14602 matches found
MStore API < 3.9.2 - Authentication Bypass
The plugin does not properly verify the user provided when syncing their cart via its REST API, allowing unauthenticated users to login as an arbitrary user by providing their ID...
Easy Digital Downloads < 3.1.1.4.2 - Unauthenticated Privilege Escalation
The plugin does not have authorisation and CSRF in its AJAX action, allowing unauthenticated users to call it, one in particular could allow them to reset any account's password by knowing the username...
Booking Manager < 2.0.29 - Subscriber+ SSRF
The plugin does not validate URLs input in it's admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the sites internal network. PoC As an admin: Type in an internal URL for example...
Advanced Custom Fields < 5.12.5 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. PoC Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup :...
Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSS
The plugin does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks PoC import requests import sys import re if lensys.argv != 4: print'USAGE: python %s ' %...
0mk Shortener <= 0.2 - Stored XSS via CSRF
Description The plugin does not have CSRF check in its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
Metform Elementor Contact Form Builder < 3.2.0 - Unauthenticated Stored XSS
The plugin does not sanitize and escape some of its submitted entry data when outputting them back in the admin dashboard, which could allow unauthenticated attackers to perform Stored XSS attacks against an admin viewing the malicious entry PoC Setup as admin: Create a new form using MetForm...
ShortPixel Adaptive Images < 3.6.3 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against any high privilege users such as admin PoC https://example.com/?SPAIVJS=%3C/script%3E%3Cimg%20src%3D1%20onerror%3Dalert/XSS/;%3E...
Mapwiz <= 1.0.1 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. PoC POST /wp-admin/admin.php?page=myplug/muyplg.php HTTP/1.1...
Easy Digital Downloads 3.1.0.2 & 3.1.0.3 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the s parameter before using it in a SQL statement via the edddownloadsearch AJAX action , leading to a SQL injection exploitable by unauthenticated users PoC curl...
Advanced Coupons for WooCommerce Coupons < 4.5.0.1 - Notice Dismiss via CSRF
The plugin does not have CSRF check when dismissing notices, which could allow attackers to make logged in users dismiss the Getting Started notice via a CSRF attack...
Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure
The plugin is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options. PoC - Install the plugin and set the API creds to: - Key:...
Ocean Extra < 2.0.5 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import intentionally or not a malicious Customizer Styling file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the followin...
Download Manager < 3.2.50 - Contributor+ PHAR Deserialization
The plugin does not validate a parameter, which could allow users with a role as low as contributor to perform PHAR deserialisation when a suitable gadget chain is also present...
NEX-Forms < 7.9.7 - Authenticated SQLi
The plugin does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin setting...
WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure
The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL. PoC The vulnerability exists due to the plugin only preventing users from leaking coupons using the "coupons" aggregate field, and not the regular "coupon" field. Given a valid...
Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC Against any authenticated user: https://example.com/wp-admin/admin-ajax.php?action=ftsencrypttokenajaxtoken=%3Cimg%20src=x%20onerror=alert/XSS/%3E...
Translatepress Multilinugal < 2.3.3 - Admin+ SQLi
The plugin is vulnerable to an authenticated SQL injection. By adding a new language via the settings page containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected. PoC To exploit the vulnerability, someone must send a...
FreeMind WP Browser <= 1.2 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when updating its setting, and does not have sanitisation as well as escaping in some of them, which could allow attackers to make a logged in admin put a Cross-Site Scripting payload in them via CSRF attack...
Login with phone number < 1.3.8 - Multiple Admin+ Stored XSS
The plugin does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Plugin settings Style Settings button border radius or other field put to input field:...
GiveWP < 2.21.0 - Donor Information Disclosure
The plugin exposes a REST endpoint to unauthenticated users and disclosing donor information...
Popup by Supsystic < 1.10.9 - Unauthenticated Subscriber Email Addresses Disclosure
The plugin does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 104 Accept: application/json, text/javascript, /; q=0.01...
SEO Plugin by Squirrly SEO < 11.1.12 - Reflected Cross-Site Scripting
The plugin does not escape the type parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=sqbulkseo=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+xxx=pp...
WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion
The plugin does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment PoC Log in as any user with privileges as low as Subscriber...
WPCargo < 6.9.0 - Unauthenticated RCE
The plugin contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE PoC import sys import binascii import requests This is a magic string that when treated as pixels and compressed using the png algorithm, will cause to be written ...
WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via IP
The plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information...
PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks in the ppomsettingspanelaction AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues PoC 1. Use the new settings panel...
WP Import Export < 3.9.16 - Unauthenticated Sensitive Data Disclosure
The plugins are vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpieprocessfiledownload found in the /includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or...
WCFM - WooCommerce Multivendor Marketplace < 3.4.12 - Unauthenticated SQL Injection
The wcfmajaxcontroller AJAX action of the plugin, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections PoC v 3.4.11 POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
OptinMonster < 2.6.5 - Unprotected REST-API Endpoints
OptinMonster was missing appropriate capability checks on several REST-API endpoints which made it possible for unauthenticated attackers, and in some instances authenticated with low privileges, to perform unauthorized actions, as well as access sensitive information such as the...
Ninja Forms < 3.6.4 - Admin+ SQL Injection
The plugin does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks PoC POST /wp-admin/post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh,en;q=0.5...
MicroCopy <= 1.1.0 - Authenticated SQL Injection
The edit functionality in the plugin makes a get request to fetch the related option. The id parameter used is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. PoC GET...
Shopping Cart & eCommerce Store < 5.1.1 - CSRF to Stored Cross-Site Scripting
The plugin is vulnerable to Cross-Site Request Forgery via the savecurrencysettings function found in the /admin/inc/wpeasycartadmininitialsetup.php file which allows attackers to inject arbitrary web scripts...
WP Fountain <= 1.5.9 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /wp-fountain.php file which allows attackers to inject arbitrary web scripts...
Cookie Notice & Consent Banner for GDPR & CCPA Compliance < 1.7.2 - Authenticated Stored XSS
The plugin does not properly sanitize inputs to prevent injection of arbitrary HTML within the plugin's design customization options. PoC Go to the plugin's Customize Design page and open the "Wizard menu". Now scroll down and you will find an "Info Text" field where you can inject an XSS payload...
WooCommerce Currency Switcher < 1.3.7 - Authenticated (Low Privilege) Local File Inclusion
The WooCommerce Currency Switcher plugin was vulnerable to LFI attacks via the "woocs" shortcode...
Sign-up Sheets < 1.0.14 - Authenticated CSV Injection
The plugin does not not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue PoC Go to the Sign-up Sheets-- Add New. Enter the following CSV Injection payload in the field "Title", "Details" and "Task" click on save button. =cmd|' /C...
WP Fluent Forms < 3.6.67 - Cross-Site Request Forgery (CSRF)
The WP Fluent Forms WordPress plugin was vulnerable to a Cross-Site Request Forgery CSRF vulnerability that could lead to Stored Cross-Site Scripting XSS...
Admin Columns Free < 4.3 & Pro < 5.5.1 - Authenticated Stored Cross-Site Scripting (XSS) in Label
The Admin Columns WordPress plugin, Free and Pro versions, rendered input on the posted pages with improper input validation on the value passed into the field Label parameter, by taking this as an advantage an authenticated attacker can supply a crafted arbitrary script and execute it...
Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 - Unauthenticated Blind SQL Injection
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The updatelog function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected v...
Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation
An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. Even with the maximu...
Welcart e-Commerce < 2.1.1 - Authenticated SQL Injection
The Welcart e-Commerce WordPress plugin, less than version 2.1.1 and possibly below, was vulnerable to authenticated SQLI Injection in the searchordercolumn0 POST parameter of the "/wp-admin/admin.php?page=uscesorderlist" page. PoC Refer to references...
Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Roles
Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges. PoC $username, 'firstname-'. $formid =...
Advanced Access Manager < 6.6.2 - Authenticated Authorization Bypass and Privilege Escalation
A low-privileged user could assign themselves or switch to any role with an equal or lesser user level, or any role that did not have an assigned user level. This could be done by sending a POST request to wp-admin/profile.php with typical profile update parameters and appending a aamuserroles...
Email Subscribers & Newsletters < 4.1.8 - SQL Injection
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system...
Loginizer <= 1.3.5 - Blind SQL Injection
Blind SQL injection in the http-header: X-Forwarded-For and possible others...
WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
...
WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
...
WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
...
WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
...