14602 matches found
WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
Description The function wptargetedlinkrel can be used in a particular way to result in a Stored Cross-Site Scripting XSS vulnerability. PoC This is a PoC for a Stored XSS...
WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
Description WordPress users with lower privileges like contributors can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticate...
GiveWp < 2.5.5 - Authentication Bypass
The weakness allowed unauthenticated users to bypass API authentication methods and potentially access personally identifiable user information PII like names, addresses, IP addresses, and email addresses which should not be publicly accessible...
NextGEN Gallery < 2.0.77.3 - CSRF & Arbitrary File Upload
There are two vulnerabilities which can allow an attacker to gain full access over the web application. The vulnerabilities lie in how the application validates user uploaded files and lack of security measures preventing unwanted HTTP requests...
allure-real-estate-theme-for-placester <= 0.1.1 - XSS in ZeroClipboard.swf
The Allure Real Estate Theme for Placester WordPress theme was affected by a XSS in ZeroClipboard.swf security vulnerability...
java-trackback <= 0.2 - XSS in ZeroClipboard
The java-trackback WordPress plugin was affected by a XSS in ZeroClipboard security vulnerability...
Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Author+ Upload to RCE
Description The plugin is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files PoC Note: This must be tested on a web server running Apache 1 Create a new post 2 Add e-Learning block to the post and upload...
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor < 2.8.3 - Unauthenticated SQL Injection
Description The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied...
popup-builder < 4.2.6 - Admin+ SSRF & File Read
Description The plugin does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations. PoC 1. Create a multi-site wordpress setup, i.e. using docker-containers, and setup a second "site"...
Essential Blocks < 4.4.3 - Unauthenticated Local File Inclusion
Description The plugin does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks. PoC curl --url...
PowerPack Pro for Elementor < 2.9.24 - Reflected Cross-Site Scripting
Description The PowerPack Pro for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.9.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...
JetElements For Elementor < 2.6.13.1 - Missing Authorization to Unauthenticated Arbitrary Attachment Download
Description The JetElements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on an unknown function in all versions up to, and including, 2.6.13. This makes it possible for unauthenticated attackers to download arbitrary attachments...
Booster for WooCommerce < 7.1.2 - Authenticated (Subscriber+) Information Disclosure via Shortcode
Description The Booster for WooCommerce for WordPress is vulnerable to Information Disclosure via the 'wcjgetoption' shortcode in versions up to, and including, 7.1.1 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers,...
UserPro < 5.1.2 - Insecure Password Reset Mechanism
Description The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 5.1.1. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function userproprocessform. The function uses...
UserPro < 5.1.5 - Authenticated (Subscriber+) Privilege Escalation
Description The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userproupdateuserprofile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber,...
WooCommerce < 8.1.1 - Shop Manager+ User Metadata Disclosure
Description The plugin returns all user metadata via an AJAX action, which could allow users with a role as low as Shop Manager to access an arbitrary user's metadata which could include tokens and other potentially sensitive data PoC As a shop manager or product vendor admin: Edit an order/creat...
FluentSMTP < 2.2.5 - Unauthenticated Stored Cross-Site Scripting
The plugin does not adequately sanitize and escape input in the email subject, making it possible to inject arbitrary web scripts that execute when a user accesses the affected page...
Metform Elementor Contact Form Builder < 3.3.2 - Unauthenticated Permalink Structure Update
The plugin does not properly implement capability checks on the permalinksetup function, leading to unauthorized permalink structure updates...
LiteSpeed Cache <= 5.3 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
BackupBuddy < 8.8.3 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters before outputting them back in various places, leading to Reflected Cross-Site Scripting PoC Make a logged in admin/SA open one of the URL below: v -...
Bootstrap Shortcodes <= 3.4.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a Contributor+ create a new post and...
Html5 Audio Player < 2.1.12 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC h5apinlineplayer src="invalid'...
Checkout Field Editor for WooCommerce < 1.8.0 - Admin+ PHP Object Injection
The plugin unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present PoC To simulate a gadget chain, put the following code in a plugin class Evil public function wakeup : void...
WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
Description There is a lack of escaping of the meta keys and values in themeta function, which could lead to Cross-Site Scripting issue...
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS
The plugin uses the wrong content type for, and does not properly escape the response from the ai1wmexport action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session. Po...
Duplicator < 1.4.7.1 - Unauthenticated System Information Disclosure
The plugin does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. PoC 1. curl 'http://example.com/wp-content/backups-dup-lite/dup-installer/main.installer.php?view=1' 2. curl -d view...
Google Tag Manager for WordPress < 1.15.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the s parameter before outputting it back in a page when the search data is included in the data layer related settings is Basic data Search data...
Tatsu < 3.3.12 - Unauthenticated RCE
The plugin addcustomfont action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover,...
MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation
The plugin does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin PoC The nonce value of the stmlmsregister request must be retrieved from the ajax page. for this you should check the home page POST...
Conversios.io < 4.6.2 - Subscriber+ SQL Injection
The plugin does not sanitise, validate and escape the syncprogressivedata parameter for the tvcajaxproductsyncbantchwise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks. Note: The vendor was notified multiple times since November 6t...
WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
Description An unprivileged user could make a post sticky via the REST API. Authenticated users who do not have the rights to publish a post were able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass...
WordPress 3.7-4.9.4 - Use Safe Redirect for Login
Description Use safe redirects when redirecting the login page if SSL is forced...
WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
Description A cross-site scripting XSS vulnerability was discovered in the visual editor. Reported by Rodolfo Assis @brutelogic of Sucuri Security...
Download Manager < 3.2.83 - Unauthenticated Protected File Download Password Leak
Description The plugin does not protect file download's passwords, leaking it upon receiving an invalid one. PoC 223 being the ID of a password protected download: curl -X POST --data 'wpdmID=223=json=wpdmgetlink=wpdmajaxcall=123322' https://example.com/wp-json/wpdm/validate-password The response...
Elements kit Elementor addons < 2.9.2 - Missing Authorization
Description The plugin is vulnerable to unauthorized admin notice dismissal due to a missing capability check on the dismissajaxcall function, making it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices intended for admins...
ProductX – Gutenberg WooCommerce Blocks < 3.0.0 - Missing Authorization via option_data_save
Description The ProductX – Gutenberg WooCommerce Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the optiondatasave function in versions up to, and including, 2.7.8. This makes it possible for authenticated attackers, with...
Tilda Publishing <= 0.3.21 - Missing Authorization
Description The Tilda Publishing plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on several functions hooked via AJAX actions such as 'ajaxexportfile,' 'ajaxsync,' 'ajaxgetkeys,' 'ajaxswitcherstatus,' and more in versions ...
WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute
Description The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a featured image 'alt' attribute in versions up to, and including, 8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation
The plugin does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog. PoC To set the us...
WooCommerce Product Vendors < 2.1.79 - ShopManager+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as ShopManager PoC As ShopManager, open the URL below...
WPCode Lite < 2.0.9 - Arbitrary Log File Deletion via CSRF
The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcodeactivatesnippets capability delete arbitrary log files on the server, including outside of the blog folders PoC Ma...
NextGEN Gallery < 3.29 - Thumbnail Deletion via CSRF
The plugin does not have CSRF checks when deleting Thumbnail, which could allow attackers to make logged in users with the editPost capability to perform such action via a CSRF attack...
Wicked Folders < 2.18.17 - Subscriber+ Folder Structure Update
The plugin does not have authorisation check when managing its folder structure such as moving, deleting, creating etc folders, which could allow any authenticated users, such as subscriber to perform such actions...
MonsterInsights < 8.9.1 - Stored Cross-Site Scripting via Google Analytics
The plugin does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics. PoC 1. Open a WP page with the plugin and Google analytics installed and search for...
Carousel, Slider, Gallery by WP Carousel < 2.5.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
Newspaper < 12 - Reflected Cross-Site Scripting
Description The theme does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting PoC Affected parameter: acts.tdatts.imagesize...
Coming Soon - Under Construction <= 1.2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC As admin, put the following payload in the "More text information" settings of the plugin: The XSS will be...
Pie Register < 3.7.1.6 - Unauthenticated Arbitrary Login
The plugin has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username PoC /pie-register-login/ is the login page of the plugin, ie the one with pieregisterlogin v 3.7.1.5 POST /pie-register-login/...
EditorsKit < 1.31.6 - Contributor+ Arbitrary PHP Code Execution
The plugin does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code PoC As a contributor, create/edit a post and put the below code while in Code Editor mode: \n aa \n Save or Preview the...
wpForo Forum < 1.9.7 - Open Redirect
The plugin did not validate the redirectto parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website under their control and being a replica of the legitimat...