14603 matches found
Multi-column Tag Map < 17.0.27 - Cross-Site Request Forgery
Description The Multi-column Tag Map plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the scmcTagMappluginoptions function in versions up to, and including, 17.0.26. This makes it possible for unauthenticated attackers to update the plugin's setting...
Embed Privacy < 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Embed Privacy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedprivacyoptout ' shortcode in all versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...
WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE
Description The plugin does not validate and sanitise the wpquery parameter which allows an attacker to run arbitrary command on the remote server PoC 1. Go to "All Export" "New Export" 2. Select "WP Query Results" as the export type 3. Enter the payload phpinfo for the query. 4. Click...
Contact Form to DB by BestWebSoft < 1.7.2 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db allows SQL Injection.This issue affects Contact Form to DB by BestWebSoft –...
ChatBot < 4.7.9 - CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...
Funnelforms Free < 3.4 Unauthenticated Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks PoC 1. Create a contact form 2. Embed the contact form shortcode on a post or page. 3. As an Unauthitncated user, inject the inputs for a malicious...
Easy Admin Menu <= 1.3 - Admin+ Stored XSS
Description The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
File Manager Pro < 1.8 - Remote Code Execution via CSRF
Description The plugin does not properly check the CSRF nonce in the fsconnector AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell. PoC As a Super Admin, run the following...
WP 404 Auto Redirect to Similar Post <= 1.0.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
123.chat < 1.3.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC In the plugin's "User-ID" setting...
Rank Math SEO < 1.0.119.1 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WP Brutal AI < 2.06 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC In the plugin settings, for a...
Grid Kit Premium < 2.2.0 - Multiple Reflected Cross-Site Scripting
The plugin does not escape some parameters as well as generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open one of the URL below...
Active Directory Integration / LDAP Integration < 4.1.6 - Sensitive Information Disclosure
The plugin will expose Sensitive Information due to insufficient sanitization of the supplied username value...
BookIt < 2.3.8 - Authentication Bypass
The plugin does not perform any authorisation check when a user book an appointment using an email from an existing account, allowing unauthenticated attackers to login as any user from the blog by providing their email address PoC On a page where the bookit is embed, book an appointment using an...
Float menu < 5.0.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC 1. Add a new item in the plugin settings 2...
Directorist < 7.5.5 - Subscriber+ Insecure Direct Object Reference to Arbitrary Post Deletion
The plugin does not properly validate that users are authorized to delete a given listing, or that it is a listing at all, making it possible for less-privileged users like subscribers to delete posts...
B2BKing < 4.6.20 - Subscriber+ Arbitrary Products Price Update
The plugin does not have authorisation in some AJAX actions, allowing any authenticated users, such as subscriber to update the price of any WooCommerce products...
TaxoPress < 3.6.5 - Editor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Easy Sign Up <= 3.4.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Easy Forms for MailChimp < 6.8.8 - Reflected XSS
The plugin does not sanitise and escape some parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin PoC Make a logged in admin open a page with the following code this requires the attacker...
Groundhogg Contacts < 2.7.9.4 - Admin+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins PoC 1. Login as a WordPress administrator or any of the custom roles from GroundHogg 2. Navigate to the URL:...
WP-Advanced-Search <= 3.3.8 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP Statistics < 14.0 - Authenticated SQLi
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manageoptions capability admin+, however the plugin has a settings to allow low privilege users to access it as well. PoC...
CPO Content Types <= 1.1.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Metform Elementor Contact Form Builder < 3.2.2 - reCaptcha Bypass
The plugin does not properly check for the submitted from captcha value server side, which could lead to bypass...
HT Slider For Elementor < 1.4.0 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack PoC activate woocommerce plugin exploit: fetch'http://localhost/wp-admin/admin-ajax.php', method: 'POST', headers: new...
WP Plugin Manager < 1.1.8 - Arbitrary Plugin Activation via CSRF
The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack PoC fetch'https://example.com/wp-admin/admin-ajax.php', method: 'POST', headers: new Headers 'Content-Type':...
Conversios.io < 5.2.4 - Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
Booking calendar, Appointment Booking System < 3.2.4 - Form Creation/Update/Deletion/Duplication via CSRF
The plugin does not have CSRF checks on some of its form actions such as creation/update/deletion and duplication, which could allow attackers to make logged in admin perform such actions via CSRF attacks...
Timed Content < 2.73 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC timed-content-client hide="10:00:'...
Spotlight Social Feeds < 1.4.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC Exploit Additional CSS classes for "Spotlight...
WP Google Maps < 9.0.16 - Admin+ Path Traversal
The plugin does not validate the XML Directory path settings, which could allow high privilege users such as admin to perform Path Traversal attacks...
Meks Flexible Shortcodes < 1.3.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit:...
Royal Elementor Addons < 1.3.60 - Subscriber+ Mega Menu Settings Update
The plugin does not have authorisation and CSRF checks when updating the mega menu settings, which could allow any authenticated user, such as subscriber to perform such action...
Royal Elementor Addons < 1.3.60 - Menu Template Creation via CSRF
The plugin does not have CSRF check when creating menu templates, which could allow attackers to make a logged in admin perform such action via a CSRF attack...
Login as User or Customer < 3.3 - Unauthenticated Privilege Escalation to Admin
The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session. PoC Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user,...
MashShare < 3.8.7 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit:...
Easy Accordion < 2.2.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. PoC Exploit...
WCK < 2.3.3 - Admin+ Stored XSS
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup. PoC 1. Create/edit a Post Type via the plugin...
WP Social Sharing <= 2.2 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to Settings » WP Social Sharing page of...
Build App Online < 1.0.19 - Unauthenticated SQL Injection
The plugin does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection PoC Additional plugins required: https://wordpress.org/plugins/wc-multivendor-marketplace/...
Contest Gallery < 19.1.5 - Admin+ SQL Injection
The plugins do not escape the optionid GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgorder POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST /wp-admin/admin-ajax.php...
Contest Gallery < 19.1.5 - Author+ SQL Injection
The plugins do not escape the cgcopyid POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. PoC POST...
Chained Quiz < 1.3.2.5 - Submitted Quiz Response Deletion via CSRF
The plugin does not have CSRF checks when deleting submitted quiz response, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Simple Basic Contact Form < 20221201 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. PoC 1. Go to "Settings » Contact Form » Plugin...
Advanced Booking Calendar <= 1.7.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
SEO Plugin by Squirrly SEO < 12.1.11 - Contributor+ Arbitrary File Upload
The plugin does not validate files to be uploaded, which could allow users with a role as low as contributor to upload arbitrary files such as PHP...
Zoho CRM Lead Magnet < 1.7.6.2 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF in some AJAX actions, and does not ensure that the option to be updated belong to the plugin. As a result, any authenticated users, such as subscriber could update arbitrary blog options such as defaultrole and userscanregister. PoC v response.text...