14602 matches found
ActiveCampaign for WooCommerce < 1.9.8 - Subscriber+ Error Log Cleanup
The plugin does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs. PoC Run the below command in the developer console of the web browser while being on the blog as a...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgcopystart POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
5 Anker Connect < 1.2.7 - Reflected Cross-Site Scripting
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
HTML Forms < 1.3.25 - Admin+ SQLi
The plugin does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users PoC Access the submission page on https://example.com/wp-admin/admin.php?page=html-forms=editid=formID=submissions Capture the request after...
Creative Mail < 1.6.0 - Multiple CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks, such as enable disable contact sync, reset the plugin, unlink accounts and update email marketing settings...
SEO Redirection Plugin < 9.1 - Multiple CSRF
The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Kadence WooCommerce Email Designer < 1.5.7 - Admin+ PHP Objection Injection
The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import intentionally or not a malicious file and a suitable gadget chain is present on the blog. PoC To simulate a gadget chain, put the following code in a plugin class Evil...
Comment Guestbook <= 0.8.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Import all XML, CSV & TXT into WordPress < 6.5.8 - Admin+ SQLi
The plugin does not properly sanitise and escape imported data before using them back SQL statements, leading to SQL injection exploitable by high privilege users such as admin PoC With the additional https://wordpress.org/plugins/polylang/ plugin installed, import a CSV with the following payloa...
Enable Media Replace < 4.0.0 - Admin+ Path Traversal
The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack for example PoC When replacing the file, select "Replace the file, use new file name and...
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Blind SQLi
The plugin does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks PoC As unauthenticated, fill the reservation form it's on a page where the reservationform is embed, intercept the...
WP phpMyAdmin < 5.2.0.4 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Put the following payload in the "phpMyAdmin on hosting" setting...
Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing
The plugin does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated Directory Listing which allows the download of uploaded resumes. PoC curl https://example.com/wp-content/uploads/wpjobboard Search for this path / folder in search engines to find...
MailerLite - Signup forms (official) < 1.5.7 - API Key Update via CSRF
The plugin does not have CSRF check in place when updating its API key, which could allow attackers to make a logged in admin change it via a CSRF attack...
SP Project & Document Manager < 4.58 - Sensitive File Disclosure
The plugin uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files. PoC 1. Upload a file using the plugin. 2. On another browser, access the newly uploaded file via:...
BuddyPress Group Reviews < 2.8.4 - Subscriber+ Arbitrary Settings Update & Review Modification
The plugin is missing capability and CSRF checks in various of its AJAX functions available to any authenticated users, which could allow users with a role as low as subscriber to update arbitrary settings and modify reviews...
Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection
The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have bee...
Image Slider by NextCode <= 1.1.2 - Author+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as author to perform Stored Cross-Site Scripting attacks...
JupiterX < 2.0.7 & JupiterX Core < 2.0.7 - Subscriber+ Arbitrary Plugin Deactivation and Settings Update
Any logged-in user, including subscriber-level users, can access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterxapiajax actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the...
Jupiter < 6.10.2 & JupiterX Core < 2.0.8 - Subscriber+ Privilege Escalation and Post Deletion
When the theme is installed, any logged-in user can elevate their privileges to an administrator by sending an AJAX request with the action parameter set to abbuninstalltemplate. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is...
English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
The plugin does not validate the admincustomlanguagereturnurl before redirecting users o it, leading to an open redirect issue PoC https://example.com/wp-admin/admin-ajax.php?action=heartbeatcustomlanguagetoggle=1customlanguagereturnurl=https://wpscan.com...
Salon booking system < 7.6.3 - Unauthenticated Sensitive Data Disclosure
The plugin does not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it. PoC Although the API only...
MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution
The plugin allows a high privileged user to bypass the DISALLOWFILEEDIT and DISALLOWFILEMODS settings and upload arbitrary files to the site through the "ajaxsave" function. The file is written relative to the current theme's stylesheet directory, and a .php file extension is added. No validation...
MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise form data, which could allow high privilege users to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed...
Database Peek <= 1.2 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/admin.php?page=ab-database-peek=wpusers="...
Essential Addons for Elementor Lite < 5.0.9 - Reflected Cross-Site Scripting
The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the /includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted li...
Advanced Product Labels for WooCommerce < 1.2.3.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the taxcolorsettype parameter before outputting it back in the berocketaplcolorlistener AJAX action's response, leading to a Reflected Cross-Site Scripting PoC As any authenticated user:...
WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Go to "Field Editor" page. Put the following XSS payload into the "Placeholder /...
White Label MS < 2.2.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and validate the wlcmslogincustomjs parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue PoC In v 2.2.8, both unauthenticated and authenticated users can be attacked with it. In 2.2.8, it will only...
Easy Pricing Tables < 3.1.3 - Arbitrary Post Removal via CSRF
The plugin does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash PoC https://example.com/wp-admin/edit.php?posttype=easy-pricing-table=ept3-list=trash=1...
Use Any Font < 6.2.1 - Unauthenticated Arbitrary CSS Appending
The plugin does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues PoC...
Crisp Live Chat < 0.32 - CSRF to Stored Cross-Site Scripting
The plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisppluginsettingspage function found in the /crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31...
HTML5 Responsive FAQ <= 2.8.5 - Admin+ Stored Cross-Site Scripting
The plugin does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Put the following payload in the "Text size of answer in pixels" settings: alert'XSS';...
BulletProof Security < 5.2 - Sensitive Information Disclosure
The plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible /dbbackuplog.txt file which grants attackers the full path of the site, in addition to the path of database backup files. PoC...
Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection
The plugin allows unauthenticated users to perform SQL injection via the aysfinishpoll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash. PoC This requires a valid nonce, which can be obtained by going to...
Media Usage <= 0.0.4 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the /mmuadmin.php file which allows attackers to inject arbitrary web scripts...
WordPress Download Manager < 3.1.25 - Authenticated File Upload
Authenticated File Upload in WordPress Download Manager = 3.1.24 allows authenticated Author+ users to upload files with a double extension, e.g. "payload.php.png" which is executable in some configurations. The destination folder is also protected by an .htaccess file affecting the same...
Admin Custom Login < 3.2.8 - CSRF to Stored XSS
The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the /includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7. PoC...
WP JobSearch < 1.7.4 - Authenticated Stored XSS
The plugin did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue PoC Vulnerable parameters: fieldeducationtitle=,...
Welcart e-Commerce < 2.2.4 - Cross-Site Scripting (XSS)
The plugin did not sanitise or validate the orderid parameter before outputting in the page of the admin dashboard, leading to a reflected Cross-Site Scripting issue PoC http://wp.lab/wordpress/wp-admin/admin.php?page=uscesorderlistaction=editid=1"...
GeoDirectory Location Manager < 2.1.0.10 - Multiple Unauthenticated SQL Injections
In the plugin, the AJAX action gdpopularlocationlist did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues. The prerequisite to exploiting this vulnerability is finding a page on the vulnerable si...
Yes/No Chart < 1.0.12 - Authenticated (contributor+) Blind SQL Injection
The plugin did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users contributor+ to perform Blind SQL Injection attacks PoC To exploit, the site administrator must add a question set and a question first. This requirement is usually met for...
AcyMailing < 7.5.0 - Open Redirect
When subscribing using AcyMailing, the "redirect" parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim. PoC When using acymailing to subscribe to a newsletter, you make a PO...
Premium Addons for Elementor < 4.2.8 - Contributor+ Stored Cross-Site Scripting (XSS)
The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Testimonials” widget accepts a “premiumtestimonialpersonnamesize” parameter...
PowerPack Addons for Elementor < 2.3.2 - Contributor+ Stored XSS
The “Elementor Addons – PowerPack Addons for Elementor” WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method. The “Advanced accordion” widget accepts a...
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation
Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. As part of the registration form, administrators can choose which role to set as the default for users upon registration. This field is hidden from view for...
Canto <= 1.7.0 - Unauthenticated Blind SSRF
The plugin is affected by Blind SSRF issues via the domain parameter in three files: /includes/lib/tree.php, /includes/lib/detail.php and /includes/lib/get.php. All requests to the arbitrary domain/IP will be made with the HTTPS protocol PoC The PoC will be displayed once the issue has been...
WordPress < 5.5.2 - Protected Meta That Could Lead to Arbitrary File Deletion
Description The release notes state: "Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion."...
Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.5.5 - Unauthenticated Remote Code Execution
The Drag and Drop Multiple File Upload – Contact Form 7 WordPress plugin was vulnerable to Remote Code Execution via file upload. The plugin used a blacklist of dangerous file extensions that it did not allow to be uploaded, however, the extensions .phar and .phpt were not within the blacklist,...
Elementor < 2.9.14 - Authenticated Stored Cross-Site Scripting
The template name is not properly sanitised when output back, leading to a stored XSS issue. PoC Go to templates tab, click on "add new', and select page or section Then add XSS payload such as " on "name your template" field and hit create template...