14602 matches found
Autoptimize < 2.8.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues PoC Adds the following payloads in the API Key settings /wp-admin/options-general.php?page=aocritcss " -- PoC 1...
Discount Rules for WooCommerce < 2.2.1 - Multiple Authorization Bypass
On August 20th 2020 WebARX disclosed multiple vulnerabilities affecting the Discount Rules for WooCommerce WordPress plugin, which were patched in version 2.1.0 see references. Some time after, the Wordfence Threat Intelligence Team discovered several additional authorization bypass vulnerabiliti...
Data Tables Generator By Supsystic < 1.9.92 - Insecure Permissions on AJAX Actions
The Data Tables Generator by Supsystic WordPress plugin was affected by an Insecure Permissions on AJAX Actions security vulnerability...
Popup Builder < 3.64.1 - Multiple Issues
"One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. The other vulnerability allowed any logged-in user, even those with minimal permissions such as a subscriber, to export a list of...
All In One SEO Pack < 3.2.7 - Stored Cross-Site Scripting (XSS)
The All in One SEO Pack WordPress plugin was affected by a Stored Cross-Site Scripting XSS security vulnerability...
Woody Ad Snippets <= 2.2.4 - Multiple issues leading to RCE
Unauthenticated options import and unauthenticated stored XSS issues which could lead to Remote Code Execution...
Site Editor <= 1.1.1 - Local File Inclusion (LFI)
The site-editor WordPress plugin was affected by a Local File Inclusion LFI security vulnerability...
WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
...
WordPress <= 4.0 - CSRF in wp-login.php Password Reset
Description WordPress 4.0.1 adds a CSRF token called 'rpkey' to the password reset form on wp-login.php. Prior versions are vulnerable to CSRF...
WordPress <= 4.0 - Long Password Denial of Service (DoS)
...
Customify Site Library <= 0.0.9 - Unauthenticated Remote Code Execution
Description The Customify Site Library plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.0.9. This makes it possible for unauthenticated attackers to execute code on the server...
Molongui < 4.7.8 - Authenticated (Author+) Insecure Direct Object Reference
Description The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.7.7 due to missing validation on a user controlled key. This makes it possible for authenticated...
Essential Addons for Elementor < 5.9.14 - Unauthenticated Private/Draft Posts Access
Description The plugin is vulnerable to Sensitive Information Exposure via the loadmore function. This can allow unauthenticated attackers to extract sensitive data including private and draft posts...
Astra < 4.6.9 - Contributor+ Stored XSS
Description The theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in...
Ninja Tables < 5.0.7 - Contributor+ Table Data Access
Description The plugin is vulnerable to unauthorized access of data due to a missing capability check on the dragAndDropExport function. This makes it possible for authenticated attackers, with contributor-level access and above, to export table data...
All In One WP Security < 5.2.5 - Protection Bypass of Renamed Login Page via URL Encoding
Description The All-In-One Security AIOS – Security and Firewall plugin for WordPress is vulnerable to protection bypass on the login page in all versions up to and including 5.2.4. This makes it possible for unauthenticated attackers to visit the login page in cases where it has been renamed by...
AMP for WP – Accelerated Mobile Pages < 1.0.92.1 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode
Description The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.0.92 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
Enable Media Replace < 4.1.5 - Reflected Cross-Site Scripting
Description The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXELDEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers ...
Contact Form to Any API < 1.1.7 - Subscriber+ API Entry Record Deletion
Description The plugin does not have authorisation check when deleting CF7 API entry records, which could allow any authenticated users, such as subscriber to delete them...
Pre-Publish Checklist < 1.1.2 - Insecure Direct Object Reference to Arbitrary Post '_ppc_meta_key' Update
Description The Pre-Publish Checklist plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.1.1 via the ppcmetaboxajaxaddhandler and ppcmetaboxajaxdeletehandler functions due to missing validation on a user controlled key. This can allow...
Slider Revolution < 6.6.15 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to...
LiteSpeed Cache < 5.7 - Contributor+ Stored XSS
Description The plugin does not escape the cache attribute of its esi shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Simple Tooltips <= 2.1.4 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Bookly < 21.6 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks...
LearnPress Plugin < 4.2.0 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the order by parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
Chained Quiz < 1.3.2.3 - Admin+ Stored XSS
The plugin does not sanitise and escape its facebookappid and apikey settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload
The plugin allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations. PoC 1. Craft a custom zip...
Comment License < 1.4.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users PoC curl 'https://example.com/index.php?restroute=/xs-donate-form/payment-redirect/3' \ --data '"id": "SELECT 1 FROM...
Library File Manager < 5.2.3 - Subscriber+ Arbitrary File Creation/Upload/Deletion
The plugin is using an outdated version of the elFinder library, which is know to be affected by security issues CVE-2021-32682, and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, a...
Sync iCloud COS < 2.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the 本地文件夹 or URL前缀 settings of the plugin: " style=animation-name:rotation...
TI WooCommerce Wishlist < 1.40.1 - Unauthenticated Blind SQL Injection
The plugins do not sanitise and escape the itemid parameter before using it in a SQL statement via the wishlist/removeproduct REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks PoC time wget...
Noptin < 1.6.5 - Open Redirect
The plugin does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue PoC https://example.com/?noptinns=emailclick=https://wpscan.com...
GTranslate < 2.9.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the body parameter in the urladdon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCESALT and NONCEKEY PoC...
The Plus Addons for Elementor Pro < 5.0.7 - Unauthenticated SQL Injection
The "WP Search Filters" widget of the plugin does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection PoC The request requires a nonce created with wpcreatenonce"theplus-searchfilter” which can be retrieved from a page where the widge...
Simple JWT Login < 3.3.0 - Insecure Password Creation
The plugin can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the strshuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation...
MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple
The plugin had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address. PoC The plugin must have a valid purchase code for the request to work curl -X GET --header 'Content-Type: application/json' --header...
Login by Auth0 < 4.0.0 - Multiple Vulnerabilities
CVE-2020-5391 - CSRF controls missing for domain field CVE-2020-5392 - Stored XSS in Settings page CVE-2020-6753 - Stored XSS in multiple pages CVE-2020-7947 - CSV injection vulnerabilities CVE-2020-7948 - Insecure direct object reference...
Safe SVG <= 1.9.4 - Denial of Service
The Safe SVG WordPress plugin was affected by a Denial of Service security vulnerability...
Photo Gallery by 10Web <= 1.5.30 - SQL Injection
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by a SQL Injection security vulnerability...
Elementor Pro < 2.0.10 - XSS
The elementor-pro WordPress plugin was affected by a XSS security vulnerability...
Multi Step Form <= 1.2.5 - Multiple Unauthenticated Reflected XSS
WordPress Plugin Multi Step Form before 1.2.5 allows remote users to execute JavaScript code through Reflected XSS attacks. This issue can be exploited by unauthenticated attackers, by the use of CSRF, for example. PoC The following parameters are vulnerable in fwsenddata function: fwdataid1...
WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
...
Lightbox Plus <= 2.7.2 - CSRF to XSS
The lightbox-plus WordPress plugin was affected by a CSRF to XSS security vulnerability...
WP Super Cache <= 1.4.4 - PHP Object Injection
The WP Super Cache WordPress plugin was affected by a PHP Object Injection security vulnerability...
Post video players <= 1.136 - Authenticated Stored Cross-Site Scripting (XSS)
The Post video players, slideshow albums, photo galleries and music / podcast playlist WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS security vulnerability...
WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass
...
XCloner - Backup and Restore < 3.1.1 - Multiple Actions CSRF
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin was affected by a Backup and Restore 3.1.1 - Multiple Actions CSRF security vulnerability...
myGallery <= 1.4b4 - Unauthenticated File Inclusion
The MySliderGallery WordPress plugin was affected by an Unauthenticated File Inclusion security vulnerability. PoC This vulnerability has been seen exploited in the wild with the following payload:...
Pods < 3.1 - Contributor+ Remote Code Execution
Description The plugin is vulnerable to Remote Code Execution via shortcode, allowing authenticated attackers, with contributor level access or higher, to execute code on the server...