14603 matches found
Advanced Booking Calendar <= 1.7.1 - Unauthenticated SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users...
SEO Plugin by Squirrly SEO < 12.1.11 - Contributor+ Arbitrary File Upload
The plugin does not validate files to be uploaded, which could allow users with a role as low as contributor to upload arbitrary files such as PHP...
Zoho CRM Lead Magnet < 1.7.6.2 - Subscriber+ Arbitrary Options Update
The plugin does not have authorisation and CSRF in some AJAX actions, and does not ensure that the option to be updated belong to the plugin. As a result, any authenticated users, such as subscriber could update arbitrary blog options such as defaultrole and userscanregister. PoC v response.text...
Image Hover Effects Ultimate < 9.7.2 - Authenticated Arbitrary Options Change
The plugin does not ensure that the options to be updated belong to the plugin, which could allow high privilege users to update arbitrary options even when they should not be allowed to...
SearchWP < 4.2.6 - Subscriber+ Settings Update
The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them...
Form Maker by 10Web < 1.15.6 - Admin+ SQLI
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin PoC Create/edit a form, go to the Settings MySQL Mapping i.e /admin.php?page=managefm=editid=1=4id=mapping. Copy the link t...
Contact Bank <= 3.0.30 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup PoC Create/edit a form and put the following...
Add Shortcodes Actions And Filters <= 2.0.9 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Pop-up < 1.1.6 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
MP3 jPlayer <= 2.7.3 - Multiple CSRF
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
Generate PDF using Contact Form 7 < 3.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC 1 - Install and activate "Generate PDF using Contact Form 7 Version 3.5" 2 - Click on "Contact - Add...
Beaver Builder < 2.5.5.3 - Authenticated Stored XSS via Caption
The plugin does not sanitise and escape the caption parameter added to images via the media uploader, which could allow users with access to the plugin's editor to perform Cross-Site Scripting attacks...
Visual Portfolio < 2.18.0 - Unauthenticated CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts PoC The postid is the ID of a saved layout...
Rank Math SEO < 1.0.95.1 - Unauthenticated SSRF
The plugin does not properly restrict access to some .htaccess blocked REST endpoints when the headless settings is enabled, which could allow unauthenticated attackers to perform SSRF attacks...
Gallery PhotoBlocks <= 1.2.6 - Cross-Site Request Forgery
The plugin does not have CSRF check in some places, which could allow attackers to make logged in users perform unwanted actions...
Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change
The plugin does not have any authorisation in its tptranslation AJAX action, allowing unauthenticated users to call it...
Crowdsignal Polls & Ratings < 3.0.8 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting PoC...
Easy Username Updater < 1.0.5 - Arbitrary Username Update via CSRF
The plugin does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin PoC...
Discy < 5.0 - Subscriber+ Broken Access Control to change settings
The theme lacks authorization checks then processing ajax requests to the discyupdateoptions action, allowing any logged in users with privileges as low as Subscriber, to change the theme options by sending a crafted POST request. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type:...
Data Tables Generator by Supsystic < 1.10.20 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup PoC Create/edit a table, go to its settings,...
LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Client ID" settings: "/...
MashShare <= 3.8.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Custom Popup Builder <= 1.3.1 - Contributor+ Stored Cross-Site Scripting
The plugin does have proper authorisation in place, and does not sanitise as well as escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks...
Webriti SMTP Mail <= 1.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
LiveSync for WordPress <= 1.0 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack PoC...
Discy < 5.2 - Restore Default Settings via CSRF
The theme does not check for CSRF tokens in the AJAX action discyresetoptions, allowing an attacker to trick an admin into resetting the site settings back to defaults. PoC...
WP Statistics < 13.2.2 - Reflected Cross-Site Scripting
The plugin does not sanitise the REQUESTURI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting XSS in web browsers which do not encode characters PoC GET /wp-admin/admin.php?page=wpssettingspage= HTTP/1.1 Accept:...
Change wp-admin Login < 1.1.0 - Unauthenticated Arbitrary Settings Update
The plugin does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector PoC curl --url...
IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC As administrator, put the following payload in any of the plugin's settings and save: "...
WP 2FA < 2.2.1 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=wp-2fa-settingserror=...
Slide Anything < 2.3.44 - Editor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape sliders' description, which could allow high privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Create/edit a Slider with the plugin and put the following payload in a Slide...
Adrotate < 5.8.23 - Admin+ XSS via Advert Name
The plugin does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create/edit an Advert and put the following payload in the Name field: " The XSS will be triggered when...
Adrotate < 5.8.23 - Admin+ XSS via Group Name
The plugin does not escape Group Names, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Create/edit a group and put the following payload in the Name field: " style=animation-name:rotation...
Floating Chat Widget < 2.8.4 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...
Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting
The plugin does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting PoC The issue is only exploitable when there are no forms created yet...
Safe SVG < 1.9.10 - SVG Sanitisation Bypass
The sanitisation step of the plugin can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent mainly XSS, but depending on further use of uploaded SVG...
WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
The plugin does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbotsgravafingerprint AJAX action, available to unauthenticated users, leading to a SQL injection PoC curl -i 'https://example.com/wp-admin/admin-ajax.php' --data...
UpdraftPlus < 1.22.9 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the updraftinterval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting XSS vulnerability. PoC https://example.com//wp-admin/options-general.php?page=updraftplusinterval"confirm1...
Coupon Affiliates < 4.16.4.5 - Unauthenticated Stored XSS
The plugin does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin. PoC curl https://example.com/wp-admin/admin-ajax.php...
Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure
The plugin does not have proper authorisation when managing appointments, allowing any customer to update other's booking, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. PoC 1. Create a booking with user01 2...
Narnoo Distributor <= 2.5.1 - Unauthenticated LFI to Arbitrary File Read / RCE
The plugin fails to validate and sanitize the libpath parameter before it is passed into a call to require via the narnoodistributorlibrequest AJAX action available to both unauthenticated and authenticated users which results in the disclosure of arbitrary files as the content of the file is the...
Contact Form X < 2.4.1 - Reflected Cross-Site Scripting
The plugin does not escape the tab parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue PoC https://example.com/wp-admin/options-general.php?page=contactformx="+style=animation-name:rotation+onanimationstart=alert/XSS///...
Kunze Law < 2.1 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its 'E-Mail Error "From" Address' settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Put the following payload in the 'E-Mail Error "From" Address' settings of the plugi...
Fancy Product Designer < 4.7.5 - Admin+ SQL Injection
The plugin is vulnerable to SQL Injection due to insufficient escaping and validation of the ID parameter found in the /inc/api/class-view.php file which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information...
PHP Everywhere < 3.0.0 - Subscriber+ RCE via Shortcode
The plugin allows any authenticated users, such as subscriber to execute PHP via the phpeverywhere shortcode...
Wordpress Download Manager < 3.2.25 - Sensitive Information Disclosure
The plugin does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords fixed in 3.2.24 and files Master Keys fixed in 3.2.25. PoC Expose plaintext passwords...
Page Views Count < 2.4.15 - Unauthenticated SQL Injection
The plugin does not sanitise and escape the postids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks PoC...
WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)
The plugin does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a Reflected Cross-Site Scripting PoC http://example.com/wp-admin/options-general.php?page=cc-ce-bridge-cp=%3Cimg%20src%20onerror=alert1%3E...
Backup and Staging by WP Time Capsule < 1.22.7 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting PoC Once the "Server Requirements" are passed in the initial setup process you can bypass the check for localhosts by editing the islocalhost functio...
tarteaucitron.js - Cookies legislation & GDPR < 1.6.1 - Admin + Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...