14602 matches found
Transposh WordPress Translation <= 1.0.8 - Admin+ SQL Injection
The plugin does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection PoC https://example.com/wp-admin/admin.php?page=tpeditor=filter-by=+AND+SELECT+42+FROM+SELECTSLEEP5b...
YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
The plugin does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them PoC Install the plugin and configure any mailer other than Default. Access the wp-admin area with a Subscriber+ use...
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC As admin, put the following payload in a field label: The XSS will be triggered when editing the form, as well as ...
IgniteUp <= 3.4.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some fields when high privilege users don't have the unfilteredhtml capability, which could lead to Stored Cross-Site Scripting issues PoC Customise a template from the plugin /wp-admin/admin.php?page=cscstemplates and put the following payload in the...
HubSpot < 8.8.15 - Contributor+ Blind SSRF
The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the editposts capability by default contributor and above to perform SSRF attacks PoC As an authenticated user with the editposts capability, get REST nonce via...
Advanced Custom Fields < 5.12.1 - Contributor+ Database Information Access
The plugin does not have proper authorisation which could allow users with a role as low as contributor to view information on the database without the access permission...
Advanced Page Visit Counter < 6.1.6 - Subscriber+ Blind SQL injection
The plugin does not escape the artID parameter before using it in a SQL statement in the apvcresetcountart AJAX action, available to any authenticated user, leading to a SQL injection PoC v = 5.0.8 - https://example.com/wp-admin/admin-ajax.php?action=apvcresetcountart=sleep10 v 6.1.6 -...
Nimble Page Builder < 3.2.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC v 3.1.32 v 3.2.2...
Podcast Importer SecondLine < 1.3.8 - Admin+ SQLi
The plugin does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file PoC Put the XML below on a web server replacing the PAYLOAD with the correct one, then import a podcast...
SpeakOut! Email Petitions < 2.14.15.1 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the dkspeakoutsendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users PoC Create a new email petition /wp-admin/admin.php?page=dkspeakoutaddnew, check x Do not send email...
WP Statistics < 13.1.6 - Multiple Unauthenticated Stored Cross-Site Scripting
The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP, browser and platform parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site...
PHP Everywhere < 3.0.0 - Contributor+ RCE via Metabox
The plugin allows any users with a role as low as contributor to execute PHP via the Metabox of the plugin in posts...
Perfect Brands for WooCommerce < 2.0.5 - Subscriber+ Sensitive Information Disclosure
The plugin does not have authorisation and CSRF checks in some of its AJAX actions, which could allow any authenticated users, such as subscriber to retrieve sensitive information about the server...
WHMCS Bridge < 6.3 - Subscriber+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting via the ccwhmcsbridgeurl parameter found in the /whmcs-bridge/bridgecp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1. Due to missing authorization checks on the ccwhmcsbridgeaddadmin...
WP-DownloadManager < 1.68.7 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of the download settings such as downloadpath, downloadpathurl and downloadpageurl, which could allow high privilege users to perform Cross-Site Scripting attacks...
Advanced Custom Fields: Extended < 0.8.8.7 - Admin+ SQL Injection
The plugin does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue PoC https://example.ocm/wp-admin/options-general.php?page=acfe-options=1%20and%20sleep0.02%23...
Survey Maker < 2.0.7 - Unauthenticated Store Cross-Site Scripting
The plugin is affected by an unauthenticated Stored Cross-Site Scripting issue...
Hide My WP < 6.2.4 - Unauthenticated SQL Injection
The plugin does not escape the IP address retrieved via headers such as X-Forwarded-For before using it in a SQL statement, leading to an SQL injection...
Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF
The plugin does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover. PoC The following HTML code can be...
WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Analytics Report Leaks
The plugin was vulnerable to Analytics Report Leaks on some hosting configurations. As well as updating WooCommerce to at least version 5.7.0, and WooCommerce Admin to at least version 2.6.4, it is also recommended that directory listing is disabled on your host. Automattic updates were rolled ou...
Booster for WooCommerce < 5.4.4 - Authentication Bypass
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the processemailverification function due to a random token generation weakness in the resetandmailactivationlink function found in the...
BuddyPress < 9.1.1 - SQL Injections
The plugin was affected by SQL Injections via the BPNotificationsNotification::getorderbysql and BPInvitation::getorderbysql functions...
Availability Calendar < 1.2.2 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Create a new category via the plugin...
Form Maker < 1.13.60 - Authenticated Stored XSS
The plugin does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue PoC Create or edit a form and add the following payload in the Form Title field "autofocus...
GetPaid < 2.3.4 - Authenticated Stored XSS
In the plugin, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is...
Admin Columns Free (< 4.3.2) & Pro (< 5.5.2) - Authenticated Stored Cross-Site Scripting (XSS) in Custom Field
The Admin Columns WordPress plugin allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns. When a "Custom...
Goto < 2.1 - Unauthenticated Blind SQL Injection
The theme did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue PoC sqlmap --url="https://example.com/tour-list/?keywords=13date=13" --random-agent -dbs --level=3 --threads=4...
Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them even when the unfiletedhtml is disabled PoC Use a payload such as a" in the plugin settings for example, the Powered by Text input...
All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion
Thrive “Legacy” themes register a REST API endpoint to compress images using the Kraken image optimization engine. By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote...
WordPress Related Posts <= 3.6.4 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin contains an authenticated admin+ stored XSS vulnerability in the title field on the settings page. By exploiting that an attacker will be able to execute JavaScript code in the user's browser. PoC Put the following payload in the "Related Posts Title" settings of the plugin...
wpDataTables < 3.4.2 - Blind SQL Injection via start Parameter
The plugin allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=getwdtableid=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain...
SuperStoreFinder & SuperInteractiveMaps - Unauthenticated SQL Injections
The ssf-social-action.php and sim-wp-data.php files from the respective superstorefinder-wp = 5.0.12 AND time-based blind query SLEEP Payload: action=selectwpid=1 AND SELECT 7900 FROM SELECTSLEEP5gxXh Type: UNION query Title: Generic UNION query NULL - 7 columns Payload: action=selectwpid=1 UNION...
Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload
"A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further...
Abandoned Cart Lite for WooCommerce < 5.8.3 - Unauthenticated SQL Injection
The plugin is affected by an unauthenticated SQL injection via the billingfirstname parameter of the savedata AJAX call. PoC From the original researcher: ./sqlmap.py -u https://example.com/wp-admin/admin-ajax.php --cookie='cookies content here' --method='POST'...
Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection
The bulkaction, exportfull and savesliderdb functionalities of the plugin were vulnerable, allowing a high privileged user Admin, or medium one such as Contributor+ if "Role Options" is turn on for other users to perform a SQL Injection attacks. PoC Vulnerable param: check Vulnerable function:...
wpDiscuz < 5.3.6 - Unauthenticated SQL Injection
The Comments – wpDiscuz WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability...
Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection
SQL injection in the Photo Gallery 10Web Photo Gallery plugin before 1.5.55 exists via the frontend/models/model.php bwgsearchx parameter. Impact All gallerytype is affected by this bug and any unauthenticated remote attacker can exploit the plugin. PoC Sqlmap payload: sqlmap -u...
Learnpress < 3.2.6.8 - Authenticated Time Based Blind SQL Injection
This could allow a low privilege user, to perform a time based SQL Injection attack and retrieve data from the DB, such as hashed passwords...
WP-Advanced-Search < 3.3.7 - Authenticated SQL Injection
The import functionality to restore plugin settings within the admin pages was vulnerable to SQL Injection through a privileged user with the editposts capability...
MapPress Maps < 2.53.9 - Authenticated Map Creation/Deletion Leading to Stored Cross-Site Scripting (XSS)
Both the Free and Pro versions of this plugin register AJAX actions that call functions which lack capability checks and nonce checks. It is possible for a logged-in attacker with minimal permissions, such as a subscriber, to add a map containing malicious JavaScript to an arbitrary post or page ...
OneTone <= 3.0.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
Due to missing capability checks and security nonces, an unauthenticated attacker can use the theme options import feature to inject JavaScript code into all pages and posts of the website...
Contact Form 7 Datepicker <= 2.6.0 - Authenticated Stored Cross-Site Scripting (XSS)
Contact Form 7 Datepicker registers an AJAX action to save settings which calls a function that fails to perform a capability check or nonce check. As such, a logged-in attacker with minimal permissions such as a subscriber can send a crafted request which will store a malicious JavaScript in the...
Pricing Table by Supsystic < 1.8.2 - Unauthenticated Stored XSS
No permission check on the ImportJSONTable endpoint allows for malicious javascript to be injected by unauthenticated users. PoC...
WordPress <= 5.2.3 - JSON Request Cache Poisoning
Description The fix sends the "Vary: Origin" response header for GET requests from unauthenticated users...
Ultimate FAQ < 1.8.25 - Unauthenticated Options Import/Export
The Ultimate FAQ – WordPress Q Plugin WordPress plugin was affected by an Unauthenticated Options Import/Export security vulnerability...
WordPress 5.2.2 - Cross-Site Scripting (XSS) in Dashboard
Description According to the WordPress release notes: "Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard."...
Ocean Extra <= 1.5.8 - Unauthenticated Settings change and CSS injection
The Ocean Extra WordPress plugin was affected by an Unauthenticated Settings change and CSS injection security vulnerability...
GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
The GraceMedia Media Player WordPress plugin was affected by a Local File Inclusion LFI security vulnerability...
Peters Login Redirect <= 2.9.1 - Multiple CSRF
The Peter's Login Redirect WordPress plugin was affected by a Multiple CSRF security vulnerability...
Smush Image Compression and Optimization <= 2.9.1 - Authenticated Phar Deserialization
The Smush – Lazy Load Images, Optimize & Compress Images WordPress plugin was affected by an Authenticated Phar Deserialization security vulnerability...