14603 matches found
Rehub < 19.6.2 - Unauthenticated Local File Inclusion
Description The Rehub theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 19.6.1. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can ...
FooGallery < 2.4.15 - Authenticated (Author+) Stored Cross-Site Scripting via Image Attachment Fields
Description The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachment fields such as 'Title', 'Alt Text', 'Custom URL', 'Custom Class', and 'Override Type' in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output...
WP Responsive Tabs horizontal vertical and accordion Tabs < 1.1.18 - Authenticated (Contributor+) SQL Injection
Description The WP Responsive Tabs horizontal vertical and accordion Tabs plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This mak...
Filter Custom Fields & Taxonomies Light <= 1.05 - Authenticated (Contributor+) PHP Object Injection
Description The Filter Custom Fields & Taxonomies Light plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.05 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to...
Forminator < 1.29.1 - Unauthenticated Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via an uploaded file e.g. 3gpp file due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user...
Essential Addons for Elementor < 5.9.14 - Author+ PHP Object Injection
Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input from the 'errorresetpassword' attribute of the "Login | Register Form" widget disabled by default. This makes it possible for authenticated attackers, with author-level access and above, to inject ...
MasterStudy LMS < 3.3.2 - Unauthenticated Privilege Escalation
Description The plugin is vulnerable to Privilege Escalation due to insufficient validation checks within the registeruser function called by the 'wpajaxnoprivstmlmsregister' AJAX action. This makes it possible for unauthenticated attackers to register a user with administrator-level privileges...
Co-marquage service-public.fr < 0.5.73 - Reflected Cross-Site Scripting via search_term
Description The Co-marquage service-public.fr plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘searchterm’ parameter in versions up to, and including, 0.5.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...
Co-marquage service-public.fr < 0.5.72 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The Co-marquage service-public.fr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 0.5.71 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...
Elementor Addon Elements < 1.13.3 - Contributor+ DOM-Based Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in...
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 5.3.2.0 - Authenticated (Contributor+) SQL Injection via Shortcode
Description The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to blind SQL Injection via the ‘id’ parameter of the RMForm shortcode in all versions up to, and including, 5.3.1.0 due to insufficient escaping on the user...
Restrict User Access – Membership Plugin with Force < 2.6 - Reflected Cross-Site Scripting
Description The Restrict User Access – Membership Plugin with Force plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
MyCurator Content Curation < 3.77 - Reflected Cross-Site Scripting
Description The MyCurator Content Curation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'topic' parameter in all versions up to, and including, 3.76 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
APIExperts Square for WooCommerce < 4.3 - Reflected Cross-Site Scripting
Description The APIExperts Square for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
Orbit Fox by ThemeIsle < 2.10.33 - Authenticated (Contributor+) Stored Cross-Site Scripiting via Registration Form Widget
Description The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form widget in all versions up to, and including, 2.10.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
Premium Addons PRO < 2.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Global Badge Module
Description The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Global Badge module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Fluent Forms < 5.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Fluent Forms plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web...
Simple Ajax Chat < 20240223 - Unauthenticated Stored XSS
Description The plugin does not prevent visitors from using malicious Names when using the chat, which will be reflected unsanitized to other users. PoC await fetch"http://vulnerable-site.tld/wp-content/plugins/simple-ajax-chat/simple-ajax-chat-core.php?sacSendChat=yes", "credentials": "include",...
WP Social Widget < 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The WP Social Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
Gestpay for WooCommerce < 20240307 - Cross-Site Request Forgery (CSRF) via ajax_delete_card
Description The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajaxdeletecard' function. This makes it possible for unauthenticated attackers to...
Scalable Vector Graphics (SVG) <= 3.4 - Author+ Stored XSS via SVG
Description The plugin does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. PoC Upload an SVG with the following code: Access the uploaded file directly to see the XSS...
WP Shortcodes Plugin — Shortcodes Ultimate < 7.0.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Description The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping on RSS feed content. This makes it possib...
Elementor Addon Elements < 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the linkto parameter in all versions up to, and including, 1.12.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Portugal CTT Tracking for WooCommerce < 2.2 - Reflected Cross-Site Scripting
Description The Portugal CTT Tracking for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
SlimStat Analytics < 5.1.4 - Subscriber+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the 'filterarray' parameter due to insufficient input sanitization and output escaping, allowing any authenticated users, such as subscriber, to inject arbitrary web scripts in pages that will execute whenever a user accesses...
IP2Location Country Blocker < 2.33.4 - Unauthenticated Sensitive Information Exposure via Debug Log File
Description The IP2Location Country Blocker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.33.3 via ip2location-country-blocker.php. This makes it possible for unauthenticated attackers to extract sensitive data including debug...
GigPress <= 2.3.29 - Admin+ Stored Cross Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Go to "GigPress Settings" 2...
MailerLite – WooCommerce integration < 2.0.9 - Cross-Site Request Forgery via Multiple AJAX Functions
Description The MailerLite – WooCommerce integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.8. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to...
Ajax Search Lite < 4.11.5 - Reflected Cross-Site Scripting
Description The plugin is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.11.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a us...
ElementsKit Lite < 3.0.4 - Unauthenticated Sensitive Information Exposure
Description The plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.3 via the ekitwidgetareacontent function. This makes it possible for unauthenticated attackers to obtain contents of posts in draft, private or pending review status that should not be...
Custom 404 Pro < 3.10.1 - Unauthenticated Stored Cross-Site Scripting via logging
Description The Custom 404 Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several logged parameters in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
GEO my WordPress < 4.0.3 - Authenticated(Administrator+) SQL Injection
Description The GEO my WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to 4.0.3 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers,...
LearnPress < 4.2.5.8 - Subscriber+ Arbitrary Course Progress Disclosure
Description The plugin is vulnerable to Insecure Direct Object Reference in the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the...
Accredible Certificates & Open Badges < 1.4.9 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
WP Edit Username < 1.0.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Seos Contact Form <= 1.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Seos Contact Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...
iframe Shortcode <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The iframe Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
WP Photo Album Plus < 8.6.01.003 - Insecure Direct Object Reference
Description The WP Photo Album Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.5.02.005 due to missing validation on a user controlled key. This makes it possible for unauthenticated attacker to perform an unauthorized action bas...
RegistrationMagic < 5.2.3.0 - Cross-Site Request Forgery
Description The RegistrationMagic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.2.2.6. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unauthorize...
WP Event Manager < 3.1.42 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Stored Cross-Site Scripting attacks...
RegistrationMagic < 5.2.4.2 - Reflected Cross-Site Scripting via section_id
Description The RegistrationMagic plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘sectionid’ parameter in versions up to, and including, 5.2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
Description The plugin does not disallow listing the backups-dup-lite/tmp directory or the backups-dup-pro/tmp directory in the Pro version, which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to...
Backup Migration < 1.3.7 - Unauthenticated Arbitrary File Download to Sensitive Information Exposure
Description The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMIBACKUP case of the handledownloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers...
12 Step Meeting List < 3.14.25 - Authenticated (Contributor+) Server-Side Request Forgery
Description The 12 Step Meeting List plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.14.24 via the tsmladddatasource parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web reques...
CataBlog <= 1.7.0 - Authenticated (Editor+) Arbitrary File Upload
Description The CataBlog plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.7.0. This makes it possible for authenticated attackers, with editor access and above to upload arbitrary files on the affected site's server which may make remote code...
WP Forms Puzzle Captcha <= 4.1 - Captcha Bypass
Description The WP Forms Puzzle Captcha plugin for WordPress is vulnerable to Captcha Bypass in versions up to, and including, 2.8. This makes it possible for unauthenticated attackers to bypass the Captcha Verification...
Stripe Gateway < 7.6.1 - Cross-Site Request Forgery
Description The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 7.6.1 exclusive. This is due to missing or incorrect nonce validation on the maybehandleredirect function. This makes it possible for unauthenticated attackers...
LWS Hide Login < 2.1.9 - Protection Mechanism Bypass
Description The LWS Hide Login plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 2.1.8. This is due to the fact that attackers can bypass the hidden login page by visiting install.php. This makes it possible for unauthenticated attackers to...
LayerSlider < 7.7.10 - Cross-Site Request Forgery
Description The LayerSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.7.9. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a...
EazyDocs < 2.3.6 - Unauthenticated OnePage Document Update/Publish
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the doconepage and editdoconepage functions, allowing unauthenticated attackers to publish and edit the plugin's OnePage document...