14602 matches found
ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.0 - Insecure Direct Object Reference
Description The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.7.9 due to missing validation on a user controlled key. This makes it possible for authenticated attacker...
Master Slider < 3.9.7 - Unauthenticated PHP Object Injection
Description The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.9.5 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is...
Media Library Folders < 8.1.8 - Authenticated (Author+) SQL Injection
Description The Media Library Folders plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 8.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...
MasterStudy LMS < 3.3.4 - Unauthenticated Local File Inclusion via template
Description The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of...
wp-forecast < 9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The wp-forecast plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...
Webinar and Video Conference with Jitsi Meet < 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Webinar and Video Conference with Jitsi Meet plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Metform Elementor Contact Form Builder < 3.8.6 - Contributor+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web...
Ninja Forms Contact Form < 3.8.1 - Author+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages...
Pie Register <= 3.8.3.1 - Unauthenticated Arbitrary File Upload
Description The Pie Register plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the piesaveregistration function in versions up to, and including, 3.8.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affect...
Combo Blocks < 2.2.76 - Unauthenticated Password Protected Posts Access
Description The plugin does not prevent password protected posts from being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts PoC Open one of the below URL as an unauthenticated user and note that password protected posts are disclosed...
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress < 6.8.7 - Authenticated (Contributor+) SQL Injection via Shortcode
Description The GamiPress – The 1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to SQL Injection via the 'achievementtypes' attribute of the gamipressearnings shortcode in all versions up to, and including, 6.8.6 due to...
Digits < 8.4.2 - Cross-Site Request Forgery to Privilege Escalation
Description The Digits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.1. This is due to missing nonce validation in the 'digitssavesettings' function. This makes it possible for unauthenticated attackers to modify the default role of...
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.6.24 - Cross-Site Request Forgery to Plugin Data Reset
Description The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.6.20. This is due to missing or incorrect nonce validation on the ssafactoryreset function. This...
WP Editor < 1.2.8 - Sensitive Information Exposure via log file
Description The plugin stores its logs at a predictable path, making it easy for anyone to leak their content...
Link Library < 7.6 - Cross-Site Request Forgery via action_admin_init
Description The Link Library plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.5.13. This is due to missing or incorrect nonce validation on the actionadmininit function. This makes it possible for unauthenticated attackers to dismissing a notice...
Total Upkeep < 1.15.9 - Improper Authorization to Unauthenticated Arbitrary File Download
Description The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check in all versions up to, and including, 1.15.8. This makes it possible for unauthenticated attackers to...
JS Help Desk < 2.8.2 - Unauthenticated SQL Injection via email and trackingid
Description The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘email' and 'trackingid' parameters in all versions up to 2.8.2 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on th...
Uncanny Automator < 5.1.0.3 - Sensitive Information Exposure via Log File
Description The Uncanny Automator – Automate everything with the 1 no-code automation and integration plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.0.2 via the plugin's log file. This makes it possible for unauthenticated...
Beaver Builder < 2.7.2.1 - Contributor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings available to Contributor and above roles, which could allow them to perform Stored Cross-Site Scripting attacks...
Sirv < 7.1.3 - Missing Authorization via sirv_disconnect
Description The Sirv plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sirvdisconnect function hooked via AJAX in versions up to, and including, 7.1.2. This makes it possible for authenticated attackers, with subscriber-level access a...
Piotnet Forms Plugin < 1.0.29 - Unauthenticated Arbitrary File Upload
Description The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'piotnetformsajaxformbuilder' function, allowing unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible...
Restricted Site Access <= 7.4.1 - IP Spoofing to Protection Mechanism Bypass
Description The Restricted Site Access plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 6.3.0. This is due to insufficient restrictions on where the IP Address information is being retrieved for user IP Addresses. This makes it possible for attackers to...
Advanced Local Pickup for WooCommerce < 1.6.0 - Authenticated (Administrator+) SQL Injection
Description The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in versions up to, and including, 1.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...
WP Ultimate Exporter < 2.4.2 - Unauthenticated Information Disclosure
Description The WP Ultimate Exporter plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.4.1 due to insufficient protection on the directory in which exported files are stored in. This can allow unauthenticated attackers to extract sensitive da...
Login and Logout Redirect <= 2.0.2 - Open Redirect
Description The Login and Logout Redirect plugin for WordPress is vulnerable to Open Redirect in versions up to, and including, 2.0.2. This is due to insufficient validation on the redirect url supplied via the 'redirectto' parameter. This makes it possible for unauthenticated attackers to redire...
Category SEO Meta Tags <= 2.5 - Cross-Site Request Forgery via csmt_admin_options
Description The Category SEO Meta Tags plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5. This is due to missing or incorrect nonce validation on the 'csmtadminoptions' function. This makes it possible for unauthenticated attackers to change th...
Icegram Express < 5.6.24 - Admin+ Directory Traversal
Description The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector...
Open User Map | Everybody can add locations < 1.3.27 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
nuajik CDN <= 0.1.0 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
DoLogin Security < 3.7 - IP Spoofing
Description The plugin uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. PoC 1. Send login request with x-forwarded-for: REDACTEDIP 2. See spoofed IP address in the "Login Attempts Log"...
tagDiv Composer < 4.2 - Unauthenticated Stored XSS
Description The plugin, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scriptin...
WooCommerce Bulk Stock Management < 2.2.34 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open the URL below...
Simple Iframe < 1.2.0 - Contributor+ Stored XSS
The plugin does not properly validate one of its WordPress block attribute's content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks. PoC POST /wp-json/wp/v2/posts/60?locale=user HTTP/1.1 Host: 127.0.0.1 Content-Length: 378...
Directorist < 7.5.5 - Subscriber+ Arbitrary User Password Reset to Privilege Escalation
The plugin does not properly validates a user sent a valid password reset token, enabling attackers to take over other user accounts, like administrators...
Aajoda Testimonials < 2.2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. In Aajoda » Optional Aajoda Style, insert...
KiviCare Management System < 3.2.1 - Subscriber+ Sensitive Information Disclosure
The plugin does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users PoC Run the below command in the developer console of the web...
ReviewX < 1.6.14 - Subscriber+ Privilege Escalation
The plugin does not validate parameters passed to the rxsetscreenoptions function, allowing any authenticated users, such as subscriber to set themselves as administrators...
Go Pricing - WordPress Responsive Pricing Tables < 3.4 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin...
OSM – OpenStreetMap <= 6.01 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. PoC osmmap mapborder='3px solid black;background:red;width:100px;height:100px;" onmouseover="alert1"'...
Login Rebuilder < 2.8.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Settings » Login rebuilder 2. In...
Shield Security < 17.0.18 - Unauthenticated Stored XSS
The plugin does not escape the User Agent header retrieved via audit log records, which could allow unauthenticated attackers to perform Stored XSS attacks...
Form Block < 1.0.2 - Form Submission via CSRF
The plugin does not have CSRF checks when submitting forms, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Bit Form < 1.9 - RCE via Unauthenticated Arbitrary File Upload
The plugin does not validate the file types uploaded via it's file upload form field, allowing unauthenticated users to upload arbitrary files types such as PHP or HTML files to the server, leading to Remote Code Execution. PoC As an unauthenticated user access a form containing a File Upload for...
Continuous Image Carousel With Lightbox < 1.0.16 - Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
W4 Post List < 2.4.6 - Subscriber+ Password Protected Post Content Disclosure
The plugin does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them PoC Setup: Create a default Post list, and create a password protected post with secret content Then, run the below command in the...
WP Popup Banners <= 1.2.5 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the bannerid parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers...
Watu Quiz < 3.3.9.1 - Reflected XSS
The plugin does not sanitise and escape some parameters such as email, dn, date and points before outputting then back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC...
WP Statistics < 13.2.11 - Subscriber+ SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements, leading to a SQL injection exploitable by users with a role as low as subscriber...
ShopLentor < 2.5.4 - PHP Object Injection
The plugin unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection...
VikRentCar < 1.3.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...