14602 matches found
WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks PoC...
Temporary Login Without Password < 1.7.1 - Subscriber+ Plugin's Settings Update
The plugin does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them PoC jQuery.post"https://example.com/wp-admin/index.php", "wtlwp-nonce": "foo", // Not validated tlwpsettingsdata: defaultrole: "editor",...
ProfilePress < 3.2.3 - Reflected Cross-Site Scripting
The plugin does not escape the data parameter of the ppgetformsbybuildertype AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue PoC...
About Author Box < 1.0.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks. PoC With a role as low as Contributor, put the following payloads in one of the Social...
Simple Job Board < 2.9.5 - Admin+ Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $jobboardprivacypolicylabel variable echo’d out via the /admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web...
YOP Poll < 6.3.1 - Author+ Stored Cross-Site Scripting via Options Module
The plugin is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation ...
Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create/edit a form, add the following payload to a Field Label: The XSS will be triggered when...
Html5 Audio Player < 2.1.3 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode PoC Log in as contributor and add the following shortco...
Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS
The plugin does not properly sanitize values used when creating new calendars. PoC Open the Appointment Hour Booking Tab. Enter XSS payload like " in new calendar name field. and click on "add new" button. Go back to the Appointment Hour Booking Tab and select "Publish" for any calendar. The XSS...
PostX Gutenberg Blocks for Post Grid < 2.4.10 - Missing Access Controls
The plugin performs incorrect checks before allowing any logged in user to perform some ajax based requests, allowing any user to modify, delete or add ultpoptions values. PoC You can run this from a browser's javascript console:...
Add Sidebar <= 2.0.0 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the add parameter in the /wpsidebarMenu.php file which allows attackers to inject arbitrary web scripts...
Skaut bazar < 1.3.3 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $SERVER'PHPSELF' in the /skaut-bazar.php file which allows attackers to inject arbitrary web scripts PoC https://example.com/wp-admin/options-general.php/"/?page=skatubazaroption...
Smart Email Alerts <= 1.0.10 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the apikey in the /views/settings.php file which allows attackers to inject arbitrary web scripts...
WP SEO Tags <= 2.2.7 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the saqtxtthefilter parameter in the /wp-seo-tags.php file which allows attackers to inject arbitrary web scripts...
Custom Dashboard & Login Page - AGCA < 6.9.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks...
Project Status <= 1.6 - Reflected Cross-Site Scripting (XSS)
The pspinduplicatepostsaveasnewpost function of the plugin does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue PoC Open the below URL as any authenticated user...
Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)
Description The theme does not sanitise the tdblockid parameter in its tdajaxblock AJAX action, leading to an unauthenticated Reflected Cross-site Scripting XSS vulnerability. Due to a nonce check, this issue is only exploitable on unauthenticated users for as long as the nonce used in the reques...
WP Google Map < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfilteredhtml capability is disallowed PoC Create a new map. Add an XSS payload to the title. Click "Show as map title". A...
WP Offload SES Lite < 1.4.5 - Stored Cross-Site Scripting (XSS)
The plugin did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for exampl...
W3 Total Cache < 2.1.5 - Reflected XSS in Extensions Page (JS Context)
The plugin was affected by a reflected Cross-Site Scripting XSS issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This...
WP Hardening < 1.2.2 - Reflected XSS via historyvalue
The plugin did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue. PoC https://example.com/wp-admin/admin.php?page=wphwpharden=...
Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)
This plugin gives us the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also b...
JNews < 8.0.6 - Reflected Cross-Site Scripting (XSS)
The theme did not sanitise the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory, leading to a Reflected Cross-Site Scripting XSS issue. PoC POST /?ajax-request=jnews HTTP/1.1 Accept: text/html, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding:...
WP Fastest Cache < 0.9.1.7 - Authenticated Arbitrary File Deletion via Path Traversal
The plugin did not validate a path parameter, allowing administrators to delete arbitrary files on the server via a path traversal attack...
RSS for Yandex Turbo < 1.30 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise the user inputs from its Счетчики settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues PoC As admin, Navigate to Setting Яндекс.Турбо Счетчики and enter a payload such as " onmouseover="alert1 into a...
Kaswara Modern VC Addons (0-day) - Unauthenticated Arbitrary File Upload
The plugin allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fontsicon directory with no checks for malicious files such as PHP. The vendor has been unresponsive to both the reporter and Envato,...
Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)
The plugin was vulnerable to Reflected Cross-Site Scripting XSS issues via the galleryid, tag, albumid and themeid GET parameters passed to the bwgfrontenddata AJAX action available to both unauthenticated and authenticated users PoC...
N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE
The plugin suffers from an arbitrary file upload issue in page where a Form from the plugin is embed, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5uniqidrand, however, in the case of misconfigured servers with Directory listing enabled,...
WP Super Cache < 1.7.2 - Authenticated Remote Code Execution (RCE)
The plugin was affected by an authenticated admin+ RCE in the settings page due to input validation failure and weak $cachepath check in the WP Super Cache Settings - Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for...
wpDataTables < 3.4.1 - Unauthenticated SQL Injection
In the default configuration, a simple table can be published in a page that does not require authentication. The table can be searched, and is vulnerable to SQL Injection via the order parameter. An unauthenticated user visiting the page where the table is published can perform a SQL injection...
WP Google Map Plugin < 4.1.5 - Authenticated SQL Injection
The Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user admin+. Edit WPScanTeam: September 8th, 2020 - Confirmed & Escalated to WP plugins team September 8th, 2020 - WP plugins team investigating November 25th, 2020 - No updates,...
WordPress < 5.5.2 - Cross-Site Request Forgery (CSRF) to Change Theme Background
Description Erwan, a security researcher from the WPScan team, discovered and responsibly disclosed a Cross-Site Request Forgery CSRF vulnerability that could allow an unauthenticated attacker to change the background image of the theme. For a successful attack, a privileged authenticated WordPre...
WordPress < 5.5.2 - Disable Spam Embeds from Disabled Sites on a Multisite Network
Description The release notes state: "Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network."...
XCloner Backup and Restore 4.2.1 - 4.2.12 - Unprotected AJAX Action
"This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on a vulnerable site’s server. Alternatively, an attacker could create an exploit cha...
Newsletter < 6.8.2 - Authenticated PHP Object Injection
The ‘restoreoptionsfromrequest‘ function called by the AJAX function ‘tnpcrendercallback‘ runs ‘unserialize’ directly on ‘$options'inlineedits'’ which is provided by user input in the $POST‘options’ parameter. This creates the potential for an Object Injection vulnerability. For example, a user...
WordPress < 5.4.2 - Authenticated Stored XSS via Theme Upload
Description An authenticated user could upload a purposely broken theme and then change the theme's directory name with a Cross-Site Scripting XSS payload. When WordPress warns the user about the broken theme, the XSS payload is then executed. This vulnerability would be difficult to exploit by a...
Final Tiles Gallery < 3.4.19 - Authenticated Stored Cross-Site Scripting (XSS)
Multiple cross-site scripting vulnerabilities in Final Tiles Gallery 3.4.18 and lower allow remote attackers to inject arbitrary web script or HTML via the Title and Caption fields of an image. Successful exploitation of this vulnerability would allow an authenticated high-privileged user author+...
BigBlueButton < 2.2.4 - Reflected Cross-Site Scripting (XSS)
XSS via closed captions because dangerouslySetInnerHTML in React is used...
WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint
The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which failed to include a permissioncallbac...
Photo Gallery < 1.5.46 - Multiple Cross-Site Scripting (XSS) Issues
Multiple cross-site scripting vulnerabilities have been discovered in Photo Gallery Plugin version 1.5.45. The vulnerabilities are caused by improper sanitization of user input in the galleries/image edit page...
Houzez < 1.8.4 - Unauthenticated Cross-Site Scripting (XSS)
Two Reflected XSS vulnerability were discovered in the «Houzez - Real Estate WordPress Theme», tested version — v1.8.3.1 Edit WPScanTeam: January 11th, 2020 - Report received & Envato Contacted January 12th, 2020 - Envato Investigating January 27th, 2020 - v1.8.4 released, fixing the issue. PoC...
EU Cookie Law < 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS)
By exploiting the documented vulnerability, an authenticated attacker with high privileges administrator can execute JavaScript code in a victim's browser. By default, in WordPress, administrator users are allowed to inject JavaScript as they have the unfilteredhtml capability. The affected form...
Popup Builder <= 3.44 - SQL Injection
The Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter WordPress plugin was affected by a SQL Injection security vulnerability...
Ultimate Member <= 2.0.53 - Cross-Site Scripting (XSS)
The changelog states: "Added security fixes XSS"...
Facebook for WooCommerce <= 1.9.12 - CSRF allowing Option Update
The original issue has been fixed via 1.9.14. However, as additional CSRF checks have been implemented in 1.9.15, the fixed in has been set to 1.9.15...
WebP Express <= 0.14.10 - Multiple Issues
- Arbitrary File Viewing - CRSF - XSS including https://wpvulndb.com/vulnerabilities/9389 - Unauthorised Access...
WP Live Chat Support < 8.0.27 - Unauthenticated Stored XSS
The 3CX Live Chat WordPress plugin was affected by an Unauthenticated Stored XSS security vulnerability...
Photo Gallery by 10Web <= 1.5.22 - Authenticated XSS
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by an Authenticated XSS security vulnerability...
WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection
The includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement, leading to an unauthenticated SQL injection issue. PoC curl -k --silent "http://example.com/index.php?restroute=3D/wpgmza/v1/markers/=3D%7B%7D&=fields=3D+from+wpusers+--+-"...
WordPress <= 5.0 - User Activation Screen Search Engine Indexing
Description According to WordPress: "Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords."...