14602 matches found
Crayon Syntax Highlighter < 2.8.4 - Multiple XSS
The Crayon Syntax Highlighter WordPress plugin was affected by a Multiple XSS security vulnerability...
WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)
...
WP-Piwik <= 1.0.4 - Cross-Site Scripting (XSS)
The WP-Matomo Integration WP-Piwik WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
BJ Lazy Load <= 0.7.5 - Remote File Inclusion (Timthumb)
The BJ Lazy Load WordPress plugin was affected by a Remote File Inclusion Timthumb security vulnerability...
WPML 2.9.3-3.2.6 - Cross-Site Scripting (XSS) in Accept-Language Header
The sitepress-multilingual-cms WordPress plugin was affected by a Cross-Site Scripting XSS in Accept-Language Header security vulnerability...
Job Manager <= 0.7.25 - Insecure Direct Object Reference (IDOR)
It is possible to enumerate the CV filename that is uploaded on the server and then access the CV file by performing a bruteforce attack to the wordpress upload directory structure...
Twenty Fifteen Theme <= 1.1 - DOM Cross-Site Scripting (XSS)
Genericons = 3.2 vulnerable to DOM XSS in the example.html file due to using outdated version of jQuery and vulnerable code. Vulnerable Code: permalink = "genericon-" + window.location.hash.split''1; cssclass = jQuery '.' + permalink .attr'class'; PoC...
Easy Digital Downloads < 2.3.3 - SQL Injection
The Easy Digital Downloads – Simple Ecommerce for Selling Digital Files WordPress plugin was affected by a SQL Injection security vulnerability...
Simple Security <= 1.1.5 - 2 x Cross-Site Scripting (XSS)
The Simple Security WordPress plugin was affected by a 2 x Cross-Site Scripting XSS security vulnerability...
WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists
...
Extend 1.3.7 - Shell Upload
The extend-wordpress WordPress plugin was affected by a Shell Upload security vulnerability...
WordPress 3.7.1 & 3.8.1 - Potential Authentication Cookie Forgery
...
WordPress 3.7.1 & 3.8.1 - Privilege Escalation
Description From the researcher edik who discovered the vulnerability: Using the bulk edit feature you can publish posts and pages PUBLICLY without the publishing-cap. The problem is that there are no checks for publishing-cap's on serverside. It's only protected in UI. How to reproduce: 1. Login...
WooCommerce Swipe <= 2.7.1 - Unauthenticated Reflected XSS
The last time it was checked the plugin was still affected and had been closed. PoC http://www.example.com/wp-content/plugins/swipehq–payment–gateway–woocommerce/test-plugin.php?apiurl=apiurl%27%3E%3Cscript%3Ealert%284%29%3C/script%3E...
Sharebar <= 1.2.1 - SQL Injection & Cross-Site Scripting (XSS)
wp-admin/options-general.php status parameter XSS...
Contact Form Plugin by Fluent Forms < 5.1.16 - Contributor+ PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additiona...
Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.7.8 - Sensitive Information Exposure
Description The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wpdndcf7uploads/wpcf7-files' directory. This makes it possible for unauthenticated...
Rate My Post – Star Rating Plugin by FeedbackWP < 3.4.5 - Insecure Direct Object Reference
Description The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to rate priva...
Events Manager < 6.4.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the physical location value in all versions up to, and including, 6.4.7.1 due to insufficient input sanitization and output escaping. This makes it possibl...
WooCommerce < 8.6 - Contributor+ Private/Draft Products Access
Description The plugin does not prevent users with at least the contributor role from leaking products they shouldn't have access to. e.g. private, draft and trashed products PoC 1. ADMIN: Install WooCommerce 2. ADMIN: Add products of various visibility and statuses including Publish, Draft,...
NEX-Forms – Ultimate Form Builder < 8.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 8.5.5 due to insufficient input sanitization and output escaping on user supplied...
Avada < 7.11.2 - Contributor+ Arbitrary File Upload
Description The theme is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajaximportoptions' function, making it possible for authenticated attackers with contributor permissions to upload arbitrary files on the affected site's server which may make remote code...
FileBird < 5.6.1 - Admin+ Stored XSS
Description The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
MapPress Maps for WordPress < 2.88.15 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks PoC As a contributor, create/edit a map with the below payload as title and attach it to a post ca...
wpDiscuz < 7.6.13 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Essential Addons for Elementor < 5.9.3 - Contributor+ Stored XSS
Description The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom ID in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping...
404 Solution < 2.35.0 - Admin+ SQLi
Description The plugin does not properly sanitise and escape the orderby parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin...
Divi < 4.23.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'etpbtext' shortcode in all versions up to, and including, 4.23.1 due to insufficient input sanitization and output escaping on user supplied custom field data. This makes it possible for...
Responsive Lightbox < 2.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via name
Description The Responsive Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level...
Perfmatters < 2.2.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Description The Perfmatters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to 2.2.0 exclusive due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access or...
Contact Form for Plugin by Fluent Forms < 5.0.9 - Insecure Direct Object Reference
Description The Contact Form for Plugin by Fluent Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 5.0.8 via the addIsRenderableFilter function due to missing validation on the publication status of a form. This makes it possible for...
Leyka < 3.30.3 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WPCode < 2.0.13.1 - Reflected XSS
Description The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting PoC Make a logged in admin open https://example.com/wp-admin/admin.php?page=wpcode"=2...
ShopLentor < 2.6.3 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Menubar < 5.9 - Cross-Site Request Forgery
The plugin does not properly implement anti-CSRF measures, potentially making it possible for unwanted actions to be performed in the user's session...
Ultimate Addons for Contact Form 7 < 3.1.24 - Subscriber+ SQL Injection
The plugin does not properly sanitize the 'id' parameter, leading to a SQL Injection vulnerability...
Image Optimizer by 10web < 1.0.27 - Admin+ Path Traversal
The plugin does not sanitize the dir parameter when handling the getsubdirs ajax action, allowing a high privileged users such as admins to inspect names of files and directories outside of the sites root. PoC - Payload: ../../../../../../../../../../../../../../../../../../../ - At the "Other...
CMP – Coming Soon & Maintenance < 4.1.8 - Maintenance Mode Bypass
The plugin does not properly secure maintenance mode, allowing users to bypass it by using a correct cmpbypass GET parameter in the URL...
Enhanced WP Contact Form <= 2.3 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP Popup Banners <= 1.2.5 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the value parameter before using it in a SQL statement via the getpopupdata AJAX action, leading to a SQL injection exploitable by any authenticated users, such as subscriber PoC Run the below command in the developer console of the web browser whi...
Complianz - GDPR/CCPA Cookie Consent < 6.4.2 - Contributor+ Stored XSS
The plugins do not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC cmplz-consent-area...
OAuth Single Sign On - SSO (OAuth Client) Enterprise < 48.4.9 - IdP Deletion via CSRF
The plugin does not have CSRF checks when deleting Identity Providers IdP, which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack PoC https://example.com/wp-admin/admin.php?page=mooauthsettings=config=delete=wordpress...
ProfilePress < 4.5.5 - Reflected XSS
The plugin does not sanitise and escape various parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Quiz And Survey Master < 8.0.8 - Text Message Setting Update via CSRF
The plugin does not have CSRF check when updating the Quiz Text Message Setting, which could allow attackers to make logged admin perform such actions via a CSRF attack...
PDF Viewer < 1.0.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC Exploit shortcode: pdfviewer height='" onmouseover="alert1"'http://localhost/file.pdf/pdfviewer...
FluentAuth < 1.0.2 - Bypass blocks by IP Spoofing
The plugin prioritizes getting a visitor's IP address from certain HTTP headers over PHP's REMOTEADDR, which makes it possible to bypass the IP-based blocks set by the plugin. PoC Set HTTPXREALIP, HTTPXFORWARDEDFOR, HTTPCFCONNECTINGIP or HTTPCLIENTIP to spoof the IP address...
WP-Ban < 1.69.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to the plugin settings and set these...
Quiz and Survey Master < 8.0.5 - Unauthenticated iFrame Injection
The plugin does not sanitise and escape the questionid parameter, which could allow unauthenticated users to perform iFrame injection attack...
Kraken.io Image Optimizer < 2.6.6 - Settings Update via CSRF
The plugin does not have CSRF check when updating its settings, which could allow attackers to make logged in admin change them via a CSRF attack...
WP Popup Builder < 1.3.0 - Subscriber+ Arbitrary Popup Deletion
The plugin does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup PoC fetch'/wordpress/wp-admin/admin-ajax.php?action=deletepopup', method: 'POST',headers:"content-type":"application/x-www-form-urlencoded", bod...