Lucene search
K
WpvulndbMost viewed

14602 matches found

WPVulnDB
WPVulnDB
added 2022/12/16 12:0 a.m.27 views

ActiveCampaign for WooCommerce < 1.9.8 - Subscriber+ Error Log Cleanup

The plugin does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs. PoC Run the below command in the developer console of the web browser while being on the blog as a...

4.3CVSS2.6AI score0.00483EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/12/05 12:0 a.m.27 views

Contest Gallery < 19.1.5 - Author+ SQL Injection

The plugins do not escape the cgcopystart POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...

6.5CVSS0.2AI score0.00854EPSS
Exploits2References1Affected Software2
WPVulnDB
WPVulnDB
added 2022/11/08 12:0 a.m.27 views

5 Anker Connect < 1.2.7 - Reflected Cross-Site Scripting

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...

4.8CVSS5AI score0.00437EPSS
Exploits0
WPVulnDB
WPVulnDB
added 2022/11/07 12:0 a.m.27 views

HTML Forms < 1.3.25 - Admin+ SQLi

The plugin does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users PoC Access the submission page on https://example.com/wp-admin/admin.php?page=html-forms=editid=formID=submissions Capture the request after...

7.2CVSS0.8AI score0.01786EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/10/28 12:0 a.m.27 views

Creative Mail < 1.6.0 - Multiple CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as enable disable contact sync, reset the plugin, unlink accounts and update email marketing settings...

8.8CVSS4.2AI score0.00276EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/10/25 12:0 a.m.27 views

SEO Redirection Plugin < 9.1 - Multiple CSRF

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

8.8CVSS5AI score0.00276EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/10/03 12:0 a.m.27 views

Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Objection Injection

The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin class Evil...

7.2CVSS0.5AI score0.0115EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/09/26 12:0 a.m.27 views

Comment Guestbook <= 0.8.0 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.8CVSS2.3AI score0.00396EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/09/20 12:0 a.m.27 views

Import all XML, CSV & TXT into WordPress < 6.5.8 - Admin+ SQLi

The plugin does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin PoC With the additional https://wordpress.org/plugins/polylang/ plugin installed, import a CSV with the following payloa...

7.2CVSS0.7AI score0.00992EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/09/14 12:0 a.m.27 views

Enable Media Replace < 4.0.0 - Admin+ Path Traversal

The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack for example PoC When replacing the file, select "Replace the file, use new file name and...

4.9CVSS1.9AI score0.00781EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/09/06 12:0 a.m.27 views

Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Blind SQLi

The plugin does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks PoC As unauthenticated, fill the reservation form it's on a page where the reservationform is embed, intercept the...

9.8CVSS1.1AI score0.37709EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/08/01 12:0 a.m.27 views

WP phpMyAdmin < 5.2.0.4 - Admin+ Stored Cross-Site Scripting

The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "phpMyAdmin on hosting" setting...

4.8CVSS2AI score0.00642EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/08/01 12:0 a.m.27 views

Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing

The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes. PoC curl https://example.com/wp-content/uploads/wpjobboard Search for this path / folder in search engines to find...

7.5CVSS0.4AI score0.03158EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2022/08/01 12:0 a.m.27 views

MailerLite - Signup forms (official) < 1.5.7 - API Key Update via CSRF

The plugin does not have CSRF check in place when updating its API key, which could allow attackers to make a logged in admin change it via a CSRF attack...

8.8CVSS4.5AI score0.00303EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/06/28 12:0 a.m.27 views

SP Project & Document Manager < 4.58 - Sensitive File Disclosure

The plugin uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files. PoC 1. Upload a file using the plugin. 2. On another browser, access the newly uploaded file via:...

6.5CVSS0.4AI score0.00807EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/06/16 12:0 a.m.27 views

BuddyPress Group Reviews < 2.8.4 - Subscriber+ Arbitrary Settings Update & Review Modification

The plugin is missing capability and CSRF checks in various of its AJAX functions available to any authenticated users, which could allow users with a role as low as subscriber to update arbitrary settings and modify reviews...

6.5CVSS4.5AI score0.00671EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/06/15 12:0 a.m.27 views

Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have bee...

1.3AI score
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2022/05/26 12:0 a.m.27 views

Image Slider by NextCode <= 1.1.2 - Author+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...

4.8CVSS3.3AI score0.00519EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/05/18 12:0 a.m.27 views

JupiterX < 2.0.7 & JupiterX Core < 2.0.7 - Subscriber+ Arbitrary Plugin Deactivation and Settings Update

Any logged-in user, including subscriber-level users, can access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterxapiajax actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the...

5.5CVSS4.4AI score0.00513EPSS
Exploits0References1Affected Software2
WPVulnDB
WPVulnDB
added 2022/05/18 12:0 a.m.27 views

Jupiter < 6.10.2 & JupiterX Core < 2.0.8 - Subscriber+ Privilege Escalation and Post Deletion

When the theme is installed, any logged-in user can elevate their privileges to an administrator by sending an AJAX request with the action parameter set to abbuninstalltemplate. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is...

9CVSS2.4AI score0.01498EPSS
Exploits1References1Affected Software2
WPVulnDB
WPVulnDB
added 2022/03/29 12:0 a.m.27 views

English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect

The plugin does not validate the admincustomlanguagereturnurl before redirecting users o it, leading to an open redirect issue PoC https://example.com/wp-admin/admin-ajax.php?action=heartbeatcustomlanguagetoggle=1customlanguagereturnurl=https://wpscan.com...

6.1CVSS1.2AI score0.01873EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/03/21 12:0 a.m.27 views

Salon booking system < 7.6.3 - Unauthenticated Sensitive Data Disclosure

The plugin does not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it. PoC Although the API only...

5.3CVSS5.1AI score0.01146EPSS
Exploits2Affected Software2
WPVulnDB
WPVulnDB
added 2022/03/14 12:0 a.m.27 views

MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution

The plugin allows a high privileged user to bypass the DISALLOWFILEEDIT and DISALLOWFILEMODS settings and upload arbitrary files to the site through the "ajaxsave" function. The file is written relative to the current theme's stylesheet directory, and a .php file extension is added. No validation...

7.2CVSS6.9AI score0.01484EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/03/02 12:0 a.m.27 views

MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting

The plugin does not properly sanitise form data, which could allow high privilege users to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed...

4.8CVSS3.5AI score0.00489EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/03/01 12:0 a.m.27 views

Database Peek <= 1.2 - Reflected Cross-Site Scripting

The plugin does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=ab-database-peek=wpusers="...

6.1CVSS0.00788EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/02/18 12:0 a.m.27 views

Essential Addons for Elementor Lite < 5.0.9 - Reflected Cross-Site Scripting

The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the /includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted li...

6.1CVSS5.3AI score0.03193EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2022/02/15 12:0 a.m.27 views

Advanced Product Labels for WooCommerce < 1.2.3.7 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape the taxcolorsettype parameter before outputting it back in the berocketaplcolorlistener AJAX action's response, leading to a Reflected Cross-Site Scripting PoC As any authenticated user:...

6.1CVSS1.2AI score0.00863EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2022/02/14 12:0 a.m.27 views

WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting

The plugin does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Go to "Field Editor" page. Put the following XSS payload into the "Placeholder /...

4.8CVSS1AI score0.00588EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/02/07 12:0 a.m.27 views

White Label MS < 2.2.9 - Reflected Cross-Site Scripting

The plugin does not sanitise and validate the wlcmslogincustomjs parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue PoC In v 2.2.8, both unauthenticated and authenticated users can be attacked with it. In 2.2.8, it will only...

6.1CVSS1.5AI score0.0812EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2022/02/01 12:0 a.m.27 views

Easy Pricing Tables < 3.1.3 - Arbitrary Post Removal via CSRF

The plugin does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash PoC https://example.com/wp-admin/edit.php?posttype=easy-pricing-table=ept3-list=trash=1...

6.5CVSS4.8AI score0.00523EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/01/31 12:0 a.m.27 views

Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending

The plugin does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues PoC...

6.1CVSS0.3AI score0.01469EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2021/12/16 12:0 a.m.27 views

Crisp Live Chat < 0.32 - CSRF to Stored Cross-Site Scripting

The plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisppluginsettingspage function found in the /crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31...

8.8CVSS3.8AI score0.00608EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/11/23 12:0 a.m.27 views

HTML5 Responsive FAQ <= 2.8.5 - Admin+ Stored Cross-Site Scripting

The plugin does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Put the following payload in the "Text size of answer in pixels" settings: alert'XSS';...

4.8CVSS2.9AI score0.00588EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2021/09/16 12:0 a.m.27 views

BulletProof Security < 5.2 - Sensitive Information Disclosure

The plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible /dbbackuplog.txt file which grants attackers the full path of the site, in addition to the path of database backup files. PoC...

5.3CVSS0.8AI score0.7233EPSS
Exploits7References2Affected Software1
WPVulnDB
WPVulnDB
added 2021/09/13 12:0 a.m.27 views

Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection

The plugin allows unauthenticated users to perform SQL injection via the aysfinishpoll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash. PoC This requires a valid nonce, which can be obtained by going to...

7.5CVSS0.6AI score0.01587EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2021/08/13 12:0 a.m.27 views

Media Usage <= 0.0.4 - Reflected Cross-Site Scripting

The plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the /mmuadmin.php file which allows attackers to inject arbitrary web scripts...

6.1CVSS4.9AI score0.00844EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/07/29 12:0 a.m.27 views

WordPress Download Manager < 3.1.25 - Authenticated File Upload

Authenticated File Upload in WordPress Download Manager = 3.1.24 allows authenticated Author+ users to upload files with a double extension, e.g. "payload.php.png" which is executable in some configurations. The destination folder is also protected by an .htaccess file affecting the same...

6.5CVSS4.6AI score0.0058EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/07/28 12:0 a.m.27 views

Admin Custom Login < 3.2.8 - CSRF to Stored XSS

The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the /includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7. PoC...

6.8CVSS3.9AI score0.007EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/06/16 12:0 a.m.27 views

WP JobSearch < 1.7.4 - Authenticated Stored XSS

The plugin did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue PoC Vulnerable parameters: fieldeducationtitle=,...

5.4CVSS1.6AI score0.00633EPSS
Exploits2References2Affected Software2
WPVulnDB
WPVulnDB
added 2021/06/11 12:0 a.m.27 views

Welcart e-Commerce < 2.2.4 - Cross-Site Scripting (XSS)

The plugin did not sanitise or validate the orderid parameter before outputting in the page of the admin dashboard, leading to a reflected Cross-Site Scripting issue PoC http://wp.lab/wordpress/wp-admin/admin.php?page=uscesorderlistaction=editid=1"...

6.1CVSS0.1AI score0.01044EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/06/04 12:0 a.m.27 views

GeoDirectory Location Manager < 2.1.0.10 - Multiple Unauthenticated SQL Injections

In the plugin, the AJAX action gdpopularlocationlist did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues. The prerequisite to exploiting this vulnerability is finding a page on the vulnerable si...

9.8CVSS10AI score0.01832EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/05/31 12:0 a.m.27 views

Yes/No Chart < 1.0.12 - Authenticated (contributor+) Blind SQL Injection

The plugin did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users contributor+ to perform Blind SQL Injection attacks PoC To exploit, the site administrator must add a question set and a question first. This requirement is usually met for...

6.5CVSS3AI score0.01164EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2021/04/29 12:0 a.m.27 views

AcyMailing < 7.5.0 - Open Redirect

When subscribing using AcyMailing, the "redirect" parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim. PoC When using acymailing to subscribe to a newsletter, you make a PO...

6.1CVSS0.01939EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2021/04/13 12:0 a.m.27 views

Premium Addons for Elementor < 4.2.8 - Contributor+ Stored Cross-Site Scripting (XSS)

The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Testimonials” widget accepts a “premiumtestimonialpersonnamesize” parameter...

3.5CVSS1.2AI score0.0059EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/04/13 12:0 a.m.27 views

PowerPack Addons for Elementor < 2.3.2 - Contributor+ Stored XSS

The “Elementor Addons – PowerPack Addons for Elementor” WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Advanced accordion” widget accepts a...

3.5CVSS1.3AI score0.00663EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2021/01/12 12:0 a.m.27 views

Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation

Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. As part of the registration form, administrators can choose which role to set as the default for users upon registration. This field is hidden from view for...

0.1AI score0.009EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2020/11/30 12:0 a.m.28 views

Canto <= 1.7.0 - Unauthenticated Blind SSRF

The plugin is affected by Blind SSRF issues via the domain parameter in three files: /includes/lib/tree.php, /includes/lib/detail.php and /includes/lib/get.php. All requests to the arbitrary domain/IP will be made with the HTTPS protocol PoC The PoC will be displayed once the issue has been...

5CVSS1.6AI score0.27771EPSS
Exploits3References1Affected Software1
WPVulnDB
WPVulnDB
added 2020/10/29 12:0 a.m.27 views

WordPress < 5.5.2 - Protected Meta That Could Lead to Arbitrary File Deletion

Description The release notes state: "Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion."...

9.1CVSS9.3AI score0.04059EPSS
Exploits0References3
WPVulnDB
WPVulnDB
added 2020/09/21 12:0 a.m.27 views

Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.5.5 - Unauthenticated Remote Code Execution

The Drag and Drop Multiple File Upload – Contact Form 7 WordPress plugin was vulnerable to Remote Code Execution via file upload. The plugin used a blacklist of dangerous file extensions that it did not allow to be uploaded, however, the extensions .phar and .phpt were not within the blacklist,...

2.4AI score
Exploits1References2Affected Software1
WPVulnDB
WPVulnDB
added 2020/07/21 12:0 a.m.27 views

Elementor < 2.9.14 - Authenticated Stored Cross-Site Scripting

The template name is not properly sanitised when output back, leading to a stored XSS issue. PoC Go to templates tab, click on "add new', and select page or section Then add XSS payload such as " on "name your template" field and hit create template...

3.5CVSS0.65037EPSS
Exploits2References1Affected Software1
Total number of security vulnerabilities5000