wpexploit: recent entries

4359 matches found
wpexploit • added 2024/01/03 12:00 a.m. • 142 views

WordPress Toolbar <= 2.2.6 - Open Redirect

Description: The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action...

CVSS 6.1 | AI score 6.8 | EPSS 0.25679
Exploits: 2 | References: 1
wpexploit • added 2024/01/03 12:00 a.m. • 169 views

Custom User CSS <= 0.2 - Settings Update via CSRF

Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Create an HTML form with the following content and make a logged in admin open it: document.forms0.submit;...

CVSS 8.8 | AI score 6.7 | EPSS 0.00349
Exploits: 2 | References: 1
wpexploit • added 2024/01/02 12:00 a.m. • 187 views

Autotitle for WordPress <= 1.0.3 - Settings Update to Stored XSS via CSRF

Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. document.forms0.submit;...

CVSS 8.8 | AI score 6.7 | EPSS 0.00346
Exploits: 2 | References: 1
wpexploit • added 2024/01/01 12:00 a.m. • 134 views

Meris <= 1.1.2 - Reflected XSS

Description: The theme does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. alert/XSS-areaname/" / alert/XSS-num/' /...

CVSS 6.1 | AI score 8.7 | EPSS 0.00331
Exploits: 1
wpexploit • added 2023/12/29 12:00 a.m. • 179 views

EventPrime < 3.3.6 - Unauthenticated Event Access

Description: The plugin lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name. 1. Create a password-protected event or a private event, then publish it. 2. Access the URL on a private...

CVSS 5.3 | AI score 7.3 | EPSS 0.00564
Exploits: 2
wpexploit • added 2023/12/29 12:00 a.m. • 161 views

WP All Import < 3.7.3 - Admin+ Arbitrary File Upload to RCE

Description: The plugin accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type. This may allow high privilege users such as administrators to upload an executable file type, leading to remote code...

CVSS 7.2 | AI score 7.2 | EPSS 0.01231
Exploits: 2
wpexploit • added 2023/12/29 12:00 a.m. • 172 views

WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR

Description: The plugin does not properly check for authorisation, allowing authors to delete and update arbitrary avatars. PoC request: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: yoursite User-Agent: Mozilla/5.0 X11; Linux aarch64; rv:102.0 Gecko/20100101 Firefox/102.0 Accept:...

CVSS 4.3 | AI score 9.6 | EPSS 0.00405
Exploits: 2 | References: 1
wpexploit • added 2023/12/29 12:00 a.m. • 219 views

EventON-RSVP < 2.9.5 - Reflected XSS

Description: The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open a page containing the code below "/...

CVSS 6.1 | AI score 6 | EPSS 0.0042
Exploits: 2
wpexploit • added 2023/12/28 12:00 a.m. • 182 views

Product Enquiry for WooCommerce < 3.1 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Form Customizer: 1. Navigate to...

CVSS 4.8 | AI score 5.7 | EPSS 0.00402
Exploits: 2
wpexploit • added 2023/12/28 12:00 a.m. • 161 views

Product Enquiry for WooCommerce < 3.1 - Arbitrary Enquiry Deletion via CSRF

Description: The plugin does not have a CSRF check in place when deleting enquiries, which could allow attackers to make a logged in admin delete them via a CSRF attack. 1. Make an enquiry from the frontend form. 2. Go to "Woo Quote Popup Enquiry List". 3. Get the ID of an item. 4. Add the ID to the...

CVSS 4.3 | AI score 6.7 | EPSS 0.00203
Exploits: 2
wpexploit • added 2023/12/26 12:00 a.m. • 169 views

WP SEO Press < 7.3 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1. Navigate to http://vulnerable-site.tld/wp-admin/admin.php?page=seopress-titles. 2. Input...

CVSS 4.8 | AI score 6 | EPSS 0.00402
Exploits: 2
wpexploit • added 2023/12/26 12:00 a.m. • 179 views

WP Review Slider < 13.0 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Add the payload "...

CVSS 4.8 | AI score 5.7 | EPSS 0.00336
Exploits: 1
wpexploit • added 2023/12/26 12:00 a.m. • 145 views

Colibri Page Builder < 1.0.240 - Contributor+ Stored XSS

Description: The plugin does not validate and escape some of its extendbuilderrenderjs shortcode content before outputting it back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 6.4 | AI score 8.3 | EPSS 0.00373
Exploits: 1 | References: 1
wpexploit • added 2023/12/25 12:00 a.m. • 167 views

Estatik Real Estate Plugin < 4.1.1 - Unauthenticated PHP Object Injection

Description: The plugin unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog. To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup :...

CVSS 9.8 | AI score 7.2 | EPSS 0.00926
Exploits: 2
wpexploit • added 2023/12/25 12:00 a.m. • 189 views

Estatik Real Estate Plugin < 4.1.1 - Reflected XSS

Description: The plugin does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open one of the URLs below some...

CVSS 6.1 | AI score 6 | EPSS 0.0042
Exploits: 2
wpexploit • added 2023/12/25 12:00 a.m. • 169 views

Estatik Real Estate Plugin < 4.1.1 - Subscriber+ Arbitrary Option Update

Description: The plugin does not prevent users with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset. Run the below command in the developer console of the web browser while...

CVSS 6.5 | AI score 6.7 | EPSS 0.0061
Exploits: 2
wpexploit • added 2023/12/22 12:00 a.m. • 167 views

WP Crowdfunding < 2.1.10 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Affected settings: - Crowdfunding...

CVSS 4.8 | AI score 5.7 | EPSS 0.00402
Exploits: 2
wpexploit • added 2023/12/22 12:00 a.m. • 167 views

easy.jobs < 2.4.7 - Subscriber+ Arbitrary Settings Update

Description: The plugin does not properly secure some of its AJAX actions, allowing any logged-in user to modify its settings. fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "multipart/form-data; boundary=----WebKitFormBoundaryvEIqF0bdJXlPN58D", , "body":...

CVSS 4.3 | AI score 6.7 | EPSS 0.00405
Exploits: 2
wpexploit • added 2023/12/21 12:00 a.m. • 320 views

Post SMTP < 2.6.1 - Authenticated (Administrator+) SQL Injection

Description: The Post SMTP plugin for WordPress is vulnerable to time-based SQL Injection via the logid parameter in versions up to, and including, 2.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

AI score 7.7
Exploits: 0 | References: 1
wpexploit • added 2023/12/21 12:00 a.m. • 170 views

WP Custom Widget Area <= 1.2.5 - Subscriber+ Menus Creation/Deletion/Update

Description: The plugin does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site. Log in as a subscriber, and paste any of the following fetch calls in your...

CVSS 4.3 | AI score 6.7 | EPSS 0.00389
Exploits: 2
wpexploit • added 2023/12/21 12:00 a.m. • 185 views

JSM file_get_contents() Shortcode < 2.7.1 - Contributor+ SSRF

Description: The plugin does not validate one of its shortcode's parameters before making a request to it, which could allow users with the contributor role and above to perform SSRF attacks. wpfgc url="http://127.0.0.1:8084"...

CVSS 8.8 | AI score 6.8 | EPSS 0.00694
Exploits: 2
wpexploit • added 2023/12/21 12:00 a.m. • 172 views

DeMomentSomTres WordPress Export Posts With Images <= 20220825 - Subscriber+ Unauthorized Data Export

Description: The plugin does not check authorization of requests to export the blog data, allowing any logged in user, such as a subscriber, to export the contents of the blog, including restricted and unpublished posts, as well as the passwords of protected posts...

CVSS 8.1 | AI score 6.7 | EPSS 0.00579
Exploits: 2
wpexploit • added 2023/12/21 12:00 a.m. • 194 views

EazyDocs < 2.3.6 - Subscriber+ Arbitrary Posts Deletion and Document Management

Description: The plugin does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing any authenticated user, such as a subscriber, to delete arbitrary posts, as well as add and delete documents/sections. 1. Install the...

CVSS 7.5 | AI score 6.8 | EPSS 0.00248
Exploits: 3
wpexploit • added 2023/12/21 12:00 a.m. • 263 views

Essential Blocks < 4.4.3 - Unauthenticated Local File Inclusion

Description: The plugin does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks. curl --url...

CVSS 9.8 | AI score 6.7 | EPSS 0.50673
Exploits: 2 | References: 1
wpexploit • added 2023/12/21 12:00 a.m. • 171 views

Post SMTP < 2.8.7 - Reflected Cross-Site Scripting

Description: The plugin does not sanitise and escape the msg parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open the following URL:...

CVSS 6.1 | AI score 6 | EPSS 0.00401
Exploits: 2
wpexploit • added 2023/12/21 12:00 a.m. • 133 views

Keap Official Opt-in Forms <= 1.0.11 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). 1. Store the script in non-sanitized...

CVSS 4.8 | AI score 5.6 | EPSS 0.00402
Exploits: 2
wpexploit • added 2023/12/21 12:00 a.m. • 196 views

Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. 1. Create a new opt-in form. 2. Edit the form, and add a "First name" field. 3. Update the form...

CVSS 4.8 | AI score 4.8 | EPSS 0.00402
Exploits: 2
wpexploit • added 2023/12/21 12:00 a.m. • 500 views

Post SMTP < 2.8.7 - Admin+ SQL Injection

Description: The plugin does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin. In the ps-delete-email-logs action: Visit the Post SMTP Email Log page and run the following code in the...

CVSS 7.2 | AI score 7.3 | EPSS 0.14169
Exploits: 2
wpexploit • added 2023/12/18 12:00 a.m. • 167 views

Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update

Description: The plugin does not apply proper capability checks on its AJAX actions, which, among other things, allows attackers with a subscriber account to conduct Denial of Service attacks. 1. Log in and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2. Run the following in...

CVSS 6.5 | AI score 6.7 | EPSS 0.00609
Exploits: 2
wpexploit • added 2023/12/18 12:00 a.m. • 158 views

Clone < 2.4.3 - Unauthenticated Backup Download

Description: The plugin uses buffer files to store in-progress backup information, which is stored at a publicly accessible, statically defined file path. While a backup job is running, visitors can access one of the following files (it might take a couple of tries, as the timing needs to be right):...

CVSS 7.5 | AI score 6.7 | EPSS 0.01961
Exploits: 2 | References: 1
wpexploit • added 2023/12/18 12:00 a.m. • 312 views

WP Blogs' Planetarium <= 1.0 - Settings Update via CSRF

Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. document.forms0.submit;...

CVSS 8.8 | AI score 8.7 | EPSS 0.00348
Exploits: 2 | References: 1
wpexploit • added 2023/12/18 12:00 a.m. • 173 views

Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload

Description: The plugin does not prevent users with limited privileges on the site, like subscribers, from momentarily uploading malicious PHP files disguised as ZIP archives, which may lead to remote code execution. from io import BytesIO import requests import zipfile import sys import re if...

CVSS 8.8 | AI score 9.1 | EPSS 0.01095
Exploits: 2
wpexploit • added 2023/12/18 12:00 a.m. • 212 views

Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS

Description: The plugin does not apply proper capability checks on its AJAX actions, which, among other things, allows attackers with a subscriber account to conduct Stored XSS attacks. 1. Log in with a subscriber account, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2...

CVSS 5.4 | AI score 5.8 | EPSS 0.00403
Exploits: 2
wpexploit • added 2023/12/18 12:00 a.m. • 254 views

WP Custom Cursors <= 3.2 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). The PoC will be displayed on February...

CVSS 4.8 | AI score 6 | EPSS 0.00335
Exploits: 1
wpexploit • added 2023/12/16 12:00 a.m. • 312 views

CommentTweets <= 0.6 - Settings Update via CSRF

Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. HTMLFormElement.prototype.submit.call document.forms0 ;...

CVSS 8.8 | AI score 8.8 | EPSS 0.0032
Exploits: 1 | References: 1
wpexploit • added 2023/12/16 12:00 a.m. • 160 views

Getwid < 2.0.3 - Unauthenticated Arbitrary Email Sending to Admin

Description: Any unauthenticated user may send e-mail from the site with any title or content to the admin. fetch"http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=getwidsendmail", "headers": "content-type": "application/x-www-form-urlencoded", , "body": "datasubject=Urgent WordPress update neee...

CVSS 7.5 | AI score 6.8 | EPSS 0.00563
Exploits: 2
wpexploit • added 2023/12/15 12:00 a.m. • 221 views

Duplicator < 1.3.0 - Unauthenticated RCE

Description: The plugin does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be used to run arbitrary code on the server. Steps to Reproduce: Setup: Download WAMP with the following...

CVSS 9.8 | AI score 7 | EPSS 0.00916
Exploits: 2
wpexploit • added 2023/12/15 12:00 a.m. • 151 views

Email Subscription Popup < 1.2.20 - Reflected XSS

Description: The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged in admin open " /...

CVSS 6.1 | AI score 6 | EPSS 0.00442
Exploits: 2
wpexploit • added 2023/12/14 12:00 a.m. • 151 views

WP Crowdfunding < 2.1.9 - Reflected XSS

Description: The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 1. Add a "Campaign Search" widget to your site via Appearance Customise Widgets for...

CVSS 6.1 | AI score 6 | EPSS 0.0042
Exploits: 2
wpexploit • added 2023/12/14 12:00 a.m. • 127 views

WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS

Description: The plugin does not have authorisation and CSRF checks in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. v3.8.15 partially fixed the issue as the wrong capability chec...

CVSS 6.1 | AI score 6.9 | EPSS 0.00219
Exploits: 1
wpexploit • added 2023/12/14 12:00 a.m. • 932 views

Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE

Description: The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. 1. Make sure to configure the plugin so Authors can access its settings. 2. Create a new slider. 3. Save and export...

CVSS 8.8 | AI score 7.3 | EPSS 0.0137
Exploits: 2
wpexploit • added 2023/12/13 12:00 a.m. • 162 views

Debug Log Manager < 2.3.0 - Sensitive Logs Exposure

Description: The plugin contains a directory listing vulnerability, which allows the debug log to be downloaded without authorization, giving access to sensitive data. https://yoursite/wordpress/wp-content/uploads/debug-log-manager/...

CVSS 7.5 | AI score 6.7 | EPSS 0.00647
Exploits: 2 | References: 1
wpexploit • added 2023/12/13 12:00 a.m. • 332 views

Ovic Responsive WPBakery < 1.2.9 - Subscriber+ Option Update

Description: The plugin does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object...

CVSS 8.8 | AI score 8.9 | EPSS 0.0056
Exploits: 1
wpexploit • added 2023/12/12 12:00 a.m. • 321 views

Prime Mover < 1.9.3 - Directory Listing to Sensitive Data Exposure

Description: The plugin does not prevent directory listing in sensitive directories containing export files. http://127.0.0.1/wordpress/wp-content/uploads/prime-mover-export-files/1/ 0. Go to packages and create a new one if there is no backup yet. 1. Go to this URL manually. 2. Use Exploit...

CVSS 7.5 | AI score 6.7 | EPSS 0.39867
Exploits: 1 | References: 1
wpexploit • added 2023/12/12 12:00 a.m. • 278 views

WP Go Maps < 9.0.28 - Unauthenticated Stored XSS

Description: The plugin does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site. Run the following Python script, then visit https://vulnerable-site.tld/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&mapid=1...

CVSS 6.1 | AI score 6.7 | EPSS 0.00619
Exploits: 2 | References: 1
wpexploit • added 2023/12/12 12:00 a.m. • 239 views

Ni Purchase Order(PO) For WooCommerce <= 1.2.1 - Admin+ File Upload to Remote Code Execution

Description: The plugin does not validate logo and signature image files uploaded in the settings, allowing high privileged users to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell. 1. Create a malicious file exploit.php with the contents 2. Visit...

CVSS 7.2 | AI score 6.7 | EPSS 0.00876
Exploits: 2
wpexploit • added 2023/12/12 12:00 a.m. • 277 views

Backup Migration < 1.3.8 - Unauthenticated RCE

Description: The plugin is vulnerable to Remote Code Execution via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated...

CVSS 9.8 | AI score 10 | EPSS 0.97846
Exploits: 14 | References: 1
wpexploit • added 2023/12/11 12:00 a.m. • 341 views

Burst Statistics (Free < 1.5.0, Pro < 1.5.1) - Unauthenticated SQL Injection

Description: The plugins do not properly sanitise and escape the url parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user, such as subscribers. curl 'https://example.com/burst-statistics-endpoint.php' \ -H 'content-type:...

CVSS 9.8 | AI score 8 | EPSS 0.0069
Exploits: 1 | References: 1
wpexploit • added 2023/12/11 12:00 a.m. • 347 views

WP TripAdvisor Review Slider < 11.9 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Go to Get TripAdvisor Reviews optio...

CVSS 4.8 | AI score 5.7 | EPSS 0.00402
Exploits: 2
wpexploit • added 2023/12/11 12:00 a.m. • 517 views

Popup Builder < 4.2.3 - Unauthenticated Stored XSS

Description: The plugin does not prevent simple visitors from updating existing popups and injecting raw JavaScript into them, which could lead to Stored XSS attacks. 1. Create a popup using the plugin. 2. Run the following curl command, switching $POPUPID with that popup's ID: curl --url...

CVSS 6.1 | AI score 9 | EPSS 0.01999
Exploits: 4 | References: 1
Total number of security vulnerabilities: 4359