14602 matches found
Adserve 0.2 - adclick.php SQL Injection Exploit
The wp-adserve WordPress plugin was affected by an adclick.php SQL Injection Exploit security vulnerability...
Multiple BestWebSoft Plugins - Authenticated Cross-Site Scripting (XSS)
PoC http://www.example.com/wp-admin/admin.php?page=bwspanel=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%2842%29%3C%2Fscript%3E...
WordPress Uninstall <= 1.1 - WordPress Deletion via CSRF
Any registered user can delete all WordPress database tables and files. PoC This request makes it possible: http://wp.dev/wp-admin/admin-ajax.php?action=uninstall...
WP < 6.2.1 - Directory Traversal via Translation Files
Description WordPress is affected by a directory traversal via the wplang parameter, which could allow attacker to load arbitrary translation files...
Launcher: Coming Soon & Maintenance Mode <= 1.0.10 - Multiple Stored XSS
The Launcher: Coming Soon & Maintenance Mode WordPress plugin was affected by a Multiple Stored XSS security vulnerability...
WordPress < 6.4.3 - Admin+ PHP File Upload
Description WordPress allows high privileged users Admin / Super Admin on Mulsitite to upload PHP files directly via the plugin/theme upload feature. Note: Such issue is only a concern on hardened blogs where such users are not allowed to install plugins/themes...
WP < 6.0.2 - SQLi via Link API
Description The getbookmarks function does not validate and escape a parameter before using it in a SQL statement, which could lead to SQL injection when user input is passed to it directly or via wplistbookmarks for example...
WordPress < 6.4.3 - Deserialization of Untrusted Data
Description WordPress does not sanitizes options when installing and upgrading itself before serializing them, which could allow high privileged users such as admin to perform PHP Object Injection attack...
Revolution Slider <= 6.6.12 - Author+ Remote Code Execution
The plugin does not check for valid image files upon import, leading to an arbitrary file upload which may be escalated to Remote Code Execution in some server configurations. By default, the import functionality is only available to Admin users. However, the plugin may be configured to allow...
WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
Description WordPress does not properly escape the "file" attribute in the "Template Part block" allowing high-privileged users to perform Path Traversal on Windows servers, leading to arbitrary File Reads...
WP Rocket <= 2.10.3 - Local File Inclusion (LFI)
Requires older versions of PHP that are vulnerable to null byte injection...
ProfilePress < 3.1.11 - Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget
The plugin's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $POST as $GET which meant that in some cases this could be replicated with just $GET parameters and no need...
WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8
Description A user with the ability to upload files like an Author can exploit an XML parsing issue in the Media Library leading to XXE attacks. WordPress used an audio parsing library called ID3 that was affected by an XML External Entity XXE vulnerability affecting PHP versions 8 and above. Thi...
WP < 6.2.2 - Shortcode Execution in User Generated Data
Description WordPress allows shortcode to be executed in user generated data via block themes, which could allow unauthenticated users to execute shortcode via comments for instance...
WordPress 5.4 to 5.8 - Data Exposure via REST API
Description On September 9, 2021 WordPress version 5.8.1 was released fixing three vulnerabilities. The official blog post states: "Props @mdawaffe, member of the WordPress Security Team for their work fixing a data exposure vulnerability within the REST API."...
tiny-url <= 1.3.2 - XSS in ZeroClipboard
The Tiny URL WordPress plugin was affected by a XSS in ZeroClipboard security vulnerability...
WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
Description WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden. PoC...
WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
Description The Latest Posts block in the WordPress editor can be exploited in a way that exposes password-protected posts and pages via the posts REST API when the "edit" context was used. This requires at least contributor privileges. PoC 1. As one user, create a new password protected post...
WP < 6.0.3 - Email Address Disclosure via wp-mail.php
Description WordPress discloses the sender's email address via wp-mail.php...
Sitemap < 4.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC pagelist...
Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
The Akismet WordPress plugin, between versions 2.5.0 and 3.1.4, was found to be affected by an Unauthenticated Stored Cross-Site Scripting XSS vulnerability...
WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
Description WordPress versions 3.7 to 5.7.1 were using a vulnerable version of the PHPMailer library, which was affected by a PHP Object Injection vulnerability through Phar Deserialization via addAttachment with a UNC pathname. To fix the vulnerability the PHPMailer library was updated from...
WP < 6.0.3 - SQLi in WP_Date_Query
Description WP does not properly sanitize the relation passed to WPDateQuery, which could lead to SQL injection...
WooCommerce < 7.9 - Unauthenticated Sensitive Information Disclosure
Description The plugin does not properly apply CORS on some of its API endpoints, allowing attackers to leak customers PII information...
Smush < 3.9.9 - Admin+ Reflected Cross-Site Scripting
The plugin does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious...
WordPress < 5.4.1 - Unauthenticated Users View Private Posts
Description This could have allowed unauthenticated users to view private posts by manipulating time and date queries...
WP < 6.0.3 - CSRF in wp-trackback.php
Description There is no CSRF check in the wp-trackback.php which could allow attackers to make user perform unwanted actions via a CSRF attack...
Contact Form 7 < 5.9.2 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators. PoC...
WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
Description WordPress does not properly escape URL attributes in the HTML API, allowing high-privileged users to perform Stored Cross-Site Scripting XSS attacks...
WordPress < 5.8 - Plugin Confusion
Description WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.o...
WordPress < 5.5.2 - XML-RPC Privilege Escalation
Description The release notes state: "Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC."...
WordPress < 5.8.3 - Super Admin Object Injection in Multisites
Description On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection...
WordPress < 5.4.2 - Disclosure of Password-Protected Page/Post Comments
Description Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions...
NOSpamPTI 2.1 - wp-comments-post.php comment_post_ID Parameter SQL Injection
The nospampti WordPress plugin was affected by a wp-comments-post.php commentpostID Parameter SQL Injection security vulnerability...
Contact Form 7 < 5.3.2 - Unrestricted File Upload
The popular WordPress plugin, Contact Form 7 was found to be vulnerable to Unrestricted File Upload. PoC Append a unicode special character from U+0000 null to U+001F us to a filename and upload it via the ContactForm7 upload feature...
WP < 6.2.1 - Contributor+ Content Injection
Description WordPress does not properly sanitise block attributes, which could allow users with a role of Contributor and above to perform content injection in comments on blog using a theme compatible with a block editor...
WordPress < 5.5.2 - Unauthenticated DoS Attack to RCE
Description The release notes state: "Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE." The attack consisted of creating a DoS condition on the MySQL database, which would make WordPress think that it has not been installed, presenting the installation wizard. The...
WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package
Description The @wordpress/url package used in WordPress and the Gutenberg plugin is affected by a Prototype Pollution issue...
WP < 6.2.1 - Thumbnail Image Update via CSRF
Description WordPress does not have CSRF check when updating the thumbnail image associated with existing attachments, which could allow attackers to make logged in admins update them via a CSRF attack...
WordPress < 5.8.3 - SQL Injection via WP_Query
Description Due to improper sanitization in WPQuery, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way...
WP 5.6-6.3.1 - Reflected XSS via Application Password Requests
Description WordPress does not sanitise and escape the successurl and rejecturl parameters before outputting it back in the page when requesting application passwords, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
LayerSlider <= 6.2.0 - CSRF / Authenticated Stored XSS & SQL Injection
The LayerSlider WordPress plugin was affected by a CSRF / Authenticated Stored XSS & SQL Injection security vulnerability...
WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
Description The REST Terms/Tags Endpoint does not have proper authorisation in place, which could allow unauthorised users to access sensitive information...
WP < 6.5.2 - Unauthenticated Stored XSS
Description WordPress does not escape the Author name of its Avatar block when some settings are enabled, leading to Stored Cross-Site Scripting. In a default setup, contributor and above users could perform such attack. However, if the blog is using the mentioned settings in the comment template...
BookingPress < 1.0.11 - Unauthenticated SQL Injection
The plugin fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpressfrontgetcategoryservices AJAX action available to unauthenticated users, leading to an unauthenticated SQL Injection PoC - Create a new "category" and...
All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic < 4.6.1.1 - Contributor+ Stored Cross-Site Scripting via Shortcode
Description The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes insufficient input sanitization and output escaping on user supplied attributes. This makes it...
WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
Description When a user requested a password reset link, but did not use it and instead reset their password by logging in, the password reset link would still be usable. This could give an attacker a larger attack window to obtain the password reset link. However, the attacker must first have...
Zebra_Form Library <= 2.9.8 - Reflected Cross-Site Scripting (XSS)
The ZebraForm PHP library v2.9.8 latest and below, used by some WordPress plugins, is affected by reflected Cross-Site Scripting issues in its process.php file. There is currently no patch available and the removal of this library is recommended. PoC Via $GET'form': Via $GET'control': POST...
WP OAuth Server ( Login with WordPress ) < 4.0.1 - Authentication Bypass
The plugin is affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the client’s...
Lightweight Accordion < 1.5.15 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Exploit Additional CSS classes for "Lightweight...