14602 matches found
WP < 6.0.3 - Stored XSS via the Customizer
Description WordPress does not escape some input in the Customizer, which could lead to Stored Cross-Site Scripting issue...
WP < 6.3.2 - Denial of Service via Cache Poisoning
Description A Denial of Service could occur via Cache Poisoning when the X-HTTP-Method-Override header is sent in a request to the REST API in an heavily cached configuration...
Yoast SEO < 22.6 - Reflected Cross-Site Scripting
Description The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
Snap Pixel <= 1.5.7 - Arbitrary Settings Update via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Multiple Plugins - Unauthenticated RCE via PHPUnit
There was an Unauthenticated Remote Code Execution RCE vulnerability in PHPUnit, a widely used testing framework for PHP. This vulnerability has been seen exploited in the wild. PoC curl -X POST --data ""...
Gravity Forms < 2.7.4 - Unauthenticated PHP Object Injection
The plugin unserializes user input via the getfieldinput, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
tagDiv Composer < 3.5 - Unauthenticated Account Takeover
Description The plugin, required by the themes, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address PoC Run the below command in the developer console of the web browser while being on the blog as an...
WP AutoSuggest 0.24 - Unauthenticated SQL Injection
The wp-autosuggest WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability. PoC sqlmap -u "http://URL/wp-content/plugins/wp-autosuggest/autosuggest.php?wpasaction=querykeys=1" --technique BT --dbms MYSQL --risk 3 --level 5 -p wpaskeys --tamper space2comment...
WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
Description This vulnerability could allow an unauthenticated user to view private or draft posts due to an issue within WPQuery. PoC http://wordpress.local/?static=1ℴ=asc...
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component
There is functionality in the plugin to add file uploads to user registrations and profile updates that had no file type checking in place making it possible for arbitrary files to be uploaded. PoC fh = open'shell.php', 'wb' fh.writeb'\xFF\xD8\xFF\xE0' + b'' fh.close 'Hax0r', 'regemail' =...
Contact Form 7 < 5.8.4 - Authenticated (Editor+) Arbitrary File Upload
Description The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7antiscriptfilename' function in versions up to, and including, 5.8.3. This makes it possible f...
The School Management < 9.9.7 - Unauthenticated RCE via REST api
The plugin contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site. PoC curl -d 'blowfish=1' -d "blowf=system'id';" 'https://examples.com/wp-json/am-member/license'...
WooCommerce Payments < 5.6.2 - Unauthenticated Privilege Escalation
The plugin has a flaw allowing unauthenticated attackers to create an admin account and take over the blog PoC POST /wp-json/wp/v2/users HTTP/1.1 Host: 127.0.0.1 Upgrade-Insecure-Requests: 1 Accept:...
Yoast SEO < 21.1 - Authenticated (Seo Manager+) Stored Cross-Site Scripting
Description The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 21.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with seo manager-level access and above, to inject...
All-in-One WP Migration < 7.59 - Admin+ File Deletion on Windows Hosts via Path Traversal
The plugin is vulnerable to arbitrary file deletion via directory traversal due to insufficient file validation via the /lib/model/class-ai1wm-backups.php file which can be exploited by administrative users, and users who have access to the site’s secret key on WordPress instances with Windows...
WordPress <= 5.2.3 - Admin Referrer Validation
Description The fix changes the PHP equal identifier == to the identical identifier ===...
All in One SEO Pack <= 2.9.1.1 - Authenticated Stored Cross-Site Scripting (XSS)
The All in One SEO Pack WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS security vulnerability...
Ultimate Addons for Elementor < 1.24.2 - Registration Bypass
"The Ultimate Addons for Elementor plugin recently patched a vulnerability in version 1.24.2 that allows attackers to create subscriber-level users, even if registration is disabled on a WordPress site." This vulnerability is being used in conjunction with a 0-day vulnerability in Elementor PRO...
WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
Description WordPress does not properly escape the "tagName" attribute in the "Template Part block" allowing high-privileged users to perform Stored Cross-Site Scripting XSS attacks. PoC As a contributor, add a "Template Part" block to a post, click on "Start Blank" and then Create. Go into Edito...
Smarty for WordPress <= 3.1.35 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
NextGen Gallery < 3.5.0 - CSRF allows File Upload, Stored XSS, and RCE
It was possible to bypass the "isauthorizedrequest" function used to control access to plugin settings by sending a request without a nonce parameter. This could be used to upload arbitrary code to a CSS file with a double extension e.g. file.php.css, and could also be used to include the uploade...
Tutor LMS < 1.8.8 - Authenticated Local File Inclusion
The plugin is affected by a local file inclusion vulnerability through the maliciously constructed subpage parameter of the plugin's Tools, allowing high privilege users to include any local php file PoC https://your.domain/wp-admin/admin.php?page=tutor-tools⊂page=..%2F..%2F..%2F..%2F..%2F..%2Fin...
WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
Description According to WordPress: "This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting."...
Highlight < 0.9.3 - Authenticated Stored Cross-Site Scripting
The plugin does not sanitise its CustomCSS setting, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Tick the "Enable Highlight" setting of the plugin, and put the following payload in the CustomCSS setting as well:...
Google Language Translator <= 5.0.05 - XSS
The Translate WordPress – Google Language Translator WordPress plugin was affected by a XSS security vulnerability...
WP < 6.0.3 - Stored XSS via RSS Widget
Description WP does not escape the error messages in the RSS Widget, which could lead to Stored Cross-Site Scripting issue...
WordPress < 5.9.2 - Prototype Pollution in jQuery
Description The jQuery library used in WordPress is affected by a Prototype Pollution issue...
Contact Form 7 < 5.9.5 - Unauthenticated Open Redirect
Description The plugin has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing. PoC 1. Add a form to a footer widget area 2. Disable JavaScript 3. Access the URL: https://example.com/%0a/google.com 4. Fill out the form and submit 5. The...
Slider Revolution < 6.6.16 - Authenticated (Author+) Arbitrary File Upload
Description The Slider Revolution plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 6.6.15. This makes it possible for attackers with author-level access and higher to upload arbitrary files on the affected site's server which may make remote code...
Jetpack <= 2.9.2 - class.jetpack.php XML-RPC Access Control Bypass
The Jetpack – WP Security, Backup, Speed, & Growth WordPress plugin was affected by a class.jetpack.php XML-RPC Access Control Bypass security vulnerability...
Product Lister for Walmart <= 1.0.0 - Unauthenticated RCE via Outdated PHPUnit
The plugin uses an outdated PHPUnit library, which is known to be affected by an unauthenticated RCE issue. February 28th, 2020 - Ticket sent to vendor via https://support.cedcommerce.com/open.php March 6th, 2020 - Update requested to vendor also realised that the ticket was closed w/o reason giv...
WordPress 5.2.2 - Authenticated Cross-Site Scripting (XSS) in Post Previews
Description From the WordPress version release: "Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting XSS vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments."...
Simple Backup <= 2.7.10 - Arbitrary File Download
The simple-backup WordPress plugin was affected by an Arbitrary File Download security vulnerability...
BuddyForms < 2.8.9 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery
Description The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions UGC plugin for WordPress is vulnerable to Arbitrary File Read and Server-Side Request Forgery in all versions up to, and including, 2.8.8. This makes it possible for...
WordPress 3.5-4.7.1 - WP_Query SQL Injection
...
BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
The plugin does not validate the url parameter of its uploadimagefromurl AJAX action, which could allow unauthenticated attackers to perform PHAR deserialisation granted they an upload a file to the server and a suitable gadget chain is present as well PoC 1. Create a malicious phar file. 2...
VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
The plugin lets any user execute arbitrary PHP functions on the site. PoC https://example.com/wp-admin/admin-post.php?vrccmd=phpinfo...
POST SMTP Mailer < 2.8.8 - Authorization Bypass via type connect-app API
Description The plugin is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to...
Contact Form by WPForms < 1.4.8.1 - Unauthenticated Cross-Site Scripting (XSS)
RIPS Technologies identified an Unauthenticated Cross-Site Scripting XSS vulnerability within the WPForms WordPress plugin during their WordPress Security Calendar 2018 research. The date parameter was embedded within JavaScript code without any validation or encoding...
W3 Total Cache 0.9.2.4 - Username & Hash Extract
The W3 Total Cache WordPress plugin was affected by an Username & Hash Extract security vulnerability...
Ultimate Member 2.1.3 - 2.8.2 - Unauthenticated SQL Injection
Description The plugin does not sanitize and escape the sorting parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks when the "Enable custom table for usermeta" option is enabled. PoC Requirement: "Enable custom table for usermeta" option t...
Elementor Website Builder < 3.16.5 - Missing Authorization to Arbitrary Attachment Read
Description The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getinlinesvg function in all versions up to, and including, 3.16.4. This makes it possible for authenticated attackers, with contributor-level acces...
WordPress 5.4 to 5.8 - Lodash Library Update
Description On September 9, 2021 WordPress version 5.8.1 was released fixing three vulnerabilities. The official blog post states: "The Lodash library has been updated to version 4.17.21 in each branch to incorporate upstream security fixes." The Lodash changelog states that a command injection...
WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
...
Download Manager < 3.2.85 - Unauthenticated File Download
Description The plugin is vulnerable to unauthorized file download of files added via the plugin, allowing unauthenticated attackers to download files added with the plugin even when privately published...
ElegantThemes - Privilege Escalation
Description An information disclosure vulnerability was found in the Divi Builder included in our Divi and Extra themes, as well as our Divi Builder plugin which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on...
LearnPress Plugin < 4.2.0 - Unauthenticated LFI
The plugin does not validate various parameters in the lp/v1/courses/archive-course REST endpoints before using them in include statement, which could lead to LFI issues...
WordPress < 5.4.2 - Open Redirection
Description Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wpvalidateredirect...
WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
Description An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata...
Ajax Search Lite < 4.11.1, Pro < 4.26.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in a response of an AJAX action, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the code below...