14602 matches found
GiveWP < 3.3.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
ColorMag < 3.1.3 - Missing Authorization to Arbitrary Plugin Installation
Description The plugin is vulnerable to unauthorized access due to a missing capability check on the pluginactioncallback function in all versions up to, allowing authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins...
Schema & Structured Data for WP & AMP < 1.26 - Contributor+ Stored Cross-Site Scripting
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.25 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...
Taggbox < 3.2 - Unauthenticated PHP Object Injection
Description The Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP...
WP Job Manager < 2.1.0 - Unauthenticated Job Status Update
Description The plugin does not properly authorize the use of some endpoints, allowing an unauthenticated attacker to update job statuses...
Related Post < 2.0.54 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Related Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.0.53 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
eCommerce Product Catalog < 3.3.27 - Sensitive Information Exposure via CSV Files
Description The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 3.3.27 exclusive via import and export CSV files. This makes it possible for unauthenticated attackers to extract sensitive data including full...
404 Solution < 2.33.1 - Sensitive Information Exposure via Log File
Description The 404 Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.33.0 via the plugin's log file. This makes it possible for unauthenticated attackers to extract sensitive data including plugin configuration and debug data...
Quotes for WooCommerce < 2.0.2 - Missing Authorization
Description The Quotes for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the qwcupdatestatus and qwcsendquote functions hooked via AJAX in all versions up to, and including, 2.0.2. This makes it possible for authenticated...
Anti Hacker < 4.35 - Cross-Site Request Forgery via antihacker_ajax_scan
Description The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 4.35 exclusive. This is due to missing or incorrect nonce validation on the 'antihackerajaxscan'...
Advanced Access Manager < 6.9.16 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
BuddyPress < 11.3.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its Members/Groups block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Colibri Page Builder < 1.0.248 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Advanced Category Template <= 0.1 - Cross-Site Request Forgery
Description The Advanced Category Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an...
Event Management Tickets Booking <= 1.3.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Backup Migration < 1.4.0 - Authenticated (Admin+) OS Command Injection via url
Description The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the...
Limit Login Attempts Reloaded < 2.25.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Limit Login Attempts Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.25.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
KP Fastest Tawk.to Chat <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The KP Fastest Tawk.to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
BigCommerce <= 5.0.7 - Unauthenticated Sensitive Information Exposure
Description The BigCommerce For WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.0.7. This makes it possible for unauthenticated attackers to extract sensitive data...
Enfold < 5.6.5 - Reflected Cross-Site Scripting
Description The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 5.6.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
HUSKY – Products Filter for WooCommerce (formerly WOOF) < 1.3.4.3 - Missing Authorization via woof_meta_get_keys()
Description The HUSKY – Products Filter for WooCommerce formerly WOOF plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the woofmetagetkeys function in versions up to, and including, 1.3.4.2. This makes it possible for authenticated attackers,...
WP Shortcodes Plugin — Shortcodes Ultimate < 7.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sumeta shortcode combined with post meta data in all versions up to, and including, 5.13.3 due to insufficient input sanitization and output escaping on us...
Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via products
Description The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the getproducts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the...
Shortcodes and extra features for Phlox theme < 2.15.0 - Unauthenticated Local File Inclusion
Description The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.14.0. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution ...
Actueel Financieel Nieuws – Denk Internet Solutions <= 5.2.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
MainWP Dashboard < 4.5.1.3 - Authenticated(Administrator+) CSS Injection
Description The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated...
AI ChatBot < 4.9.1 and 4.9.2 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file
Description The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcldopenaiuploadpagetrainingfile function. This allows subscriber-level attackers to append "...
EazyDocs < 2.3.4 - Subscriber + SQLi
Description The plugin does not properly sanitize and escape "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. PoC 1. Create a document then create some sections in the documen...
Form Maker by 10Web < 1.15.19 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Post Gallery <= 2.3.12 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Timthumb Scanner <= 1.54 - Scan Initialisation via CSRF
Description The plugin does not have CSRF check when starting a scan, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Memberlite Shortcodes < 1.3.9 - Contributor+ Stored XSS via Shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Po...
Contact Form Generator < 2.6.0 - Reflected XSS
Description The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
wpShopGermany IT-RECHT KANZLEI < 1.8 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Ninja Forms < 3.6.26 - Subscriber+ Form Entries Export
Description The plugin does not have proper authorisation check in the processing function, which could allow any authenticated users, such as subscriber to export and download submitted form entries...
Social Media Share Buttons & Social Sharing Icons < 2.8.2 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC Put the payload in any text field of the "8 ...
MStore API < 3.9.3 - Authentication Bypass
The plugin does not properly verify the user provided when adding listing via its REST API, allowing unauthenticated users to login as an arbitrary user by providing their ID...
Rank Math SEO PRO < 3.0.36 - Unauthenticated Reflected XSS
The plugin does not sanitize and escape a parameter before outputting it back in the page, allowing an unauthenticated attacker to inject web scripts that will execute when a visitor follows a crafted link to the page...
Seo By 10Web < 1.2.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to SEO by 10Web » Sitemap section. 2...
Ultimate Carousel For WPBakery Page Builder <= 2.6 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The plugin author was made aware of this...
Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection
The plugin unserializes user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present. PoC Setup As admin - To simulate a gadget chain, put the following code in a plugin: class Evil public function wakeup :...
OAuth Single Sign On - SSO (OAuth Client) Standard < 28.4.9 - IdP Deletion via CSRF
The plugin does not have CSRF checks when deleting Identity Providers IdP, which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack PoC https://example.com/wp-admin/admin.php?page=mooauthsettings=config=delete=wordpress...
ProfilePress < 4.5.5 - Reflected XSS
The plugin does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
Wicked Folders < 2.18.17 - Folder Structure Update via CSRF
The plugin does not have CSRF checks when managing its folder structure such as moving, deleting, creating etc folders, which could allow attackers to make logged admins perform such actions via CSRF attacks...
A2 Optimized WP < 3.0.5 - Data Collection Toggle via CSRF
The plugin does not have CSRF check in place when toggling its data Collection settings, which could allow attackers to make a logged in admin enabled/disable it via a CSRF attack...
Tutor LMS < 2.0.10 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the resetkey and userid parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC...
Login with Phone Number < 1.4.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ID parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC https://example.com/wp-admin/admin-ajax.php?action=lwpforgotpassword=...
Conditional Payment Methods for WooCommerce <= 1.0 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin|users with a role as low as admin. PoC...
ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the ‘wpusercoverdefaultimageurl parameter before outputting it to the pages on the site, allowing an authenticated admin+ user to inject arbitrary web scripts even when unfilteredhtml has been disabled such as in a multisite setup...
3D FlipBook < 1.13.3 - Contributor+ Stored XSS
The plugin does not validate or escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high privilege users like administrators. PoC 1. As an administrator,...