14602 matches found
Premmerce Product Filter for WooCommerce < 3.7.3 - Missing Authorization
Description The Premmerce Product Filter for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, t...
InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.23 - Unauthenticated Arbitrary File Upload
Description The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for...
WPvivid Backup and Migration < 0.9.69 - Unauthenticated SQLi & DoS
Description The plugin is vulnerable to unauthorized access due to a missing capability check on the getrestoreprogress and restore functions, allowing unauthenticated attackers to exploit a SQL injection vulnerability or trigger a DoS...
Currency Converter Widget < 3.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The Currency Converter Widget – Exchange Rates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...
JetEngine < 3.2.5 - Authenticated (Contributor+) Privilege Escalation
Description The JetEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.2.4. This is due to an unknown issue. This makes it possible for authenticated attackers, with contributor-level access and above, to gain elevated privileges...
MW WP Form < 5.0.2 - Unauthenticated Arbitrary File Upload
Description The plugin does not properly handle unauthorised files from being uploaded, only logging the issue without stopping the process, allowing unauthenticated users to upload arbitrary files to the server when the 'Saving inquiry data in database' settings is enabled in the plugin...
Astra Bulk Edit < 1.2.8 - Missing Authorization
Description The Astra Bulk Edit plugin for WordPress is vulnerable to unauthorized missing authorization due to a missing capability check on the savepostbulkedit function in versions up to, and including, 1.2.7. This makes it possible for attackers with contributor-level access or higher to bulk...
UserPro < 5.1.2 - Sensitive Information Disclosure via Shortcode
Description The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible fo...
UserPro < 5.1.2 - Authentication Bypass to Administrator
Description The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log ...
Garden Gnome Package < 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ggpkg' shortcode in all versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Autocomplete Location field Contact Form 7 < 3.0 - Admin+ Store Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "Contact Google Place API...
wordpress publish post email notification < 1.0.2.3 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Forminator < 1.25.0 - Unauthenticated Arbitrary File Upload
Description The plugin does not validate files to be uploaded before writing them on the server, allowing unauthenticated users to upload arbitrary files and lead to RCE...
what3words Address Field < 4.0.0 - Admin+ Sensitive Information Disclosure
Description A vulnerability has been found in what3words Autosuggest Plugin up to 4.0.0 on WordPress and classified as problematic. Affected by this vulnerability is the function enqueuescripts of the file w3w-autosuggest/public/class-w3w-autosuggest-public.php of the component Setting Handler. T...
Booking Calendar Contact Form < 1.2.41 - Unauthenticated Reflected Cross-Site Scripting
Description Unauth. Reflected Cross-Site Scripting XSS vulnerability in CodePeople Booking Calendar Contact Form plugin = 1.2.40 versions...
LMS by Masteriyo < 1.6.8 - Information Exposure
The plugin does not properly safeguards sensitive user information, like other user's email addresses, making it possible for any students to leak them via some of the plugin's REST API endpoints. PoC curl -i -s -k -X $'GET' \ -H $'Host: localhost:8000' -H $'sec-ch-ua: ' -H $'Accept:...
WooCommerce Stripe Payment Gateway < 7.4.1 - Unauthenticated PII Disclosure via IDOR
The plugin does not ensure that the order details to be displayed belongs to the user making the request, allows unauthenticated users to access sensitive information about the reorder details such as first/last names, email and address PoC As unauthenticated, see the source of...
Forminator < 1.24.1 - Unauthenticated Race Condition on poll vote
The plugin does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll. PoC 1. Create a poll and publish a page with a poll. 2. Visit the page with the...
WP ERP < 1.12.4 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the type parameter in the erp/v1/accounting/v1/people REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC Sign in as an admin. In WP Admin, run the following code i...
Premium Addons PRO < 2.8.25 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
GN Publisher < 1.5.6 - Reflected XSS
The plugin does not sanitise and escape the tab parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC...
Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF
The plugin lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack PoC...
GiveWP < 2.24.1 - Unauthenticated SQLi
The plugin does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL Injection attacks PoC 1 Create a post/page that contains the "Donor Wall" block. 2 Using the default donation form, send a test donation 3 In a terminal, edit and ru...
Duplicator < 1.4.7 - Unauthenticated Backup Download
The plugin discloses the url of the a backup to unauthenticated visitors accessing the main installer endpoint of the plugin, if the installer script has been run once by an administrator, allowing download of the full site backup without authenticating. PoC Find the URL of the actual installer...
Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it PoC As unauthenticated: wget "https://example.com/?p=1" --header "Referer: " -O- The XSS will be...
Videos sync PDF <= 1.7.4 - Unauthenticated LFI
The plugin does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues PoC https://example.com/wp-content/plugins/video-synchro-pdf/reglages/MenuPlugins/tout.php?p=LFI...
iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip
The settings of the plugin can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process,...
Ninja Forms File Uploads Extension < 3.3.13 - Unauthenticated Stored Cross-Site Scripting
The plugin is vulnerable to stored cross-site scripting due to missing sanitization of the files filename parameter found in the /includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites...
Akismet Privacy Policies <= 2.0.1- Reflected Cross-Site Scripting
The plugin does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/options-general.php?page=akismetprivacynoticesettingsgroup=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E...
Perfect Brands for WooCommerce < 2.0.5 - Subscriber+ Arbitrary Brand Creation
The plugin does not have authorisation and CSRF checks in some of its AJAX actions, which could allow any authenticated users, such as subscriber to create arbitrary brands...
WP HTML Mail < 3.1 - Unprotected REST-API Endpoint
The plugin is vulnerable to setting changes and stored cross-site scripting due to misconfigured authorization controls on the /themesettings REST API endpoint...
LiteSpeed Cache < 4.4.4 - Admin+ Reflected Cross-Site Scripting
The plugin does not escape the qcres parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting PoC As admin, enter the following payload in the Domain Key setting of the plugin: Then open...
WP Mail Logging < 1.10.0 - Outdated Redux Framework
The plugin uses an outdated version of the Redux Framework, which is know to be affected by security issues CVE-2021-38312 and CVE-2021-38314, and could allow unauthenticated attackers to change some of the Framework settings by using CVE-2021-38314 PoC The first endpoint we can identify is...
WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection
The plugin was reported to be affected by a critical Unauthenticated SQL Injection vulnerability...
ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation
The user registration functionality of the plugin allowed arbitrary user meta to be supplied, including wpcapabilities, during registration which made it possible for users to register as an administrator. PoC 'Hax0r', 'regemail' = '[email protected]', 'regpassword' = 'password', 'regpasswordpresen...
Smart Slider 3 < 3.5.0.9 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may...
WP Statistics < 13.0.8 - Unauthenticated SQL Injection
The plugin relied on using the WordPress escsql function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones. PoC...
ElementsKit and ElementsKit Pro < 2.2.0 - Contributor+ Stored XSS
The Elements kit lite and Elements kit pro WordPress Plugins 2.2.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “fun fact” widget accepts an “ekitfunfacttitlesize” parameter. Although...
Paid Membership Pro < 2.5.3 - Unauthorised Order Information Disclosure
The pmprogetorderjson AJAX action, available to authenticated user did not check for authorisation, allowing any authenticated users to retrieve arbitrary order information such as customer names, email addresses, and order numbers via the orderid parameter. PoC...
Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
The plugin did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. The issue could also be exploited via a CRSF attack, as such check was also missing. PoC...
Limit Login Attempts Reloaded < 2.17.4 - Login Rate Limiting Bypass
When the plugin is configured with a custom header in its Trusted IP Origins setting e.g X-Forwarded-For, attackers could bypass the protection offered by tampering the header sent in requests...
Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload
The aoccssimport AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. PoC https://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing POST /wp-admin/admin-ajax.php...
bbPress < 2.6.5 - Unauthenticated Privilege Escalation when New User Registration enabled
Raphael Karger discovered an unauthenticated privilege escalation issue when new user registration is enabled...
WP Cost Estimation < 9.644 - Arbitrary File Upload and Delete
The WPEstimationForm WordPress plugin was affected by an Arbitrary File Upload and Delete security vulnerability...
Buddyforms < 2.2.8 - SQL Injection
The Contact – Registration – Post Form Builder & FrontEnd Editor BuddyForms – Making WordPress Forms A Breeze WordPress plugin was affected by a SQL Injection security vulnerability...
flickrRSS <= 5.3.1 - XSS and CSRF
The flickr-rss WordPress plugin was affected by a XSS and CSRF security vulnerability...
WordPress <= 4.4.2 - Script Compression Option CSRF
...
WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
...
User Submitted Posts <= 20151113 - Stored Cross-Site Scripting (XSS)
The User Submitted Posts WordPress plugin was affected by a Stored Cross-Site Scripting XSS security vulnerability...
Music Store <= 1.0.14 - Referer Header Open Redirect
The Music Store – WordPress eCommerce WordPress plugin was affected by a Referer Header Open Redirect security vulnerability. PoC GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Languag...