14603 matches found
Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in Product XML Feeds Module
The plugin does not sanitise and escape the wcjcreateproductsxmlresult parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue PoC The "Product XML Feeds" module needs to be enabled in "Woocommerce -...
Stylish Cost Calculator < 7.04 - Subscriber+ Unauthorised AJAX Calls to Stored XSS
The plugin does not have any authorisation and CSRF checks on some of its AJAX actions available to authenticated users, which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users d...
HashThemes Demo Importer < 1.1.2 - Improper Access Control to Blog Reset
The plugin does not have capability checks in some of its AJAX action, relying on CSRF nonces for this, which are displayed for any authenticated users. As a result, a user with a role as low as subscriber could use the hdiinstalldemo AJAX action to reset the entire blog including the tables in t...
eCommerce Product Catalog for WordPress < 3.0.39 - Reflected Cross-Site Scripting
The plugin does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue PoC...
Visitor Traffic Real Time Statistics < 3.9 - Subscriber+ SQL Injection
The plugin does not validate and escape user input passed to the todaytrafficindex AJAX action available to any authenticated users before using it in a SQL statement, leading to an SQL injection issue PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01...
WP Survey Plus <= 1.0 - Subscriber+ AJAX Calls
The plugin does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues PoC To create a surve...
Events Made Easy < 2.2.24 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed PoC Add/Edit a Custom Field /wp-admin/admin.php?page=eme-formfields and put the following payload in the Field...
Easy Twitter Feed < 1.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode PoC Log in as contributor and add the following shortco...
qTranslate X <= 3.4.6.8 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its settings before outputting them in attributes, allowing high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Affected POST Parameters: - Settings Languages Languages:...
WP Cerber Security < 8.9.3 - Rest-API Protection Bypass
The /wp-json REST API endpoint is by default blocked by WP Cerber from accessing its information. However, by appending a ?, the access control list protections are bypassed and data can then be retrieved from it...
TypoFR <= 0.11 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the text function found in the /vendor/OrgHeigl/Hyphenator/index.php file which allows attackers to inject arbitrary web scripts...
AddToAny Share Buttons < 1.7.48 - Admin+ Stored Cross-Site Scripting
The plugin does not escape its Image URL button setting, which could lead allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Add the following payload in the Universal Button Image URL settings: " onerror=alert/XSS/ " The...
SMS Alert Order Notifications – WooCommerce < 3.4.7 Authenticated Cross Site Scripting
The plugin is affected by a cross site scripting XSS vulnerability in the plugin's setting page. PoC Enter the payload below for the "SMS Alert Username" in the plugin's settings. "+onfocus="alert1"+autofocus=" You will observe that the JavaScript payload successfully got reflected is and we are...
Slider Hero < 8.2.7 - Contributor+ SQL Injection
The plugin does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection. PoC As a contributor, add the following shortcode in a post and preview it to execute the SQLi...
Custom Login Redirect <= 1.0.0 - CSRF to Stored XSS
The plugin does not have CSRF check in place when saving its settings, and do not sanitise or escape user input before outputting them back in the page, leading to a Stored Cross-Site Scripting issue PoC...
Forms < 1.12.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting XSS vulnerability within the Forms "Add new" field. PoC Step 1: Install and activate the plugin. Step 2: Go to the Forms-- Add New...
Workreap < 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
The theme's AJAX actions workreapawardtempfileuploader and workreaptempfileuploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were...
Newspaper < 11 - Reflected Cross-Site Scripting (XSS)
Description The theme does not sanitise the tdatts.modulescategory parameter in its tdajaxsearch AJAX action, leading to a Reflected Cross-Site Scripting XSS vulnerability. PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate...
WooCommerce Custom Registration Form <= 1.0.4 - Arbitrary Field Deletion and Form Modification via CSRF
The plugin does not properly check for CSRF in its delfield and savealldata AJAX actions, allowing attacker to make logged in user call them via a CSRF attack PoC To delete a field from the Registration Form: To change the whole Registration Form:...
Side Menu Lite < 2.2.1 - Authenticated SQL Injection
The plugin does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack. PoC http://www.example.com/wp-admin/admin.php?page=side-menu-lite=add-new=duplicate=0...
JoomSport < 5.1.8 - Unauthenticated PHP Object Injection
The joomsportmdload AJAX action of the plugin, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other...
Happy Addons for Elementor Free < 2.24.0 and Pro < 1.17.0 - Contributor+ Stored XSS
The plugins have a number of widgets that are vulnerable to stored Cross-Site ScriptingXSS by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “titletag” parameter. Although the element control lists a fixed set of possible html tags, it is possib...
Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions
In the plugin, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7rresetsettings to reset the plugin’s settings, wpcf7raddaction to add actions to a form, and more...
All 404 Redirect to Homepage < 1.21 - Authenticated Reflected Cross-Site Scripting (XSS)
The tab parameter of the settings page of the plugin was vulnerable to an authenticated reflected Cross-Site Scripting XSS issue as user input was not properly sanitised before being output in an attribute. PoC...
Fitness Calculators < 1.9.6 - Cross-Site Request Forgery to Cross-Site Scripting (XSS)
The plugin add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored...
WP-DownloadManager < 1.68.5 - Server-Side Request Forgery (SSRF)
The plugin before version 1.68.5 is vulnerable to server-side request forgery SSRF attacks. This could allow an attacker identify open ports, network hosts and access web resources on a non-public facing network...
Imagements <= 1.2.5 - Unauthenticated Arbitrary File Upload to RCE
The Imagements WordPress plugin, versions = 1.2.5, allowed images to be uploaded in comments, however, only checked for the Content-Type HTTP header for validation, which can be tampered with. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type head...
All Thrive Themes and Plugins - Unauthenticated Option Update
The plugins and themes register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty apikey parameter in vulnerable versions if Zapier was not enabled. Attackers coul...
Data Tables Generator by Supsystic < 1.10.1 - Authenticated Stored Cross-Site Scripting (XSS)
The "Editor" tab under the "Tables" section is vulnerable to stored XSS. It is possible to store XSS in all input fields as the code does not sanitise any of the user input. PoC Open a Table, go to the editor and enter a payload below in a cell, then save the Table = 1.9.99 - = 1.10.0 -...
Pricing Table by Supsystic < 1.8.9 - Authenticated SQL Injections
The GET parameter sidx and sord are used in a SQL statement without being sanitised when searching for pricing tables in the dashboard, leading to an authenticated SQL Injection issues. PoC...
Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
The plugin did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. PoC https://drive.google.com/file/d/1lLEXDyPp4LcKoCOqYS7A-0YgpIQD-ND/view?usp=sharing...
WP Shieldon 1.6.3 - Unauthenticated Cross-Site Scripting (XSS)
The WP Shieldon WordPress plugin, versions 1.6.3 and below, were vulnerable to Unauthenticated Reflected Cross-Site Scripting XSS when the CAPTCHA page is shown. This was due to $SERVER'REQUESTURI' being echoed to a page without any encoding. PoC http://www.example.com/?...
WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR
"The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the orderid parameter in a fetchorderstatus action." PoC https://example.com/wp-admin/admin-ajax.php?action=fetchorderstatusid=XX...
Ninja Forms < 3.4.27.1 - Validation Bypass via Email Field
The plugin did not correctly validate the email address field...
Ninja Forms < 3.4.28 - Stored Cross-Site Scripting
The plugin did not escape HTML content of fields in the submissions table, which could lead to Cross-Site Scripting issues...
File Manager < 6.5 - Backup File Directory Listing
The File Manager WordPress plugin could expose backup files if the web server had Directory Listing enabled. The File Manager WordPress plugin, version 6.4 and lower, failed to restrict external access to the fmbackups directory with a .htaccess file. This resulted in the ability for...
YITH WooCommerce Ajax Product Filter < 3.11.1 - Authenticated Reflected Cross-Site Scripting (XSS)
The YITH WooCommerce Ajax Product Filter WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting XSS vulnerability in an admin form. The vulnerability was fixed in version 3.11.1 of the plugin...
Chopslider <= 3.4 - Unauthenticated Blind SQL Injection
The id parameter of the getscript/index.php page is not sanitised when used in a SQL statement, leading to an unauthenticated blind SQL Injection issue. Vendor was contacted by researcher, on March 3rd, 2020 but no reply was received. PoC The PoC will be displayed once the issue has been remediat...
LearnPress < 3.2.6.9 - Authenticated Post Creation and Status Modification
The LearnPress plugin for WordPress allows authenticated remote attackers with minimal permissions to create pages with arbitrary titles, or modify the publication status of any existing page, via the learnpresscreatepage or learnpressupdateorderstatus AJAX actions...
GTranslate < 2.8.52 - Unauthenticated Reflected Cross Site Scripting (XSS)
The GTranslate plugin before 2.8.52 for WordPress was vulnerable to an Unauthenticated Reflected XSS vulnerability via a crafted link. This requires use of the hreflang tags feature within a sub-domain or sub-directory paid option. The vulnerability was due to outputting the WordPress addqueryarg...
LifterLMS < 3.37.15 - Arbitrary File Writing
The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress WordPress plugin was affected by an Arbitrary File Writing security vulnerability...
Hero Maps Premium < 2.2.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The hmapsprem WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC...
GistPress < 3.0.2 - Authenticated Stored XSS
XSS vulnerability that could be exploited by untrusted contributors on multi-author sites...
CityBook < 2.3.4 - Multiple Vulnerabilities
Multiple vulnerabilities was discovered in the 'CityBook - Directory & Listing WordPress Theme', tested version — v2.3.3: - Unauthenticated Reflected XSS - Authenticated Persistent XSS - IDOR Edit WPScanTeam: December 27h, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January...
Popup-Maker < 1.8.12 - Multiple Vulnerabilities
An attacker can partially control the arguments of the doaction, during the initialization of the PUMSite . Because of this, an attacker can call any method which contains an action starting from popmake or pum . This will lead to successful execution of functions which do not require arguments...
WordPress <= 5.2.3 - Stored XSS in Customizer
...
WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
Description According to the WordPress release notes: "Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting XSS in shortcode previews."...
2 Click Socialmedia Buttons < 0.34 - Multiple XSS
Description The 2 Click Social Media Buttons WordPress plugin was affected by a Multiple XSS security vulnerability...
Photo Gallery by 10Web <= 1.5.24 - Authenticated LFI
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by an Authenticated LFI security vulnerability...
Better Search 2.2.2 - Unauthenticated SQL Injection
The Better Search WordPress plugin was affected by an Unauthenticated SQL Injection security vulnerability...