting (XSS)
Stored Cross-Site Scripting (XSS) in the "minimum password length" field. history.pushState'', '', '/'...
Adminer <= 1.4.5 - Security Bypass
The plugin is still affected and has been closed. https://example.com/wp-content/plugins/adminer/inc/editor/index.php...
Mobile App Native <= 3.0 - Remote File Upload
The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content. It also doesn't sanitize the file upload against executable code. $ curl -F "file=@/var/www/shell.php"...
Kama Click Counter <= 3.4.9 - Authenticated Blind SQL Injection
The Kama Click Counter WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability. http://www.example.com/wp-admin/admin.php?page=kama-clic-counter&orderby=linkname&order=ASC%2cselectfromselectsleep30a&paged=1...
Mail Masta 1.0 - Multiple SQL Injection
Multiple SQL Injection vulnerabilities in Mail Masta Plugin version 1.0 for WordPress. The plugin is still affected and has been closed. Please refer to: https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin...
Javo Spot Premium Theme - Unauthenticated Directory Traversal
Prints out any file via an unauthenticated AJAX request. /wp-admin/admin-ajax.php? jvfrmspotgetjson&fn=../../wp-config.php&callback=jQuery...
Raygun4WP <= 1.8.0 - Unauthenticated Reflected XSS
The Raygun4WP WordPress plugin was affected by an Unauthenticated Reflected XSS security vulnerability. http://www.example.com/wp-content/plugins/raygun4wp/sendtesterror.php?backurl="...
Stop User Enumeration 1.3.5-1.3.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The Stop User Enumeration WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability. http://www.example.com/?author=1...
WordPress 4.7 - User Information Disclosure via REST API
http://www.example.com/wp-json/wp/v2/users...
ByREV WP-PICShield - Cross-Site Request Forgery (CSRF)
The ByREV WP-PICShield WordPress plugin is vulnerable to CSRF. When updating the plugin options, several parameters in the issued POST request are written directly to the .htaccess file within the WordPress root directory. An attacker may be able to insert arbitrary lines into the .htaccess file,...
XCloner - Backup and Restore < 3.1.5 - Authenticated Path Traversal
Authenticated users are able to perform directory listings at any location available to the WordPress user, leaking the filenames of previous backups. This was found in XCloner - Backup and Restore version 3.1.4, but may have been introduced in earlier versions. Attackers can leverage directory...
Xtreme Locator Dealer Locator Plugin 1.5 – Authenticated SQL Injection
Type of user access: admin user. $_GET['id'] is not escaped. Accessible only to admin users. 1 - Log in with an admin user; 2 - Send a GET request: http://www.example.com/wp-admin/admin.php?page=xtreme-locator-settings&id=0+UNION+ALL+SELECT+1%2Cslug%2Cname%2C4%2C5+FROM+wpterms+WHERE+termid%3D1...
ZM Gallery 1.0 – Authenticated Blind SQL Injection
The plugin is still affected and has been closed. Type of user access: admin user. $_GET['order'] is escaped incorrectly. Attack with blind injection: python sqlmap.py -u "http://www.example.com/wp-admin/admin.php?page=zmgallery&orderby=name&order=desc" --dbs --cookie="cookie of admin user" --level=5...
ZX_CSV Upload 1 – Authenticated SQL Injection
Type of user access: admin user. $_GET['id'] is not escaped. The URL is accessible to every registered user. 1 - Log in with an admin user. 2 - Send a POST request:...
WP Support Plus Responsive Ticket System < 8.0.0 – Authenticated SQL Injection
Type of user access: any user. $_POST['catid'] is not escaped. Accessible to any user...
WP Private Messages 1.0.1 – Authenticated SQL Injection
Type of user access: registered user. $_GET['id'] is not escaped. The URL is accessible to every registered user. http://www.example.com/wp-admin/users.php?page=wp-private-messages%2Fwpuprivatemessages.php&wpu=read&id=0+UNION+SELECT+1,2,2,name,slug,6,7,8,9,10,11,12+FROM+wpterms+WHERE++termid%3D1&r=recieve...
BP Profile Search <= 4.5.3 - PHP Object Injection
The plugin bp-profile-search insecurely trusts serialized data submitted over HTTP requests. This exposes the site to a PHP object injection vulnerability, a potential exploit vector. This vulnerability was patched in version 4.6; the information is being released now as the disclosure period has expired...
WooCommerce Email Test 1.5 - Order Information Disclosure
When this plugin is installed, any anonymous user can open the URL https://www.domainname.de/?woocommerceemailtest=WCEmailCustomerCompletedOrder which shows the most recent order along with all customer details, the email address and the cart contents. This is a severe security/data privacy breach...
WA Form Builder 1.1 - Unauthenticated SQL Injection
$_POST['waformsId'] is not escaped. WAFormBuilderuioutput is accessible to any user...
Single Personal Message 1.0.3 – Authenticated SQL Injection
Type of user access: any user. $_GET['message'] is not escaped. Accessible to every registered user. http://www.example.com/wp-admin/admin.php?page=simple-personal-message-outbox&action=view&message=0%20UNION%20SELECT%201,2.3,name,5,slug,7,8,9,10,11,12%20FROM%20wpterms%20WHERE%20termid=1...
WP Whois Domain <= 1.0.0 - Unauthenticated Cross-Site Scripting (XSS)
The plugin is still affected and has been closed...
Product Catalog 8 1.2 - Unauthenticated SQL Injection
$_POST['selectedCategory'] is not escaped. UpdateCategoryList is accessible to any user...
Answer My Question 1.3 - SQL Injection
$_POST['id'] is not escaped. The URL is accessible to any user. Vulnerable URL: http://target/wp-content/plugins/answer-my-question/modal.php...
BBS e-Franchise 1.1.1 - Unauthenticated SQL Injection
$_GET['uid'] is not escaped, and the URL is accessible to any user. You will have to find a post or page that uses the plugin's shortcode...
Mini Cart Plugin 1.00.1 - Authenticated SQL Injection
$_REQUEST['item'] is not escaped. The URL is accessible to users with the collaborator role and above. Vulnerable URL: http://target/wp-admin/edit.php?page=mini-cart/itemform.php=0=edit...
FireStorm Shopping Cart eCommerce Plugin 2.07.02 - Authenticated SQL Injection
$_POST['pid'] is not escaped. The URL is accessible to administrator users. Affected URL: http://localhost:1406/wp/wp-admin/admin.php?page=fssc-products=general=edit=0=0 http://target/wp-admin/admin.php?page=fssc-products&fp=general&f=edit&cid=0&pid=0+UNION+SELECT+name+FROM+wpterms+WHERE+termid=1...
Sirv <= 1.3.1 - Authenticated SQL Injection
$_POST['id'] is not escaped. sirvgetrowbyid is accessible to every registered user. $id = $_POST['rowid']; $row = $wpdb->get_row("SELECT * FROM $tablename WHERE id = $id", ARRAY_A); $row['images'] = unserialize($row['images']); echo json_encode($row);...
iThemes Security <= 5.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
The 404 detection module needs to be enabled. curl "http://ithemesprotected.target/index.php/2016/09/22/trigger-404/?x=String/YWxlcnQoInRlc3QiKQ==/;x=x.substring1,x.length-1;evalatobx;" -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en-US,en;q=0.8' -H 'Upgrade-Insecure-Requests: 1...
Appointment Calendar - Stored Cross-Site Scripting (XSS)
When a user submits appointment data there is no validation, which leads to stored XSS. curl 'Path to page where appointments calendar short-code is used' -H 'Accept: text/html, /; q=0.01' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type:...
W3 Total Cache <= 0.9.4.1 – Unauthenticated Security Token Bypass
The /pub/apc.php file is used to empty the OPCache/APC. The script seems protected by a nonce, aka security token: $nonce = W3_Request::get_string('nonce'); $uri = $_SERVER['REQUEST_URI']; if (wp_hash($uri) == $nonce) The flaw lies in the == operator, which is not the one to use when you want to compare...
W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary File Download
When you're creating a support ticket in the plugin page, you can add one or more of your template themes. This file is then sent to the author to help resolve the issue. Now you select one, you send the form and, as with the files before, you will send it to the author to help...
W3 Total Cache <= 0.9.4.1 - Authenticated Reflected Cross-Site Scripting (XSS)
The W3 Total Cache WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting (XSS) security vulnerability...
N-Media Website Contact Form with File Upload - Arbitrary File Upload
The website-contact-form-with-file-upload WordPress plugin was affected by an Arbitrary File Upload security vulnerability...
WP Front End Profile <= 0.2.1 - Privilege Escalation & Stored Cross-Site Scripting (XSS)
It is possible to modify a POST request to overwrite user meta, including 'wp_capabilities' and 'wp_user_level', which results in a privilege escalation vulnerability. User input is not sanitised or escaped on output, resulting in a stored XSS vulnerability. Timeline: 2016-09-12: Vulnerability found...
404 to 301 <= 2.3.0 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description: There is a stored XSS in the 404-to-301 WP plugin. alertdocument.cookie HTTP/1.1 Host: wordpress Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Windows NT 6.1; WOW64 AppleWebKit/537.36 KHTML, like Gecko Chrome/51.0.2704.103 Safari/537.36 Accept:...
WordPress Zero Spam <= 2.1.1 - Unauthenticated Blind SQL Injection
The WordPress Zero Spam WordPress plugin was affected by an Unauthenticated Blind SQL Injection security vulnerability. HTTP request header: Client-IP: '+select0fromselectsleep10v+'...
CYSTEME Finder <= 1.3 - Unauthenticated LFI and Unauthenticated File Upload
CYSTEME does not properly check SESSION cookies, allowing a remote attacker to upload, view, or delete files from any location on the remote file system. - Retrieve all data in the root WordPress directory. This will return JSON. Exploit:...
Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
The plugin is still affected and has been closed. http://example.com/wp-content/plugins/mail-masta/inc/campaign/countofsend.php?pl=/etc/passwd...
Akal Theme - Reflected Cross-Site Scripting (XSS)
The premium theme Akal suffers from a Reflected Cross-Site Scripting (XSS) vulnerability in the preview.php file located in framework/brad-shortcodes/tinymce...
Woo Custom Checkout Field <= 1.3.4 - CSRF & Stored XSS
Due to a lack of CSRF mitigation and entity encoding in the ccfinsert function found on line 118 of include/ccf.php, and in the output generated by template/datagrid.php, it is possible to store and execute scripts in the context of an admin user...
Woo Email Control <= 1.01 - Reflected Cross-Site Scripting (XSS) & CSRF
Due to a lack of encoding and CSRF mitigation in the testemail function found on line 106 of classes/class-wooctrl.php, it is possible to automate a request to the AJAX handler for the wooctrlsendtestemail action, which will reflect the specified script back to the end user...