14602 matches found
WordPress Download Manager < 3.1.18 - Unauthorised Download Duplication
The duplicate method, hooked to the admininit action did not have any CSRF and authorisation checks, allowing unauthorised users such as unauthenticated ones to duplicate arbitrary downloads PoC As an unauthenticated or authenticated user, open the following URL to duplicate the Download with id...
Outdated php-mod/curl Library - Unauthenticated Reflected Cross-Site Scripting (XSS)
The original submission stated that the HT Slider Range for Amazon affiliates plugin for WordPress had a reflected XSS vulnerability. After investigation WPScanTeam, the cause was found to be test files from the php-mod/curl library, which was missing appropriate response headers before outputtin...
Wyzi < 2.4.3 - Reflected Cross-Site Scripting (XSS)
The Wyzi Theme was affected by reflected XSS vulnerabilities in the business search feature PoC https://example.com/business/?keyword=%22%3E%3Cimg%20src=x%20onerror=alert/XSS/%3Easd&wyz-loc-filter-txt;=&loc-filter-txt;=&loc-filter-lat;=&loc-filter-lng;===0...
Good LMS < 2.1.5 - Unauthenticated SQL Injection
The Good LMS WordPress plugin was vulnerable to Unauthenticated SQL Injection in its 'id' parameter of the gdlrlmscancelbooking action. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 action=gdlrlmscancelbooking=SELECT 1337 FROM SELECTSLEEP10MrMV...
Postie <= 1.9.40 - Post Submission Spoofing & Stored XSS
"The Postie plugin for WordPress only allows posting of articles submitted by authorized users through a mailing list registered in the plugin settings. However through the email sender's spoofing technique, it was possible to bypass the plugin settings and publish a post as having been sent by a...
Animate It < 2.3.6 - XSS
The Animate It! WordPress plugin was affected by a XSS security vulnerability...
Visitors Traffic Real Time Statistics < 1.13 - CSRF to Stored XSS/SQLi
A CSRF vulnerability in the plugin gives attackers the possibility to craft an AJAX request, which lets blog administrators alter plugin settings. Due to a lack of encoding for malicious data when displaying it in the admin backend, there is a Stored XSS. Also, as the user input coming from the...
WPML Translation Management <= 2.4.1 - PHP Object Injection
The wpml-translation-management WordPress plugin was affected by a PHP Object Injection security vulnerability...
WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
...
Peter's Login Redirect <= 2.9.0 - Cross-Site Scripting (XSS) & CSRF
The Peter's Login Redirect WordPress plugin was affected by a Cross-Site Scripting XSS & CSRF security vulnerability...
WordPress <= 4.2.3 - Timing Side Channel Attack
...
WordPress <= 4.2.3 - wp_untrash_post_comments SQL Injection
...
SEO SearchTerms Tagging 2 <= 1.535 - XSS & Authenticated SQL Injection
Plugin is still affected and has been closed...
Aviary Image Editor Add-on For Gravity Forms <= 3.0beta - Unauthenticated File Upload
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php. An unauthenticated user can upload any file to the system, including PHP files. upload.php does not check that the user is authenticated and a simple POST request will allow arbitrary...
Awesome Support < 3.1.7 - XSS & Shortcodes Allowed in Replies
The Awesome Support – WordPress HelpDesk & Support Plugin WordPress plugin was affected by a XSS & Shortcodes Allowed in Replies security vulnerability...
WordPress 3.9-4.1.1 - Same-Origin Method Execution
...
WordPress SEO by Yoast <= 2.0.1 - Cross-Site Scripting (XSS)
The wordpress-seo-premium WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
VideoWhisper Video Presentation 3.31.17 - Remote File Upload
Vendor marked as won't fix. See references...
Creative Contact Form <= 0.9.7 - Shell Upload
The Creative Contact Form WordPress plugin was affected by a Shell Upload security vulnerability...
Social Sharing Toolkit 2.1.1 - Unspecified XSS
The Social Sharing Toolkit WordPress plugin was affected by an Unspecified XSS security vulnerability...
CommentLuv 2.92.3 - Cross Site Scripting
The CommentLuv WordPress plugin was affected by a Cross Site Scripting security vulnerability...
GD Star Rating 1.9.22 - Cross-Site Request Forgery (CSRF)
The gd-star-rating WordPress plugin was affected by a Cross-Site Request Forgery CSRF security vulnerability...
Organizer <= 1.2.1 - Cross Site Scripting / Path Disclosure
Plugin is still affected and has been closed...
Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation
Description The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of th...
WP Migrate Pro < 2.6.11 - Unauthenticated PHP Object Injection
Description The WP Migrate Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.10 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerab...
LoginPress Pro < 3.0.0 - Captcha Bypass
Description The plugin is vulnerable to Bypass, allowing unauthenticated attackers to bypass the Captcha Verification...
WP SMS < 6.6.3 - Cross-Site Request Forgery
Description The WP SMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.6.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request grante...
Malware Scanner < 4.7.3 and Web Application Firewall < 2.1.2 - Unauthenticated Privilege Escalation
Description The plugin does not prevent unauthenticated users from resetting any account's password, allowing them to takeover sites by resetting one of its administrators' password. PoC curl --url 'http://vulnerable-site.tld/wp-login.php' --data...
File Manager < 7.2.2 - Sensitive Information Exposure via Backup Filenames
Description The plugin is vulnerable to Sensitive Information Exposure due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where...
Brave Popup Builder < 0.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping...
E2Pdf < 1.20.24 - Authenticated(Administrator+) SQL Injection
Description The E2Pdf – Export To Pdf Tool for WordPress plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to 1.20.24 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...
Frontend Admin by DynamiApps Plugin < 3.18.4 - Unauthenticated Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajaxaddattachment' function, allowing unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible...
Menu Image, Icons made easy < 3.11 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Simple Counter <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Description The Simple Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
Duplicator < 1.3.0 - Unauthenticated RCE
Description The plugin does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be use to run arbitrary code on the server. PoC Steps to Reproduce Setup Download WAMP with the...
JetBlocks For Elementor < 1.3.8.1 - Reflected Cross Site Scripting
Description The JetBlocks for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
Porto Theme - Functionality < 2.12.1 - Unauthenticated SQL Injection
Description The Porto Theme - Functionality plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.11.1 due to insufficient escaping on a user supplied parameter and lack of sufficient preparation on an existing SQL query. This makes it possible for unauthenticate...
UserPro < 5.1.5 - Missing Authorization to Arbitrary Shortcode Execution via userpro_shortcode_template
Description The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userproshortcodetemplate' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to arbitrary shortcode execution. An...
User Submitted Posts < 20230914 - Unauthenticated Arbitrary File Upload
Description The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uspattachimages function in versions up to, and including, 20230902. This makes it possible for unauthenticatedattackers to upload arbitrary files as long a...
Master Slider Pro <= 3.6.5 - Unauthenticated PHP Object Injection
Description The Master Slider Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.5 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable...
Paid Memberships Pro < 2.12.4 - Subscriber+ Arbitrary File Upload
Description The plugin does not properly validate file type in its pmpropaypalexpresssessionvarsforuserfields function, which could allow any authenticated users, such as subscriber to upload arbitrary files on the server. Note: Exploitation of the issue requires 2Checkout deprecated since versio...
Canto < 3.0.5 - Unauthenticated Remote File Inclusion
Description The Canto WordPress plugin was affected by an Unauthenticated File Inclusion security vulnerability...
Ninja Forms < 3.6.26 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
AN_GradeBook <= 5.0.1 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber PoC Access the following URL to demonstrate SQLi:...
Getwid < 1.8.4 - Subscriber+ SSRF
The plugin does not validate a parameter via the getremotecontent REST API endpoint before making a request to it, which could allow any authenticated users, such as subscriber to perform SSRF attack. Note: We do not consider flushing of cache to be a security issue, therefore CVE-2023-1910 has n...
Abandoned Cart Lite for WooCommerce < 5.15.0 - Authentication Bypass
The plugin does not use adequate cryptographic practices to secure its cart link decoding process, allowing unauthenticated attackers to bypass authentication and login as customers who have abandoned their carts...
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
The plugin does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site,...
Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.6.6 - File Upload and File deletion via CSRF
The plugin is lacking CSRF and validation when uploading or deleting files, which could allow attackers to make a logged-in admin upload or delete files via a CSRF attack...
MStore API < 3.9.2 - Authentication Bypass
The plugin does not properly verify the user provided when syncing their cart via its REST API, allowing unauthenticated users to login as an arbitrary user by providing their ID...
Easy Digital Downloads < 3.1.1.4.2 - Unauthenticated Privilege Escalation
The plugin does not have authorisation and CSRF in its AJAX action, allowing unauthenticated users to call it, one in particular could allow them to reset any account's password by knowing the username...