14602 matches found
Barcode Scanner with Inventory & Order Manager < 1.5.2 - Unauthenticated SQL Injection via userToken
Description The Simple Inventory Management – just scan barcode to manage products and orders. For WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘userToken’ parameter in all versions up to 1.5.2 exclusive due to insufficient escaping on the user supplied parameter and la...
BookingPress < 1.0.75 - Unauthenticated Booking Price Manipulation
Description The plugin does not have proper validation in its bookingpressconfirmbooking, allowing unauthenticated user to modify the price of an appointment...
YITH WooCommerce Product Add-Ons < 4.3.1 - Authenticated(Shop Manager+) PHP Object Injection
Description The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 4.3.1 exclusive via deserialization of untrusted input in the 'saveaddon' function. This makes it possible for authenticated attackers, with Shop Manager access and...
Simple Job Board < 2.10.6 - Missing Authorization
Description The Simple Job Board plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.10.5. This makes it possible for unauthenticated attackers to perform an unauthorized action...
POST SMTP Mailer < 2.8.8 - Unauthenticated Stored Cross-Site Scripting via device
Description The plugin is vulnerable to Stored Cross-Site Scripting via the ‘device’ header due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an...
Astra Pro < 4.3.2 - Authenticated(Contributor+) Remote Code Execution via Metabox
Description The Astra Pro Addon plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.3.1 via the ast-advanced-hook-php-code meta field. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the serv...
Adifier System < 3.1.4 - Unauthenticated SQL Injection
Description The Adifier System plugin for WordPress is vulnerable to SQL Injection in versions up to 3.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append...
Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion
Description The plugin does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server PoC To download /etc/passwd: curl...
Give - Donation Plugin < 2.33.1 - Authenticated(Give Manager+) Privilege Escalation
Description The Give - Donation Plugin plugin for WordPress is vulnerable to privilege escalation due to an insufficient capability check when updating default roles in versions up to, and including, 2.33.0. This makes it possible for authenticated attackers with Give Manager privileges to elevat...
Jetpack < 12.7 - Authenticated(Contributor+) Clickjacking via Iframe Injection
Description The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Clickjacking via iframe injection due to an unknown parameter in all versions up to and including 12.6.2 due to insufficient input sanitization and output escaping. This makes it possible for...
LuckyWP Scripts Control <= 1.2.1 - Missing Authorization via multiple AJAX actions
Description The LuckyWP Scripts Control plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with...
Slider - Ultimate Responsive Image Slider < 3.5.12 - Subscriber+ Arbitrary Post Access
Description The plugin does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated users, such as subscriber to access the content arbitrary post such as private, draft and password protected PoC Run the belo...
SmartCrawl WordPress SEO checker < 3.8.3 - Unauthenticated Password Protected Post Disclosure
Description The plugin does not prevent unauthorised users from accessing password-protected posts' content. PoC As unauthenticated, view the source via the web browser of any password protected post and find The content of the post will be disclosed in the meta and script tags after this, exampl...
Theater for WordPress < 0.18.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Jetpack < 12.8-a.3 - Contributor+ Stored XSS via block attribute
Description The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Qi Addons For Elementor < 1.6.5 - Contributor+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
AI ChatBot < 4.9.1 - Subscriber+ Arbitrary File Deletion
Description The plugin does not properly validate files to be deleted in the qcldopenaideletetrainingfile function, allowing users with roles as low as subscriber to delete arbitrary files on the server...
AI ChatBot < 4.9.3 - Subscriber+ Arbitrary File Deletion
Description The plugin does not properly validate files to be deleted in the qcldopenaideletetrainingfile function, allowing users with roles as low as subscriber to delete arbitrary files on the server. This vulnerability is the same as CVE-2023-5212 but was accidentally reintroduced in version...
ChatBot < 4.9.1 - Unauthenticated Blind SQL Injection
Description The plugin is vulnerable to SQL Injection via the $strid parameter in versions up to, and including...
wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR
Description The plugin is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function...
Essential Blocks < 4.2.1 - Unauthenticated Object Injection
Description The plugin doesn't prevent unauthenticated attackers from deserializing user input, which could allow them to run code on the server if they have a POP chain allowing them to do so...
BigContact <= 1.5.8 - Cross-Site Request Forgery
Cross-Site Request Forgery CSRF vulnerability in Arian Khosravi, Norik Davtian BigContact Contact Page plugin = 1.5.8 versions...
EventON < 2.1.2 - Unauthenticated Event Access
The plugin lacks authentication and authorization in its eventonicsdownload ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id. PoC https://example.com/wp-admin/admin-ajax.php?action=eventonicsdownloadid=value...
MStore API < 3.9.7 - Multiple CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as Order Status Update, Order Title Update, Product Limit Update, Order Message Update, and Firebase Server Key Update...
WooCommerce Box Office < 1.1.52 - Unauthenticated Ticket Barcode Update
The plugin does not have authorisation and CSRF when updating a ticket bar-code, allowing unauthenticated users to perform such action PoC curl https://example.com/wp-admin/admin-ajax.php -d "action=saveticketbarcodebarcodeimage=xxxbarcodetext=xxxxxid=86"...
Bookly < 21.8 - Admin+ Stored Cross-Site Scripting via service titles
The plugin does not sanitize and escape service titles in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfilteredhtml capability is disallowed for example in a multisite setup...
Feather Login Page < 1.1.2 - Missing Authorization to Authentication Bypass and Privilege Escalation
The plugin lacks authorization checks in the ftlpp-ext-expirable-get-users ajax action, allowing logged in users with roles as low as subscriber to access the login links for the temporary users created by the plugin, which can be used for privilege escalation. PoC GET...
WooCommerce Product Vendors < 2.1.77 - Unauthenticated Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin...
Duplicator Pro < 4.5.11.1 - Unauthenticated Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin...
WooCommerce Ship to Multiple Addresses < 3.8.4 - Subscriber+ Shipping Address Disclosure via IDOR
The plugin does not ensure that the order to display the shipping address from belong to the user making the request, allowing any authenticated users, such as subscriber to view other shipping addresses via an IDOR PoC https://example.com/checkout/shipping-addresses/?orderid=106...
WCFM Membership < 2.11.0 - Unauthenticated Arbitrary Password Update via IDOR
The plugin allows unauthenticated attackers to update the password of arbitrary account via an IDOR attack, which could allow them to gain access to high privilege ones such as administrator...
CMS Tree Page View < 1.6.8 - Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Ultimate Carousel For Elementor <= 2.1.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The plugin author was made aware of this vulnerability...
ZM Ajax Login & Register <= 2.0.2 - Unauthenticated Authentication Bypass
The plugin does not validate that users are allowed to login through the Facebook feature, allowing unauthenticated to be authenticate as any user such as admin by simply knowing the username...
Betheme < 26.8 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Easy Forms for MailChimp < 6.8.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC As a contributor, put the below shortcod...
User Registration < 2.3.3 - Subscriber+ PHP Object Injection
The plugin unserializes user input via the urgetuserextrafields and userregistrationformfield function, which could allow any authenticated users, such as subscriber to perform PHP Object Injection when a suitable gadget is present on the blog...
UpQode Google Maps <= 1.0.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Exploit: vcugmmap mapheight='100px;...
Video.js - HTML5 Video Player for WordPress <= 4.5.0 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC videojs mp4='" onerror="alert/XSS/"'...
YaMaps for WordPress Plugin < 0.6.26 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC yamap height='100px;"...
PPWP – WordPress Password Protect Page < 1.8.6 - Contributor+ Stored XSS in Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
AAWP < 3.12.3 - Unsafe URL Handling
The plugin can be used to abuse trusted domains to load malware or other files through it Reflected File Download to bypass firewall rules in companies. PoC wp-content/aawp/public/image.php?url=base64-url will load and download the file from the base64-decoded URL...
HashBar – WordPress Notification Bar < 1.3.6 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC Exploit shortcode: hashbarbtn btntarget='" onmouseover="alert1"'...
WordPress Simple Shopping Cart < 4.6.2 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
Welcart e-Commerce < 2.8.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack. PoC 1. Add a product item to the plugin. The item name, for example, "first". You will also use this in the...
Login with Cognito < 1.4.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to "Cognito Login » Configure OAuth",...
Kwayy HTML Sitemap < 4.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Click the 'Settings' button of this plugin...
WP CSV Exporter < 1.3.7 - CSV Injection
The plugin does not properly escape the fields when exporting data as CSV, leading to a CSV injection vulnerability. PoC - create a post using =5+5 as the title - export the data as CSV - open the CSV with a spreadsheet application Excel, Libre Office - the CSV formula gets executed...
Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload
The theme does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE PoC Upload a File: The response give the path to the file uploaded:...
Popup Maker < 1.16.11 - Contributor+ Stored Cross Site Scripting
The plugin does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins PoC Create a New popup Insert pop-up name, title, and body text. Add a new trigger with...