14602 matches found
Ecwid Ecommerce Shopping Cart < 6.12.5 - Cross-Site Request Forgery
Description The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.12.4. This is due to missing nonce validation on several functions hooked via AJAX in the /includes/class-ecwid-admin-storefront-page.php. This...
Events Addon for Elementor < 2.1.3 - Missing Authorization
Description The Events Addon for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the naeventsbwsettingssavefunc, naeventsbwtogglesubmitfunc, naeventsprosettingssavefunc, naeventsprotogglesubmitfunc and naeventsuwsettingssavefun...
Backup Migration < 1.4.0 - Unauthenticated Path Traversal to Arbitrary File Deletion
Description The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for unauthenticated...
Photo Gallery by 10Web < 1.8.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Widget
Description The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in versions up to, and including, 1.8.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...
10to8 Online Appointment Booking System < 1.1.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Qode Essential Addons < 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Description The Qode Essential Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the installplugin function in all versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with subscriber-level acce...
Mollie Payments for WooCommerce < 7.3.12 - Authenticated (Shop Manager+) Arbitrary File Upload
Description The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in one of its functions in all versions up to, and including, 7.3.11. This makes it possible for authenticated attackers, with Shop Manager access to...
Porto Theme - Functionality < 2.12.1 - Missing Authorization
Description The Porto Theme - Functionality plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown function in versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to perform an unauthorized...
Asgaros Forum < 2.7.1 - Unauthenticated Arbitrary File Upload
Description The plugin allows forum administrators, who may not be WordPress super-administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files e.g. .php, .phtml, potentially leading to remote code execution. PoC Any user who has the rights to modify t...
Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE. PoC Make sure you have Elementor installed and a page or post edited with Elementor. Here's the python script that will execute the...
Cab Grid < 1.6 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
Ultimate Addons for Contact Form 7 < 3.1.29 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Ensure Contact Form 7 is...
PrePost SEO <= 3.0 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add XSS payload to plugin's "Account API key" setting: ...
Snow Monkey Forms < 5.0.7 - Unauthenticated Path Traversal
The plugin does not validate file path, allowing unauthenticated users to upload files to arbitrary folders...
Transbank Webpay REST < 1.6.7 - Admin+ SQLi
The plugin does not properly sanitise and escape the orderby parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Store Locator WordPress < 1.4.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
Chained Quiz < 1.3.2.1 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ipf, emailf, dnf, pointsf and datef parameters before outputting them back in the chainedquizlist page, leading to a Reflected Cross-Site Scripting...
Blog2Social < 6.9.12 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi
The plugin does not sanitise and escape the month parameter before using it in a SQL statement via the getmonthlytimetable AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection PoC curl 'https://example.com/wp-admin/admin-ajax.php' --data...
WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE
The plugin allows users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution. PoC As a contributor or above, add...
WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type
The is vulnerable to SQL Injection due to insufficient escaping and parameterization of the currentpagetype parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information...
Popup Builder < 4.0.7 - Admin+ SQL Injection
The plugin does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection PoC...
Custom Dashboard & Login Page < 7.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Note: v6.9.5 made the settings only available to admin with the unfilteredhtml capability, however existing payloads were...
WOOF - Products Filter for WooCommerce < 1.2.6.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the woofredrawelements before outputing back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin-ajax.php?action=woofdrawproductsredrawelements=%3Cimg%20src%20onerror=alert/XSS/%3E...
SEO Redirection < 8.2 - Subscriber+ SQL Injection
The importFromRedirection AJAX action of the plugin, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading an SQL injection when the redirection plugin is also installed PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
WP Super Cache < 1.7.3 - Authenticated Remote Code Execution
The parameters $cachepath, $wpcachedebugip, $wpsupercachefrontpagetext, $cachescheduledtime, $cacheddirectpages used in the plugin settings result in RCE because they allow input of "$" and "\n". This is due to an incomplete fix of CVE-2021-24209. You can run the command directly to...
Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title
The plugin did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will view the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117 PoC...
OpenID Connect Generic Client 3.8.0-3.8.1 - Reflected Cross Site Scripting (XSS) via Login Error
The plugin did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration. PoC...
Process Steps Template Designer < 1.3 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin did not properly check its CSRF nonce in the FontAwesomeField.save method, which could allow attackers to make logged in users capable of editing posts change the Step Icon of arbitrary Process Steps. Due to the lack of sanitisation of the submitted Step icon value, it could also lead ...
WordPress < 5.4.2 - Authenticated XSS via Media Files
Description Props to Luigi – gubello.me for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files...
WPML < 4.3.7 - Authenticated Cross Site Request Forgery leading to Remote Code Execution
The sitepress-multilingual-cms WPML WordPress plugin before version 4.3.7 has CSRF due loose comparison, that leads to remote code execution...
Email Subscribers & Newsletters < 4.2.3 - Multiple Issues
- Unauthenticated File Download leading to Information Disclosure - Blind SQL Injection in INSERT statement - Insecure Permissions on Dashboard and Settings - CSRF on Settings - Send Test Emails from the Administrative Dashboard as an Authenticated User with a role of Subscriber and above -...
Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by a SQL Injection & XSS security vulnerability...
WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection
An endpoint of the API, which is exposed when the 'use cache plugin' setting is enabled by default disabled, is vulnerable to an unauthenticated blind SQLi issue. PoC time curl -X POST 'http://host/wp-json/wpstatistics/v1/hit' --data...
GoUrl Bitcoin Payment Gateway < 1.4.14 - Shell Upload
The GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership WordPress plugin was affected by a Shell Upload security vulnerability...
Coming Soon <= 1.1.18 - Authenticated Stored XSS & CSRF
The Coming Soon Page – Responsive Coming Soon & Maintenance Mode WordPress plugin was affected by an Authenticated Stored XSS & CSRF security vulnerability...
WordPress 2.9.2-4.8.1 - Open Redirect
Description An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman ysx...
WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
...
Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
Plugin is still affected and has been closed PoC http://example.com/wp-content/plugins/mail-masta/inc/campaign/countofsend.php?pl=/etc/passwd...
Custom Content Type Manager <= 0.9.8.5 - Remote Code Execution
CCTM plugin can be used by an administrator to achieve arbitrary PHP remote code execution...
WordPress <= 1.5.1.2 - XMLRPC SQL Injection
...
Photo Gallery <= 1.2.8 - Multiple Authenticated Reflected XSS
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by a Multiple Authenticated Reflected XSS security vulnerability. PoC /wp-admin/admin-ajax.php?action=addImages=700=550=jpg,jpeg,png,gif=bwgaddpreviewimageby=name";...
Photo Gallery <= 1.2.8 - Blind SQL Injection
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by a Blind SQL Injection security vulnerability...
Polylang 1.5.1 - User Description H&ling Stored XSS
The Polylang WordPress plugin was affected by an User Description H Stored XSS security vulnerability...
Login With Ajax - Cross-Site Scripting (XSS)
The Login With Ajax WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
WordPress <= 1.5.1.2 - XMLRPC Eval Injection
...
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels < 4.4.3 - Missing Authorization to Unauthenticated Settings Reset
Description The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wtpklistresetsettings function in all versions up to, and including, 4.4.2. This makes it...
Royal Elementor Addons and Templates < 1.3.88 - Multiple Cross-Site Request Forgery
Description The plugin is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.87. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform actions on the site via forged requests grant...
Avada < 7.11.2 - Author+ Arbitrary File Upload via Zip Extraction
Description The theme is vulnerable to arbitrary file uploads due to missing file type validation when extracting zip files in the 'processupload' and 'regenerateiconfiles' functions. This makes it possible for authenticated attackers with author permissions to upload arbitrary files on the...