4359 matches found
WordPress Toolbar <= 2.2.6 - Open Redirect
Description The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action...
Custom User CSS <= 0.2 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Create an HTML form with the following content and make a logged in admin open it document.forms[0].submit();...
Autotitle for WordPress <= 1.0.3 - Settings Update to Stored XSS via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. document.forms[0].submit();...
Meris <= 1.1.2 - Reflected XSS
Description The theme does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin alert/XSS-areaname/" / alert/XSS-num/' /...
EventPrime < 3.3.6 - Unauthenticated Event Access
Description The plugin lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name. 1. Create a password-protected event or a private event, then publish it. 2. Access the URL of a private...
WP All Import < 3.7.3 - Admin+ Arbitrary File Upload to RCE
Description The plugin accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type. This may allow high privilege users such as administrators to upload an executable file type, leading to remote code...
WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR
Description The plugin does not properly check for authorisation, allowing authors to delete and update arbitrary avatars. POC request: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: yoursite User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept:...
EventON-RSVP < 2.9.5 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open a page containing the code below "/...
Product Enquiry for WooCommerce < 3.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Form Customizer: 1. Navigate to...
Product Enquiry for WooCommerce < 3.1 - Arbitrary Enquiry Deletion via CSRF
Description The plugin does not have a CSRF check in place when deleting inquiries, which could allow attackers to make a logged in admin delete them via a CSRF attack 1. Make an enquiry from the frontend form 2. Go to "Woo Quote Popup Enquiry List" 3. Get the ID of an item 4. Add the ID to the...
WP SEO Press < 7.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=seopress-titles. 2. Input...
WP Review Slider < 13.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Add the payload "...
Colibri Page Builder < 1.0.240 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its extendbuilderrenderjs shortcode content before outputting it back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Estatik Real Estate Plugin < 4.1.1 - Unauthenticated PHP Object Injection
Description The plugin unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin: class Evil { public function __wakeup() { ...
Estatik Real Estate Plugin < 4.1.1 - Reflected XSS
Description The plugin does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open one of the URLs below some...
Estatik Real Estate Plugin < 4.1.1 - Subscriber+ Arbitrary Option Update
Description The plugin does not prevent users with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset. Run the below command in the developer console of the web browser while...
WP Crowdfunding < 2.1.10 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Affected settings: - Crowdfunding...
easy.jobs < 2.4.7 - Subscriber+ Arbitrary Settings Update
Description The plugin does not properly secure some of its AJAX actions, allowing any logged-in users to modify its settings. fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "multipart/form-data; boundary=----WebKitFormBoundaryvEIqF0bdJXlPN58D", , "body":...
Post SMTP < 2.6.1 - Authenticated (Administrator+) SQL Injection
Description The Post SMTP plugin for WordPress is vulnerable to time-based SQL Injection via the logid parameter in versions up to, and including, 2.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...
WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update
Description The plugin does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site. Log in as a subscriber, and paste any of the following fetch calls in your...
JSM file_get_contents() Shortcode < 2.7.1 - Contributor+ SSRF
Description The plugin does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks. [wpfgc url="http://127.0.0.1:8084"]...
DeMomentSomTres WordPress Export Posts With Images <= 20220825 - Subscriber+ unauthorized data export
Description The plugin does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers, to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts...
EazyDocs < 2.3.6 - Subscriber+ Arbitrary Posts Deletion and Document Management
Description The plugin does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing any authenticated user, such as a subscriber, to delete arbitrary posts, as well as add and delete documents/sections. 1. Install the...
Essential Blocks < 4.4.3 - Unauthenticated Local File Inclusion
Description The plugin does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks. curl --url...
Post SMTP < 2.8.7 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open the following URL:...
Keap Official Opt-in Forms <= 1.0.11 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Store the script in non-sanitized...
Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1. Create a new opt-in form. 2. Edit the form, and add a "First name" field. 3. Update the form...
Post SMTP < 2.8.7 - Admin+ SQL Injection
Description The plugin does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin. In ps-delete-email-logs action: Visit the Post SMTP Email Log page and run the following code in the...
Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update
Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Denial of Service attacks. 1. login, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2. run the following in...
Clone < 2.4.3 - Unauthenticated Backup Download
Description The plugin uses buffer files to store in-progress backup information, which is stored at a publicly accessible, statically defined file path. While a backup job is running, visitors can access one of the following files (it might take a couple of tries, as the timing needs to be right):...
WP Blogs' Planetarium <= 1.0 - Settings Update via CSRF
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. document.forms[0].submit();...
Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload
Description The plugin does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution. from io import BytesIO import requests import zipfile import sys import re if...
Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS
Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks. 1. Login with a subscriber account, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2...
WP Custom Cursors <= 3.2 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. The PoC will be displayed on February...
CommentTweets <= 0.6 - Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. HTMLFormElement.prototype.submit.call(document.forms[0]);...
Getwid < 2.0.3 - Unauthenticated Arbitrary Email Sending to Admin
Description Any unauthenticated user may send e-mail from the site with any title or content to the admin fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=getwidsendmail", "headers": "content-type": "application/x-www-form-urlencoded", , "body": "datasubject=Urgent WordPress update neee...
Duplicator < 1.3.0 - Unauthenticated RCE
Description The plugin does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be used to run arbitrary code on the server. Steps to Reproduce Setup Download WAMP with the following...
Email Subscription Popup < 1.2.20 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open " /...
WP Crowdfunding < 2.1.9 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 1. Add a "Campaign Search" widget to your site via Appearance > Customise > Widgets for...
WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS
Description The plugin does not have authorisation and CSRF checks in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. v3.8.15 partially fixed the issue as the wrong capability chec...
Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE
Description The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. 1. Make sure to configure the plugin so Authors can access its settings 2. Create a new slider. 3. Save and export...
Debug Log Manager < 2.3.0 - Sensitive Logs Exposure
Description The plugin contains a directory listing vulnerability, which allows anyone to download the debug log without authorization and gain access to sensitive data: https://yoursite/wordpress/wp-content/uploads/debug-log-manager/...
Ovic Responsive WPBakery < 1.2.9 - Subscriber+ Option Update
Description The plugin does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object...
Prime Mover < 1.9.3 - Directory Listing to Sensitive Data Exposure
Description The plugin does not prevent directory listing in sensitive directories containing export files. http://127.0.0.1/wordpress/wp-content/uploads/prime-mover-export-files/1/ 0. Go to packages and create a new one if there is no backup yet. 1. Go to this URL manually. 2. Use Exploit...
WP Go Maps < 9.0.28 - Unauthenticated Stored XSS
Description The plugin does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site. Run the following Python script, then visit https://vulnerable-site.tld/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&mapid=1...
Ni Purchase Order(PO) For WooCommerce <= 1.2.1 - Admin+ File Upload to Remote Code Execution
Description The plugin does not validate logo and signature image files uploaded in the settings, allowing high privilege users to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell. 1. Create a malicious file exploit.php with the contents 2. Visit...
Backup Migration < 1.3.8 - Unauthenticated RCE
Description The plugin is vulnerable to Remote Code Execution via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated...
Burst Statistics (Free < 1.5.0, Pro < 1.5.1) - Unauthenticated SQL Injection
Description The plugins do not properly sanitise and escape the url parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated users, such as subscribers. curl 'https://example.com/burst-statistics-endpoint.php' \ -H 'content-type:...
WP TripAdvisor Review Slider < 11.9 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to Get TripAdvisor Reviews optio...
Popup Builder < 4.2.3 - Unauthenticated Stored XSS
Description The plugin does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. 1. Create a popup using the plugin. 2. Run the following curl command, switching $POPUPID with that popup's ID: curl --url...