14602 matches found
WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector. PoC 1 Download 'poc.zip' via...
WHA Crossword <= 1.1.10 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
YaySMTP < 2.2.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the From Email or From...
WP Visitor Statistics (Real Time Traffic) < 5.8 - Unauthenticated SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements available to unauthenticated users, leading to SQL injection...
Ocean Extra < 1.9.5 - Reflected Cross-Site Scripting
The plugin does not escape generated links which are then used when the OceanWP theme is active, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/?step=demo=owpsetup"...
Video Slider - Slider Carousel < 1.4.8 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize or escape some of its video settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create/edit a video from a slider and put the following payload in the Description: , then save/update the...
MapSVG < 6.2.20 - Unauthenticated SQLi
The plugin does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users. PoC https://example.com/wp-json/mapsvg/v1/maps/2?id=1%27%20AND%20SELECT%2042%20FROM%20SELECTSLEEP5b--+...
Yoo Slider < 2.1.0 - Arbitrary Slider Creation/Edition via CSRF
The plugin does not have CSRF check in place when creating and editing sliders, which could allow attackers to make a logged in admin create and edit arbitrary slider via a CSRF attack...
Easy Digital Downloads < 2.11.6 - Arbitrary Payment Note Insertion via CSRF
The plugin does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack PoC...
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. PoC 1. Make a booking to become...
Bank Mellat <= 1.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=bank-mellat="...
Header Footer Code Manager < 1.1.17 - Reflected Cross-Site Scripting
The plugin does not escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting...
Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
The plugin does not have authorisation nor CSRF checks in the acf7dbeditscrfiledelete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPre...
Team Circle Image Slider With Lightbox < 1.0.16 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the orderpos parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=circlethumbnailsliderwithlightboximagemanagementpos=...
Social Media Feather < 2.0.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...
CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed. PoC Put the following payloads in the "License ID" setting of the plugin and save: "...
Comment Engine Pro <= 1.0 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, allowing high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks...
CorreosExpress <= 2.6.0 - Sensitive Information Disclosure
The plugin generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses PoC https://example.com/wp-content/plugins/correos-express/log/logcronfunction.txt...
Download Monitor < 4.4.7 - Admin+ Arbitrary File Download
The plugin does not validate files to be downloaded, which could allow high privilege users such as admin to access arbitrary files from the server...
Duplicate Post < 1.2.0 - Authenticated SQL Injection
The plugin does not properly sanitise and escape the id parameter passed to the cdpactionhandling AJAX action, which could allow user having access to the plugin by default admins to perform SQL Injection attacks PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Length: 229 Accept: /...
YOP Poll < 6.3.1 - Author+ Stored Cross-Site Scripting via Preview Module
The plugin is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of...
Storefront Footer Text <= 1.0.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed. PoC The plugin requires the Storefront theme Go to Appearance Customize...
Asgaros Forum < 1.15.13 - Unauthenticated SQL Injection
The plugin does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue PoC https://example.com/forum/?subscribetopic=1%20union%20select%201%20and%20sleep10...
BP Better Messages < 1.9.9.41 - Reflected Cross-Site Scripting
The plugin sanitise with sanitizetextfield but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/chat-rooms/?subject=asd%22%20%22%20onmouseover=javascript:alert1;%20test=%22&new-message;=asd...
OptinMonster < 2.6.1 - Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to Reflected Cross-Site Scripting XSS due to insufficient input validation in the loadpreviews function found in the /OMAPI/Output.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.6.0...
Bitcoin / AltCoin Payment Gateway for WooCommerce < 1.6.1 - Reflected Cross-Site Scripting
The plugin does not escape the 's' GET parameter before outputting back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/admin.php?page=cs-woo-altcoin-all-coins="...
TranslatePress < 2.0.9 - Authenticated Stored Cross-Site Scripting
The plugin does not implement a proper sanitisation on the translated strings. The 'trpsanitizestring' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues. PoC As...
Advanced Custom Fields < 5.11 - Subscriber+ Arbitrary ACF Data/Field Groups View and Fields Move
Some of the functions did not have proper capability checks in place, allowing low privilege users such as subscribers to view arbitrary ACF data, movie fields, as well as view field groups...
WordPress Real Media Library < 4.14.2 - Author Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting via the name parameter in the /inc/overrides/lite/rest/Folder.php file which allows author-level attackers to inject arbitrary web scripts in folder names...
Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
The plugin does not sanitise or escape the feedID POST parameter in its feedlocator AJAX action available to both authenticated and unauthenticated users before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will ...
Scribble Maps <= 1.2 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the /includes/admin.php file which allows attackers to inject arbitrary web scripts...
Custom Post Type Relations <= 1.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the cptrname parameter found in the /pages/admin-page.php file which allows attackers to inject arbitrary web scripts...
Titan Framework <= 1.12.1 - Reflected Cross-Site Scripting (XSS)
Description The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues Edit WPScanTeam: - The original report mentioned the issue...
Blue Admin <= 21.06.01 - CSRF to Stored Cross-Site Scripting (XSS)
The plugin does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. PoC Add the...
Photo Gallery < 1.5.75 - Stored Cross-Site Scripting via Uploaded SVG
The plugin did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly ie in the...
Visitors <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
The plugin is affected by an Unauthenticated Stored Cross-Site Scripting XSS vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel. PoC $ curl -i http://localhost:10008/ --user-agent "alert1...
Ultimate Addons for Elementor < 1.30.0 - Contributor+ Stored XSS
The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. These vulnerabilities were discovered and patched by Brainstorm Force after the...
Patreon WordPress < 1.7.2 - Reflected XSS on patreon_save_attachment_patreon_level AJAX action
The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreonsaveattachmentpatreonlevel AJAX action of the plugin. This AJAX hook is used to update the pledge level required by Patreon subscribers to access a given attachment. This action is accessible for user accounts with t...
PhastPress < 1.111 - Open Redirect
There is an open redirect in the plugin that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/ that...
YITH WooCommerce Gift Cards Premium < 3.3.1 - RCE via Arbitrary File Upload
"An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium before 3.3.1 allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. In order to exploit this vulnerability, an attacker must be able to place a...
Responsive Menu < 4.0.4 - CSRF to Arbitrary File Upload
"Attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site." PoC...
WordPress < 5.5.2 - Stored XSS in Post Slugs
Description The release notes state: "Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs."...
Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings"
The plugin attempts to delete malicious files such as .php form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not remove...
Ajax Load More < 5.3.2 - Authenticated SQL Injection
The Ajax Load More WordPress plugin was vulnerable to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep5=test. The attacker needs to be authenticated with the editthemeoptions capability, which only administrators have by default. PoC...
Broken Link Checker <= 1.11.8 - Authenticated Cross-Site Scripting (XSS)
The Broken Link Checker WordPress plugin was affected by an Authenticated Cross-Site Scripting XSS security vulnerability...
Nextgen Gallery < 3.2.11 - SQL Injection
The WordPress Gallery Plugin – NextGEN Gallery WordPress plugin was affected by a SQL Injection security vulnerability...
Hustle <= 6.0.7 - Unauthenticated CSV Injection
The Hustle – Email Marketing, Lead Generation, Optins, Popups WordPress plugin was affected by an Unauthenticated CSV Injection security vulnerability...
PixelYourSite < 5.3.0 - XSS
The PixelYourSite – Your smart PIXEL TAG Manager WordPress plugin was affected by a XSS security vulnerability...
WP Live Chat Support < 8.0.06 - Unauthenticated Stored XSS
An unauthenticated user can inject arbitrary javascript code in the admin panel by using the text field "Name" of WP Live Chat Support. The arbitrary code runs on the page wplivechat-menu-history. In the file wp-live-chat-support.php there is no sanitization of $result-id row 4439. WP Live Chat...
WPGlobus <= 1.9.6 - Stored XSS & CSRF
The WPGlobus – Multilingual Everything! WordPress plugin was affected by a Stored XSS & CSRF security vulnerability...