14602 matches found
YARPP - Yet Another Related Posts Plugin < 5.30.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC v 5.30.3 yarpp template="'...
ResponsiveVoice Text To Speech < 1.7.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC responsivevoicebutton voice='"; alert1;...
CPO Companion < 1.1.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting via Form Settings
The plugin does not sanitize and escape several form fields before outputting them to pages on the site, allowing authenticated admin+ users to inject arbitrary web scripts even when unfiltered html has been disabled such as in a multisite setup...
Mesmerize Companion < 1.6.135 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Required...
WP RSS By Publishers <= 0.1 - Admin+ SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC https://example.com/wp-admin/admin.php?page=wsysadminrules=delete=0,1+AND+SELECT+5926+FROM+SELECTSLEEP5erUA...
Welcart e-Commerce < 2.8.6 - Subscriber+ PHAR Deserialisation
The plugin does not validate user input before using it in fileexist functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present...
Booster for WooCommerce - Reflected Cross-Site Scripting
The plugins do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting...
Chained Quiz < 1.3.2.4 - Multiple Reflected Cross-Site Scripting
The plugin does not sanitise and escape the ip and date parameters before outputting them back in the chainedquizlist page, which could lead to reflected Cross-Site Scripting...
Photo Gallery < 1.8.3 - Stored XSS via CSRF
The plugin does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored XSS issue when an attacker makes a logged in admin open a malicious URL or page under their control. Note: The XSS will only trigger for the...
BeTheme < 26.6.3 - Subscriber+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Stored Cross-Site Scripting attacks...
Appointment Booking Calendar < 1.3.70 - Feedback Submission via CSRF
The plugin does not have CSRF check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a CSRF attack...
Advanced Dynamic Pricing for WooCommerce < 4.1.6 - Rule Type Migration via CSRF
The plugin does not have CSRF check when migrating rule types, which could allow attackers to make logged in admin perform such action via a CSRF attack...
Soledad < 8.2.6 - Subscriber+ Cross-Site Scripting
The plugin does not sanitise and escape a parameter, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks...
Welcart eCommerce < 2.7.8 - Unauthenticated Arbitrary File Access
The plugin does not validate user input used in a path, which could allow unauthenticated users to read arbitrary files via a traversal attack...
LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API
The plugin unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leadint to remote code execution RCE. To successfully exploit this vulnerability attackers must have knowledge of the site...
Activity Log < 2.8.4 - CSV Injection
The plugin does not validate data when output it back in a CSV file, which could lead to CSV injection...
All in One SEO < 4.2.4 - Multiple CSRF
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi
The plugin does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
About Me <= 1.0.12 - Subscriber+ Arbitrary Network Creation/Deletion
The plugin does not have authorisation and CRSF when adding and deleting networks via AJAX actions, which could allow any authenticated users, such as subscriber to create and delete arbitrary networks...
amCharts: Charts and Maps < 1.4.1 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Simple Single Sign On <= 4.1.0 - Authentication Bypass
The plugin leaks its OAuth clientsecret, which could be used by attackers to gain unauthorized access to the site. PoC When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in. The button invokes the following URL:...
String Locator < 2.6.0 - Authenticated PHAR Deserialization
The plugin does not validate a parameter, which could lead to PHAR deserialisation when an attacker manage to upload a malicious file crafted with a suitable gadget chain and having a logged in admin open a malicious link...
LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. PoC...
Enable SVG, WebP & ICO Upload <= 1.0.1 - Author+ Arbitrary File Upload
The plugin does not validate upload files, which could allow users with a role as low as author to upload arbitrary files...
Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog PoC fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded", , "method": "POST", "body":...
Beaver Builder < 2.5.4.4 - Subscriber+ Arbitrary Post Builder Layout Disabling
The plugin does not have authorisation and CSRF checks in the flbuilderdisable AJAX action, which could allow any authenticated users, such as subscriber to disable the builder layout of arbitrary posts Note: The original advisory mentions the issue has been fixed, however only a CSRF check has...
Slide Anything < 2.3.47 - Author+ Cross Site Scripting in slide title
The plugin does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged in user with roles as low as Author to inject a javascript payload into the slide title even when the unfilteredhtml capability is disabled. An incomplete fix was introduced ...
Request a Quote <= 2.3.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Misc No Access Message setting of the plugin: The XSS will ...
Age Gate < 2.17.1 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some parameters, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks...
Social Share Buttons < 2.2.4 - Subscriber+ SQLi
The plugin does not properly sanitise and escape some parameters before using them in SQL statements available to any authenticated users, leading to SQL injections...
Form - Contact Form <= 1.2.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Create/edit a form, add a Custom Text field, put the following payload in it: , save the field and...
Events Made Easy < 2.2.81 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection PoC Obtain a valid nonce visit the "Events" page, default is /events/, and extract it from the source while looking for...
HC Custom WP-Admin URL <= 1.4 - Unauthenticated Secret URL Disclosure
The plugin leaks the secret login URL when sending a specific crafted request PoC curl -sIXGET -H "Cookie: validloginslug=1" https://example.com/wp-login.php HTTP/2 302 x-redirect-by: WordPress location: secret...
User Meta < 2.4.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC An an admin -...
Tabs Responsive < 2.2.8 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Tab descriptions, which could allow high privileged users with a role as low as editor to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create/edit a Tab via the plugin, and put the following payload in a Tab...
WP Meta SEO < 4.4.7 - Admin+ Stored Cross-Site Scripting via breadcrumbs
The plugin does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed. PoC As admin, put the following payload in the Breadcrumb...
Countdown & Clock <= 2.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed...
VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF
The plugin does not have CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them In attributes. As a result, attackers could make a logged in admin add tracking campaign with XSS payloads in them via a CSRF attack PoC XSS will be triggered...
BadgeOS <= 3.7.0 - Unauthenticated SQLi
The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users PoC curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get-achievementsonly=trueid=11 AND SELECT 9628 FROM...
Social comments by WpDevArt < 2.5.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when unfilteredhtml is disallowed PoC Put the following payload in any of the plugin's text field settings such as Title , Title font-size etc: "...
LifterLMS PayPal < 1.4.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/purchase/confirm-payment/?order=order-xxxxxxx=aa"...
Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure
The plugin does not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data PoC Make a booking to get a customer account Login via API and get access token: curl...
Easy Smooth Scroll Links < 2.23.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in any text field settings of the plugin for example Scroll Speed...
Download Manager < 3.2.39 - Unauthenticated brute force of files master key
The plugin uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download. PoC...
Wow Countdowns <= 3.1.2 - Admin+ SQLi
The plugin does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection. PoC https://example.com/wp-admin/admin.php?page=mwp-countdown=del=1+AND+SELECT+5382+FROM+SELECTSLEEP5PpNt...
Login with phone number < 1.3.7 - Unauthenticated remote plugin deletion
The plugin includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation. PoC...
LearnPress < 4.1.5 - Arbitrary Image Renaming
Users of the plugin can upload an image as a profile avatar after the registration. After this process the user crops and saves the image. Then a "POST" request that contains user supplied name of the image is sent to the server for renaming and cropping of the image. As a result of this request,...
UpdraftPlus < 1.16.69 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the updraftrestore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting PoC...
WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks PoC...