14603 matches found
WordPress <= 4.4.2 - Script Compression Option CSRF
...
WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
...
Music Store <= 1.0.14 - Referer Header Open Redirect
The Music Store – WordPress eCommerce WordPress plugin was affected by a Referer Header Open Redirect security vulnerability. PoC GET /wp-content/plugins/music-store/ms-core/ms-submit.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Languag...
zM Ajax Login & Register 1.0.9 - Local File Inclusion & XSS
The ZM Ajax Login & Register WordPress plugin was affected by a Local File Inclusion & XSS security vulnerability...
Free Counter 1.1 - Cross-Site Scripting (XSS)
The Free counter WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Post to Twitter <= 0.7 - CSRF & XSS
The post-to-twitter WordPress plugin was affected by a CSRF & XSS security vulnerability...
WP-ViperGB 1.3.10 - XSS Weakness & CSRF
The WP-ViperGB WordPress plugin was affected by a XSS Weakness & CSRF security vulnerability...
AdRotate <= 3.9.4 - clicktracker.php track Parameter SQL Injection
The AdRotate – Ad manager & AdSense Ads WordPress plugin was affected by a clicktracker.php track Parameter SQL Injection security vulnerability...
WordPress 3.4 - 3.5.1 DoS in class-phpass.php
...
Duplicate Post 2.5 - duplicate-post-admin.php User Login Cookie Value SQL Injection
The Yoast Duplicate Post WordPress plugin was affected by a duplicate-post-admin.php User Login Cookie Value SQL Injection security vulnerability...
WordPress 3.5-3.5.1 Multiple Role Remote Privilege Escalation
...
YITH WooCommerce Wishlist < 3.33.0 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 3.33.0 exclusive due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Advanced Access Manager < 6.9.21 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WooCommerce < 8.4.0 - Reflected Cross-Site Scripting
Description The plugin does not properly sanitize user-input provided by the addqueryarg function when echoed back into JavaScript code context. PoC http://vulnerable-site.tld/wp-admin/edit-comments.php?%27;alert1//...
Master Slider <= 3.9.10 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's msslide shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject...
MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.2.6 - Unauthenticated SQL Injection
Description The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the...
Canto < 3.0.7 - Unauthenticated RCE
Description The plugin is vulnerable to Remote Code Execution via the 'abspath' parameter due to the use of the includeonce statement on the parameter allowing remote file inclusion. This makes it possible for unauthenticated attackers to execute code on the server...
Enhanced Text Widget < 1.6.6 - Admin+ Stored XSS
Description The plugin does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...
Paid Memberships Pro < 2.12.6 - Missing Authorization via API
Description The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmprorestapigetpermissionscheck...
Comment Blacklist Updater < 1.2.0 - Cross-Site Request Forgery via update_blacklist_manual
Description The Comment Blacklist Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the 'updateblacklistmanual' function. This makes it possible for unauthenticated attackers to...
Olive One Click Demo Import <= 1.0.9 - Authenticated (Administrator+) Arbitrary File Upload in olive_one_click_demo_import_save_file
Description The Olive One Click Demo Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the oliveoneclickdemoimportsavefile function in versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with...
LearnDash LMS < 4.5.3.1 - SQL Injection
Description The plugin does not properly neutralize special elements used in an SQL command, leading to potential SQL injection vulnerability...
Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure
Description The plugin is vulnerable to Sensitive Information Exposure via the ai-debug-processing-fe URL parameter...
Slimstat Analytics < 5.0.10 - Contributor+ SQL Injection
Description The plugin is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers wit...
eaSYNC <= 1.3.8 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WP-EMail < 2.69.1 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. In the "Email Options" section...
Ultimate Member < 2.6.1 - Form Duplication via CSRF
The plugin does not have CSRF checks when duplicating a form, which could allow attackers to make logged in admins perform such actions via a CSRF attack...
PixelYourSite < 9.6.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitize input and escape output in admin settings, leading to Stored Cross-Site Scripting vulnerabilities. This issue affects multi-site installations and installations with disabled unfilteredhtml...
Google Analytics by Monster Insights < 8.14.1- Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Advanced Custom Fields < 6.1.6 - Reflected XSS
The plugins do not escape the poststatus parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open...
FooGallery < 2.2.41 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
RapidLoad Power-Up for Autoptimize < 1.7.2 - Multiple Subscriber+ Unauthorised AJAX Calls
The plugin does not have authorisation and CSRF checks in multiple AJAX actions, which could allow users with a role as low as subscriber or an attacker making any authenticated user open a malicious page to call them and modify the plugins cache, add a new license, delete logs files, update cach...
Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.3 - Path Traversal
The plugin does not properly check the value of the input "uploaddir", which is modifiable by the user. As a result, by changing the value of this input, it's possible to upload a file anywhere writable in the webserver. PoC 1. Create a contact form and add a "multiple file upload" field. 2. Add...
Slimstat Analytics < 4.9.3.3 - Subscriber+ SQL Injection
The plugin does not prevent subscribers from rendering shortcodes that concatenates attributes directly into an SQL query. PoC While logged in as a subscriber, send the following request: await fetch'/wp-admin/admin-ajax.php',method:'POST', headers: 'Content-Type':...
miniOrange WordPress SAML SSO Premium < 12.1.0 - Open Redirect in SSO login
The plugin does not validate that the redirect parameter to its SSO login endpoint points to an internal site URL, making it vulnerable to an Open Redirect issue when the user is already logged in...
Mongoose Page Plugin < 1.9.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC Exploit shortcode: facebook-page-plugin href='test.js' method='sdk' language='" onerror="alert1"'...
White Label CMS < 2.5 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup : void...
WPML < 4.5.14 - CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as change the status of a translation job...
OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass
The plugin does not have authorisation and CSRF when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they controls, allowing them to then be authenticated as admin if they know the correct email address PoC POST / HTTP/1.1...
MultiSafepay < 4.16.0 - Unauthenticated Arbitrary File Access
The plugin does not validate a parameter which could allow unauthenticated users to read arbitrary files on the web server...
weForms < 1.6.14 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC On the dashboard navigate to weForms All Forms Add Form Choose Contact Form; Click Create Form...
GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Get a REST nonce logged in as admin:...
Popup Builder < 4.1.1 - Popup Status Change via CSRF
The plugin does not have CSRF check in place when updating Popup status, which could allow attackers to make a logged in admin update them via a CSRF attack...
Photo Gallery < 1.6.4 - Admin+ Stored Cross-Site Scripting
The plugin does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed PoC Go to Photo Gallery Global Settings Watermark Using the web browser inspector, change the input...
Amelia < 1.0.47 - Unauthenticated Stored XSS via lastName
The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the /src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever...
Formcraft3 < 3.8.28 - Unauthenticated SSRF
The plugin does not validate the URL parameter in the formcraft3get AJAX action, leading to SSRF issues exploitable by unauthenticated users PoC https://example.com/wp-admin/admin-ajax.php?action=formcraft3get=https://wpscan.com...
UpdraftPlus Free < 1.22.3 & Premium < 2.22.3 - Subscriber+ Backup Download
The plugins do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site such as subscriber to download the most recent site & database backup. PoC from io import StringIO import requests import gzip impor...
WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_id
The plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the currentpageid parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information...
Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure
The plugin does not have authorisation in its vczapigetwpusers AJAX action, allowing any authenticated users, such as subscriber to download the list of email addresses registered on the blog PoC Open the following URL as a subscriber:...
Advanced iFrame < 2022 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the aiconfigid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue PoC...