14602 matches found
WP Chat App < 3.4.5 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Ultimate Addons for WPBakery < 3.19.18 - Cross-Site Request Forgery
Description The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.19.17. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform...
Sayfa Sayaç <= 2.6 - Unauthenticated SQL Injection
Description The Sayfa Sayaç plugin for WordPress is vulnerable to SQL Injection via the in versions up to, and including, 2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated...
E2Pdf < 1.20.26 - Admin+ Arbitrary File Upload
Description The plugin does not properly validate upload files via the importaction function, allowing users having access to the plugin by default admin to upload arbitrary files...
Google Calendar Events < 3.2.8 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Contact Form Email < 1.3.42 - Captcha Bypass
Description The Contact Form Email plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.3.41. This makes it possible for unauthenticated attackers to bypass the Captcha Verification...
ProfilePress < 4.13.2 Cross-Site Request Forgery via 'admin_notice'
Description The ProfilePress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.13.1. This is due to missing or incorrect nonce validation on the 'adminnotice' function. This makes it possible for unauthenticated attackers to dismiss admin notices...
Popup by Supsystic < 1.10.20 - Missing Authorization to Sensitive Information Exposure
Description The Popup by Supsystic plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.10.19 via the getWpCsvList action. This makes it possible for authenticated attackers with subscriber level access or higher to extract sensitive data...
WoodMart < 7.2.5 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WCFM Marketplace < 3.4.12 - Subscriber+ Unauthorised AJAX Calls
The plugin does not have authorisation in various AJAX actions, allowing any authenticated users, such as subscriber to call them and modify shipping method details/products, delete arbitrary posts, as well as lead to privilege escalation...
All in One SEO Pack < 4.3.0 - Contributor+ Stored XSS
The plugin does not sanitise and escape multiple parameters, which could allow users with a role as low as contributor to perform Stored XSS attacks...
Cloak Front End Email < 1.9.2 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC email name='" onmouseover="alert1"...
Hide My WP < 6.2.9 - Unauthenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. PoC curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For:...
User Post Gallery <= 2.19 - Unauthenticated RCE
The plugin does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it. PoC Invoke the following curl command to execute the "id" command via PHP's exec function: curl -i...
Table of Contents Plus < 2212 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC toc...
Videojs HTML5 Player < 1.1.9 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the following shortcode in a page/post videojsvideo...
WP OAuth2 Server <= 1.0.1 - Authentication Bypass
The plugin does not properly check for authentication, which could allow attackers to bypass it...
Feed Them Social < 2.9.8.6 - Unauthenticated PHAR Deserialisation
The plugin does not validate the ftsurl parameter, which could lead to PHAR deserialisation when an attacker manage to upload a malicious file and a suitable gadget chain is present...
uDraw < 3.3.3 - Unauthenticated Arbitrary File Access
The plugin does not validate the url parameter in its udrawconverturltobase64 AJAX action available to both unauthenticated and authenticated users before using it in the filegetcontents function and returning its content base64 encoded in the response. As a result, unauthenticated users could re...
Page Builder KingComposer <= 2.9.6 - Open Redirect
The plugin does not validate the id parameter before redirecting the user to it via the kcgetthumbn AJAX action available to both unauthenticated and authenticated users PoC https://example.com/wp-admin/admin-ajax.php?action=kcgetthumbn=https://wpscan.com...
Popup | Custom Popup Builder < 1.3.1 - Unauthenticated Denial of Service
The plugin autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the blog PoC 1 Create a popup as admin and access the popup page as unauthenticated 2 Send data on the form and interce...
All In One SEO < 4.1.5.3 - Authenticated Privilege Escalation
The plugin is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like...
WordPress Contact Forms by Cimatti < 1.4.12 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. PoC 1. go to Forms. 2. go to Add New Form 3. In th title put 4. Save...
Request a Quote < 2.3.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfilteredhtml capability is disallowed. PoC As admin, put the below payloads in the related vulnerable field/s and save them the...
3D Cover Carousel <= 1.0 - Reflected Cross-Site Scripting
Description The plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the /cover-carousel.php file which allows attackers to inject arbitrary web scripts...
Astra Pro Addon < 3.5.2 - Unauthenticated SQL Injection
The plugin did not properly sanitise or escape some of the POST parameters from the astrapaginationinfinite and astrashoppaginationinfinite AJAX action available to both unauthenticated and authenticated user before using them in SQL statement, leading to an SQL Injection issues PoC Via...
Select All Categories and Taxonomies < 1.3.2 - Reflected Cross-Site Scripting (XSS)
The settings page of the plugin did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/options-general.php?page=moove-taxonomy-settings=" onMouseOver="alert1;...
Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User
Low privileged users could use the AJAX action "cppluginsdobuttonjoblatercallback" from multiple plugins of the WP-Buy vendor, to install any plugin including a specific version from the WordPress repository, which helps attackers install vulnerable plugins and could lead to more critical...
WP Smart Import < 1.0.1 - Auhenticated Server-side Request Forgery
The plugin is affected by an authenticated server-side request forgery SSRF vulnerability in versions before 1.0.1...
WordPress < 5.4.2 - Authenticated XSS in Block Editor
Description Props to Sam Thomas jazzy2fives for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor...
LearnPress < 3.2.6.9 - Privilege Escalation to "LP Instructor"
The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The "LP Instructor" role grants the "unfilteredhtml" capability, allowing an escalated user to insert posts containing...
Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
Malicious eval is being inserted into the wpoptions table, in the optionname: socialwafaresettings, in the Twitter field. When the plugin is active, it causes the site to issue a JavaScript redirect to porn sites. Deactivating the plugin disables the redirect, but the malicious eval is still in t...
Plainview Activity Monitor <= 20161228 - Remote Command Execution (RCE)
The Plainview Activity Monitor WordPress plugin was affected by a Remote Command Execution RCE security vulnerability...
Booking Calendar <= 2.1.7 - Authenticated Stored XSS & CSRF
The Booking calendar, Appointment Booking System WordPress plugin was affected by an Authenticated Stored XSS & CSRF security vulnerability...
Newspaper Theme 6.4–6.7.1 - Privilege Escalation
Description The Newspaper WordPress theme was affected by a Privilege Escalation security vulnerability...
WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
...
YITH WooCommerce Compare <= 2.0.9 - Unauthenticated PHP Object injection
The YITH WooCommerce Compare WordPress plugin was affected by an Unauthenticated PHP Object injection security vulnerability...
Gwolle Guestbook <= 1.5.3 - Remote File Inclusion (RFI)
The Gwolle Guestbook WordPress plugin was affected by a Remote File Inclusion RFI security vulnerability...
WordPress <= 4.3 - Publish Post & Mark as Sticky Permission Issue
...
XCloner - Backup and Restore 3.1.2 - XSS & Command Execution
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin was affected by a Backup and Restore 3.1.2 - XSS & Command Execution security vulnerability...
WordPress Slider Revolution Shell Upload
Description Note: The Construct, Echelon, Fusion, Method, Modular and Myriad affected themes are from the Mysitemyway, who went out of business, and the themes have been forked by BackStop Themes who does not use Revslider...
WPML <= 3.1.7.2 - Multiple Vulnerabilities (Including SQLi)
The sitepress-multilingual-cms WordPress plugin was affected by a Multiple Vulnerabilities Including SQLi security vulnerability...
Import any XML or CSV File to WordPress <= 3.2.3 - RCE
WP All Import does not properly verify that a user has permission to execute functions. Coupled with an interesting method that allows arbitrary functions in specific objects to be called allows this to be leveraged in many ways...
WP Symposium <= 14.11 - Unauthenticated Shell Upload
The wp-symposium WordPress plugin was affected by an Unauthenticated Shell Upload security vulnerability...
WP Symposium <= 14.10 - XSS & SQL Injection
The wp-symposium WordPress plugin was affected by a XSS & SQL Injection security vulnerability...
WordPress Slider Revolution - Local File Disclosure
Description Note: The Construct, Echelon, Fusion, Method, Modular and Myriad affected themes are from the Mysitemyway, who went out of business, and the themes have been forked by BackStop Themes who does not use Revslider...
Magazine Basic - wp-content/themes/magazine-basic/view_artist.php id Parameter SQL Injection
The Magazine Basic WordPress theme was affected by a wp-content/themes/magazine-basic/viewartist.php id Parameter SQL Injection security vulnerability...
WordPress 1.5 wp-trackback.php tb_id Parameter SQL Injection
...
Smart Recent Posts Widget <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The Smart Recent Posts Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Poll Maker <= 3.4 - Authenticated (Subscriber+) Arbitrary File Upload
Description The WP Poll Maker – Best WordPress Poll Plugin for Voting Contest plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level acces...